Adding additional network ports for Logstash


John Rossiter

May 4, 2020, 2:35:49 PM5/4/20
to security-onion
Hi,

I'm attempting to add an additional port in my logstash configuration as follows.

The input part of the plugin is as follows:

input {
  syslog {
    port => 1520
    type => "Cisco_Umbrella"
  }
}

When I reload the logstash config, I see logstash confirming the ports are open but ultimately the ports don't get opened on the SO host (not in netstat either). I'm assuming there is a docker configuration file somewhere, but can't seem to locate it. Would anyone know what I need to do here?

FYI - This does work on a non SO ELK stack.

Thanks for your help in advance!

John




Joe Brown

May 4, 2020, 2:52:19 PM5/4/20
to securit...@googlegroups.com
You will probably need to adjust the firewall on Security Onion. Even though logstash may be opening the port, the firewall is most likely blocking the connection.

Joe


John Rossiter

May 4, 2020, 2:55:47 PM5/4/20
to securit...@googlegroups.com
Thanks Joe. I should have mentioned that I did add the firewall ports to the firewall (ufw) and even tried turning it off. Either way, it does not have any effect.

thx

John Rossiter

May 4, 2020, 3:43:16 PM5/4/20
to security-onion
Thanks again. To clarify, you mean ufw, correct? As I mentioned, I've tried both adding the ports using the ufw commands and then even turning it off... same issue. Is there another configuration I should be looking at here?
If I look at iptables, I see a docker section, which makes me think I may need to adjust the docker config for logstash, but I can't seem to find anything about it:

Chain DOCKER (2 references)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             172.17.0.2           tcp dpt:9300
ACCEPT     tcp  --  anywhere             172.17.0.2           tcp dpt:9200
ACCEPT     tcp  --  anywhere             172.17.0.3           tcp dpt:5601
ACCEPT     tcp  --  anywhere             172.17.0.4           tcp dpt:9600
ACCEPT     tcp  --  anywhere             172.17.0.4           tcp dpt:6053
ACCEPT     tcp  --  anywhere             172.17.0.4           tcp dpt:6052
ACCEPT     tcp  --  anywhere             172.17.0.4           tcp dpt:6051
ACCEPT     tcp  --  anywhere             172.17.0.4           tcp dpt:6050
ACCEPT     tcp  --  anywhere             172.17.0.4           tcp dpt:5044



Wes Lambert

May 4, 2020, 8:47:19 PM5/4/20
to securit...@googlegroups.com
You may also want to modify LOGSTASH_OPTIONS in /etc/nsm/securityonion.conf to publish the port.

Thanks,
Wes

John Rossiter

May 4, 2020, 9:34:20 PM5/4/20
to securit...@googlegroups.com
Thanks Wes, I appreciate the response. I tried both of the following:

# Logstash options
LOGSTASH_ENABLED="yes"
LOGSTASH_HOST="localhost"
LOGSTASH_PORT=9600,1520

and

# Logstash options
LOGSTASH_ENABLED="yes"
LOGSTASH_HOST="localhost"
LOGSTASH_PORT=1520
LOGSTASH_PORT=9600

But neither resulted in logstash (or anything else) listening on that port. As I mentioned in my initial post, this works perfectly on a non-SO ELK instance.


Thanks again,

John



Kailaas Nana

May 4, 2020, 10:15:57 PM5/4/20
to security-onion
Hey John,

We recently tried to also connect a Logstash instance in our cloud tenant to our on-prem SO master server.

We found that after adding the config file to "/etc/logstash/custom" and adding the firewall rules using "sudo ufw", we also needed to run "sudo nano /usr/sbin/so-logstash-start".

Towards the bottom there is some port mapping done and we had to put our custom port number in there. Should look like this:

# Publish ports to $LOGSTASH_PUBLISH_IP but control them with iptables rules in DOCKER-USER
docker run --name=so-logstash \
  --detach \
  --publish $LOGSTASH_PUBLISH_IP:CUSTOMPORT:CUSTOMPORT \
  --publish $LOGSTASH_PUBLISH_IP:5044:5044 \
  --publish $LOGSTASH_PUBLISH_IP:6050:6050 \
  --publish $LOGSTASH_PUBLISH_IP:6051:6051 \
  --publish $LOGSTASH_PUBLISH_IP:6052:6052 \
  --publish $LOGSTASH_PUBLISH_IP:6053:6053 \
  --publish $LOGSTASH_PUBLISH_IP:9600:9600 \

After doing this and restarting Logstash it seemed to work.

Cheers

Kailaas

Wes Lambert

May 4, 2020, 10:30:58 PM5/4/20
to securit...@googlegroups.com
Please don't modify /usr/sbin/so-logstash-start, as your changes may get overwritten during an update.

As I mentioned before, you should be able to do the same thing via LOGSTASH_OPTIONS in /etc/nsm/securityonion.conf (port mapping).

Thanks,
Wes



Kailaas Nana

May 4, 2020, 10:33:59 PM5/4/20
to security-onion
Alright if modifying it in securityonion.conf achieves the same thing we shall try that.

Thanks Wes.

John Rossiter

May 4, 2020, 10:40:13 PM5/4/20
to securit...@googlegroups.com
Thank you both! 

Wes, can you provide the syntax in the securityonion.conf file?

Would it look like this?

LOGSTASH_PORT=1520:1520  

As I mentioned in my earlier response, just adding an extra line in the config like this:

LOGSTASH_PORT=1520

was not effective.


Thanks!

John 


Wes Lambert

May 4, 2020, 10:44:42 PM5/4/20
to securit...@googlegroups.com
There should already be a line like:

LOGSTASH_OPTIONS=""

Change it to be like so:

LOGSTASH_OPTIONS="-p 0.0.0.0:1520:1520"

Thanks,
Wes

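An added check, not from the thread or from Security Onion's own scripts, that cross-references the ports a Logstash pipeline file listens on against the ports actually published to the host (the defaults seen in the DOCKER chain earlier in the thread plus any -p entries in LOGSTASH_OPTIONS); a port that is missing from both is exactly the symptom above, open inside the container but absent from the host's netstat. The sample files are constructed and the file paths are assumed.

```shell
#!/bin/sh
# Added example: report pipeline ports that are NOT published to the SO host.
# A port is considered published if so-logstash-start already maps it (5044,
# 6050-6053, 9600 per the DOCKER chain in this thread) or if it appears as
# "-p [IP:]HOSTPORT:CONTAINERPORT" inside LOGSTASH_OPTIONS in securityonion.conf.

DEFAULT_PUBLISHED="5044 6050 6051 6052 6053 9600"

# "port => N" values from a Logstash input block (syslog, tcp, beats, ...).
pipeline_ports() {
  sed -n 's/^[[:space:]]*port[[:space:]]*=>[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$1" | sort -un
}

# Host ports from the -p/--publish mappings inside LOGSTASH_OPTIONS="...".
published_ports() {
  sed -n 's/^LOGSTASH_OPTIONS="\(.*\)".*/\1/p' "$1" | tr ' ' '\n' \
    | sed -n 's/^\([0-9.]*:\)\{0,1\}\([0-9][0-9]*\):[0-9][0-9]*\(\/[a-z]*\)\{0,1\}$/\2/p'
}

# Usage: missing_ports securityonion.conf pipeline.conf -> one unpublished port per line.
missing_ports() {
  all="$DEFAULT_PUBLISHED $(published_ports "$1" | tr '\n' ' ')"
  for p in $(pipeline_ports "$2"); do
    case " $all " in *" $p "*) ;; *) echo "$p" ;; esac
  done
}

# Constructed sample files standing in for /etc/nsm/securityonion.conf and a
# custom pipeline under /etc/logstash/custom/ (paths assumed from the thread).
TMP=$(mktemp -d)
PIPELINE="$TMP/cisco_umbrella.conf"
CONF_BROKEN="$TMP/securityonion.conf.broken"   # LOGSTASH_PORT edit only, no -p mapping
CONF_FIXED="$TMP/securityonion.conf.fixed"     # Wes's LOGSTASH_OPTIONS mapping
printf 'input {\n  syslog {\n    port => 1520\n    type => "Cisco_Umbrella"\n  }\n  beats {\n    port => 5044\n  }\n}\n' > "$PIPELINE"
printf 'LOGSTASH_ENABLED="yes"\nLOGSTASH_PORT=9600,1520\nLOGSTASH_OPTIONS=""\n' > "$CONF_BROKEN"
printf 'LOGSTASH_ENABLED="yes"\nLOGSTASH_OPTIONS="-p 0.0.0.0:1520:1520"\n' > "$CONF_FIXED"

echo "unpublished with LOGSTASH_PORT edit only: $(missing_ports "$CONF_BROKEN" "$PIPELINE")"
echo "unpublished with LOGSTASH_OPTIONS mapping: $(missing_ports "$CONF_FIXED" "$PIPELINE")"
```

Run it on the real files with the two paths substituted; any port it prints still needs a -p entry (and the matching ufw rule) before a remote sender can reach it.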
John Rossiter

May 4, 2020, 10:54:42 PM5/4/20
to securit...@googlegroups.com

Wes Lambert

May 4, 2020, 11:28:56 PM5/4/20
to securit...@googlegroups.com