I like using Prowl (in addition to Growl) with nagios. This allows me to get my notifications anywhere as long as I have my iphone. Just like with the growl notifications, the prowl notifications are just as easy to setup. It is very well documented here at the Reluctant Hacker.

One simple was is to get your notifications via growl. I really like this, it lets me know almost instantly when some is going on and I don’t have to worry about keeping my eyes on my email program while I’m busy on something else.

The way I implemented it was from a great script and good write up on the Nagios-users mailing list, you can see it all right here: Notify via Growl

So I simply edit my localhost.cfg and add:
define service{
use generic-service
host_name localhost
service_description Snort
check_command check_snort_procs!1:1!snort
}

Edit the commands.cfg and add:
define command{
command_name check_snort_procs
command_line $USER1$/check_procs -c $ARG1$ -C $ARG2$
}

reload nagios and thats it.

2. Unzip and untar the file
tar -xvzf adodb510.tgz

3. Move the folder
I did:
cp -R adodb5/ /Library/WebServer/Documents/adodb5/

4. Download base: http://sourceforge.net/projects/secureideas/ The version I got was: base-1.4.4.tar.gz

5. Unzip and tar the file
tar -xvzf base-1.4.4.tar.gz

6. You should now have a folder: base-1.4.4/
cd base-1.4.4/

7. Copy the base folder to your webserver folder
cp base-1.4.4/ /Library/WebServer/Documents/base/
change the owner on the folder
sudo chown -R _www:_www /Library/WebServer/Documents/base/
*NOTE*
With this version there was a known problem with the file: base_state_citems.inc.php on some setups, mine included.
So I had to download the fixed version from CVS
You can also download it from the website, follow the link from here:
http://secureideas.cvs.sourceforge.net/viewvc/secureideas/base-php4/includes/base_state_citems.inc.php?view=log
it goes in your /base/templates/

8. Now install the needed pear extensions for graphs to work in base
On my system it was as follows:
First I had to update pear to the rest of the packages would work:
sudo /usr/local/php5/bin/pear install PEAR-1.9.0

Then the following packages:
sudo /usr/local/php5/bin/pear install Image_Color
sudo /usr/local/php5/bin/pear install Image_Canvas-0.3.2
sudo /usr/local/php5/bin/pear install Image_Graph-0.7.2

9. Open up base in your browser:
http://localhost/base/setup/index.php
You should get the page up with the settings, if you have any errors you need to fix them first with their suggestions.
Once you answer all the setup questions you should have a working base install.

11. Get the rules from the snort site and untar them
I used snorttemp as the folder
12. Make a folder for the rules
mkdir /opt/local/etc/snort/
mkdir /opt/local/etc/snort/rules/
13. Copy the rules over
cd ~/snorttemp/rules/
cp * /opt/local/etc/snort/rules/
I also copied over the etc folder
cd ~/snorttemp/etc/
cp * /opt/local/etc/snort/
14. Edit the Snort configuration
vi /opt/local/etc/snort/snort.cfg
change “var HOME_NET any” to “var HOME_NET 192.168.0.0/24″ or whatever your home network is
change “var EXTERNAL_NET any” to “var EXTERNAL_NET !$HOME_NET” This is everything except your home network
change “var RULE_PATH ../rules” to “var RULE_PATH /opt/local/etc/snort/rules”
goto the line that starts with “# output database: log, mysql, user=” and remove the # from the begining of the line
enter your user password and db name
15. mysql setup
log in to mysql as root
mysql -u root -p

create a snort database
mysql> create database snort;

create a user and password to match your mysql setup in the snort config:
mysql> CREATE USER ’snort’@'localhost’ IDENTIFIED BY ’somepassword’;

give that user access to the database
mysql> GRANT ALL PRIVILEGES ON snort.* TO ’snort’@'localhost’;
mysql> exit

Import the snort schema into the database.
mysql -D snort -u root -p < /schemas/create_mysql

16. Start it up
snort -c /opt/local/etc/snort/snort.conf

If it works it should look something like:
–== Initialization Complete ==–

,,_ -*> Snort! <*-
o” )~ Version 2.8.5.1 (Build 114)
”” By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team

You can use ctrl+c to stop it.

So I had to make a boot disk. I’ve done it in Linux several times before but never from OSX. So the commands aren’t exactly the same, here are my notes taken from a couple places on the web, which should serve as a reminder for the next time I have do to it.

First I downloaded the debian image I wanted to use from there site.
Next I stuck the thumb drive in the box.
from the termial (I use iTerm)
#diskutil list
mine was listed as /dev/disk1
#diskutil unmountDisk /dev/disk1
#bzcat debian.img | dd of=/dev/disk1
#diskutil eject /dev/disk1

It was a simple as that. To test i stuck it in my handy netbook and reboot and I was at the lovely command prompt. Then of course other things happened that required my attention so I haven’t gotten back to that project of getting the box installed yet.

So copy that script as check_splunk and stick it in your libexec folder. If your playing along with my setup thats: /opt/local/libexec/nagios

Once you have it downloaded you can ./check_splunk ports or procs
I didn’t worry about checking or trying to edit the search portion as for what I’m doing I don’t really need it right now, but I will revisit it if the need arises.

Now you have the script, its time todo the normal nagios setup stuff.
1. Add it to your commands
vi /opt/local/etc/nagios/objects/commands.cfg

define command {
command_name check_splunk
command_line $USER1$/check_splunk $ARG1$
}

2. Add it to your localhost
vi /opt/local/etc/nagios/objects/localhost.cfg

define service{
use generic-service
host_name localhost
service_description Splunk Port
check_command check_splunk!ports
}

define service{
use generic-service
host_name localhost
service_description Splunk Procs
check_command check_splunk!procs
}

Now restart nagios and you should be good to go

1. Click Manager in the upper right-hand corner of Splunk Web.
2. Under System configurations, click Data Inputs.
3. Click Files and directories.
4. Click New to add an input
I choose Monitor a file or directory
6. Specify the path to the file:
With my setup it is:
/Library/WebServer/Documents/cacti/log/cacti.log
7. Under Host Heading
I choose constant value
8. Under Source Type
I choose Automatic
9. Click Save

Thats it now your cacti logs show up in splunk.

1. Add it to your commands (Note I’m adding a new command for this instead of using the command already there so I can pass some different information, plus I like to keep all my modifications separate to make things easier to reproduce on other boxes)

vi /opt/local/etc/nagios/objects/commands.cfg

# ‘check_ossec_procs’ command definition
define command{
command_name check_ossec_procs
command_line $USER1$/check_procs -c $ARG1$ -C ARG2$
}

2. Add it to your localhost
vi /opt/local/etc/nagios/objects/localhost.cfg

define service{
use generic-service
host_name localhost
service_description OSSEC csyslogd
check_command check_ossec_procs!1:1!ossec-csyslogd
}

define service{
use generic-service
host_name localhost
service_description OSSEC maild
check_command check_ossec_procs!1:1!ossec-maild
}

define service{
use generic-service
host_name localhost
service_description OSSEC execd
check_command check_ossec_procs!1:1!ossec-execd
}

define service{
use generic-service
host_name localhost
service_description OSSEC analysisd
check_command check_ossec_procs!1:1!ossec-analysisd
}

define service{
use generic-service
host_name localhost
service_description OSSEC logcollector
check_command check_ossec_procs!1:1!ossec-logcollector
}

define service{
use generic-service
host_name localhost
service_description OSSEC monitord
check_command check_ossec_procs!1:1!ossec-monitord
}

Now just reload nagios and you should be able to tell if you ossec process is there or not.

1. Edit your ossec.conf (If you’ve installed it like I have its located at: /var/ossec/etc/ossec.conf)
add the following block:
<syslog_output>
<server>172.10.2.3</server>
<port>10002</port>
</syslog_output>

2. Enable syslog_output module and restart OSSEC:
#/var/ossec/bin/ossec-control enable client-syslog
#/var/ossec/bin/ossec-control restart

On restart you’ll see ossec-csyslogd starting up.

On the Splunk Side
1. Goto Manager
2. Goto Data Inputs
3. On UDP click Add New
4. On my setup the UPD Port is 10002
5. Set sourcetype is Manual
6. Source type is ossec
7. Save

Now since things have changed in Splunk 4 the rest of the wiki entry doesn’t help. But there is more information on this Forum Thread.

So download that file and extract it to your splunk directory as stated. Restart splunk and bingo your OSSEC alerts plus lots of nice menu options to access that data.