Syslog to Elastic Integration - 2.4.x

[trb143]

I am trying to get syslog integration working between a Raspberry Pi and SO. The PI is working as a bastion and network traffic is covered by Zeek. I am trying to add syslog via the Elastic ingestor.
When I connect rsyslog between the machines the logs sync correctly but this is not what I want as the log messages get merged in SO.
I have added the Raspberry PI IP address to the syslog firewall rules in the SOC.
When I disable the listening port on SO rsyslog.conf the Raspberry PI complains it cannot see a listener on 514. Running NMAP from the PI shows the port is closed.
I have read the documentation for 2.3 and 2.4 to see what I am missing and I thought I had done everything.

[cm-ops]

Did you follow this? https://docs.securityonion.net/en/2.4/syslog.html?highlight=syslog#syslog

[trb143]

yes I have, How can I check the external firewall from within my Onion box as NMAP from the bastion is seeing a port but with a status of closed.

[willb0t]

I am having the same problem. I am trying to get syslog forwarding from my pfsense box to the so box.
I have checked the firewall and can see the fire entry using iptables -L

[root@securityonion ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- 172.17.1.0/24 anywhere tcp
ACCEPT udp -- 172.17.1.0/24 anywhere udp
ACCEPT tcp -- securityonion anywhere tcp
ACCEPT udp -- securityonion anywhere udp
ACCEPT tcp -- securityonion anywhere tcp dpt:4505
ACCEPT tcp -- securityonion anywhere tcp dpt:4506
ACCEPT tcp -- securityonion anywhere tcp dpt:shell
ACCEPT udp -- securityonion anywhere udp dpt:syslog
ACCEPT udp -- securityonion anywhere udp dpt:etlservicemgr
ACCEPT tcp -- 192.168.5.0/24 anywhere tcp dpt:shell
ACCEPT udp -- 192.168.5.0/24 anywhere udp dpt:syslog
ACCEPT udp -- 192.168.5.0/24 anywhere udp dpt:etlservicemgr
ACCEPT tcp -- _gateway anywhere tcp dpt:shell
ACCEPT udp -- _gateway anywhere udp dpt:syslog
ACCEPT udp -- _gateway anywhere udp dpt:etlservicemgr
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
DROP all -- anywhere anywhere ctstate INVALID
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
ACCEPT icmp -- anywhere anywhere
LOGGING all -- anywhere anywhere

Chain FORWARD (policy DROP)
target prot opt source destination
DOCKER-USER all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-1 all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
DROP all -- anywhere anywhere ctstate INVALID
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
DROP icmp -- anywhere anywhere icmp timestamp-reply

Chain DOCKER (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere 172.17.1.20 tcp dpt:commplex-main
ACCEPT tcp -- anywhere 172.17.1.22 tcp dpt:wap-wsp
ACCEPT tcp -- anywhere 172.17.1.22 tcp dpt:vrace
ACCEPT tcp -- anywhere 172.17.1.21 tcp dpt:8220
ACCEPT tcp -- anywhere 172.17.1.44 tcp dpt:webcache
ACCEPT tcp -- anywhere 172.17.1.26 tcp dpt:d-s-n
ACCEPT tcp -- anywhere 172.17.1.27 tcp dpt:esmagent
ACCEPT tcp -- anywhere 172.17.1.28 tcp dpt:vop
ACCEPT tcp -- anywhere 172.17.1.28 tcp dpt:4434
ACCEPT tcp -- anywhere 172.17.1.29 tcp dpt:rtraceroute
ACCEPT tcp -- anywhere 172.17.1.29 tcp dpt:lxi-evntsvc
ACCEPT tcp -- anywhere 172.17.1.29 tcp dpt:unot
ACCEPT tcp -- anywhere 172.17.1.29 tcp dpt:intecom-ps1
ACCEPT tcp -- anywhere 172.17.1.29 tcp dpt:5644
ACCEPT tcp -- anywhere 172.17.1.29 tcp dpt:6050
ACCEPT tcp -- anywhere 172.17.1.29 tcp dpt:6051
ACCEPT tcp -- anywhere 172.17.1.29 tcp dpt:6052
ACCEPT tcp -- anywhere 172.17.1.29 tcp dpt:6053
ACCEPT tcp -- anywhere 172.17.1.29 tcp dpt:micromuse-ncpw
ACCEPT tcp -- anywhere 172.17.1.30 tcp dpt:mysql
ACCEPT tcp -- anywhere 172.17.1.31 tcp dpt:http
ACCEPT tcp -- anywhere 172.17.1.31 tcp dpt:https
ACCEPT tcp -- anywhere 172.17.1.31 tcp dpt:pcsync-https
ACCEPT tcp -- anywhere 172.17.1.31 tcp dpt:7788
ACCEPT tcp -- anywhere 172.17.1.33 tcp dpt:redis
ACCEPT tcp -- anywhere 172.17.1.33 tcp dpt:9696
ACCEPT tcp -- anywhere 172.17.1.34 tcp dpt:9822
ACCEPT tcp -- anywhere 172.17.1.35 tcp dpt:afs3-fileserver
ACCEPT tcp -- anywhere 172.17.1.41 tcp dpt:redis
ACCEPT tcp -- anywhere 172.17.1.40 tcp dpt:redis
ACCEPT tcp -- anywhere 172.17.1.38 tcp dpt:57314

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target prot opt source destination
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
RETURN all -- anywhere anywhere

Chain DOCKER-ISOLATION-STAGE-2 (1 references)
target prot opt source destination
DROP all -- anywhere anywhere
RETURN all -- anywhere anywhere

Chain DOCKER-USER (1 references)
target prot opt source destination
ACCEPT tcp -- securityonion anywhere tcp
ACCEPT udp -- securityonion anywhere udp
ACCEPT tcp -- securityonion anywhere tcp dpt:hbci
ACCEPT tcp -- securityonion anywhere tcp dpt:mysql
ACCEPT tcp -- securityonion anywhere tcp dpt:esmagent
ACCEPT tcp -- securityonion anywhere tcp dpt:redis
ACCEPT tcp -- securityonion anywhere tcp dpt:9696
ACCEPT tcp -- securityonion anywhere tcp dpt:d-s-n
ACCEPT tcp -- securityonion anywhere tcp dpt:wap-wsp
ACCEPT tcp -- securityonion anywhere tcp dpt:vrace
ACCEPT tcp -- securityonion anywhere tcp dpt:commplex-main
ACCEPT tcp -- securityonion anywhere tcp dpt:https
ACCEPT tcp -- securityonion anywhere tcp dpt:https
ACCEPT tcp -- securityonion anywhere tcp dpt:lxi-evntsvc
ACCEPT tcp -- securityonion anywhere tcp dpt:5644
ACCEPT tcp -- securityonion anywhere tcp dpt:intecom-ps1
ACCEPT tcp -- securityonion anywhere tcp dpt:redis
ACCEPT tcp -- securityonion anywhere tcp dpt:9696
ACCEPT tcp -- securityonion anywhere tcp dpt:vrace
ACCEPT tcp -- securityonion anywhere tcp dpt:8220
ACCEPT tcp -- securityonion anywhere tcp dpt:unot
ACCEPT tcp -- securityonion anywhere tcp dpt:pcsync-https
ACCEPT tcp -- securityonion anywhere tcp dpt:rtraceroute
ACCEPT tcp -- securityonion anywhere tcp dpt:57314
ACCEPT tcp -- securityonion anywhere tcp dpt:7788
ACCEPT tcp -- 192.168.5.0/24 anywhere tcp dpt:http
ACCEPT tcp -- 192.168.5.0/24 anywhere tcp dpt:https
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
LOGGING all -- anywhere anywhere
RETURN all -- anywhere anywhere

Chain LOGGING (2 references)
target prot opt source destination[root@securityonion ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- 172.17.1.0/24 anywhere tcp
ACCEPT udp -- 172.17.1.0/24 anywhere udp
ACCEPT tcp -- securityonion anywhere tcp
ACCEPT udp -- securityonion anywhere udp
ACCEPT tcp -- securityonion anywhere tcp dpt:4505
ACCEPT tcp -- securityonion anywhere tcp dpt:4506
ACCEPT tcp -- securityonion anywhere tcp dpt:shell
ACCEPT udp -- securityonion anywhere udp dpt:syslog
ACCEPT udp -- securityonion anywhere udp dpt:etlservicemgr
ACCEPT tcp -- 192.168.5.0/24 anywhere tcp dpt:shell
ACCEPT udp -- 192.168.5.0/24 anywhere udp dpt:syslog
ACCEPT udp -- 192.168.5.0/24 anywhere udp dpt:etlservicemgr
ACCEPT tcp -- _gateway anywhere tcp dpt:shell
ACCEPT udp -- _gateway anywhere udp dpt:syslog
ACCEPT udp -- _gateway anywhere udp dpt:etlservicemgr
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
DROP all -- anywhere anywhere ctstate INVALID
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
ACCEPT icmp -- anywhere anywhere
LOGGING all -- anywhere anywhere

Chain FORWARD (policy DROP)
target prot opt source destination
DOCKER-USER all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-1 all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
DROP all -- anywhere anywhere ctstate INVALID
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
DROP icmp -- anywhere anywhere icmp timestamp-reply

Chain DOCKER (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere 172.17.1.20 tcp dpt:commplex-main
ACCEPT tcp -- anywhere 172.17.1.22 tcp dpt:wap-wsp
ACCEPT tcp -- anywhere 172.17.1.22 tcp dpt:vrace
ACCEPT tcp -- anywhere 172.17.1.21 tcp dpt:8220
ACCEPT tcp -- anywhere 172.17.1.44 tcp dpt:webcache
ACCEPT tcp -- anywhere 172.17.1.26 tcp dpt:d-s-n
ACCEPT tcp -- anywhere 172.17.1.27 tcp dpt:esmagent
ACCEPT tcp -- anywhere 172.17.1.28 tcp dpt:vop
ACCEPT tcp -- anywhere 172.17.1.28 tcp dpt:4434
ACCEPT tcp -- anywhere 172.17.1.29 tcp dpt:rtraceroute
ACCEPT tcp -- anywhere 172.17.1.29 tcp dpt:lxi-evntsvc
ACCEPT tcp -- anywhere 172.17.1.29 tcp dpt:unot
ACCEPT tcp -- anywhere 172.17.1.29 tcp dpt:intecom-ps1
ACCEPT tcp -- anywhere 172.17.1.29 tcp dpt:5644
ACCEPT tcp -- anywhere 172.17.1.29 tcp dpt:6050
ACCEPT tcp -- anywhere 172.17.1.29 tcp dpt:6051
ACCEPT tcp -- anywhere 172.17.1.29 tcp dpt:6052
ACCEPT tcp -- anywhere 172.17.1.29 tcp dpt:6053
ACCEPT tcp -- anywhere 172.17.1.29 tcp dpt:micromuse-ncpw
ACCEPT tcp -- anywhere 172.17.1.30 tcp dpt:mysql
ACCEPT tcp -- anywhere 172.17.1.31 tcp dpt:http
ACCEPT tcp -- anywhere 172.17.1.31 tcp dpt:https
ACCEPT tcp -- anywhere 172.17.1.31 tcp dpt:pcsync-https
ACCEPT tcp -- anywhere 172.17.1.31 tcp dpt:7788
ACCEPT tcp -- anywhere 172.17.1.33 tcp dpt:redis
ACCEPT tcp -- anywhere 172.17.1.33 tcp dpt:9696
ACCEPT tcp -- anywhere 172.17.1.34 tcp dpt:9822
ACCEPT tcp -- anywhere 172.17.1.35 tcp dpt:afs3-fileserver
ACCEPT tcp -- anywhere 172.17.1.41 tcp dpt:redis
ACCEPT tcp -- anywhere 172.17.1.40 tcp dpt:redis
ACCEPT tcp -- anywhere 172.17.1.38 tcp dpt:57314

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target prot opt source destination
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
RETURN all -- anywhere anywhere

Chain DOCKER-ISOLATION-STAGE-2 (1 references)
target prot opt source destination
DROP all -- anywhere anywhere
RETURN all -- anywhere anywhere

Chain DOCKER-USER (1 references)
target prot opt source destination
ACCEPT tcp -- securityonion anywhere tcp
ACCEPT udp -- securityonion anywhere udp
ACCEPT tcp -- securityonion anywhere tcp dpt:hbci
ACCEPT tcp -- securityonion anywhere tcp dpt:mysql
ACCEPT tcp -- securityonion anywhere tcp dpt:esmagent
ACCEPT tcp -- securityonion anywhere tcp dpt:redis
ACCEPT tcp -- securityonion anywhere tcp dpt:9696
ACCEPT tcp -- securityonion anywhere tcp dpt:d-s-n
ACCEPT tcp -- securityonion anywhere tcp dpt:wap-wsp
ACCEPT tcp -- securityonion anywhere tcp dpt:vrace
ACCEPT tcp -- securityonion anywhere tcp dpt:commplex-main
ACCEPT tcp -- securityonion anywhere tcp dpt:https
ACCEPT tcp -- securityonion anywhere tcp dpt:https
ACCEPT tcp -- securityonion anywhere tcp dpt:lxi-evntsvc
ACCEPT tcp -- securityonion anywhere tcp dpt:5644
ACCEPT tcp -- securityonion anywhere tcp dpt:intecom-ps1
ACCEPT tcp -- securityonion anywhere tcp dpt:redis
ACCEPT tcp -- securityonion anywhere tcp dpt:9696
ACCEPT tcp -- securityonion anywhere tcp dpt:vrace
ACCEPT tcp -- securityonion anywhere tcp dpt:8220
ACCEPT tcp -- securityonion anywhere tcp dpt:unot
ACCEPT tcp -- securityonion anywhere tcp dpt:pcsync-https
ACCEPT tcp -- securityonion anywhere tcp dpt:rtraceroute
ACCEPT tcp -- securityonion anywhere tcp dpt:57314
ACCEPT tcp -- securityonion anywhere tcp dpt:7788
ACCEPT tcp -- 192.168.5.0/24 anywhere tcp dpt:http
ACCEPT tcp -- 192.168.5.0/24 anywhere tcp dpt:https
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
LOGGING all -- anywhere anywhere
RETURN all -- anywhere anywhere

Chain LOGGING (2 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 2/min burst 5 LOG level warning prefix "IPTables-dropped: "
DROP all -- anywhere anywhere
LOG all -- anywhere anywhere limit: avg 2/min burst 5 LOG level warning prefix "IPTables-dropped: "
DROP all -- anywhere anywhere

I did see a diff when I did a so-firewall apply
Changes:
----------
diff:
---
+++
@@ -121,6 +121,8 @@
-A INPUT -s 192.168.5.236 -p udp -m udp --dport 514 -j ACCEPT
-A INPUT -s 192.168.5.0/24 -p tcp -m tcp --dport 514 -j ACCEPT
-A INPUT -s 192.168.5.0/24 -p udp -m udp --dport 514 -j ACCEPT
+-A INPUT -s 192.168.5.1 -p tcp -m tcp --dport 514 -j ACCEPT
+-A INPUT -s 192.168.5.1 -p udp -m udp --dport 514 -j ACCEPT

               -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
               -A INPUT -i lo -j ACCEPT

---

      ID: disable_firewalld
Function: service.dead
    Name: firewalld
  Result: True
 Comment: The service firewalld is already dead
 Started: 17:40:41.930419
Duration: 46.221 ms
 Changes:

[trb143]

Interesting.
I did a iptables -L | grep syslog and this produced

ACCEPT udp -- anywhere udp dpt:syslog

so for me, the SOC firewall only added upd messages.
running so-firewall allow did nothing

I changed the rsyslog configuration to send UDP messages and things are now working and I am seeing parsed messages.

BUT
why do you have TCP and I do not - The Elastic endpoint has both configured.
I seem to have needed to switch on parsing of messages. Is this correct?

[willb0t]

I ran the command via so-firewall, kind of miss so-allow
Also found out that if you make changes in the UI and manually execute so-firewall apply it makes it happen