Where do I view syslog data?


Bill Hogue

Feb 22, 2012, 1:03:23 PM
to security-onion
I'm new to Security Onion. I've got a PC setup from the 20120125 ISO
and updated to the latest version today. I just ran the basic
Security Onion setup to get started. I have two NICs (eth0 connects
to a SPAN port and eth1 is management) and I'm successfully collecting
data in Snort/Snorby. I've pointed my firewall (Cisco ASA) to send
syslogs to the management IP. What do I need to configure to start
collecting syslogs? Will it show up in Snorby or somewhere else?
Thanks in advance.

Bill

Martin Holste

Feb 22, 2012, 1:51:52 PM
to securit...@googlegroups.com
There's work underway now to get ELSA
(enterprise-log-search-and-archive.googlecode.com) into SecurityOnion
as a pre-installed app (thanks guys!). However, ELSA will install
just fine right now on SecurityOnion. Since you're all set and just
waiting for the interface, you might want to give it a shot now (Doug
et al., correct me here if you'd rather Bill waits for the official
implementation). Just follow the quickstart documentation:
http://code.google.com/p/enterprise-log-search-and-archive/wiki/Quickstart

There was a thread on this list a while ago titled "ELSA on Security
Onion" which detailed the few tweaks you need to get all of the logs
dumping in, but the basics were:

Add "*.* @127.0.0.1" to the end of /etc/rsyslog.d/50-default.conf.
This will have rsyslog forward all logs to ELSA.

For Snort, edit /etc/nsm/<sensor-interface>/barnyard2.conf and add:
output alert_syslog: LOG_LOCAL6 LOG_ALERT

To get Bro logs, follow the instructions on my blog here:
http://ossectools.blogspot.com/2011/09/bro-quickstart-cluster-edition.html
for exporting via syslog.

To run ELSA on a non-standard port, use this Apache config in
/etc/apache2/sites-available/elsa.conf:
<VirtualHost *:8443>
    DocumentRoot /usr/local/elsa/web/lib
    SetEnv ELSA_CONF /etc/elsa_web.conf
    <Location "/">
        Order Allow,Deny
        Allow from all
        SetHandler perl-script
        PerlResponseHandler Plack::Handler::Apache2
        PerlSetVar psgi_app /usr/local/elsa/web/lib/Web.psgi
    </Location>
    # Cleanup proxied HTTP auth
    RewriteEngine on
    RewriteCond %{HTTP:Authorization} ^(.*)
    RewriteRule ^(.*) - [E=HTTP_AUTHORIZATION:%1]

    SSLEngine on
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    SSLCertificateFile /etc/apache2/ssl.crt/server.crt
    SSLCertificateKeyFile /etc/apache2/ssl.key/server.key
    SetEnvIf User-Agent ".*MSIE.*" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    CustomLog /var/log/apache2/ssl_request_log ssl_combined
</VirtualHost>

Please let me know if there are other tweaks necessary to get ELSA
working out of the box on SecurityOnion.

Doug Burks

Feb 22, 2012, 1:54:00 PM
to securit...@googlegroups.com
Hi Bill,

Replies inline.

On Wed, Feb 22, 2012 at 1:03 PM, Bill Hogue <bho...@bmhvt.org> wrote:
> I'm new to Security Onion.   I've got a PC setup from the 20120125 ISO
> and updated to the latest version today.  I just ran the basic
> Security Onion setup to get started.

Are you saying you chose "Quick Setup" instead of "Advanced Setup"?

> I have two NICs (eth0 connects
> to a SPAN port and eth1 is management) and I'm successfully collecting
> data in Snort/Snorby.

If you chose Quick Setup, then both eth0 and eth1 are being monitored.

> I've pointed my firewall (Cisco ASA) to send
> syslogs to the management IP.  What do I need to configure to start
> collecting syslogs?

Bro is not a standard syslog collector running on port 514, but it
will collect any syslog data it sees on any interfaces it's
monitoring. Take a look at /nsm/bro/logs/current/syslog.log and see
if you see what you're expecting.

Another option would be to enable OSSEC's syslog collector, which
would not only collect, but also decode/analyze those ASA logs:
http://www.ossec.net/wiki/PIX_and_IOS_Syslog_Config_examples

If you go this route, don't forget to allow port 514 inbound in the
UFW firewall.

> Will it show up in Snorby or somewhere else?

Bro logs are currently only visible in the filesystem as described
above. OSSEC logs can be found in Sguil and Squert. Ultimately,
we're going to include ELSA which will be the final resting place for
all logs (Bro, OSSEC, and others).

> Thanks in advance.
>
> Bill

Hope that helps!

Thanks,
--
Doug Burks
SANS GSE and Community Instructor
Security Onion | http://securityonion.blogspot.com
President, Greater Augusta ISSA | http://augusta.issa.org
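A small decoder for the two log sources this thread discusses: the ASA syslogs Bill is forwarding to port 514 (Doug's reply) and the LOG_LOCAL6 LOG_ALERT alerts barnyard2 emits with Martin's output line. This is an added example, not code from the thread, from ELSA or from Security Onion; the sample lines are constructed, not real captures, and the facility/severity tables follow RFC 3164. It can be run over a copy of Bro's syslog.log or a pcap-extracted syslog stream to confirm which facility the ASA is actually using before pointing OSSEC or ELSA at it.

```python
import re
from collections import Counter
# RFC 3164 facility and severity names, indexed by their numeric codes.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
PRI_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<rest>.*)$", re.S)
# Cisco ASA message header, e.g. "%ASA-6-302013:" (severity digit, six-digit message id).
ASA_RE = re.compile(r"%ASA-(?P<sev>\d)-(?P<msgid>\d{6}):")

def pri_for(facility, severity):
    """PRI = facility * 8 + severity; LOG_LOCAL6 LOG_ALERT from barnyard2 gives <177>."""
    return FACILITIES.index(facility) * 8 + SEVERITIES.index(severity)

def parse_syslog(line):
    """Decode one BSD-syslog line; return None if there is no valid <PRI> header."""
    m = PRI_RE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > 191:  # local7.debug (23 * 8 + 7) is the largest legal value
        return None
    fac, sev = divmod(pri, 8)
    rec = {"facility": FACILITIES[fac], "severity": SEVERITIES[sev], "msg": m.group("rest").strip()}
    asa = ASA_RE.search(rec["msg"])
    if asa:  # ASA carries its own severity and message id; keep both for correlation
        rec["asa_msgid"] = asa.group("msgid")
        rec["asa_severity"] = int(asa.group("sev"))
    return rec

def summarize(lines):
    # Count lines by facility.severity, plus the ASA message id where one is present.
    counts = Counter()
    for line in lines:
        rec = parse_syslog(line)
        if rec is None:
            counts["unparsed"] += 1
            continue
        key = f"{rec['facility']}.{rec['severity']}"
        if "asa_msgid" in rec:
            key += f"/ASA-{rec['asa_msgid']}"
        counts[key] += 1
    return counts

SAMPLE_LINES = [  # constructed samples: ASA on its default facility local4, Snort via local6.alert
    "<166>Feb 22 2012 13:03:23 fw01 %ASA-6-302013: Built outbound TCP connection 12345 for outside:198.51.100.10/443 (198.51.100.10/443) to inside:192.0.2.25/51234 (192.0.2.25/51234)",
    "<177>Feb 22 2012 13:04:00 sensor snort[1234]: [1:1000001:1] EXAMPLE rule [Priority: 1] {TCP} 192.0.2.25:51234 -> 198.51.100.10:443",
    "this line has no PRI header and is counted as unparsed",
]
```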

Doug Burks

Feb 22, 2012, 1:57:41 PM
to securit...@googlegroups.com
Martin, thanks for your reply!

All, if you're considering installing ELSA on your Security Onion
boxes, I'd prefer that you wait until we roll out our official
implementation to cut down on conflicts and other support issues.

Thanks,
Doug


Bill Hogue

Feb 22, 2012, 2:38:02 PM
to securit...@googlegroups.com
Thanks all for the prompt replies. Yes, it was Quick Setup. Now that I understand it better I'll leave it as is for now and wait for the ELSA integration. I'm getting great information with just the SPAN ports.

Bill
