Security Onion Firewall Logs


Matt

Jan 18, 2012, 9:48:12 AM
to security-onion
Doug,

I was wondering what you use for firewall log analysis. We have all
pfSense routers dumping to Security Onion over MySQL. Soon we will go
away from MySQL and implement TAPs to gain full functionality with
Security Onion. However, we are currently just viewing the logs in the
pfSense GUI. Any recommendations for log visualization/analysis? We
are using GLTails for active visualization but need something for
incident response/analysis.

Thanks,

- Matt

Scott Runnels

Jan 18, 2012, 11:46:55 AM
to securit...@googlegroups.com
Hi Matt,

A lot of people will use something like syslog-ng or Splunk; both have their advantages. With syslog-ng you're looking at a fully open-source solution. With Splunk you're looking at a very detailed, easily searchable way to organize logs. Unfortunately, Splunk's free version has a 500MB limit, I believe (someone feel free to correct me on that).

v/r
Scott


Doug Burks

Jan 18, 2012, 12:08:47 PM
to securit...@googlegroups.com
Hi Matt,

One option would be OSSEC:
http://www.ossec.net/

It's already installed in Security Onion and it can collect logs in 2 ways:

1. from an OSSEC agent
I don't have experience with pfSense, but perhaps you could install
the full OSSEC agent on pfSense. This would give you the logs AND
rootkit detection and file integrity checking.

2. standard syslog
OSSEC can listen on standard syslog port 514/UDP for logs.

Once you have the logs in OSSEC, you could install Splunk and the
Splunk OSSEC app for web-based searching. But, as Scott mentioned, be
aware of the 500MB/day limit.

In the future, I'm hoping to add ELSA to Security Onion to provide a
Splunk alternative out of the box. For more information about ELSA,
please see:
http://ossectools.blogspot.com/2011/11/elsa-beta-available.html
http://blog.bro-ids.org/2012/01/monster-logs.html

Thanks,
Doug

--
Doug Burks
SANS GSE and Community Instructor
Security Onion | http://securityonion.blogspot.com
President, Greater Augusta ISSA | http://augusta.issa.org
Please vote for Security Onion for 2011 Toolsmith Tool of the Year! |
http://goo.gl/PwTDi
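As an added illustration of the syslog option Doug describes (not configuration from this thread or from the Security Onion project), this is the `<remote>` block that makes OSSEC's ossec-remoted accept plain syslog on 514/UDP on the manager. The firewall address 192.168.1.1 is an assumed placeholder for the pfSense box; OSSEC requires at least one allowed-ips entry here, and restricting it to the firewall also keeps other hosts from injecting log lines.

```xml
<!-- Added example: fragment for /var/ossec/etc/ossec.conf on the OSSEC manager -->
<ossec_config>
  <remote>
    <!-- "syslog" accepts plain syslog senders; "secure" is the OSSEC agent channel -->
    <connection>syslog</connection>
    <port>514</port>
    <protocol>udp</protocol>
    <!-- Only the pfSense router (assumed address) may send; a CIDR such as
         192.168.1.0/24 is also accepted. With no allowed-ips list at all,
         ossec-remoted refuses to run the syslog listener. -->
    <allowed-ips>192.168.1.1</allowed-ips>
  </remote>
</ossec_config>
```

After restarting OSSEC, point pfSense's remote syslog setting at the manager's address; the received lines are then decoded and matched against OSSEC's rules like any other syslog input.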
