Alert summary log file

[ConRock5000]

Are the alerts shown in the Security Onion - Alerts page listed/output to a log file as well?
I was wondering if there was a log file that contained the same information that is available in the Alerts page. Something I could monitor with with code.
Or even a real-time rollup/summary of all the high severity events security onion is pulling in - but exported back into a single log.

I'm not looking for a daily/weekly report. I saw that asked in other discussions.

Thanks for the help.

[dougburks]

All alerts and logs are stored in Elasticsearch:
https://docs.securityonion.net/en/2.3/elasticsearch.html

[ConRock5000]

Thank you. Are any of the queries that security onion performs to build the results shown in Alerts available?

[dougburks]

https://github.com/Security-Onion-Solutions/securityonion/blob/master/salt/soc/files/soc/alerts.queries.json

https://github.com/Security-Onion-Solutions/securityonion/blob/master/salt/soc/files/soc/soc.json#L206

https://github.com/Security-Onion-Solutions/securityonion-soc

[ConRock5000]

Thank you. You're going above and beyond here. I just can't figure out how those alert queries work with the so-elasticsearch-query command from the first response. I just get errors with my syntax.
Unless those queries are meant for another tool.

sudo so-elasticsearch-query ':so-/_search' -d '{"query": {"match_all": {}},"size": 1}' | jq

[dougburks]

The queries at https://github.com/Security-Onion-Solutions/securityonion/blob/master/salt/soc/files/soc/alerts.queries.json are in our own OQL format and you can read more about that at https://docs.securityonion.net/en/2.3/dashboards.html#oql.

SOC translates those OQL queries to a standard Elasticsearch query. You can find the SOC source at https://github.com/Security-Onion-Solutions/securityonion-soc.

so-elasticsearch-query sends standard Elasticsearch queries to Elasticsearch. For more about standard Elasticsearch queries, please use your favorite search engine.