Using kofe on ossec+

Support/Development for OSSEC
rostami
New Forum User
Posts: 1
Joined: Sun Apr 11, 2021 3:16 am

Using kofe on ossec+

Unread post by rostami »

Hi,
I used https://www.ossec.net/finish-ossec-plus-install/ to install ossec+ and the KOFE extension, but I got the error "No indices match pattern 'ossec*'" when opening the KOFE-Compliance dashboard in Kibana. I think this is a bug, because when I checked

/etc/filebeat/filebeat.yml

I found that the log path is set as

/var/ossec/logs/alerts/alerts.json

but I checked this path and I couldn't find any file with a ".json" suffix; instead, I found

/var/ossec/logs/alerts/alerts.log

I think this file must be passed as the log path in "filebeat.yml", and "ossec-template.json" should also change.
I have another question, too: how can I use the machine learning feature of ossec+? Is that embedded in the Elasticsearch ML, or is it something else?
I have another question, too, that how can I use the machine learning feature of ossec+? Is that embedded in the Elasticsearch ML? or anything else?

Thank you
jmacdonald
New Forum User
Posts: 1
Joined: Mon Oct 11, 2021 10:32 pm

Re: Using kofe on ossec+

Unread post by jmacdonald »

Any more info on this?

I had long used OSSEC with minimal issues. I'm doing a new deployment with OSSEC+ & KOFE and have lots of problems...from non-existent OS checking code in the ubuntu installer (so it tries to use yum instead of apt!) to a bug on the RHEL agent where it won't import the key (manage_agents: ERROR: Cannot unlink /queue/rids/sender: No such file or directory). I even tried removing the agent and going back to previous versions, but every single version available (back to ossec-hids-agent-3.4.0-9608.el6.art.x86_64.rpm) seems to have the same issue. Tried it across RHEL6/7/8. And of course, also having this issue, where the KOFE dashboard install seems to work, but gives the error that "No indices match pattern 'ossec*' "
Last edited by jmacdonald on Mon Oct 11, 2021 10:51 pm, edited 1 time in total.
tonny
Forum User
Posts: 7
Joined: Fri Apr 09, 2021 8:56 am
Location: Sweden

Re: Using kofe on ossec+

Unread post by tonny »

Simply add the following in the <global> section of ossec.conf to get the json

<jsonout_output>yes</jsonout_output>
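As an added example (not code from any of the posters or from the OSSEC project), the script below checks whether an ossec.conf already enables JSON alert output inside <global>, adds or corrects the setting if not, and validates that an alerts.json file is the newline-delimited JSON that Filebeat expects. The config fragment and the alert lines are constructed samples; the alert field names ("rule", "level", "comment", "srcip") are an assumption about OSSEC's JSON layout, and a real ossec.conf may hold several top-level <ossec_config> blocks, which the parser handles by wrapping the text in a synthetic root.

```python
import json
import re
import xml.etree.ElementTree as ET

# Constructed sample ossec.conf fragment (assumption, not a poster's real file).
# Real ossec.conf files often contain more than one top-level <ossec_config>
# element, so it is not well-formed XML on its own; see jsonout_enabled().
SAMPLE_OSSEC_CONF = """<ossec_config>
  <global>
    <email_notification>no</email_notification>
  </global>
</ossec_config>
<ossec_config>
  <syscheck>
    <frequency>79200</frequency>
  </syscheck>
</ossec_config>
"""

JSONOUT_TAG = re.compile(r"<jsonout_output>[^<]*</jsonout_output>")


def jsonout_enabled(conf_text: str) -> bool:
    """True if some <global> block contains <jsonout_output>yes</jsonout_output>."""
    # Wrap in a synthetic root so multiple <ossec_config> blocks parse as one tree.
    root = ET.fromstring("<root>" + conf_text + "</root>")
    for glob in root.iter("global"):
        for node in glob.findall("jsonout_output"):
            if (node.text or "").strip().lower() == "yes":
                return True
    return False


def enable_jsonout(conf_text: str) -> str:
    """Return the config text with JSON alert output enabled.

    Three cases: already enabled (unchanged); a <jsonout_output> tag exists with
    another value (rewritten to yes); no tag at all (inserted into the first
    <global>, or a new <global> is created inside the first <ossec_config>).
    """
    if jsonout_enabled(conf_text):
        return conf_text
    setting = "<jsonout_output>yes</jsonout_output>"
    if JSONOUT_TAG.search(conf_text):
        return JSONOUT_TAG.sub(setting, conf_text)
    if "<global>" in conf_text:
        return conf_text.replace("<global>", "<global>\n    " + setting, 1)
    return conf_text.replace(
        "<ossec_config>",
        "<ossec_config>\n  <global>\n    " + setting + "\n  </global>",
        1,
    )


# Constructed sample of what alerts.json holds once jsonout_output is on:
# one JSON object per line. Field names are an assumption; the third line is
# deliberately malformed to show how a non-JSON line (e.g. a stray alerts.log
# fragment) is reported rather than silently dropped.
SAMPLE_ALERTS_JSON = (
    '{"rule":{"level":5,"comment":"SSHD authentication failed."},"srcip":"198.51.100.7"}\n'
    '{"rule":{"level":10,"comment":"Multiple failed logins."},"srcip":"198.51.100.7"}\n'
    "** Alert 1618100000.0: - syslog,sshd,\n"
)


def parse_alert_lines(text: str):
    """Parse newline-delimited JSON alerts; return (alerts, count_of_bad_lines)."""
    alerts, bad = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            alerts.append(json.loads(line))
        except json.JSONDecodeError:
            bad += 1
    return alerts, bad


if __name__ == "__main__":
    print("jsonout enabled in sample:", jsonout_enabled(SAMPLE_OSSEC_CONF))
    fixed = enable_jsonout(SAMPLE_OSSEC_CONF)
    print("jsonout enabled after fix:", jsonout_enabled(fixed))
    alerts, bad = parse_alert_lines(SAMPLE_ALERTS_JSON)
    print(f"parsed {len(alerts)} alerts, {bad} non-JSON line(s)")
```

To run it against a real install, read /var/ossec/ etc/ossec.conf into enable_jsonout() and write the result back, restart the OSSEC manager, and then feed /var/ossec/logs/alerts/alerts.json to parse_alert_lines(): a non-zero bad-line count means Filebeat would also fail to ingest those lines, which is worth checking before blaming the Kibana index pattern.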