SO Sensor only talking to my other ELK?


Blason R

Oct 9, 2017, 12:16:05 AM10/9/17
to security-onion
Hi SO Gurus :)

Would want to know if I can build only SO sensors with bro and then let that talk to my other built ELK stack? Would you please guide me on what changes I might need to achieve that on SO? On ELK I do have logstash running and configured to receive bro alerts on port 2556.

What do I do on SO sensor? Also does SO by default come with critical-stack agent installed?

Doug Burks

Oct 9, 2017, 6:14:56 AM10/9/17
to securit...@googlegroups.com
Hi Blason,

Replies inline.

On Mon, Oct 9, 2017 at 12:16 AM, Blason R <blas...@gmail.com> wrote:
> Hi SO Gurus :)
>
> Would want to know if I can build only SO sensors with bro and then let that talk to my other built ELK stack? Would you please guide me on what changes I might need to achieve that on SO? On ELK I do have logstash running and configured to receive bro alerts on port 2556.
>
> What do I do on SO sensor?

You can configure syslog-ng to forward Bro logs to your separate Elastic stack:
https://github.com/Security-Onion-Solutions/security-onion/wiki/ThirdPartyIntegration#how-do-i-send-bro-and-ossec-logs-to-an-external-syslog-collector

> Also does SO by default come with critical-stack agent installed?

No, the Critical Stack agent is not open source and is therefore not
included in Security Onion.


--
Doug Burks
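The syslog-ng forwarding Doug points at, written out as an added example that is not the wiki's or the project's own config: a fragment for the SO sensor's syslog-ng configuration that tails two Bro logs and ships each line to the poster's Logstash listener on TCP 2556. The collector address 10.0.0.50, the bro_conn/bro_dns program names and the /nsm/bro/logs/current/ log path are assumptions.

```conf
# Added example (not from the SO wiki): forward Bro logs from a
# Security Onion sensor to an external Logstash on TCP 2556.
# Assumed: Bro writes to /nsm/bro/logs/current/ and the collector
# at 10.0.0.50 (placeholder) parses standard syslog framing.

# Each Bro log is tailed as a raw line (no syslog parsing) and tagged
# with a program name so the collector can tell conn from dns.
source s_bro_conn {
    file("/nsm/bro/logs/current/conn.log"
         follow-freq(1)
         flags(no-parse)
         program-override("bro_conn"));
};

source s_bro_dns {
    file("/nsm/bro/logs/current/dns.log"
         follow-freq(1)
         flags(no-parse)
         program-override("bro_dns"));
};

# Single destination: the external Logstash tcp input on port 2556.
destination d_external_elk {
    tcp("10.0.0.50" port(2556));
};

# Wire both sources to the external collector.
log { source(s_bro_conn); destination(d_external_elk); };
log { source(s_bro_dns);  destination(d_external_elk); };
```

With flags(no-parse) the entire Bro TSV line lands in $MSG, so the Logstash side should parse the syslog header and then split the tab-separated message; tcp() sends in the clear, so on an untrusted link prefer syslog-ng's network() destination with transport("tls").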

Blason R

Oct 9, 2017, 1:38:30 PM10/9/17
to securit...@googlegroups.com
Awesome!! Thank you. Let me try doing that.

And how do I load those SO dashboards in other ELK? Where are those kept? Or templates?


--
Follow Security Onion on Twitter!
https://twitter.com/securityonion
---
You received this message because you are subscribed to a topic in the Google Groups "security-onion" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/security-onion/cQCwlsnvl9E/unsubscribe.
To unsubscribe from this group and all its topics, send an email to security-onion+unsubscribe@googlegroups.com.
To post to this group, send email to security-onion@googlegroups.com.
Visit this group at https://groups.google.com/group/security-onion.
For more options, visit https://groups.google.com/d/optout.

Doug Burks

Oct 9, 2017, 3:07:22 PM10/9/17
to securit...@googlegroups.com
First, please note the following:

- our dashboards are designed for our pipeline config and our specific software versions and may not work elsewhere

- we cannot provide any support whatsoever for running our dashboards elsewhere

That being said, you can find all of our Elastic config here:
https://github.com/Security-Onion-Solutions/elastic-test
--
Doug Burks

Blason R

Oct 10, 2017, 10:53:09 PM10/10/17
to securit...@googlegroups.com
Cool.. Thanks, man, and really appreciate you being so supportive.

Cheers!!

