SO setup only for syslogs and windows events

[IzacFrank]

Hello,

I have already a SO server as IDS. I like to have another one only for collecting syslog messages and Windows events and analyzing them.

Should I only create an analyst VM? Would it be enough? What is your recommendation?

Thank you.

Cheers,

Isac

[InfosecGoon]

If you're trying to collect logs to review, you can do that with your current SO server. Simply use so-allow to allow traffic from the endpoints that will be sending logs and they should be parsed and available for you in Hunt.

Dcoumentation:

• so-allow: https://docs.securityonion.net/en/2.3/so-allow.html
• collecting Windows logs: https://docs.securityonion.net/en/2.3/beats.html#winlogbeat
• collecting syslog: https://docs.securityonion.net/en/2.3/syslog.html

[IzacFrank]

Thank you for your advice @InfosecGoon but it is not an option for me to use the existing server.

Would it be possible to install SO without IDS etc., and only with log management apps such as Sylog-ng, wingbeat, elastic, kibana etc.?

Thanks.
Isac

[dougburks]

Yes, you can install a single ManagerSearch box or you can install a Manager box with a separate Search box:
https://docs.securityonion.net/en/2.3/architecture.html#distributed