How to forward remote Bro logs to Security Onion ELSA?


陈昱竹

Aug 9, 2015, 6:06:05 AM
to security-onion
In my environment, I have one Bro IDS and one SecurityOnion running on different servers. I configured syslog-ng on the Bro IDS, and the configuration looks like this:

source s_bro_conn { file("/usr/local/bro/logs/current/conn.log" flags(no-parse) program_override("bro_conn")); };
source s_bro_http { file("/usr/local/bro/logs/current/http.log" flags(no-parse) program_override("bro_http")); };
source s_bro_dns { file("/usr/local/bro/logs/current/dns.log" flags(no-parse) program_override("bro_dns")); };
source s_bro_notice { file("/usr/local/bro/logs/current/notice.log" flags(no-parse) program_override("bro_notice")); };
source s_bro_smtp { file("/usr/local/bro/logs/current/smtp.log" flags(no-parse) program_override("bro_smtp")); };
source s_bro_smtp_entities { file("/usr/local/bro/logs/current/smtp_entities.log" flags(no-parse) program_override("bro_smtp_entities")); };
source s_bro_ssl { file("/usr/local/bro/logs/current/ssl.log" flags(no-parse) program_override("bro_ssl")); };
source s_bro_arp { file("/usr/local/bro/logs/current/arp.log" flags(no-parse) program_override("bro_arp")); };

filter f_bro_headers { message("^#") };
rewrite r_bro_host { set("192.168.1.13", value("HOST")); };

destination d_elsa { tcp("192.168.1.14" port(514)); };

log { source(s_bro_conn); destination(d_elsa); };
log { source(s_bro_http); destination(d_elsa); };
log { source(s_bro_dns); destination(d_elsa); };
log { source(s_bro_notice); destination(d_elsa); };
log { source(s_bro_smtp); destination(d_elsa); };
log { source(s_bro_smtp_entities); destination(d_elsa); };
log { source(s_bro_ssl); destination(d_elsa); };
log { source(s_bro_arp); destination(d_elsa); };

However, I didn't see any logs entering ELSA on SecurityOnion. Another interesting thing is that I didn't find an ARP log location in the ELSA web interface. So my questions are: how do I configure syslog-ng to forward Bro logs to the SecurityOnion box running ELSA (do I have to configure syslog-ng on both sides?), and how do I configure ELSA to receive new types of logs?

Simone Bonetti

Aug 10, 2015, 8:35:18 AM
to security-onion
Hi,
I use this configuration on bro sensor:
You have to create the file /etc/syslog-ng/conf.d/10bro2elsa.conf with this content (the text between begin and end; you have to edit the http log line to insert your correct capture interface, and you have to insert your SO server IP):
----begin
source s_bro_conn { file("/nsm/bro/logs/current/conn.log" flags(no-parse) program_override("bro_conn")); };
source s_bro_dhcp { file("/nsm/bro/logs/current/dhcp.log" flags(no-parse) program_override("bro_dhcp")); };
source s_bro_dns { file("/nsm/bro/logs/current/dns.log" flags(no-parse) program_override("bro_dns")); };
source s_bro_files { file("/nsm/bro/logs/current/files.log" flags(no-parse) program_override("bro_files")); };
source s_bro_ftp { file("/nsm/bro/logs/current/ftp.log" flags(no-parse) program_override("bro_ftp")); };
source s_bro_http { file("/nsm/bro/logs/current/http_ethx.log" flags(no-parse) program_override("bro_http")); };
source s_bro_intel { file("/nsm/bro/logs/current/intel.log" flags(no-parse) program_override("bro_intel")); };
source s_bro_irc { file("/nsm/bro/logs/current/irc.log" flags(no-parse) program_override("bro_irc")); };
source s_bro_notice { file("/nsm/bro/logs/current/notice.log" flags(no-parse) program_override("bro_notice")); };
source s_bro_radius { file("/nsm/bro/logs/current/radius.log" flags(no-parse) program_override("bro_radius")); };
source s_bro_smtp { file("/nsm/bro/logs/current/smtp.log" flags(no-parse) program_override("bro_smtp")); };
source s_bro_smtp_entities { file("/nsm/bro/logs/current/smtp_entities.log" flags(no-parse) program_override("bro_smtp_entities")); };
source s_bro_snmp { file("/nsm/bro/logs/current/snmp.log" flags(no-parse) program_override("bro_snmp")); };
source s_bro_software { file("/nsm/bro/logs/current/software.log" flags(no-parse) program_override("bro_software")); };
source s_bro_ssh { file("/nsm/bro/logs/current/ssh.log" flags(no-parse) program_override("bro_ssh")); };
source s_bro_ssl { file("/nsm/bro/logs/current/ssl.log" flags(no-parse) program_override("bro_ssl")); };
source s_bro_syslog { file("/nsm/bro/logs/current/syslog.log" flags(no-parse) program_override("bro_syslog")); };
source s_bro_tunnels { file("/nsm/bro/logs/current/tunnel.log" flags(no-parse) program_override("bro_tunnels")); };
source s_bro_x509 { file("/nsm/bro/logs/current/x509.log" flags(no-parse) program_override("bro_x509")); };
source s_bro_weird { file("/nsm/bro/logs/current/weird.log" flags(no-parse) program_override("bro_weird")); };

destination d_elsa { tcp("ELSASERVERIP" port(514)); };

log { source(s_bro_conn); destination(d_elsa); };
log { source(s_bro_dhcp); destination(d_elsa); };
log { source(s_bro_dns); destination(d_elsa); };
log { source(s_bro_files); destination(d_elsa); };
log { source(s_bro_ftp); destination(d_elsa); };
log { source(s_bro_http); destination(d_elsa); };
log { source(s_bro_intel); destination(d_elsa); };
log { source(s_bro_irc); destination(d_elsa); };
log { source(s_bro_notice); destination(d_elsa); };
log { source(s_bro_radius); destination(d_elsa); };
log { source(s_bro_smtp); destination(d_elsa); };
log { source(s_bro_smtp_entities); destination(d_elsa); };
log { source(s_bro_snmp); destination(d_elsa); };
log { source(s_bro_software); destination(d_elsa); };
log { source(s_bro_ssh); destination(d_elsa); };
log { source(s_bro_ssl); destination(d_elsa); };
log { source(s_bro_syslog); destination(d_elsa); };
log { source(s_bro_tunnels); destination(d_elsa); };
log { source(s_bro_x509); destination(d_elsa); };
log { source(s_bro_weird); destination(d_elsa); };
----end

If you do this you won't have problems during a syslog-ng upgrade.
After that you have to restart syslog-ng on the bro sensor.

You have to open or check port 514 on the SO server (tcp or udp as you prefer; the above is for tcp) to permit access from the bro sensor.

The next ELSA upgrades will add some interesting parsers to parse the new logs from Bro 2.4. So you have to remember to update /etc/syslog-ng/conf.d/10bro2elsa.conf

To check if the configuration is ok you can use ngrep on both sides, sensor and server:
ngrep -n 5 -W byline -d ethx -l -s 3000 -qt '.*' ' port 514'


bye
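Since the reply above notes that new Bro 2.4 logs require editing 10bro2elsa.conf by hand, here is an added helper (not from the thread, not part of Security Onion or ELSA) that generates the syslog-ng sources and log paths from whatever logs are actually present in the Bro log directory and reports logs an existing config does not forward. It follows the naming used in the reply (http_<iface>.log tagged bro_http, tunnel.log tagged bro_tunnels) and adds a filter that drops Bro's "#fields"/"#types" header lines; the directory, IP and function names are assumptions.

```python
"""Generate a bro2elsa syslog-ng config from the Bro logs present on disk."""
import os
import re

# Program tags that differ from the file stem, following the reply above.
SPECIAL = {"tunnel": "bro_tunnels"}


def program_for(filename):
    """Map a Bro log filename to its syslog program tag, e.g. dns.log -> bro_dns."""
    stem = filename[:-len(".log")]
    if stem.startswith("http_"):      # per-interface http logs all feed bro_http
        stem = "http"
    return SPECIAL.get(stem, "bro_" + stem)


def source_for(filename):
    """Unique syslog-ng source name per file (http_eth0.log -> s_bro_http_eth0)."""
    return "s_bro_" + re.sub(r"[^A-Za-z0-9_]", "_", filename[:-len(".log")])


def generate_conf(log_files, log_dir, elsa_ip, drop_headers=True):
    """Build the config text: one source and one log path per Bro log.
    With drop_headers, lines starting with '#' never reach ELSA."""
    names = sorted(f for f in log_files if f.endswith(".log"))
    lines = []
    for f in names:
        lines.append(f'source {source_for(f)} {{ file("{log_dir}/{f}" flags(no-parse) '
                     f'program_override("{program_for(f)}")); }};')
    lines.append("")
    if drop_headers:
        lines.append('filter f_bro_headers { not message("^#"); };')
    lines.append(f'destination d_elsa {{ tcp("{elsa_ip}" port(514)); }};')
    lines.append("")
    flt = "filter(f_bro_headers); " if drop_headers else ""
    for f in names:
        lines.append(f"log {{ source({source_for(f)}); {flt}destination(d_elsa); }};")
    return "\n".join(lines) + "\n"


def missing_from_conf(conf_text, log_files):
    """Return Bro logs present on disk that an existing config does not forward."""
    covered = set(re.findall(r'file\("[^"]*/([^"/]+\.log)"', conf_text))
    return sorted(f for f in log_files if f.endswith(".log") and f not in covered)


if __name__ == "__main__":
    log_dir = "/nsm/bro/logs/current"            # assumed Bro log directory
    print(generate_conf(os.listdir(log_dir), log_dir, "ELSASERVERIP"))
```

Run it on the sensor after a Bro upgrade and compare its output with the installed 10bro2elsa.conf, or pass the installed file's text to missing_from_conf to see which new logs are not yet forwarded.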
