Using SO as a SYSLOG server


namobud...@gmail.com

Jul 14, 2015, 1:47:17 PM7/14/15
to securit...@googlegroups.com
I'm going to start using the SO as more of a syslog server in the coming weeks. I'm wondering what people's successes and failures have been with it?

I did some initial testing, and I use the Syslog-NG (Host) filter in ELSA to view syslogs. I'm wondering how folks do this at scale, and use SO as a syslog security tool. Also, how will sending a lot of syslog traffic to the SO server affect bandwidth?

Any sage advice is appreciated!

And Doug, you're awesome bro, thanks for the great SO project!

Thanks!

Doug Burks

Jul 14, 2015, 7:06:16 PM7/14/15
to securit...@googlegroups.com
Replies inline.

On Tue, Jul 14, 2015 at 1:47 PM, <namobud...@gmail.com> wrote:
> I'm going to start using the SO as more of a syslog server in the coming weeks. I'm wondering what people's successes and failures have been with it?

Yes, Security Onion is a very effective syslog server!

> I did some initial testing, and I use the Syslog-NG (Host) filter in ELSA to view syslogs.

Yes, also see the "Syslog-NG (Program)" query. Also, you can search
ELSA for an IP address, domain name, username, or other search
criteria and it will find that in any log in any sensor in your sensor
grid. If you want to run groupby queries on fields that aren't
currently being parsed, then you can write syslog-ng patterns to parse
out the proper values:
https://github.com/Security-Onion-Solutions/security-onion/wiki/CustomELSAParsers

> I'm wondering how folks do this at scale, and use SO as a syslog security tool.

If you do a Security Onion distributed deployment (master server and
one or more separate sensor boxes), then each box has its own syslog
collector and its own local ELSA database to store that syslog data.
The central ELSA web interface queries all sensors in parallel, giving
you a distributed database that can slice and dice your data very
quickly and easily.

> Also, how will sending a lot of syslog traffic to the SO server affect bandwidth?

If running a distributed deployment (master server and one or more
separate sensor boxes), then you don't have to send syslog traffic to
the master server at all. You can configure your syslog sender to
send to its nearest Security Onion box.

> Any sage advice is appreciated!
>
> And Doug, you're awesome bro, thanks for the great SO project!

Thanks for the feedback!


--
Doug Burks
Need Security Onion Training or Commercial Support?
http://securityonionsolutions.com
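As an added illustration of the two points in Doug's reply above (the Syslog-NG (Host) and (Program) queries, and writing patterns so that groupby queries can run on fields that are not parsed by default), here is a small Python model of that pipeline: a sender builds RFC 3164 datagrams, the collector splits the header into host/program/pid, and per-program patterns pull named fields out of the message body. This is example code written for this page, not ELSA or syslog-ng code; the pattern class names (ssh_login_failed, ssh_login_ok), hostnames, IP addresses and sample log lines are all constructed for the example.

```python
"""Toy model of a syslog collection pipeline as ELSA uses it: header fields
come for free from the syslog format, message-body fields exist only after
someone writes a pattern for them.  Illustration only; not ELSA/syslog-ng code."""

import re
import time
from collections import Counter
from typing import Dict, List, Optional

# Constructed sample lines, shaped as a syslog-ng collector would receive
# them on UDP/514.  Hostnames, IPs and PIDs are made up for this example.
SAMPLE_LINES = [
    "<86>Jul 14 13:47:17 webfw01 sshd[2312]: Failed password for invalid user admin from 203.0.113.7 port 51522 ssh2",
    "<86>Jul 14 13:47:18 webfw01 sshd[2312]: Failed password for invalid user admin from 203.0.113.7 port 51530 ssh2",
    "<86>Jul 14 13:47:19 webfw01 sshd[2315]: Accepted publickey for deploy from 198.51.100.4 port 40010 ssh2",
    "<30>Jul 14 13:48:02 dbsrv02 CRON[991]: (root) CMD (/usr/bin/run-backup)",
]

# RFC 3164 header: <PRI>TIMESTAMP HOST PROGRAM[PID]: MSG
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<program>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)

# Per-program message patterns: the role syslog-ng PatternDB rules play for
# ELSA's groupby fields.  Class names here are hypothetical.
PATTERNS: Dict[str, Dict[str, re.Pattern]] = {
    "sshd": {
        "ssh_login_failed": re.compile(
            r"^Failed password for (?:invalid user )?(?P<user>\S+) "
            r"from (?P<srcip>\S+) port (?P<srcport>\d+)"),
        "ssh_login_ok": re.compile(
            r"^Accepted (?P<method>\S+) for (?P<user>\S+) "
            r"from (?P<srcip>\S+) port (?P<srcport>\d+)"),
    },
}


def build_datagram(facility: int, severity: int, host: str, program: str,
                   pid: Optional[int], msg: str,
                   timestamp: Optional[str] = None) -> str:
    """Sender side: assemble one RFC 3164 line (PRI = facility*8 + severity)."""
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility must be 0-23 and severity 0-7")
    if timestamp is None:
        t = time.localtime()
        timestamp = f"{time.strftime('%b', t)} {t.tm_mday:2d} {time.strftime('%H:%M:%S', t)}"
    tag = f"{program}[{pid}]" if pid is not None else program
    return f"<{facility * 8 + severity}>{timestamp} {host} {tag}: {msg}"


def parse_syslog(line: str) -> Optional[Dict[str, str]]:
    """Collector side: split the header into fields; None if the line is not
    RFC 3164-shaped.  Junk on the syslog port is normal, so callers expect None."""
    m = SYSLOG_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    event = {k: v for k, v in m.groupdict().items() if v is not None}
    pri = int(event.pop("pri"))
    if pri > 191:  # largest valid PRI is 23*8 + 7
        return None
    event["facility"] = str(pri >> 3)
    event["severity"] = str(pri & 7)
    return event


def classify(event: Dict[str, str]) -> Dict[str, str]:
    """Apply the program's patterns; on a match add a class and the named fields.
    Unmatched events keep host/program so they stay searchable, just not groupable."""
    for name, pat in PATTERNS.get(event["program"], {}).items():
        m = pat.match(event["msg"])
        if m:
            return {**event, "class": name, **m.groupdict()}
    return {**event, "class": "unparsed"}


def ingest(lines: List[str]) -> List[Dict[str, str]]:
    """Parse and classify a batch, silently dropping non-syslog lines."""
    return [classify(e) for e in (parse_syslog(ln) for ln in lines) if e]


def group_by(events: List[Dict[str, str]], field: str,
             where_class: Optional[str] = None) -> Dict[str, int]:
    """The groupby ELSA runs: count events per value of a parsed field,
    optionally restricted to one pattern class."""
    return dict(Counter(
        e[field] for e in events
        if field in e and (where_class is None or e.get("class") == where_class)))


if __name__ == "__main__":
    events = ingest(SAMPLE_LINES)
    print(group_by(events, "host"))                                   # works for every event
    print(group_by(events, "srcip", where_class="ssh_login_failed"))  # needs the pattern
```

The point of the model is the contract Doug describes: host and program come from the syslog header, so the Syslog-NG (Host) and (Program) queries work on anything a device sends, while a groupby on a body field such as the source IP only returns results once a pattern for that program exists. In a real deployment that pattern lives in syslog-ng PatternDB XML on each sensor, per the CustomELSAParsers wiki page linked above, and the classify step runs on the sensor that received the message, which is why a distributed grid can answer such queries in parallel.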

namobud...@gmail.com

Jul 16, 2015, 9:31:40 AM7/16/15
to securit...@googlegroups.com
Doug this is great to know.

One more question I had was: will the ELSA databases automatically be purged when the hard disk on the sensors and server reaches 90%, using the hourly script, the way the pcaps get purged?

Thanks again!

On Tuesday, July 14, 2015 at 7:06:16 PM UTC-4, Doug Burks wrote:
> Replies inline.
>

namobud...@gmail.com

Jul 16, 2015, 9:35:42 AM7/16/15
to securit...@googlegroups.com
I see you answered this already and sorry for the dupe threads.