Feeding syslogs into Security Onion / ELSA


Barry G

Mar 25, 2016, 9:30:15 PM
to security-onion
Hi,

I've got Security Onion running fine in a VM; I've also previously used a Sguil system I built 'from scratch' years ago...

I'd also like to have a centralized log server for the syslogs from my machines, including:
NSM Firewall & its integrated (snort-based) IPS
WebServer (including apache logs of web traffic)

and possibly some other servers.

Questions:
1. Does it make sense to try to load all of those logs into ELSA on SO?
Or would it make more sense to set up a separate ELSA or Graylog server?

2. Would SO be able to correlate events from Bro or Sguil with logs from my other sources?
e.g. find the apache log events matching an IDS event


Thank you,
Barry
Wes Lambert

Mar 25, 2016, 10:53:27 PM
to securit...@googlegroups.com

Barry,

You could definitely use ELSA for centralized logging. ELSA scales very well for enterprise log collection, storage, and analysis. You could send these logs to the master server or to a designated sensor. Many folks decide to use this for their network devices and other systems capable of forwarding syslog.

Depending on which logs you are looking to import, to be able to filter and search as you wish, you may need to add parsers for the particular log types.

You may not be able to perform direct correlation (such as IDS event to apache) between the log types, but you can determine correlation between the different logs by sorting, filtering and querying, based on various factors, and drilling into logs.

Thanks,
Wes

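The cross-source pivot Wes describes (sort, filter and query the two log types, then drill in) can be shown outside ELSA. The following is an added example, not code from Security Onion, ELSA or anyone in this thread. It assumes Apache "combined" access-log lines and Snort "fast" alert lines as the two sources, assumes a year for the alert timestamps (Snort's fast format omits it), and uses constructed sample log lines; the parsers stand in for the per-log-type parsers Wes mentions, and the join answers Barry's question 2 by finding the web requests around each IDS event.

```python
"""Correlate IDS alerts with Apache access-log requests by IP and time window.

Added example, not code from Security Onion, ELSA or this thread's authors.
All sample log lines below are constructed for illustration.
"""
import re
from bisect import bisect_left, bisect_right
from datetime import datetime, timedelta, timezone

ASSUMED_YEAR = 2016  # Snort's fast alert format carries no year; assumed here

# Constructed Apache "combined" access-log lines (client IP, timestamp, request).
APACHE_LINES = [
    '203.0.113.7 - - [25/Mar/2016:21:30:05 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [25/Mar/2016:21:30:12 +0000] "GET /cgi-bin/test.cgi?f=../../etc/passwd HTTP/1.1" 404 210 "-" "curl/7.47.0"',
    '198.51.100.23 - - [25/Mar/2016:21:30:13 +0000] "GET /about.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [25/Mar/2016:21:45:00 +0000] "GET /robots.txt HTTP/1.1" 200 64 "-" "curl/7.47.0"',
]

# Constructed Snort "fast" alert lines, as a snort-based IPS would write to alert.fast.
ALERT_LINES = [
    '03/25-21:30:12.481235  [**] [1:1122:5] WEB-MISC /etc/passwd [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.7:51234 -> 192.0.2.10:80',
    '03/25-21:31:00.000000  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.0.2.10:80 -> 198.51.100.23:40000',
]

APACHE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
ALERT_RE = re.compile(
    r'^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\] \[(?P<sid>[^\]]+)\] (?P<msg>.*?) \[\*\*\].*'
    r'\{(?P<proto>\w+)\} (?P<src>\d+\.\d+\.\d+\.\d+)(?::\d+)? -> (?P<dst>\d+\.\d+\.\d+\.\d+)(?::\d+)?$'
)


def parse_apache(lines):
    """Parse combined-log lines into dicts; lines that do not match are skipped."""
    out = []
    for line in lines:
        m = APACHE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        out.append({"ts": ts, "ip": m.group("ip"), "method": m.group("method"),
                    "path": m.group("path"), "status": int(m.group("status"))})
    return out


def parse_alerts(lines, year=ASSUMED_YEAR):
    """Parse Snort fast-format alerts; timestamps are treated as UTC in the assumed year."""
    out = []
    for line in lines:
        m = ALERT_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%m/%d-%H:%M:%S.%f")
        ts = ts.replace(year=year, tzinfo=timezone.utc)
        out.append({"ts": ts, "sid": m.group("sid"), "msg": m.group("msg"),
                    "src": m.group("src"), "dst": m.group("dst")})
    return out


def correlate(alerts, requests, window_seconds=60):
    """For each alert, return the requests whose client IP is either alert endpoint
    and whose timestamp lies within +/- window_seconds of the alert.
    Requests are sorted once so each alert's time window is a bisect, not a full scan."""
    reqs = sorted(requests, key=lambda r: r["ts"])
    times = [r["ts"] for r in reqs]
    window = timedelta(seconds=window_seconds)
    matched = []
    for a in alerts:
        endpoints = {a["src"], a["dst"]}  # the web client may be src or dst depending on direction
        lo = bisect_left(times, a["ts"] - window)
        hi = bisect_right(times, a["ts"] + window)
        hits = [r for r in reqs[lo:hi] if r["ip"] in endpoints]
        matched.append((a, hits))
    return matched


def matched_paths(window_seconds=60):
    """Run the join over the constructed samples and return {alert sid: [request paths]}."""
    pairs = correlate(parse_alerts(ALERT_LINES), parse_apache(APACHE_LINES), window_seconds)
    return {a["sid"]: [r["path"] for r in hits] for a, hits in pairs}


if __name__ == "__main__":
    for sid, paths in matched_paths().items():
        print(sid, "->", paths)
```

The window size is the knob that matters: at 60 seconds the second alert (server-to-client direction) still lines up with the 198.51.100.23 request 47 seconds earlier, at 30 seconds it finds nothing. Clock skew between the web server and the sensor, and the missing year in Snort's fast format, are why timestamps should be normalised before this kind of join rather than compared as strings.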

namobud...@gmail.com

Mar 28, 2016, 8:22:02 AM
to security-onion
If you just point your syslog servers towards Security Onion it should receive them and work I believe.

Wes

Mar 28, 2016, 9:45:19 PM
to security-onion

Barry,

You can have a look here for more information:

https://github.com/Security-Onion-Solutions/security-onion/wiki/Syslog

Thanks,
Wes
