Running a SIEM in the Cloud
AlienVault OSSIM is an open source SIEM. It is a great security addition to any low-budget environment, and I am going to run it inside my virtual lab. Unfortunately it is not available on the Azure Marketplace (and AWS offers only the paid AlienVault product, USM). However, it is possible to build your own VM image and upload it to the cloud.
Creating an OSSIM image for MS Azure
- Download the OSSIM ISO and VirtualBox. Install VirtualBox.
- Start VirtualBox and click "New". Select a Linux, Debian (64-bit) VM. If the 64-bit option is missing, enable hardware virtualization (VT-x/AMD-V) in your BIOS first.
- Choose the memory size: 4096 MB or more so the local VM runs smoothly. This setting does not carry over to the VM configuration in the cloud.
- Create a new virtual hard disk. Select the VHD type and fixed size; Azure accepts only fixed-size VHDs for upload, so do not pick dynamically allocated here. 8 GB is just fine. Wait, it may take a while.
- After the VM is created, right-click it and go to Settings. This step is not required, but assigning more than one core to the VM will speed up the installation.
- Start the VM and select start-up disk – OSSIM iso.
- Select the first menu option, "Install AlienVault OSSIM 5.2.X (64 bit)".
- Select language, location and keyboard layout.
- Configure management interface IP. Put anything you like, for example 10.0.0.100/24. This is only for the template and you are going to change it later.
- Unless you already know your gateway, leave the default, it can be changed later.
- Optional – put the name server address.
- Set the root password. Note: this password is only needed for the local modifications to the template. The administrative account for the cloud VM is created later, through the Azure interface, and the deprovisioning step at the end of this guide removes the root password from the image (provided Provisioning.DeleteRootPassword=y in /etc/waagent.conf, which is the agent's upstream default; check it before uploading).
- Select the time zone.
- Wait till installation is completed.
- Login as root user.
- Choose “3 – Jailbreak System” and “Yes”.
- Edit /etc/network/interfaces and change eth0 from the static address you gave the installer to dhcp, then restart networking:
service networking restart
- Now you should have internet access. Check it with the ping command (for example, ping Google's public DNS server).
- Type nano /etc/default/grub and add a new line directly above GRUB_CMDLINE_LINUX_DEFAULT (the file is sourced top to bottom when the GRUB configuration is generated, so a definition placed below that line would expand to nothing):
AZURE="console=tty0 console=ttyS0,115200 earlyprintk=ttyS0,115200 rootdelay=30"
Then add $AZURE at the end of the GRUB_CMDLINE_LINUX_DEFAULT value, inside its quotes. These arguments send the kernel console to the serial port that Azure's boot diagnostics read, and rootdelay gives the root disk time to appear on the Azure storage stack.
Press Ctrl + O and Ctrl + X to write and exit, then run update-grub so the change is written into the real GRUB configuration; editing /etc/default/grub alone changes nothing.
- To run your template in Azure you need the Azure Linux Agent (waagent). It can be installed manually from the git repository https://github.com/Azure/WALinuxAgent, but an easier alternative is the waagent package from Microsoft's Debian mirrors. Add these lines to /etc/apt/sources.list (or to a file under /etc/apt/sources.list.d/) and run apt-get update:
deb http://debian-archive.trafficmanager.net/debian jessie-backports main
deb-src http://debian-archive.trafficmanager.net/debian jessie-backports main
deb http://debian-archive.trafficmanager.net/debian-azure jessie main
deb-src http://debian-archive.trafficmanager.net/debian-azure jessie main
apt-get install waagent
When apt asks whether it may restart services during the upgrade without asking, answer Yes. (Jessie is end-of-life, so if apt-get update or the install fails against these mirrors, fall back to installing from the git repository.) Finally, deprovision the agent so the image carries no machine-specific secrets:
waagent -force -deprovision
This removes the SSH host keys, the cached DHCP leases and resolver configuration, resets the hostname and, depending on Provisioning.DeleteRootPassword in /etc/waagent.conf, removes the root password from /etc/shadow. (The deprovision+user variant would additionally delete the last provisioned user account, which a template that only has root does not need.) Shut the VM down from VirtualBox right after this command; anything else you do in the VM from now on ends up in the image.
- By default your VHD is located at C:\Users\UserName\VirtualBox VMs\ossim_template. In the next part of this guide we are going to upload it to Azure, register it as an image and deploy a VM from it.
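The in-VM steps above (eth0 on DHCP, the GRUB serial-console arguments, the Azure apt repositories, the waagent install and the deprovision) collected into one script. This is an added example, not code from the original post or from AlienVault; the script name prep-ossim-azure.sh and the apply_template wrapper are my own, and it assumes OSSIM 5.2 on Debian Jessie as described above. The file-editing steps take the file they modify as an argument so they can be tried on a copy first, and effective_cmdline sources /etc/default/grub the way update-grub does and prints what the kernel will actually receive, which catches the mistake of putting the AZURE= line below GRUB_CMDLINE_LINUX_DEFAULT.

```shell
#!/bin/bash
# prep-ossim-azure.sh (hypothetical name): the in-VM template steps as functions
# that take the file they edit as an argument. Assumes OSSIM 5.2 / Debian Jessie.
set -eu

AZURE_ARGS='console=tty0 console=ttyS0,115200 earlyprintk=ttyS0,115200 rootdelay=30'

# eth0 on DHCP; replaces the static address typed into the installer.
write_dhcp_interfaces() {
  cat > "$1" <<'EOF'
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet dhcp
EOF
}

# Put AZURE="..." immediately ABOVE GRUB_CMDLINE_LINUX_DEFAULT and append $AZURE
# to that line exactly once. /etc/default/grub is sourced top to bottom by
# update-grub, so an AZURE= line appended at the end would expand to nothing.
add_azure_grub_args() {
  local f=$1 tmp
  tmp=$(mktemp)
  awk -v args="$AZURE_ARGS" '
    /^AZURE=/ { next }                       # drop any earlier copy, re-added below
    /^GRUB_CMDLINE_LINUX_DEFAULT=/ && !done {
      print "AZURE=\"" args "\""
      if (index($0, "$AZURE") == 0) sub(/"$/, " $AZURE\"")
      done = 1
    }
    { print }
    END {
      if (!done) {                           # no default line at all: create both
        print "AZURE=\"" args "\""
        print "GRUB_CMDLINE_LINUX_DEFAULT=\"$AZURE\""
      }
    }' "$f" > "$tmp"
  cat "$tmp" > "$f"                          # keep the file's ownership and mode
  rm -f "$tmp"
}

# Source the file the way update-grub does and print the resulting kernel
# command line; the ttyS0 arguments must appear here or Azure's boot
# diagnostics will stay empty.
effective_cmdline() {
  ( set +u; . "$1"; printf '%s\n' "${GRUB_CMDLINE_LINUX_DEFAULT:-}" )
}

# Azure's Debian mirrors, the four lines from the guide.
write_azure_sources() {
  cat > "$1" <<'EOF'
deb http://debian-archive.trafficmanager.net/debian jessie-backports main
deb-src http://debian-archive.trafficmanager.net/debian jessie-backports main
deb http://debian-archive.trafficmanager.net/debian-azure jessie main
deb-src http://debian-archive.trafficmanager.net/debian-azure jessie main
EOF
}

# Run everything against the real paths. Only invoked with --apply, as root,
# on the jailbroken template; never on a machine you care about.
apply_template() {
  write_dhcp_interfaces /etc/network/interfaces
  service networking restart
  ping -c 3 8.8.8.8 >/dev/null               # abort early if there is no network
  add_azure_grub_args /etc/default/grub
  echo "kernel cmdline will be: $(effective_cmdline /etc/default/grub)"
  update-grub                                # the step the list leaves implicit
  write_azure_sources /etc/apt/sources.list.d/azure.list
  apt-get update
  DEBIAN_FRONTEND=noninteractive apt-get install -y waagent   # no restart-services prompt
  waagent -force -deprovision
  echo "deprovisioned: power the VM off from VirtualBox now, do not boot it again"
}

if [ "${1:-}" = "--apply" ]; then
  apply_template
fi
```

Run it once without arguments on the template to make sure it parses, then try add_azure_grub_args on a copy of /etc/default/grub and look at effective_cmdline before running with --apply; the function is idempotent, so re-running it after a mistake does not stack a second $AZURE onto the line.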