Security Onion - Technology Preview 3 - Logstash Configs


Josh Silvestro

Sep 6, 2017, 3:48:43 PM
to security-onion
Hello,

First, thanks for a great product, and second, I appreciate the effort put into moving to ELK so far!

Question:
Trying to configure logstash to parse Sophos UTM logs. I found a nice post with the config file laid out. However, I assume due to docker, I cannot find the location to place the config file, and the location of bin/logstash does not exist for telling logstash to use the config.

I know we're looking for feedback on operation, but this may be helpful for anyone new to security and/or your product.

I did try placing a sophos_utm.conf in /etc/logstash/conf.d/ and restarting services and still no luck. Thanks in advance!


Config:
https://community.sophos.com/products/unified-threat-management/f/management-networking-logging-and-reporting/74394/utm-remote-logging-to-logstash-elasticsearch-elk

Wes Lambert

Sep 6, 2017, 3:53:35 PM
to securit...@googlegroups.com
John,

The config files are located in /etc/logstash/conf.d.  Did you make sure to restart after placing the file?

sudo docker restart so-logstash

I would also tail the log file after restarting:

Ex. sudo docker restart so-logstash && sudo tail -f /var/log/logstash/logstash.log

Thanks,
Wes




Josh Silvestro

Sep 6, 2017, 4:14:10 PM
to security-onion
Wes,

Thanks for the fast reply. Did as suggested and I'm getting parse errors, which I can work out and find the issue. But would those errors cause no logs to show up? I haven't received a log since 12:15 UTC, which is about when I made the change.

Also, I removed the conf file I made and restarted again to see if any changes would occur. However, I'm still seeing parse errors?

Wes Lambert

Sep 6, 2017, 4:15:35 PM
to securit...@googlegroups.com
Josh,

An incorrect config file could cause the pipeline to shut down.  If you are seeing errors still, then it may be another issue.  Would you be able to provide said error(s) for context?

Thanks,
Wes
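
Wes's point above, that an incorrect config file can shut the pipeline down, is where the trouble in this thread came from, so the step a practitioner wants before `sudo docker restart so-logstash` is a pre-flight check of the new fragment. The following is an added example, not Security Onion's or Logstash's own tooling: a small POSIX sh/awk checker that rejects a pipeline fragment with unbalanced braces or an unterminated string, plus a wrapper that stages the file into /etc/logstash/conf.d, restarts so-logstash and tails the log exactly as Wes suggests. It only catches structural typos; the authoritative check is Logstash's own `--config.test_and_exit` flag, which needs the logstash binary that, as Josh noted, the Docker packaging in this release does not expose on the host. The directory, container name and log path come from the thread; the checker and the function names are our own.

```shell
#!/bin/sh
# Pre-flight check for a Logstash pipeline fragment before it goes into
# /etc/logstash/conf.d and so-logstash is restarted. A fragment with
# unbalanced braces or an unterminated string is the kind of typo that
# keeps the pipeline from starting, so such a file is refused.
# Added example; not part of Security Onion or Logstash.
#
# usage:  . ./logstash_preflight.sh
#         stage_config sophos_utm.conf

CONF_DIR=/etc/logstash/conf.d            # from the thread
CONTAINER=so-logstash                    # from the thread
LOG_FILE=/var/log/logstash/logstash.log  # from the thread

# check_braces FILE
# Walks FILE character by character, skipping "# ..." comments and the
# contents of "..." / '...' strings (honouring backslash escapes), and
# fails if { } do not balance or a string is left open at end of file.
# Prints the first problem found. Returns 0 when the file looks sane.
check_braces() {
  awk '
    BEGIN { depth = 0; in_str = 0; quote = ""; bad = 0 }
    {
      n = length($0)
      for (i = 1; i <= n; i++) {
        c = substr($0, i, 1)
        if (in_str) {
          if (c == "\\") { i++; continue }   # skip the escaped character
          if (c == quote) in_str = 0
          continue
        }
        if (c == "#") break                  # rest of the line is a comment
        if (c == "\"" || c == "\047") { in_str = 1; quote = c; continue }
        if (c == "{") depth++
        else if (c == "}") {
          depth--
          if (depth < 0) { print FILENAME ": stray } on line " NR; bad = 1; exit }
        }
      }
    }
    END {
      if (bad) exit 1
      if (in_str)     { print FILENAME ": unterminated string"; exit 1 }
      if (depth != 0) { print FILENAME ": " depth " unclosed {"; exit 1 }
    }
  ' "$1"
}

# stage_config FILE
# Refuses a structurally broken fragment; otherwise copies it into
# conf.d, restarts the container and follows the Logstash log so a
# pipeline failure shows up immediately instead of as silent log loss.
stage_config() {
  check_braces "$1" || { echo "refusing to stage $1" >&2; return 1; }
  sudo cp "$1" "$CONF_DIR/" &&
  sudo docker restart "$CONTAINER" &&
  sudo tail -f "$LOG_FILE"
}
```

If the check fails, fix the fragment and rerun it before touching conf.d; if it passes but Logstash still logs parse errors after the restart, the fault is in grok or kv semantics rather than structure, and the log tail is where to read it.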

Josh Silvestro

Sep 8, 2017, 11:20:47 AM
to security-onion
Wes,

Thanks - after removing the Sophos conf file, everything appears to be working again. I assume it's just an issue in my conf. I know it's a slight topic change; I can start a new post. How do you go about modifying the alert format?

In the prior version I modified sguild.email and had a nice alert format. I did that in the Tech Preview (sguild.email was in a new location altogether) and I just get a general "alert: RT from " and I can't seem to modify that anywhere?

Wes Lambert

Sep 8, 2017, 11:50:51 AM
to securit...@googlegroups.com
Josh,

sguild.email should not have moved.  Where is the file you are modifying located?

Thanks,
Wes

Josh Silvestro

Sep 11, 2017, 9:51:55 AM
to security-onion
Wes,

I was able to manually add the sguild.email and now everything appears to be working. Thanks!
