OSSEC is an open-source Host-based Intrusion Detection System (HIDS) used for server protection, log analysis, and security monitoring. Panther can collect, normalize, and monitor OSSEC logs to help you identify suspicious activity in real time. Your normalized data is then retained to conduct future security investigations in a serverless data lake powered by Snowflake.
Use Cases for OSSEC Logs
Common security use cases for monitoring OSSEC logs include:
- Monitoring suspicious logs and operational anomalies
- Monitoring syslog data
- Monitoring user activity such as failed logins and other user-related events
Onboarding OSSEC Logs in Panther
Panther’s integration for OSSEC is simple and fast to configure, allowing you to onboard logs in just a few minutes. Simply select OSSEC from the list of pre-defined log sources, choose your preferred data transport method, and configure OSSEC to push logs to your data transport source.
For more detailed onboarding steps and the supported log schemas, see our OSSEC documentation.
Parsing, Normalizing, & Analyzing OSSEC Logs
As Panther ingests OSSEC audit logs, they are parsed, normalized, and stored in a Snowflake security data lake. This allows security teams to build detections, identify anomalies, and conduct investigations on logs in the context of days, weeks, or months of data.
Panther applies normalization fields to all log records, which standardizes names for attributes and allows users to correlate data across all log sources. Panther’s intuitive search features allow you to investigate your normalized logs for suspicious activity or vulnerabilities. For more on searching normalized log data in Panther, check out our documentation on Investigations & Search.
A number of pre-built detections are available by default in Panther, offering users immediate value for monitoring common IoCs and threats. You can explore our built-in detection coverage for OSSEC logs here.
With Panther, your team won’t be confined to restrictive detection rules or proprietary languages as seen in many SIEM platforms. Panther is built with detection-as-code principles, giving you the ability to write Python to define detection logic and to integrate external systems like version control and CI/CD pipelines into your detection engineering processes. This results in powerful, flexible, and reusable scripting of detection logic for your security team.
Panther fires alerts when your detection rules or policies are triggered, and integrates with a variety of alert destinations to allow for easy access and management of alerts for your security team. Alerts can also be sent to alert context or SOAR platforms for more remediation options.
Alerts are categorized by severity level: Info, Low, Medium, High, and Critical. Security teams have the option to assign severity dynamically based on specific log event attributes.
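To make the two preceding points concrete (Python detection logic, and severity derived dynamically from event attributes), here is an added example of a detection-as-code rule for the failed-login use case listed earlier. It is not code from Panther or the OSSEC project. It assumes the convention of module-level rule(event), severity(event) and title(event) functions evaluated once per log event, an event that supports dict-style .get(), and OSSEC alert fields named rule.level, rule.description, srcip, dstuser and hostname, modelled on OSSEC's JSON alert output; the sample events at the bottom are constructed.

```python
"""Detection-as-code rule for OSSEC failed-login events.

Added example, not code from Panther or the OSSEC project. It assumes:
  * module-level rule(event), severity(event) and title(event) functions,
    evaluated once per log event (the detection-as-code convention);
  * the event behaves like a dict (supports .get());
  * OSSEC alert fields named rule.level, rule.description, srcip, dstuser
    and hostname, modelled on OSSEC's JSON alert output.
"""

# Phrases that OSSEC's built-in rules put in the description of
# authentication failures (assumed; adjust to the rule set you actually run).
FAILED_LOGIN_KEYWORDS = (
    "authentication failed",
    "failed password",
    "login failed",
)

# Assumed privileged accounts whose failed logins deserve a higher severity.
PRIVILEGED_USERS = {"root", "admin"}


def _get(event, *path, default=None):
    """Walk nested dict keys, returning default when any key is missing."""
    node = event
    for key in path:
        if not isinstance(node, dict):
            return default
        node = node.get(key)
        if node is None:
            return default
    return node


def rule(event):
    """Fire when the OSSEC rule description indicates a failed login."""
    description = str(_get(event, "rule", "description", default="")).lower()
    return any(keyword in description for keyword in FAILED_LOGIN_KEYWORDS)


def severity(event):
    """Dynamic severity: OSSEC's own rule level plus which account was targeted."""
    try:
        level = int(_get(event, "rule", "level", default=0))
    except (TypeError, ValueError):
        level = 0  # malformed or missing level: treat as lowest
    user = str(_get(event, "dstuser", default="")).lower()
    if user in PRIVILEGED_USERS or level >= 10:
        return "HIGH"
    if level >= 5:
        return "MEDIUM"
    return "LOW"


def title(event):
    """Alert title used for deduplication and triage."""
    return "OSSEC failed login for {} on {} from {}".format(
        _get(event, "dstuser", default="<unknown user>"),
        _get(event, "hostname", default="<unknown host>"),
        _get(event, "srcip", default="<unknown source>"),
    )


# Constructed sample events shaped like OSSEC JSON alerts (not real data).
SAMPLE_EVENTS = [
    {
        "rule": {"level": 5, "description": "sshd: authentication failed."},
        "srcip": "203.0.113.7",
        "dstuser": "deploy",
        "hostname": "web-01",
    },
    {
        "rule": {"level": 5, "description": "sshd: authentication failed."},
        "srcip": "203.0.113.7",
        "dstuser": "root",
        "hostname": "web-01",
    },
    {
        "rule": {"level": 3, "description": "sshd: session opened."},
        "srcip": "198.51.100.2",
        "dstuser": "deploy",
        "hostname": "web-01",
    },
]


def evaluate(events):
    """Run the rule over a batch; returns (title, severity) for each alert."""
    return [(title(e), severity(e)) for e in events if rule(e)]


if __name__ == "__main__":
    for alert_title, alert_severity in evaluate(SAMPLE_EVENTS):
        print(alert_severity, alert_title)
```

Run on the constructed batch, the rule alerts on the two failed-login events and ignores the session-open event; the attempt against root is raised to HIGH while the same OSSEC level 5 event against an ordinary account stays MEDIUM, which is the "severity from event attributes" behaviour described above. The severity function also tolerates a missing or non-numeric rule.level rather than raising inside the detection.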
If you have any questions about configuring or monitoring OSSEC logs in Panther, we’re here to help. All customers have access to our technical support team via a dedicated Slack channel, email, or in-app messenger.
You can view our detailed documentation on configuring and monitoring OSSEC logs here, or customers can sign up for the Panther Community to share best practices or custom detections for monitoring OSSEC.
Replacing Traditional SIEM for OSSEC Log Monitoring
With Panther, you don’t have to struggle with rigid detection logic, waste time and effort on operational overhead, or pay skyrocketing costs to keep up with the growth of cloud app data. Panther was founded by a team of veteran security practitioners who struggled with legacy SIEM challenges first-hand, and built an intuitive, cloud-native platform to solve them.
Panther is a cloud-native SIEM built for security operations at scale, offering powerful detection-as-code, intuitive security workflows, and actionable real-time alerts to keep up with the needs of today’s security teams. For a powerful, flexible, and scalable SIEM solution for OSSEC, request a demo today.