Reporting

[Simon]

What is the best way to generate reports for events? I have used Snorby to generate a report but I could really do with a way to customise reports for instance generate a report for a specific sensor or network range.

Any suggestions?

Many Thanks

Simon

[Heine Lysemose]

Hi Simon

Sguil has some capabilities to report. I haven't done this myself but I see the menu from the client.

Otherwise, I know it isn't report, but ELSA has a dashboard functionality, 

https://code.google.com/p/enterprise-log-search-and-archive/wiki/Documentation#Dashboards

Here are two dashbaords for Snort and Bro

https://code.google.com/p/enterprise-log-search-and-archive/source/browse/#svn%2Ftrunk%2Felsa%2Fcontrib%2Fdashboards 

At last you can always query the database yourself.

Regards,

Lysemose

Simon

--
You received this message because you are subscribed to the Google Groups "security-onion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to security-onio...@googlegroups.com.
To post to this group, send email to securit...@googlegroups.com.
Visit this group at http://groups.google.com/group/security-onion.
For more options, visit https://groups.google.com/groups/opt_out.

[Simon]

Yea some reason SGUIL just seems to generate an empty report for which ever sensor I choose, ideally I would like a report like Snorbys but with the ability to select exactly what you want in it. I might end up having to manually create a report probably using Squerts data.

Thanks

Simon

[Martin Holste]

You can schedule ELSA queries as reports.  They can run against indexed or archived data.  What kinds of event reporting are you interested in?

[Simon Hall]

Sorry for the delay I have been away for a week, how do you go about scheduling ELSA queries as reports, I would like to generate a Report for all events on a specific network, maybe with TOP source and destination data.

--
You received this message because you are subscribed to a topic in the Google Groups "security-onion" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/security-onion/p5TG9-84am8/unsubscribe.
To unsubscribe from this group and all its topics, send an email to security-onio...@googlegroups.com.

[Martin Holste]

Once you get the query you like, click "Alert or schedule" under the "Result Options" button.  You can then schedule that query to be run any schedule you like.