Snort / Bro Logs to Logstash with Filebeat


jesse...@gmail.com

Dec 18, 2017, 10:20:33 PM
to security-onion
Hello all,

I'm looking to configure Security Onion with Filebeat to send Bro and Snort logs to Logstash remotely but in the same internal network. Has anyone set up Security Onion with Filebeat for this purpose? I've been looking for posts or guidance for something similar, but haven't seen anything specific to Security Onion. I wanted to hit up the Google group prior to pulling the trigger. Any suggestions? Thanks.

V/r,

Jesse

Wes Lambert

Dec 18, 2017, 10:38:31 PM
to securit...@googlegroups.com
Jesse,

You should be able to use so-allow to allow the beats port (in Beta 3). All other versions do not expose this port externally (would require SSH tunnel w/ port forward). Keep in mind, we only have a basic mapping template in place for Winlogbeat, so you could certainly still use Filebeat, but there would be no guarantee that the fields would be properly mapped, etc., unless you provided your own mapping (which may get overwritten in the future). We are in the process of providing further mappings support for different types of Beat usage. As support is more official we will provide more documentation detailing integration.

Back to Filebeat, you should be able to follow the instructions provided by Elastic, and point the Beat to your Security Onion machine after allowing port 5044 through so-allow.

Thanks,
Wes


--
Follow Security Onion on Twitter!
https://twitter.com/securityonion
---
You received this message because you are subscribed to the Google Groups "security-onion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to security-onion+unsubscribe@googlegroups.com.
To post to this group, send email to security-onion@googlegroups.com.
Visit this group at https://groups.google.com/group/security-onion.
For more options, visit https://groups.google.com/d/optout.

jesse...@gmail.com

Dec 18, 2017, 10:43:46 PM
to security-onion
Hello Wes,

Thanks. So, I've been reading various Filebeat guides. It seems as though I need to install Filebeat on Security Onion, and configure it to send the Bro/Snort logs to the system that has Logstash. Then I need to create input/output configs for Logstash to ingest the logs and visualize them in Kibana. Does this make sense to you? I'm going to give it a shot soon.


Wes Lambert

Dec 18, 2017, 10:49:16 PM
to securit...@googlegroups.com
Sorry, I completely missed the first part due to multi-tasking. I've not set up Filebeat on Security Onion itself to forward logs, but have you considered using syslog-ng to forward logs in that manner, simply changing the local destination to a remote one?

Also, is there any reason you would not want to try using Security Onion on the Elastic Stack?

Thanks,
Wes


Wes Lambert

Dec 18, 2017, 10:50:43 PM
to securit...@googlegroups.com
But yes, for Logstash, you would need various input/output config files to process the incoming data/process it/and send it to Elasticsearch (unless you feed Elasticsearch directly from Filebeat).
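The setup discussed in this thread (Filebeat on the Security Onion sensor pointed at a remote Logstash on port 5044, plus the Logstash input/output configuration Wes mentions here) as an added example; it is not code from the thread or from the Security Onion project. It writes a Filebeat config and a matching Logstash pipeline and, when the binaries are installed, validates them with each tool's own config check. The collector hostname, the certificate paths, the Snort alert file path and the `log_source` field name are assumptions; `/nsm/bro/logs/current` is the usual Bro log directory on Security Onion of that era but should be confirmed on your sensor. The `filebeat.inputs` key applies to Filebeat 6.3 and later (earlier 6.x releases use `filebeat.prospectors`). Mutual TLS is configured on both sides so that only an authenticated sensor can push events into the pipeline and the sensor only talks to the collector it was issued a CA for; so-allow still has to be run on the Security Onion box to open 5044.

```shell
#!/bin/sh
# Added example, not from the thread or the Security Onion project.
# Writes a Filebeat config (sensor side) and a Logstash beats pipeline
# (collector side), then validates them if the tools are present.
set -eu

# Assumed values; override via the environment for your deployment.
LOGSTASH_HOST="${LOGSTASH_HOST:-logstash.internal.example}"   # hypothetical collector
LOGSTASH_PORT="${LOGSTASH_PORT:-5044}"                         # beats port from the thread
BRO_LOG_DIR="${BRO_LOG_DIR:-/nsm/bro/logs/current}"            # Security Onion Bro path (confirm locally)
SNORT_ALERT_FILE="${SNORT_ALERT_FILE:-/var/log/nsm/SENSOR-eth1/alert.fast}"  # placeholder path

# Sensor side: ship Bro and Snort text logs to Logstash over mutual TLS.
write_filebeat_config() {
  cat > "$1" <<EOF
filebeat.inputs:            # use filebeat.prospectors on Filebeat 6.0-6.2
  - type: log
    enabled: true
    paths:
      - ${BRO_LOG_DIR}/*.log
    fields:
      log_source: bro       # assumed tag name, used by the Logstash filter below
    fields_under_root: true
  - type: log
    enabled: true
    paths:
      - ${SNORT_ALERT_FILE}
    fields:
      log_source: snort
    fields_under_root: true

output.logstash:
  hosts: ["${LOGSTASH_HOST}:${LOGSTASH_PORT}"]
  ssl.certificate_authorities: ["/etc/filebeat/ca.crt"]   # assumed: CA that signed the collector cert
  ssl.certificate: "/etc/filebeat/sensor.crt"             # assumed: client cert for this sensor
  ssl.key: "/etc/filebeat/sensor.key"
EOF
}

# Collector side: beats input, a small filter, Elasticsearch output.
write_logstash_pipeline() {
  cat > "$1" <<EOF
input {
  beats {
    port => ${LOGSTASH_PORT}
    ssl => true
    ssl_certificate => "/etc/logstash/certs/logstash.crt"        # assumed paths
    ssl_key => "/etc/logstash/certs/logstash.key"
    ssl_certificate_authorities => ["/etc/logstash/certs/ca.crt"]
    ssl_verify_mode => "force_peer"   # reject sensors that present no valid client cert
  }
}
filter {
  # Bro TSV logs carry comment/header lines starting with '#'; drop them.
  if [log_source] == "bro" and [message] =~ /^#/ {
    drop { }
  }
}
output {
  elasticsearch {
    hosts => ["localhost:9200"]
    # One index per source so Bro and Snort fields never collide in one mapping.
    index => "%{log_source}-%{+YYYY.MM.dd}"
  }
}
EOF
}

# Run each tool's own syntax check when it is installed; skip otherwise.
validate_configs() {
  if command -v filebeat >/dev/null 2>&1; then
    filebeat test config -c "$1"
  fi
  if command -v logstash >/dev/null 2>&1; then
    logstash --config.test_and_exit -f "$2"
  fi
}

# Usage: sh ship-to-logstash.sh write <output-dir>
case "${1:-}" in
  write)
    dir="${2:-.}"
    write_filebeat_config "$dir/filebeat.yml"
    write_logstash_pipeline "$dir/beats.conf"
    validate_configs "$dir/filebeat.yml" "$dir/beats.conf"
    ;;
esac
```

Copy `filebeat.yml` to the sensor and `beats.conf` to the Logstash host; `filebeat test output -c filebeat.yml` from the sensor confirms that port 5044 is reachable through so-allow and that the TLS handshake completes before any log data is sent.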

Wes Lambert

Dec 18, 2017, 10:55:39 PM
to securit...@googlegroups.com

jesse...@gmail.com

Dec 18, 2017, 10:56:16 PM
to security-onion
It's all good. I resorted to this setup because I couldn't figure out how to get Winlogbeat to work with Security Onion.

I was considering pointing syslog to the system with logstash, but I wanted to learn how to utilize Filebeat, as I've heard good things about it relative to its compatibility with logstash.

jesse...@gmail.com

Dec 18, 2017, 10:58:26 PM
to security-onion
I actually did go over this site already. I'm considering using that if Filebeat gives me trouble. I can make a logstash input/output config after ingesting them via syslog. I'm just trying to make use of the new Filebeat technology if possible.