I'm trying to set up Security Onion to feed alerts into a SumoLogic collector. I'd like it to have the sorts of alerts that are visible in squert and sguil, but having trouble finding a log file that is only that. I'm using Suricata as the IDS engine, but the suricata log doesn't include the alerts. Has anyone done something like this and could point me to a guide of some sort?
Another question, does Security Onion send out alerts on port 443? The reason I ask is, I've been connecting to the sensor over openvpn that calls back to my openvpn server on AWS using port 443, but when I ssh in through that, alerts show up in the terminal in real time. Any idea why this would be the case? If I could get exactly these alerts fed to the SumoLogic collector my problem would be solved.
--
Follow Security Onion on Twitter!
https://twitter.com/securityonion
---
You received this message because you are subscribed to the Google Groups "security-onion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to security-onion+unsubscribe@googlegroups.com.
To post to this group, send email to security-onion@googlegroups.com.
Visit this group at https://groups.google.com/group/security-onion.
For more options, visit https://groups.google.com/d/optout.
When I ssh in through VPN I'm getting exactly the sort of alerts I'm looking for showing up in the terminal in real time, things like:
2017 Aug 24 18:49:27 micro2 [1:2012648:3] ET POLICY Dropbox Client Broadcasting [Classification: Potential Corporate Privacy Violation] [Priority: 1]: <micro2-eth0> {UDP} 172.x.x.x:17500 -> 255.255.255.255:17500
I want to know where things like that get recorded, and why it would be showing up in terminal spontaneously but only when I ssh into it by the VPN, and not directly.
On Thursday, August 24, 2017 at 2:21:29 PM UTC-4, Wes wrote:
> Josh.
>
> The actual log file to which you are referring is /var/log/nsm/securityonion/sguild.log.
>
> You can get more info on what (it sounds like) you are looking for here:
>
> https://github.com/Security-Onion-Solutions/security-onion/wiki/ThirdPartyIntegration#how-do-i-send-ids-alerts-to-an-external-system
>
> To answer your second question, alerts are sent from the sensor to the server on port 7736.
>
> You can find the required ports for a sensor to connect to a master here:
>
> https://github.com/Security-Onion-Solutions/security-onion/wiki/Firewall#sensors-automatically-add-their-own-firewall-rules-to-the-master-server
>
> Thanks,
> Wes
>
> On Thu, Aug 24, 2017 at 11:37 AM, Josh Galloway <jsha...@gmail.com> wrote:
Josh,
From the link:
Please note that this option requires "set DEBUG 2" in /etc/sguild/sguild.conf.
This is required to see the output of alerts, etc. (and a restart of sguild).
To the second question, it sounds like your sensor isn't reaching the required port(s) on the server until you log in, so it sounds like there is no persistent tunnel or it isn't configured correctly.
You may want to take a look at:
https://github.com/Security-Onion-Solutions/security-onion/wiki/CloudClient
Thanks,
Wes
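Added example (not from the thread or the Security Onion project): a small parser for alert lines in the one-line format Josh pasted above, turning each into a JSON record that a collector such as SumoLogic can ingest. It assumes the alert lines that sguild emits at DEBUG 2 have exactly that shape (timestamp, sensor, [gid:sid:rev], signature text, optional classification, priority, interface, protocol, src -> dst with ports omitted for ICMP); lines that do not match are skipped so ordinary sguild debug chatter is not forwarded. The sample log text, the second signature (sid 1000001) and the IP addresses are constructed for the example.

```python
import json
import re
from datetime import datetime
from typing import Iterable, List, Optional

# Regex for the alert line format quoted in the thread (Snort/Suricata "fast"-style
# text relayed by sguild). Assumption: sguild.log at DEBUG 2 prints alerts in this
# shape. The Classification block and the ports (absent for ICMP) are optional.
ALERT_RE = re.compile(
    r"^(?P<ts>\d{4} \w{3} \d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<sensor>\S+) "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] "
    r"(?P<msg>.*?) "
    r"(?:\[Classification: (?P<classification>[^\]]*)\] )?"
    r"\[Priority: (?P<priority>\d+)\]: "
    r"<(?P<iface>[^>]+)> "
    r"\{(?P<proto>[^}]+)\} "
    r"(?P<src>\S+?)(?::(?P<sport>\d+))? -> "
    r"(?P<dst>\S+?)(?::(?P<dport>\d+))?$"
)

# Constructed sample: the first line mirrors the alert pasted in the thread with a
# private address filled in; the second is a made-up local rule (sid 1000001) on
# ICMP, which has no ports; the third is non-alert noise that must be skipped.
SAMPLE_LOG = """\
2017 Aug 24 18:49:27 micro2 [1:2012648:3] ET POLICY Dropbox Client Broadcasting [Classification: Potential Corporate Privacy Violation] [Priority: 1]: <micro2-eth0> {UDP} 172.16.0.10:17500 -> 255.255.255.255:17500
2017 Aug 24 18:50:02 micro2 [1:1000001:1] LOCAL TEST ICMP ping (constructed) [Classification: Misc activity] [Priority: 3]: <micro2-eth0> {ICMP} 172.16.0.10 -> 172.16.0.1
Connect from 10.0.0.5 (constructed non-alert sguild line, skipped by the parser)
"""


def parse_alert(line: str) -> Optional[dict]:
    """Return a flat dict for one alert line, or None if the line is not an alert."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    # The line carries no timezone; the timestamp is the sensor's local time.
    ts = datetime.strptime(d["ts"], "%Y %b %d %H:%M:%S")
    return {
        "timestamp": ts.isoformat(),
        "sensor": d["sensor"],
        "interface": d["iface"],
        "gid": int(d["gid"]),
        "sid": int(d["sid"]),
        "rev": int(d["rev"]),
        "signature": d["msg"],
        "classification": d["classification"],
        "priority": int(d["priority"]),
        "proto": d["proto"],
        "src_ip": d["src"],
        "src_port": int(d["sport"]) if d["sport"] else None,
        "dst_ip": d["dst"],
        "dst_port": int(d["dport"]) if d["dport"] else None,
    }


def alerts_to_json(lines: Iterable[str]) -> List[str]:
    """Convert every parseable alert line to one JSON document; drop the rest."""
    out = []
    for line in lines:
        rec = parse_alert(line)
        if rec is not None:
            out.append(json.dumps(rec, sort_keys=True))
    return out


if __name__ == "__main__":
    # Stand-alone run over the constructed sample; with a real sensor you would
    # iterate over the tail of /var/log/nsm/securityonion/sguild.log instead.
    for doc in alerts_to_json(SAMPLE_LOG.splitlines()):
        print(doc)
```

Because every record carries gid/sid/rev and the priority as integers, the collector side can filter on them directly (for example only priority 1 and 2 alerts) instead of pattern-matching the raw text again.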