Import syslog data to logstash


Tony Butt

Apr 11, 2018, 11:54:47 PM
to security-onion
I am currently importing some syslog data from our Linux webmail server to a sof-elk VM for monitoring. Having now resolved my issues with SecurityOnion + ELK, I'd like to send that data to the SecurityOnion system instead, and decommission the sof-elk system.
I'm currently using rsyslog to forward the logs to sof-elk.

Is there a recommended way to do this?

For instance, is this as simple as uncommenting the lines in 0003_input_syslog.conf, following the processing chain through logstash and checking the configuration, then restarting logstash?

Following from that, we have a Fortinet firewall whose logs I'd also like to forward in.

Wes Lambert

Apr 12, 2018, 6:57:05 AM
to securit...@googlegroups.com
Hi Tony,

You should just need to run so-allow on the Security Onion box to allow the syslog traffic in ('l' option).

If you have certain fields that you would like to have parsed, you will need to add your own configuration.

Thanks,
Wes
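As an added example (not from this thread, Wes's reply, or the Security Onion project), here is the kind of custom Logstash filter Wes refers to, applied to the Fortinet logs Tony wants to forward. FortiOS syslog messages are space-separated key=value pairs, so the Logstash kv filter can split them into fields without a hand-written grok pattern. The file name, the /etc/logstash/custom/ location, the `fortinet` target field and the `fortinet` tag are assumptions for illustration; the sample log line in the comment is constructed, not a captured event.

```conf
# Added example: /etc/logstash/custom/6500_filter_fortinet.conf (path and name assumed)
# Parses FortiOS syslog lines of this shape (constructed sample, not a real event):
#   date=2018-04-12 time=06:57:05 devname="fw01" devid="FG100D0000000000"
#   logid="0000000013" type="traffic" subtype="forward" level="notice"
#   srcip=10.0.0.5 srcport=51234 dstip=203.0.113.9 dstport=443 proto=6
#   action="accept" msg="forward traffic"
filter {
  # Only touch events that look like FortiOS key=value output; everything else
  # (for example the webmail server's rsyslog feed) passes through untouched.
  if [message] =~ "devname=" {
    kv {
      source      => "message"
      target      => "fortinet"   # assumed field name; keeps Fortinet keys off the top level
      field_split => " "
      value_split => "="
      # Double-quoted values such as msg="forward traffic" are handled by kv itself.
    }

    # FortiOS sends date= and time= as separate keys; join them so the event
    # carries the firewall's timestamp rather than the time Logstash received it.
    if [fortinet][date] and [fortinet][time] {
      mutate {
        add_field => { "[fortinet][timestamp]" => "%{[fortinet][date]} %{[fortinet][time]}" }
      }
      date {
        match  => [ "[fortinet][timestamp]", "yyyy-MM-dd HH:mm:ss" ]
        target => "@timestamp"
        # The device writes local time; add `timezone => "..."` here if the
        # firewall and the Security Onion box are not in the same zone.
      }
    }

    # Numeric fields as numbers, so Kibana range queries on ports work.
    mutate {
      convert => {
        "[fortinet][srcport]" => "integer"
        "[fortinet][dstport]" => "integer"
        "[fortinet][proto]"   => "integer"
      }
      add_tag => [ "fortinet" ]   # assumed tag, handy for dashboards and filtering
    }
  }
}
```

The file only adds a filter stage; it relies on the syslog input Tony already found (0003_input_syslog.conf) and on so-allow having opened the port, as Wes says. After dropping it in place, restart Logstash so the new file is picked up, then check a fresh event in Kibana for the `fortinet.*` fields. One caveat worth stating: plain syslog over UDP is unauthenticated, so anything that can reach the syslog port can inject events that this filter will happily parse and tag; when running so-allow, restrict the allowed source to the firewall's and webmail server's addresses rather than a whole subnet.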
