Syslog and snmp?


mariogd

Feb 10, 2012, 11:28:10 AM2/10/12
to security-onion
Just wanted to get an idea of how others utilizing Security Onion in
production are handling syslog and SNMP data. Are you guys all
pointing it to Security Onion? Or are options like Splunk and ELSA
with exporting to Security Onion more popular?

Doug Burks

Feb 10, 2012, 11:39:53 AM2/10/12
to securit...@googlegroups.com
Hi mariogd,

If you're already sending syslog data somewhere and it's going across
a Security Onion sensor, then Bro should be automatically capturing
any syslog data it sees to /nsm/bro/logs/current/syslog.log.

Security Onion also includes OSSEC, which has a syslog collector. You
just have to enable it and tell it which IP addresses it should accept
logs from. OSSEC will then do analysis and alerting based on the
events it sees. Alerts go to the Sguil console. For more information
about OSSEC, please see:
http://www.ossec.net/

In the future, we'll have ELSA for a nice web-based interface to all this.

Hope that helps!

Thanks,
Doug

--
Doug Burks
SANS GSE and Community Instructor
Security Onion | http://securityonion.blogspot.com
President, Greater Augusta ISSA | http://augusta.issa.org
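To make the two collection paths in the reply above concrete, here is an added example (my own code, not part of Doug's reply or of Security Onion). It parses Bro's tab-separated syslog.log (the file at /nsm/bro/logs/current/syslog.log, whose header lines name the fields of Bro's Syslog::Info record), summarizes what each sending host logged, flags senders outside the networks you expect, and renders the OSSEC `<remote>` block that turns on OSSEC's syslog collector for those networks. The log lines, hosts and addresses are constructed for the example; the OSSEC element names (remote, connection, allowed-ips, port, protocol) are OSSEC's own.

```python
"""Parse Bro's syslog.log and derive an OSSEC syslog-collector config.

Added example for the Security Onion thread; not project code.
The sample log below is constructed, in Bro's ASCII log format
(tab-separated, with '#' header lines).
"""
import ipaddress
from collections import Counter

# Constructed sample: three syslog messages seen on the sensor, two from
# hosts on the expected LAN and one from an address nobody told us about.
SAMPLE_SYSLOG_LOG = """#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tsyslog
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tfacility\tseverity\tmessage
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tstring\tstring
1328886490.123456\tCjhGD4nQcgTWjvg4c\t10.0.1.20\t44321\t10.0.1.5\t514\tudp\tAUTH\tINFO\tsshd[1234]: Accepted publickey for alice
1328886491.000000\tCsK9z61xbQ5F2V0Y3\t10.0.1.21\t51000\t10.0.1.5\t514\tudp\tAUTHPRIV\tWARNING\tsshd[2231]: Failed password for root from 203.0.113.9
1328886492.500000\tCR4m2h2sR0mM7b0w9\t192.0.2.77\t33333\t10.0.1.5\t514\tudp\tUSER\tNOTICE\tunexpected host says hello
"""


def parse_bro_log(text):
    """Yield one dict per record, keyed by the names in the #fields header.

    Handles Bro's escaped '#separator' line, the '#unset_field' marker
    (mapped to None) and ignores the other header lines.
    """
    sep, unset, fields = "\t", "-", None
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#separator "):
            # Bro writes the separator escaped, e.g. '\x09' for a tab.
            sep = line[len("#separator "):].encode().decode("unicode_escape")
            continue
        if line.startswith("#"):
            parts = line[1:].split(sep)
            if parts[0] == "fields":
                fields = parts[1:]
            elif parts[0] == "unset_field":
                unset = parts[1]
            continue
        if fields is None:
            raise ValueError("data line before #fields header")
        values = line.split(sep)
        yield {k: (None if v == unset else v) for k, v in zip(fields, values)}


def severity_by_host(records):
    """Map each sending host (id.orig_h) to a Counter of syslog severities."""
    summary = {}
    for r in records:
        summary.setdefault(r["id.orig_h"], Counter())[r["severity"]] += 1
    return summary


def unexpected_sources(records, allowed_nets):
    """Return sorted senders whose address is in none of allowed_nets.

    Useful as a check that every syslog source on the wire is one you
    intend to whitelist in OSSEC; anything else deserves a look.
    """
    nets = [ipaddress.ip_network(n) for n in allowed_nets]
    odd = set()
    for r in records:
        host = ipaddress.ip_address(r["id.orig_h"])
        if not any(host in n for n in nets):
            odd.add(str(host))
    return sorted(odd)


def ossec_remote_block(allowed_nets, port=514, protocol="udp"):
    """Render the <remote> block that enables OSSEC's syslog collector.

    Goes inside <ossec_config> in ossec.conf; one <allowed-ips> per
    network you accept logs from. Element names are OSSEC's own.
    """
    lines = ["<remote>", "  <connection>syslog</connection>"]
    lines += [f"  <allowed-ips>{net}</allowed-ips>" for net in allowed_nets]
    lines += [f"  <port>{port}</port>", f"  <protocol>{protocol}</protocol>", "</remote>"]
    return "\n".join(lines)


if __name__ == "__main__":
    recs = list(parse_bro_log(SAMPLE_SYSLOG_LOG))
    allowed = ["10.0.1.0/24"]          # assumed: the LAN we expect logs from
    for host, sev in severity_by_host(recs).items():
        print(host, dict(sev))
    print("not whitelisted:", unexpected_sources(recs, allowed))
    print(ossec_remote_block(allowed))
```

Bro only sees syslog that crosses a monitored interface, so this passive view is a cheap way to inventory who is already sending before you whitelist them in OSSEC. After adding the `<remote>` block, restart OSSEC and make sure the sensor's host firewall allows UDP 514 in from those networks; otherwise OSSEC will silently receive nothing.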

Mario DiNatale

Feb 10, 2012, 12:00:24 PM2/10/12
to securit...@googlegroups.com, securit...@googlegroups.com
Thanks Doug, I understand that much. I think maybe I worded my question incorrectly. I'm trying to get an idea of other users' preferred/best-case scenarios and why, and whether there's added value in one option or another, etc. But considering you guys are going to integrate ELSA, I may just wait for integration. I'd still like to hear how you and others are handling syslog/Security Onion integration, though.

Sent from my iPhone

Scott Runnels

Feb 10, 2012, 12:43:04 PM2/10/12
to securit...@googlegroups.com
Hi Mariogd,

I'm about halfway done with the ELSA integration and I'm hoping to see a working version soon if all goes well.  It's a big project!  My impetus for attempting to integrate ELSA is this:

When I took Mr Bejtlich's TCP Weapons class, he relied heavily on SecurityOnion (how I discovered Doug's awesomeness!) and Splunk.  He would basically shovel as many logs as he could to Splunk and pivot to Splunk when he wanted to validate the information presented in SecurityOnion - did malware detonate on a host, is there any evidence of that, etc.  So, host logs, event logs, weblogs, anything.  Splunk is /really/ good at taking as much data as you can throw at it.  However, Splunk is costly and one of the beauties of SecurityOnion is in no time flat you're up and running and looking at actionable intelligence.  We think that providing log correlation would make that intelligence more robust and be an immense help to responders.  Martin Holste's ELSA project is a fantastic tool. 

v/r
Scott Runnels
--
Scott Runnels

