SecurityOnion as a Syslog server using ELSA


Grant Sims

Jul 17, 2014, 11:55:19 AM
to securit...@googlegroups.com
I am currently trying to set up Security Onion to replace our syslog appliance. I am having a hard time trying to get the results I'm looking for. I would like to be able to point our firewalls' logging to Security Onion, then use ELSA to search the syslogs for accepted and denied traffic. HOWEVER, the only way I could get this to work was to point our firewall devices at a different IP (our current syslog server), then sniff the traffic. This makes searching through ELSA difficult because the source is always the firewall and the destination is always the IP that I configured the firewall to send the syslogs to (our current syslog server).

What I would like is to be able to use it like our current syslog server, where I point the firewall device to Security Onion (the mgmt interface?) for logging; then, when I search by class=BRO_SYSLOG, the source and dest IPs will be the actual source and destination IP of the connection that the syslog message reported, NOT the source IP of the device that sent the syslog. Is this possible? Thanks!

Doug Burks

Jul 17, 2014, 8:07:51 PM
to securit...@googlegroups.com
Hi Grant,

Yes, you should be able to point your firewall device to the IP
address of the management interface of your Security Onion box.
syslog-ng should be listening there on standard syslog port 514 (udp
and tcp). sosetup should've opened these ports in UFW (the host-based
firewall), but you can verify by running:
sudo ufw status

Have you verified that you have no network firewall rules or ACLs
blocking the syslog traffic before it hits your management interface?




--
Doug Burks
http://securityonionsolutions.com
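As an added example (not from the thread, Security Onion or ELSA), the check I would run before chasing anything in ELSA: build an RFC 3164 syslog message carrying a unique tag and send it to the management interface over both UDP and TCP 514, as Doug describes syslog-ng listening there, then search ELSA for that tag. The management IP 192.168.0.10, the local0.info priority and the "sotest-" tag prefix are assumptions, and timestamps are written in UTC for determinism (real devices usually stamp local time).

```python
"""Send a uniquely tagged RFC 3164 syslog test message to a Security Onion
management IP over UDP and TCP 514, then search ELSA for the tag.  Added
example; the management IP used below is an assumed placeholder."""
import os
import socket
import sys
import time

# Facility/severity codes from RFC 3164 section 4.1.1 (subset).
FACILITY = {"kern": 0, "user": 1, "auth": 4, "local0": 16, "local4": 20, "local7": 23}
SEVERITY = {"emerg": 0, "alert": 1, "crit": 2, "err": 3, "warning": 4,
            "notice": 5, "info": 6, "debug": 7}
MONTHS = ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"]


def pri(facility: str, severity: str) -> int:
    """PRI = facility * 8 + severity; local0.info -> <134>."""
    return FACILITY[facility] * 8 + SEVERITY[severity]


def bsd_timestamp_utc(epoch: float) -> str:
    """'Mmm dd hh:mm:ss' with a space-padded day, as RFC 3164 requires.
    UTC is used here for determinism; real devices usually stamp local time."""
    t = time.gmtime(epoch)
    return "%s %2d %02d:%02d:%02d" % (MONTHS[t.tm_mon - 1], t.tm_mday,
                                      t.tm_hour, t.tm_min, t.tm_sec)


def build_message(facility, severity, hostname, tag, text, epoch=None) -> bytes:
    """Classic BSD syslog layout: <PRI>TIMESTAMP HOSTNAME TAG: MSG."""
    epoch = time.time() if epoch is None else epoch
    line = "<%d>%s %s %s: %s" % (pri(facility, severity), bsd_timestamp_utc(epoch),
                                 hostname, tag, text)
    return line.encode("ascii", "replace")


def make_tag() -> str:
    """Something unique to search for in ELSA, e.g. sotest-1405681323-4242."""
    return "sotest-%d-%d" % (int(time.time()), os.getpid())


def send_udp(msg: bytes, host: str, port: int = 514) -> None:
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(msg, (host, port))


def send_tcp(msg: bytes, host: str, port: int = 514) -> None:
    # Plain (non-octet-counted) syslog over TCP: one record per newline.
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall(msg + b"\n")


if __name__ == "__main__":
    so_mgmt_ip = sys.argv[1] if len(sys.argv) > 1 else "192.168.0.10"  # assumed placeholder
    tag = make_tag()
    msg = build_message("local0", "info", socket.gethostname(), tag,
                        "security onion syslog test")
    send_udp(msg, so_mgmt_ip)
    send_tcp(msg, so_mgmt_ip)
    print("sent over udp and tcp 514; search ELSA for:", tag)
```

Run it from a host that can reach the management interface while watching with `sudo tcpdump -ni <mgmt-if> port 514` on the Security Onion box, then search ELSA for the printed tag. If tcpdump sees the datagram and ELSA never shows the tag, the network and UFW are fine and the problem lies between syslog-ng and ELSA, which is where the rest of the thread ends up.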

Grant Sims

Jul 18, 2014, 11:11:56 AM
to securit...@googlegroups.com
Doing a tcpdump on my mgmt interface I can see the syslogs hitting the interface. However, in ELSA I can't find them.

I might also be having an issue with how to use ELSA to search through the syslogs. If I send syslogs to the mgmt interface, how would I search for syslogs coming from, say, device 192.168.0.1 (firewall) when I want to see any message (looking for accepts or denies) that references IP address 10.0.0.1 (host machine)?

ufw shows "514 ALLOW Anywhere".

Thanks!

Doug Burks

Jul 18, 2014, 6:08:03 PM
to securit...@googlegroups.com
On the list of ELSA queries on the left side, try "Host Logs:
Syslog-NG" and see if anything looks familiar.

If that doesn't work, try the following query and see what log types you get:
"10.0.0.1" groupby:program

Grant Sims

Jul 21, 2014, 11:27:49 AM
to securit...@googlegroups.com
This seems to be a parsing issue. I have two different devices I'm testing with: a Palo Alto firewall and an ASA firewall. Both show different results.

"Host='ip address of firewall'" does select the device that is sending the syslogs, but the only other parsed info is "program" and "class".

"Class" for both devices is 'NONE'.

"Program" for the Palo Alto is "1,'Date'", e.g. "1,2014/07/18". For the ASA it is %asa-'somedigits', e.g. "%asa-3-305012".

Is this expected behavior?

Thanks.

Doug Burks

Jul 21, 2014, 12:56:52 PM
to securit...@googlegroups.com
You may need to find existing parsers for your log formats or generate
your own parsers. You may want to take a look at the ELSA mailing
list:
https://groups.google.com/forum/#!forum/enterprise-log-search-and-archive

and also:
https://code.google.com/p/security-onion/wiki/FAQ#Where_do_I_put_my_custom_ELSA_parsers?
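The thread stops at "write a parser". What Grant observed (class NONE, "program" holding "1,2014/07/18" for the Palo Alto and "%asa-3-305012" for the ASA) is what you get when nothing has told the parser where the connection's own addresses live in those messages. The script below is an added example, not part of the thread, ELSA or either vendor's tooling; it does the extraction a custom parser has to express: strip the syslog header, pull source/destination/action out of ASA 106023 (deny) and 302013/302015 (built connection) messages and out of PAN-OS TRAFFIC CSV records, and then answer Grant's July 18 question (messages from firewall 192.168.0.1 that mention 10.0.0.1 as either endpoint). All log lines are constructed. The PAN-OS field positions are assumed from the PAN-OS 6.x syslog field list and the ASA "for"/"to" direction mapping from Cisco's documented examples; both should be checked against your own firmware before you turn this into a pattern.

```python
"""Parse Cisco ASA and Palo Alto (PAN-OS) traffic syslog into endpoint fields
(src/dst IP and port, action) so logs can be searched by the connection's own
addresses instead of the firewall that sent them.  Sample lines are constructed."""
import csv
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class FwEvent:
    reporter: str           # IP that sent the datagram (ELSA's "host" field)
    vendor: str             # "asa" or "panos"
    msgid: str              # ASA message number or PAN-OS subtype
    action: str             # normalised to "allow" or "deny"
    proto: str
    src_ip: str
    src_port: Optional[int]
    dst_ip: str
    dst_port: Optional[int]


# RFC 3164 header "<PRI>Mon dd hh:mm:ss host "; vendors vary, so it is optional.
SYSLOG_HDR = re.compile(r"^<\d{1,3}>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d \S+ (?P<msg>.*)$")
# ASA 106023: Deny <proto> src <if>:<ip>[/<port>] dst <if>:<ip>[/<port>] by access-group ...
ASA_DENY = re.compile(
    r"%ASA-\d-(?P<id>106023): Deny (?P<proto>\w+) src \S+?:(?P<sip>[\d.]+)(?:/(?P<sport>\d+))? "
    r"dst \S+?:(?P<dip>[\d.]+)(?:/(?P<dport>\d+))?", re.I)
# ASA 302013/302015: Built in|outbound TCP|UDP connection N for <if>:<ip>/<port> (...) to <if>:<ip>/<port> (...)
ASA_BUILT = re.compile(
    r"%ASA-\d-(?P<id>30201[35]): Built (?P<dir>inbound|outbound) (?P<proto>\w+) connection \d+ "
    r"for \S+?:(?P<ip1>[\d.]+)/(?P<port1>\d+) \([^)]*\) to \S+?:(?P<ip2>[\d.]+)/(?P<port2>\d+)", re.I)
# PAN-OS TRAFFIC log is CSV; 0-based field positions assumed from the PAN-OS 6.x
# syslog field list (Type, Subtype, Src, Dst, SPort, DPort, Proto, Action).
PAN_TYPE, PAN_SUBTYPE, PAN_SRC, PAN_DST, PAN_SPORT, PAN_DPORT, PAN_PROTO, PAN_ACTION = 3, 4, 7, 8, 24, 25, 29, 30


def strip_header(line: str) -> str:
    m = SYSLOG_HDR.match(line)
    return m.group("msg") if m else line


def parse_asa(reporter: str, msg: str) -> Optional[FwEvent]:
    m = ASA_DENY.search(msg)
    if m:
        return FwEvent(reporter, "asa", m["id"], "deny", m["proto"].lower(),
                       m["sip"], int(m["sport"]) if m["sport"] else None,
                       m["dip"], int(m["dport"]) if m["dport"] else None)
    m = ASA_BUILT.search(msg)
    if m:
        # Assumption (consistent with Cisco's documented examples): the "for" endpoint
        # is on the outside interface, so for an outbound connection the initiating
        # host is the "to" endpoint.
        outbound = m["dir"].lower() == "outbound"
        src, sport = (m["ip2"], m["port2"]) if outbound else (m["ip1"], m["port1"])
        dst, dport = (m["ip1"], m["port1"]) if outbound else (m["ip2"], m["port2"])
        return FwEvent(reporter, "asa", m["id"], "allow", m["proto"].lower(),
                       src, int(sport), dst, int(dport))
    return None  # other ASA messages (config changes, VPN, ...) carry no connection


def parse_panos(reporter: str, msg: str) -> Optional[FwEvent]:
    f = next(csv.reader([msg]))
    if len(f) <= PAN_ACTION or f[PAN_TYPE] != "TRAFFIC":
        return None
    action = "allow" if f[PAN_ACTION].lower() == "allow" else "deny"
    return FwEvent(reporter, "panos", f[PAN_SUBTYPE], action, f[PAN_PROTO].lower(),
                   f[PAN_SRC], int(f[PAN_SPORT]), f[PAN_DST], int(f[PAN_DPORT]))


def parse_events(datagrams: List[Tuple[str, str]]) -> List[FwEvent]:
    # datagrams: (sender IP, raw payload) pairs as a UDP/514 listener receives them.
    events = []
    for sender, line in datagrams:
        msg = strip_header(line)
        ev = parse_asa(sender, msg) if "%ASA-" in msg.upper() else parse_panos(sender, msg)
        if ev:
            events.append(ev)
    return events


def search(events, reporter=None, ip=None, action=None) -> List[FwEvent]:
    """Events sent by firewall `reporter` whose connection has `ip` as either endpoint."""
    return [e for e in events if (reporter is None or e.reporter == reporter)
            and (ip is None or ip in (e.src_ip, e.dst_ip)) and (action is None or e.action == action)]


# Constructed sample datagrams: 192.168.0.1 is an ASA, 192.168.0.2 a Palo Alto.
SAMPLE = [
    ("192.168.0.1", "<166>Jul 18 11:02:03 fw01 %ASA-6-302013: Built outbound TCP connection 12345 "
                    "for outside:203.0.113.5/443 (203.0.113.5/443) to inside:10.0.0.1/51234 (10.0.0.1/51234)"),
    ("192.168.0.1", "<164>Jul 18 11:02:03 fw01 %ASA-4-106023: Deny tcp src inside:10.0.0.1/51240 "
                    "dst outside:203.0.113.9/23 by access-group \"inside_access_in\" [0x0, 0x0]"),
    ("192.168.0.1", "<164>Jul 18 11:02:04 fw01 %ASA-4-106023: Deny icmp src outside:198.51.100.22 "
                    "dst inside:10.0.0.7 (type 8, code 0) by access-group \"outside_access_in\" [0x0, 0x0]"),
    ("192.168.0.1", "<165>Jul 18 11:02:05 fw01 %ASA-5-111008: User 'admin' executed the 'show run' command."),
    ("192.168.0.2", "<14>Jul 18 11:02:04 PA-200 1,2014/07/18 11:02:04,0001A100123,TRAFFIC,end,1,2014/07/18 11:02:04,"
                    "10.0.0.1,198.51.100.7,0.0.0.0,0.0.0.0,allow-web,,,web-browsing,vsys1,trust,untrust,"
                    "ethernet1/2,ethernet1/1,log-fwd,,12345,1,51234,80,0,0,0x0,tcp,allow,1234,600,634,10"),
    ("192.168.0.2", "<14>Jul 18 11:02:05 PA-200 1,2014/07/18 11:02:05,0001A100123,TRAFFIC,drop,1,2014/07/18 11:02:05,"
                    "10.0.0.1,203.0.113.9,0.0.0.0,0.0.0.0,deny-telnet,,,telnet,vsys1,trust,untrust,"
                    "ethernet1/2,ethernet1/1,log-fwd,,12346,1,51240,23,0,0,0x0,tcp,deny,60,60,0,1"),
]

if __name__ == "__main__":
    for e in search(parse_events(SAMPLE), reporter="192.168.0.1", ip="10.0.0.1"):
        print(e)
```

Run as-is it prints the two ASA events that involve 10.0.0.1 (the built connection and the denied telnet attempt); `search(events, ip="10.0.0.1", action="deny")` returns the denies from both firewalls, which is the query Grant wanted and which ELSA cannot answer while class is NONE. The fields this script extracts (srcip, srcport, dstip, dstport, action, proto) are exactly what a custom ELSA parser for these two formats has to name, so once it is placed where the Security Onion FAQ says custom parsers go, the endpoint addresses become searchable instead of only the sending host.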