Diego

Reputation: 503

aws autoscaling AMI with OSSEC installed

So we've created an autoscaling group with an AMI of our own. That AMI has a server and an automated OSSEC service that reports to a Slack channel. The thing is that when a new instance is launched, OSSEC sends a lot of alerts because the file signatures are different, and that is OK because when a new instance is launched it recreates the AMI on new volumes.

Now, how can I have OSSEC installed in those AMIs but not get all the alerts about changed files when a new instance is launched?

I tried restarting the OSSEC service when a new instance is launched, but it had the same behavior: OSSEC sends alerts that all the files were changed.

Upvotes: 0

Views: 216

Answers (3)

Daniel Majano

Reputation: 1116

I have been working on implementing OSSEC in our golden AMIs in AWS over the last few days, and this has been a huge pain due to the file-change alarms that are generated every time an EC2 instance is created.

There are two big points here:

  1. An EC2 instance is created using cloud-init. I had to create a new systemd unit for the ossec service so that it starts after cloud-final.service:
              [Unit]
              Description=OSSEC
              # Start only after cloud-init's final stage has finished writing files,
              # so the first syscheck baseline is taken from the finished instance.
              After=network.target cloud-final.service

              [Service]
              Type=forking
              ExecStart=/var/ossec/bin/ossec-control start
              ExecStop=/var/ossec/bin/ossec-control stop
              ExecReload=/var/ossec/bin/ossec-control restart
              Restart=always

              [Install]
              # cloud-final.service belongs to cloud-init.target, which is itself ordered
              # after multi-user.target. A unit that is After=cloud-final.service must
              # therefore not be wanted by multi-user.target (that is an ordering cycle
              # systemd would break by dropping a job); hang it off cloud-init.target.
              WantedBy=cloud-init.target
  2. OSSEC works using queues. You have to ensure that, at the moment you generate the AMI, the OSSEC service is stopped and the following directories are cleaned:
  • /var/ossec/queue/diff/local/*
  • /var/ossec/queue/syscheck/*
  • /var/ossec/logs/alerts/*

It took a big effort to achieve that, so I hope my answer in this post will be helpful in the future.

Upvotes: 0
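The bake-time half of this answer (stop OSSEC, empty the three state directories, verify, then snapshot) written out as a POSIX shell script. This is an added example, not code from the answer or from the OSSEC project. It assumes OSSEC is installed under /var/ossec with the stock ossec-control script, and that it runs as root during image creation (for instance from a Packer shell provisioner) immediately before the instance is imaged. The OSSEC root is a parameter so the same functions can be exercised against a scratch copy of the tree; the directory and function names are mine.

```shell
#!/bin/sh
# Added example: prepare an OSSEC installation for AMI baking.
# Assumptions (mine, not the answer's): OSSEC tree at $OSSEC root (default
# /var/ossec), stock bin/ossec-control, running as root on the build host.
set -eu

# State directories named in the answer. Only their contents are removed; the
# directories themselves keep their ownership and mode so the daemons start
# cleanly on first boot and take a fresh syscheck baseline.
OSSEC_STATE_DIRS="queue/diff/local queue/syscheck logs/alerts"

# Stop the daemons so they do not rewrite the queues while we clean them.
# Skipped silently when the tree has no ossec-control (e.g. a scratch copy).
ossec_stop() {
  root="$1"
  if [ -x "$root/bin/ossec-control" ]; then
    "$root/bin/ossec-control" stop || true
  fi
}

# Delete every entry below each state directory of the tree rooted at $1.
# find -delete works depth-first, so files go before the subdirectories holding them.
ossec_clean_state() {
  root="$1"
  for d in $OSSEC_STATE_DIRS; do
    [ -d "$root/$d" ] || continue
    find "$root/$d" -mindepth 1 -delete
  done
}

# Count leftover entries below the state directories; 0 means the image is clean.
ossec_state_leftovers() {
  root="$1"
  n=0
  for d in $OSSEC_STATE_DIRS; do
    [ -d "$root/$d" ] || continue
    c=$(find "$root/$d" -mindepth 1 | wc -l)
    n=$((n + c))
  done
  echo "$n"
}

# Bake-time entry point: stop, clean, verify. Returns non-zero if anything is
# left behind, so an image build that calls it fails instead of shipping old queues.
ossec_prepare_image() {
  root="${1:-/var/ossec}"
  [ -d "$root" ] || { echo "no OSSEC tree at $root" >&2; return 1; }
  ossec_stop "$root"
  ossec_clean_state "$root"
  left=$(ossec_state_leftovers "$root")
  if [ "$left" -ne 0 ]; then
    echo "OSSEC state not clean under $root: $left entries left" >&2
    return 1
  fi
  echo "OSSEC state clean under $root"
}

# Invoked directly, e.g. from a Packer provisioner:  sh prepare-ossec-image.sh /var/ossec
if [ -n "${1:-}" ]; then
  ossec_prepare_image "$1"
fi
```

Run this as the last provisioning step, after every package and configuration change that the image should carry, and then snapshot; anything that still modifies files after this point (including cloud-init on first boot, which is why the unit above waits for cloud-final.service) will show up as syscheck alerts.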

Diego

Reputation: 503

One way to solve this could be using a cron job or systemd to restart or start the hybrid OSSEC process.

In our case we decided to add the folders to the exceptions so that OSSEC doesn't scan those folders.

Upvotes: 0

Asri Badlah

Reputation: 2123

Since your OSSEC agent is included in your AMI, I don't think it is possible to stop these alerts on the first boot, because, as you said, it is simply what OSSEC does when it recognizes any change. So I would suggest not including the OSSEC agent in the image and instead installing it using user data whenever the autoscaling group creates a new instance. This may add extra time to boot the instances, but it may fix your problem.

Upvotes: 0
