#general
sebasveloso

09/24/2018, 3:33 PM
hello everyone, does anyone have experience with osquery integration into AlienVault OSSIM (open source, not USM)?
stefanmaerz

09/24/2018, 3:55 PM
you might have more responses if you describe what you've done/what you need.
3:55 PM
I have not used ossim. However I did get data into Splunk using the Splunk forwarder in conjunction with Fleet.
sebasveloso

09/24/2018, 5:45 PM
thanks for your response @stefanmaerz
5:48 PM
I basically need to establish a transition from OSSEC to osquery, but OSSIM by default does not have a plugin
5:49 PM
only USM (the paid version of AlienVault) ..
8:20 PM
any ideas? @stefanmaerz
8:20 PM
hehe
stefanmaerz

09/25/2018, 12:40 PM
Well. I know nothing about the OSSIM plugin. Presumably it provides some means of ingesting a log file. So I suppose you could either use that functionality on each osquery endpoint, or aggregate the logs in a central place via syslog or Fleet, then use that functionality to ingest the log file.
12:47 PM
The other issue you might encounter is if the OSSIM plugin does any magic like text parsing or correlation or whatever. osquery outputs JSON, which should be easy for a SIEM to parse.
sebasveloso

09/25/2018, 1:08 PM
thanks bro! @stefanmaerz
1:09 PM
something like that could work 😃