-
Dear Friends, right now I just make a SPAN port on the aggregation switch and collect the logs in my Elastic. Thanks
Replies: 2 comments 3 replies
-
While @dougburks' answer isn't incorrect, it's incomplete. Filebeat has modules for a variety of network devices, which do a lot more parsing of the logs than the syslog module, and the results go into their own indices. Here are some examples of how to configure modules in Security Onion. I'm using the modules for Palo Alto and Cisco ASA. I have the Filebeat instance running on a sensor node, with a listening port for each module. The network devices send syslog to the appropriate port on the sensor. (You could instead configure Filebeat on the manager node to do this, but I like having some buffering of the data.) If you just use basic syslog, you'll just end up with a bunch of log messages. With the modules you get details like source and destination split out into their own fields (depending on the particular messages). The modules aren't perfect, see my screed in #5553, but they're better than generic syslog.
https://docs.securityonion.net/en/2.3/syslog.html
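As an added illustration of the per-module listener setup described in the second comment (not configuration taken from the poster or from the Security Onion project), here is a plain Filebeat `modules.d` fragment using the `panw` and `cisco` modules, each bound to its own syslog port on the sensor. The port numbers and bind address are assumptions; each network device would be pointed at the port belonging to its module.

```yaml
# Added example: one Filebeat module per device family, each with its own
# syslog listener, so parsed events land in module-specific fields/indices
# instead of a single raw syslog "message" field.

# Palo Alto firewalls: point PAN-OS syslog forwarding at UDP/TCP 9001.
- module: panw
  panos:
    enabled: true
    # Bind address and port are constructed for this example.
    var.syslog_host: 0.0.0.0
    var.syslog_port: 9001

# Cisco ASA firewalls: point ASA "logging host" at port 9002.
- module: cisco
  asa:
    enabled: true
    var.input: syslog
    var.syslog_host: 0.0.0.0
    var.syslog_port: 9002

# Using a distinct port per module matters: if both devices sent to one
# generic syslog listener, Filebeat could not apply the right parser and
# the events would arrive as unstructured text.
```

The listening ports must be reachable from the network devices, so whatever host firewall the sensor runs needs to permit them before the devices are pointed at the sensor.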