Logs, specifically sysmon #10040
-
The logs are stored in Elasticsearch on the backend, so they can be exported using Kibana or any Elasticsearch-compatible reporting tool. Can you share a little more about your use case? Why do you want to export the logs? As for retention periods, by default most logs are closed after thirty days (the exception being so-zeek, which is forty-five) and deleted after one year by default, unless your /nsm volume reaches 80% utilization, at which point the oldest data will be deleted to free up space. These periods can be adjusted in /opt/so/saltstack/local/pillar/global.sls.
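Since the reply says the logs live in Elasticsearch and can be pulled with any Elasticsearch-compatible tool, here is an added example (not from this discussion or from the Security Onion project) of doing exactly that from the manager with only the Python standard library: it scrolls Sysmon events for a time window and writes a set of ECS fields to CSV. Everything it assumes about the deployment is an assumption, not something stated above: Elasticsearch reachable at https://localhost:9200 on the manager with a self-signed certificate, Winlogbeat data in indices matching so-beats-*, ECS field names (event.module, event.code, host.name, process.*) and optional HTTP basic auth via ES_USER/ES_PASS. Confirm the index pattern and field names in Kibana's Discover view before relying on the filter.

```python
"""Pull Sysmon events out of Security Onion's Elasticsearch and write CSV.

Added example, not code from the discussion above or from the Security Onion
project. Everything below about the deployment is an assumption to verify in
Kibana first: Elasticsearch on https://localhost:9200 of the manager, Winlogbeat
data in indices matching so-beats-*, ECS field names (event.module, event.code,
host.name, @timestamp, process.*), and HTTP basic auth only if it is enabled.
"""
import csv
import json
import os
import ssl
import sys
import urllib.request
from base64 import b64encode

# ECS fields to export; order is the CSV column order (assumed field names).
COLUMNS = ["@timestamp", "host.name", "event.code", "user.name",
           "process.executable", "process.command_line", "destination.ip"]


def build_query(start, end, event_codes=None, size=1000):
    """Bool query: Sysmon module, @timestamp window, optional Sysmon event IDs."""
    must = [
        {"term": {"event.module": "sysmon"}},
        {"range": {"@timestamp": {"gte": start, "lte": end}}},
    ]
    if event_codes:
        # event.code is a keyword field in ECS, so match it as strings
        must.append({"terms": {"event.code": [str(c) for c in event_codes]}})
    return {"size": size,
            "sort": [{"@timestamp": "asc"}],
            "query": {"bool": {"must": must}}}


def get_path(doc, dotted):
    """Resolve a dotted ECS path in a nested _source dict; '' if absent."""
    cur = doc
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return ""
        cur = cur[part]
    return cur if isinstance(cur, str) else json.dumps(cur)


def hits_to_rows(hits, columns=COLUMNS):
    """Flatten search hits into CSV rows in column order."""
    return [[get_path(h.get("_source", {}), c) for c in columns] for h in hits]


def write_csv(rows, fh, columns=COLUMNS):
    """Write a header plus rows; returns the number of data rows written."""
    w = csv.writer(fh)
    w.writerow(columns)
    w.writerows(rows)
    return len(rows)


def scroll_hits(base_url, index, query, user=None, password=None, verify_tls=False):
    """Yield every hit for `query` using the scroll API (2-minute keepalive)."""
    ctx = ssl.create_default_context()
    if not verify_tls:                       # assumed self-signed certificate
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    headers = {"Content-Type": "application/json"}
    if user is not None:
        token = b64encode(f"{user}:{password}".encode()).decode()
        headers["Authorization"] = "Basic " + token

    def post(path, body):
        req = urllib.request.Request(base_url + path, method="POST",
                                     data=json.dumps(body).encode(), headers=headers)
        with urllib.request.urlopen(req, context=ctx) as resp:
            return json.load(resp)

    page = post(f"/{index}/_search?scroll=2m", query)
    while page["hits"]["hits"]:
        yield from page["hits"]["hits"]
        page = post("/_search/scroll",
                    {"scroll": "2m", "scroll_id": page["_scroll_id"]})


# Constructed sample hits so the script runs offline; not real SO output.
SAMPLE_HITS = [
    {"_source": {"@timestamp": "2021-02-01T10:00:00.000Z",
                 "host": {"name": "WS01"},
                 "event": {"module": "sysmon", "code": "1"},
                 "user": {"name": "alice"},
                 "process": {"executable": "C:\\Windows\\System32\\cmd.exe",
                             "command_line": "cmd.exe /c whoami"}}},
    {"_source": {"@timestamp": "2021-02-01T10:00:05.000Z",
                 "host": {"name": "WS01"},
                 "event": {"module": "sysmon", "code": "3"},
                 "process": {"executable": "C:\\Windows\\System32\\curl.exe"},
                 "destination": {"ip": "203.0.113.10"}}},
]

if __name__ == "__main__":
    if len(sys.argv) == 4:
        # usage: export.py 2021-02-01T00:00:00Z 2021-02-02T00:00:00Z out.csv
        start, end, out = sys.argv[1:]
        hits = scroll_hits("https://localhost:9200", "so-beats-*",
                           build_query(start, end),
                           os.environ.get("ES_USER"), os.environ.get("ES_PASS"))
        with open(out, "w", newline="") as fh:
            print(write_csv(hits_to_rows(hits), fh), "rows written")
    else:
        # no arguments: print the constructed sample as CSV
        write_csv(hits_to_rows(SAMPLE_HITS), sys.stdout)
```

Run it on the manager with a start and end timestamp and an output path; with no arguments it prints the constructed sample so the column mapping can be checked first. Pass `event_codes=[1, 3]` to `build_query` to restrict the export to process creation and network connection events, and add columns to `COLUMNS` for any other ECS or winlog.event_data.* fields the Sysmon configuration produces.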
-
Hello, I am currently testing Security Onion version 2.3.2, and it is working fine for network monitoring and PCAP capture. However, I am unsure how Security Onion deals with logs. I have read the documentation and was able to get sysmon + winlogbeat to send logs from Windows machines to Security Onion.
Now, I can see the logs in Security Onion, but I am not sure how to export them similarly to network traffic logs in the PCAP interface. I have not found any threads about exporting logs in the documentation. I tried to export them from Kibana, but I was not able to find an easy way.
Another question I have is about how long the logs or PCAPs are stored in Security Onion, and where I can change that. Also, what happens when the HDD capacity gets full? Where should I look for detailed log management in SO?
Here are examples of Sysmon logs I want to export.