Help with adding custom firewall rules

[DoughnutPeach]

Version

2.4.50

Installation Method

Security Onion ISO image

Description

configuration

Installation Type

Distributed

Location

cloud

Hardware Specs

Exceeds minimum requirements

CPU

32

RAM

16

Storage for /

500

Storage for /nsm

1TB

Network Traffic Collection

span port

Network Traffic Speeds

1Gbps to 10Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

No, there are no failures

Logs

No, there are no additional clues

Detail

Context

We already have existing syslog pipelines and would like to pipe out syslog data from my entire Distributed Security Onion setup (from all master, sensors, fleet nodes) to our external syslog server.

I have tried following the manual https://docs.securityonion.net/en/2.4/firewall.html#creating-a-custom-host-group-with-a-custom-port-group, but I'm still lost as to how to implement this.

A few questions:

1. How do I correctly define the firewall role? I have already created customhostgroup1 and customportgroup1, but I still can't find the iptables output that defines ALLOW onion-hosts -> customhostgroup1:customportgroup1
2. What are the DOCKER-USER and INPUT options under firewall role? Which should I be using?

Thanks in advance for any help!

Guidelines

• I have read the discussion guidelines at Read before posting! #1720 and assert that I have followed the guidelines.

[cm-ops]

Just so I am clear, you want to send your SO server's syslog to an external syslog server?

[DoughnutPeach]

Yup thats right.

[cm-ops]

You could set up a Logstash syslog output plugin to do that https://docs.securityonion.net/en/2.4/logstash.html#forwarding-events-to-an-external-destination https://www.elastic.co/guide/en/logstash/current/plugins-outputs-syslog.html

[petiepooo]

To be clear, the firewall configuration in Security Onion is for inbound connections to your sensors. There is no firewall configuration needed for outbound connections, AFAIK. Your external syslog server may need something, but if it's receiving syslog from other hosts now, that's probably already done.