Security Onion as a central log server


b4dpxl

May 1, 2012, 9:45:31 AM
to securit...@googlegroups.com
Hi. I'm looking to set up a central log server to capture information from a wide variety of sources, including firewalls and switches, AV console and Event Logs, using syslog and OSSEC agents, amongst other things.

I want to be able to do analysis and alerting on these, and was planning on deploying a box with syslog-ng, OSSEC and Splunk. But I really like the idea of Security Onion for the extra functionality it gives.

What are people's thoughts on using Security Onion as a central log server for capturing and analysing information from sources other than the sensors like Snort? The alternative is that I still deploy a syslog/splunk server and use Security Onion to capture a lot of events and then forward them on.

Thanks.

Scott Runnels

May 1, 2012, 10:51:55 AM
to securit...@googlegroups.com
We are about to push Martin Holste's ELSA (enterprise log search and archive) for Security Onion. I'm confident it will go to testing soon and we will publish it as a configurable option. 

Vr
Scott


--
Scott Runnels


b4dpxl

May 1, 2012, 11:14:06 AM
to securit...@googlegroups.com
Thanks. Does ELSA support dashboards? What I'm particularly looking for is something that can show trends and spikes in events (such as a sudden increase in failed logons) in a dashboard that can be left running in a NOC and used as a trigger for an investigation.

Chris


On Tuesday, May 1, 2012 3:51:55 PM UTC+1, Scott Runnels wrote:
> We are about to push Martin Holste's ELSA (enterprise log search and archive) for Security Onion. I'm confident it will go to testing soon and we will publish it as a configurable option.
>
> Vr
> Scott
>
> On Tuesday, May 1, 2012, b4dpxl wrote:
> > Hi. I'm looking to set up a central log server to capture information from a wide variety of sources, including firewalls and switches, AV console and Event Logs, using syslog and OSSEC agents, amongst other things.
> >
> > I want to be able to do analysis and alerting on these, and was planning on deploying a box with syslog-ng, OSSEC and Splunk. But I really like the idea of Security Onion for the extra functionality it gives.
> >
> > What are people's thoughts on using Security Onion as a central log server for capturing and analysing information from sources other than the sensors like Snort? The alternative is that I still deploy a syslog/splunk server and use Security Onion to capture a lot of events and then forward them on.
> >
> > Thanks.
>
> --
> Scott Runnels

Martin Holste

May 1, 2012, 11:47:20 AM
to securit...@googlegroups.com
Yes, ELSA supports dashboards. For now, they are simple CSV files
with the first column the title of the graph and the second column the
query that produces it. In the future, there will be full web admin
for all dashboard management. Here's an example:

downloads.csv:
Downloads by Country,+md5 class:bro_notice groupby:dstip | whois | sum(cc)

events.csv:
Trojan IDS Events,trojan groupby:sig_msg
Top Scanners,sig_msg:scan groupby:srcip
Top Scanning Orgs,sig_msg:scan groupby:srcip | whois | sum(descr)
Top Websites Attacked by SQLi,sig_msg:sql groupby:srcip | subsearch(class:url groupby:site,srcip)

(Notice the subsearch in the last one--it lets you pivot between log
types so we can go from Snort to URL.)

The config file gets an entry to point at it like this:
"dashboards": {
    "downloads": {
        "file": "/path/to/downloads.csv",
        "package": "Dashboard::File"
    },
    "ids": {
        "file": "/path/to/events.csv",
        "package": "Dashboard::File"
    }
}

You then access the dashboard like this (where the URI has the name of
the config entry):
http://elsa/dashboard/downloads
Which will use the defaults of the past seven days. You can specify
the time period like this:
http://elsa/dashboard/downloads?start=last tuesday&end=last thursday
or
http://elsa/dashboard/ids?days=14

As we progress, not only will dashboards be easier to manage, we may
find queries good enough to include as default dashboards.
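As an added illustration of the dashboard format Martin describes (this is not code from the thread, from ELSA, or from Security Onion), the following Python script loads the "dashboards" config block, parses each Dashboard::File CSV into (title, query) pairs, splits a query into its pipeline stages, and builds the dashboard URLs with either days= or start=/end=. The sample dashboard files and config are the ones from the post, embedded inline as constructed input; splitting each line on the first comma only is an inference from the subsearch example (its query contains a comma in groupby:site,srcip), and the URL-encoding of values such as "last tuesday" and the optional comment lines are this script's own choices, not documented ELSA behaviour.

```python
"""Added example: parse ELSA Dashboard::File dashboards and build their URLs.
Not part of ELSA or Security Onion; assumptions are marked in comments."""
import json
import urllib.parse

# Constructed sample input: the two dashboard files from the post, keyed by
# the paths the config refers to, so the script runs without touching disk.
DASHBOARD_FILES = {
    "/path/to/downloads.csv": (
        "Downloads by Country,+md5 class:bro_notice groupby:dstip | whois | sum(cc)\n"
    ),
    "/path/to/events.csv": (
        "Trojan IDS Events,trojan groupby:sig_msg\n"
        "Top Scanners,sig_msg:scan groupby:srcip\n"
        "Top Scanning Orgs,sig_msg:scan groupby:srcip | whois | sum(descr)\n"
        "Top Websites Attacked by SQLi,sig_msg:sql groupby:srcip | "
        "subsearch(class:url groupby:site,srcip)\n"
    ),
}

# Constructed sample config: the "dashboards" entry from the post.
CONFIG_JSON = """{
  "dashboards": {
    "downloads": {"file": "/path/to/downloads.csv", "package": "Dashboard::File"},
    "ids":       {"file": "/path/to/events.csv",    "package": "Dashboard::File"}
  }
}"""


def parse_dashboard_csv(text):
    """Return [(title, query), ...] for one dashboard file.

    Each line is 'title,query'. Split on the FIRST comma only: a query can
    itself contain commas (groupby:site,srcip inside subsearch), so a generic
    CSV reader would cut such a query in half.
    """
    graphs = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):  # blank/comment lines: an assumption
            continue
        if "," not in line:
            raise ValueError(f"line {lineno}: expected 'title,query', got {line!r}")
        title, query = (part.strip() for part in line.split(",", 1))
        if not title or not query:
            raise ValueError(f"line {lineno}: empty title or query")
        graphs.append((title, query))
    return graphs


def query_stages(query):
    """Split a query into its pipeline stages: search | transform | transform ..."""
    return [stage.strip() for stage in query.split("|")]


def load_dashboards(config_text, files=DASHBOARD_FILES):
    """Resolve the 'dashboards' config block to {name: [(title, query), ...]}.

    `files` maps a configured path to its contents (a stand-in for open())
    so that a missing or misconfigured file is reported by dashboard name.
    """
    config = json.loads(config_text)
    dashboards = {}
    for name, entry in config["dashboards"].items():
        if entry.get("package") != "Dashboard::File":
            raise ValueError(f"{name}: unsupported package {entry.get('package')!r}")
        path = entry["file"]
        if path not in files:
            raise FileNotFoundError(f"{name}: dashboard file {path} missing")
        dashboards[name] = parse_dashboard_csv(files[path])
    return dashboards


def dashboard_url(base, name, days=None, start=None, end=None):
    """Build /dashboard/<name> with either days=N or start=/end= (not both).

    Values such as 'last tuesday' are URL-encoded here; the post's bare URL
    leaves that to the browser.
    """
    if days is not None and (start is not None or end is not None):
        raise ValueError("use days= or start=/end=, not both")
    params = []
    if days is not None:
        params.append(("days", str(days)))
    if start is not None:
        params.append(("start", start))
    if end is not None:
        params.append(("end", end))
    url = f"{base.rstrip('/')}/dashboard/{urllib.parse.quote(name, safe='')}"
    if params:
        url += "?" + urllib.parse.urlencode(params)
    return url


if __name__ == "__main__":
    for name, graphs in load_dashboards(CONFIG_JSON).items():
        print(f"[{name}] {dashboard_url('http://elsa', name, days=14)}")
        for title, query in graphs:
            print(f"  {title}: {' -> '.join(query_stages(query))}")
```

Running the script prints each configured dashboard's 14-day URL followed by its graphs with the query pipeline stages separated by arrows, which is a quick way to sanity-check a dashboard file before pointing the config at it.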

Chris Hembrow

May 1, 2012, 2:25:56 PM
to securit...@googlegroups.com
Thanks Martin, sounds good, looking forward to having a play.

Chris
--
Chris
