Skip to content
This repository has been archived by the owner on Apr 16, 2021. It is now read-only.

ThirdPartyIntegration

Jump to bottom
doug edited this page Aug 27, 2019 · 10 revisions

Please note! This wiki is no longer maintained. Our documentation has moved to https://securityonion.net/docs/. Please update your bookmarks. You can find the latest version of this page at: https://securityonion.net/docs/ThirdPartyIntegration.

Introduction

Many organizations would like to take data from Security Onion and send it to third party systems.

Support

We don't provide free support for third party systems, so this wiki page will be just a brief introduction to how you would accomplish this. If you need commercial support, please see: https://www.securityonionsolutions.com

How do I send Bro and OSSEC logs to an external syslog collector?

Configure /etc/syslog-ng/syslog-ng.conf with a new destination to forward to your external syslog collector and then restart syslog-ng.

How do I send IDS alerts to an external system?

2 options:

  • Edit ALL /etc/nsm/HOSTNAME-INTERFACE/barnyard2*.conf files on ALL sensors with a new output to send IDS alerts to your external systems and then restart all barnyard2 instances:
sudo nsm_sensor_ps-restart --only-barnyard2

OR

  • On your master server (running sguild), configure /etc/syslog-ng/syslog-ng.conf with a new source to monitor /var/log/nsm/securityonion/sguild.log for Alert Received lines and a new destination to send to your external system, and then restart syslog-ng. To do this modify /etc/syslog-ng/syslog-ng.conf and add the following lines:
# This line specifies where the sguild.log file is located, and informs syslog-ng to tail the file, the program_override inserts the string sguil_alert into the string
source s_sguil { file("/var/log/nsm/securityonion/sguild.log" program_override("sguil_alert")); };

# This line filters on the string “Alert Received”
filter f_sguil { match("Alert Received"); };

# This line tells syslog-ng to send the data read to the IP address of 10.80.4.37, via UDP to port 514
destination d_sguil_udp { udp("10.80.4.37" port(514)); };

# This log section tells syslog-ng how to structure the previous ‘source / filter / destination’ and is what actually puts them into play
log {
        source(s_sguil);
        filter(f_sguil);
        destination(d_sguil_udp);
};

Please note that this option requires set DEBUG 2 in /etc/sguild/sguild.conf.

Installing FIR on Security Onion

Please see: Installing FIR

Installing GRR on Security Onion

Please see: Installing GRR

Installing NtopNG on Security Onion

Please see: Installing NtopNG

Installing RITA on Security Onion

Please see: Installing RITA

Installing Etherpad on Security Onion

Please see: Installing Etherpad

Getting Started

Update/Upgrade

Analyst Tools

Network Visibility

Host Visibility

Elastic Stack

Customizing for your network

Tuning

Tricks and Tips

Help

Issues

Other

Scripts

Clone this wiki locally