Sending Bro Logs to another server using syslog-ng


Steve Williamson

May 18, 2018, 11:51:39 AM
to security-onion
I have two instances of Security Onion on the same version. One is remote and one is local. Setting up a sensor -> server installation is not possible at this time. I want to send the Bro logs to the local server using syslog-ng. I have tried changing syslog-ng.conf to this:

destination d_office { tcp("xx.xx.xx.xx" port(6050) template("$(format-json --scope selected_macros --scope nv_pairs --exclude DATE --key ISODATE)\n")); };

I have port 6050 open on the firewalls, outgoing and incoming, pointing to the local SO box.

The logs are being sent and received; I verified this with tcpdump.

I turned on the dead letter queue on Logstash and checked to see if anything was being rejected. Nothing is in the dead letter folder.

On the local instance nothing is listening on port 6050 on tcp, only on tcp6. I read somewhere that that is normal, but it seems odd. Here is the output:

netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:4505 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:4506 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:47761 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:47762 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:47763 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:514 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:7734 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:7736 0.0.0.0:* LISTEN
tcp 0 0 127.0.1.1:53 0.0.0.0:* LISTEN
tcp6 0 0 :::22 :::* LISTEN
tcp6 0 0 :::47761 :::* LISTEN
tcp6 0 0 :::47762 :::* LISTEN
tcp6 0 0 :::47763 :::* LISTEN
tcp6 0 0 :::5044 :::* LISTEN
tcp6 0 0 :::6050 :::* LISTEN
tcp6 0 0 :::6051 :::* LISTEN
tcp6 0 0 :::6052 :::* LISTEN
tcp6 0 0 :::6053 :::* LISTEN
tcp6 0 0 :::7734 :::* LISTEN
tcp6 0 0 :::7736 :::* LISTEN
tcp6 0 0 :::9600 :::* LISTEN

I know Logstash is working locally because the local machine is dumping Bro logs into ELK, but nothing arrives from the remote.

What am I missing to make this work?

Steve
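The "only on tcp6" observation in the post above is worth pinning down before chasing it: on Linux a socket bound to the IPv6 wildcard (":::6050") also accepts IPv4 connections unless net.ipv6.bindv6only is set to 1, so a tcp6-only listener is not by itself the reason an IPv4 client fails. The following script is an added example, not code from the thread or from Security Onion; it reads a netstat-style listing (a constructed sample modelled on the post's output is embedded) and classifies a port's bind scope, then says whether an IPv4 client can reach it given the bindv6only setting, which on a real host you would read with `sysctl -n net.ipv6.bindv6only`.

```shell
#!/bin/sh
# Added example, not code from the original thread or from Security Onion.
# Interprets a `netstat -tan` LISTEN listing for one port. On Linux a socket
# bound to the IPv6 wildcard (":::PORT", shown under tcp6) also accepts IPv4
# connections unless net.ipv6.bindv6only=1, so "only on tcp6" is not by itself
# the reason an IPv4 client cannot connect.

# Constructed sample modelled on the listing in the post (not the real output).
SAMPLE_NETSTAT='tcp 0 0 0.0.0.0:514 0.0.0.0:* LISTEN
tcp 0 0 127.0.1.1:53 0.0.0.0:* LISTEN
tcp6 0 0 :::5044 :::* LISTEN
tcp6 0 0 :::6050 :::* LISTEN'

# listener_scope PORT  < netstat-output
# Prints one of: v4-any, v6-any, loopback, other, none
listener_scope() {
  awk -v port="$1" '
    $NF == "LISTEN" {
      addr = $4
      n = split(addr, parts, ":")          # port is the text after the last colon
      if (parts[n] != port) next
      if (addr == ("0.0.0.0:" port))          { print "v4-any";   found = 1; exit }
      if (addr == (":::" port))               { print "v6-any";   found = 1; exit }
      if (addr ~ /^127\./ || addr ~ /^::1:/)  { print "loopback"; found = 1; exit }
      print "other"; found = 1; exit
    }
    END { if (!found) print "none" }'
}

# reachable_over_ipv4 SCOPE BINDV6ONLY -> yes|no|unknown
# BINDV6ONLY is the value of net.ipv6.bindv6only (0 on most distributions);
# read it with `sysctl -n net.ipv6.bindv6only` on the host being checked.
reachable_over_ipv4() {
  case "$1" in
    v4-any)        echo yes ;;
    v6-any)        [ "$2" = "0" ] && echo yes || echo no ;;
    loopback|none) echo no ;;
    *)             echo unknown ;;
  esac
}

# Demo on the constructed sample: 6050 is a dual-stack wildcard listener, so an
# IPv4 connection failure points at the firewall/Docker path, not at the bind.
scope=$(printf '%s\n' "$SAMPLE_NETSTAT" | listener_scope 6050)
echo "6050 scope=$scope ipv4-reachable=$(reachable_over_ipv4 "$scope" 0)"
```

On a live box run `netstat -tan | listener_scope 6050` (or feed `ss -ltn` after adjusting the column index); if the answer is v6-any with bindv6only=0, the bind address is fine and the next place to look is the host firewall and the Docker forwarding path.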

Steve Williamson

May 18, 2018, 3:17:00 PM
to security-onion
I do not think the so-logstash Docker container is allowing access to port 6050 from outside. I have another machine on the same network and I cannot telnet to the local Security Onion box on port 6050, which I believe I should be able to. I cannot access port 5044 either.

I have other Logstash running on the network and I can telnet to the Logstash port.

Steve

Wes

May 21, 2018, 7:41:16 AM
to security-onion

Steve,

Have you tried running so-allow for Logstash so that the appropriate iptables rules are in place?

Is there any reason you could not set up a standalone (although not recommended) and configure the remote sensor as a forward node?

When a forward node is configured, we do a port forward so that the forward node is sending logs to port 6050 locally, and that port is forwarded by the remote host so that the remote host receives it on the Logstash port 6050. This is all done through an AutoSSH tunnel. You can read more about that in the /usr/sbin/sosetup script.

Thanks,
Wes
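Wes's so-allow suggestion is the supported fix, and the reply below confirms it worked. For anyone verifying the result by hand, the script here is an added example (not so-allow and not any Security Onion code) that audits an `iptables -S` dump for an ACCEPT rule letting a given source reach a given TCP port. It encodes one fact about Docker that explains why a plain INPUT rule can look right and still not work: a port published by a container is DNATed to the container address and then traverses FORWARD, where Docker evaluates the DOCKER-USER chain first, so the accept has to live there rather than in INPUT; a listener on the host network stack goes through INPUT as usual. The rule syntax in the two constructed sample dumps is ordinary `iptables -S` output and is an assumption about what so-allow writes, not a copy of it.

```shell
#!/bin/sh
# Added example, not Security Onion's so-allow (which remains the supported
# way to add these rules). Audits an `iptables -S` dump for an ACCEPT rule
# that lets SRC reach TCP PORT. A Docker-published port is DNATed to the
# container and traverses FORWARD (DOCKER-USER is evaluated first), so for
# that case the rule must be in DOCKER-USER; a host-network listener needs
# the rule in INPUT.

# Constructed sample dumps (assumption: plain `iptables -S` syntax, not a
# copy of what so-allow writes). 192.0.2.10 stands in for the sending sensor.
SAMPLE_RULES='-P INPUT DROP
-P FORWARD DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -s 192.0.2.10/32 -p tcp -m tcp --dport 6050 -j ACCEPT
-A FORWARD -j DOCKER-USER
-A DOCKER-USER -s 192.0.2.10/32 -p tcp -m tcp --dport 6050 -j ACCEPT
-A DOCKER-USER -j RETURN'

# The failure mode from the thread: the port is open in INPUT only.
SAMPLE_RULES_INPUT_ONLY='-P INPUT DROP
-P FORWARD DROP
-A INPUT -s 192.0.2.10/32 -p tcp -m tcp --dport 6050 -j ACCEPT
-A FORWARD -j DOCKER-USER
-A DOCKER-USER -j RETURN'

# chain_allows CHAIN SRC PORT  < rules-dump  -> yes|no
# Matches "-A CHAIN ... -s SRC[/32] ... --dport PORT ... -j ACCEPT".
chain_allows() {
  awk -v chain="$1" -v src="$2" -v port="$3" '
    $1 == "-A" && $2 == chain {
      hit_src = 0; hit_port = 0; accept = 0
      for (i = 3; i <= NF; i++) {
        if ($i == "-s" && ($(i+1) == src || $(i+1) == (src "/32"))) hit_src = 1
        if ($i == "--dport" && $(i+1) == port) hit_port = 1
        if ($i == "-j" && $(i+1) == "ACCEPT") accept = 1
      }
      if (hit_src && hit_port && accept) { found = 1; exit }
    }
    END { print (found ? "yes" : "no") }'
}

# required_chain PUBLISHED -> chain the packet actually traverses
# PUBLISHED=1: Docker-published container port (FORWARD path, DOCKER-USER first)
# PUBLISHED=0: listener in the host network namespace (INPUT)
required_chain() {
  [ "$1" = "1" ] && echo DOCKER-USER || echo INPUT
}

# allowed SRC PORT PUBLISHED  < rules-dump  -> yes|no
allowed() {
  chain_allows "$(required_chain "$3")" "$1" "$2"
}

# Demo: the INPUT-only ruleset passes for a host listener but not for a
# container-published port, which is the symptom described in the thread.
for published in 0 1; do
  verdict=$(printf '%s\n' "$SAMPLE_RULES_INPUT_ONLY" | allowed 192.0.2.10 6050 "$published")
  echo "INPUT-only rules, published=$published -> $verdict"
done
```

On the receiving box feed the live table in with `iptables -S | allowed <sensor-ip> 6050 1`; a "no" there, with the listener confirmed bound, is the so-allow case. Whether the Logstash port is container-published or host-network on a given Security Onion release is something to confirm with `docker port` or `netstat` on that host rather than assume.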

Steve Williamson

May 21, 2018, 1:18:49 PM
to security-onion
Thanks Wes. The so-allow with the iptables Docker routing fixed the problem.

Thank you
Steve
