Pointing an external Logstash to Security Onion

[hacker0ni]

In this guide I'll share the basics of pointing your own Logstash to the ElasticSearch running on one of your Search Nodes. This applies to Distributed Deployments only.

1 - Set up Logstash on your chosen server and configure the inputs and filters.
2 - Go to /opt/so/saltstack/local/salt/elasticsearch/curl.config on the manager node and grab the credentials from there. It should be formatted like ":"
3 - Create the Logstash output configuration file and output it to ElasticSearch, make sure to add the IP address of the Search Node under the hosts. You can also specify the Ingest Node pipeline you want to use, if you have one. One example config would look like this:

output {
 elasticsearch {
    pipeline => "my_pipeline"
    hosts => "<IP_of_search_node>"
    user => "<username>"
    password => "<password_from_curl.config>"

    index => "so-test"
    ssl => true
    ssl_certificate_verification => false
  }
}

4 - Create a hostgroup on the manager node using so-firewall addhostgroup <my_group>
5 - Add the IP of the logstash instance to this group using so-firewall includehost <my_group> <logstash_server_ip>
6 - Go to the minion.sls file of the Search node you're going to ship logs to, and append the following to the file, replace <my_group> with your host group name (not in quotes). This file is in /opt/so/saltstack/local/salt/pillar/<searchnode_name.sls>:

firewall:
  assigned_hostgroups:
    chain:
      DOCKER-USER:
        hostgroups:
          <my_group>:
            portgroups:
              - portgroups.elasticsearch_node
              - portgroups.elasticsearch_rest

7 - Apply the firewall state on that search node using sudo salt "<searchnode_name>" state.apply firewall
8 - Run the Logstash instance to start shipping logs to SO. By default some fields may not be named the same as the ones in the Hunt interface, so you might not see details in there. If you need to parse those fields, you'll need to write an ingest node pipeline which is specified in the output config, which I can write about upon request.

This isn't the best and most secure way to implement this but hopefully it helps! I'd appreciate feedback!

[tientmse62290]

Thanks for sharing

I see the output have the ssl. Do we need a ssl trust or anything to use that?
Thanks

[wdpless]

Great Work!

[weslambert]

In this guide I'll share the basics of pointing your own Logstash to the ElasticSearch running on one of your Search Nodes. This applies to Distributed Deployments only.

1 - Set up Logstash on your chosen server and configure the inputs and filters. 2 - Go to /opt/so/saltstack/local/salt/elasticsearch/curl.config on the manager node and grab the credentials from there. It should be formatted like ":" 3 - Create the Logstash output configuration file and output it to ElasticSearch, make sure to add the IP address of the Search Node under the hosts. You can also specify the Ingest Node pipeline you want to use, if you have one. One example config would look like this:

output {
 elasticsearch {
    pipeline => "my_pipeline"
    hosts => "<IP_of_search_node>"
    user => "<username>"
    password => "<password_from_curl.config>"

    index => "so-test"
    ssl => true
    ssl_certificate_verification => false
  }
}

4 - Create a hostgroup on the manager node using so-firewall addhostgroup <my_group> 5 - Add the IP of the logstash instance to this group using so-firewall includehost <my_group> <logstash_server_ip> 6 - Go to the minion.sls file of the Search node you're going to ship logs to, and append the following to the file, replace <my_group> with your host group name (not in quotes). This file is in /opt/so/saltstack/local/salt/pillar/<searchnode_name.sls>:

firewall:
  assigned_hostgroups:
    chain:
      DOCKER-USER:
        hostgroups:
          <my_group>:
            portgroups:
              - portgroups.elasticsearch_node
              - portgroups.elasticsearch_rest

7 - Apply the firewall state on that search node using sudo salt "<searchnode_name>" state.apply firewall 8 - Run the Logstash instance to start shipping logs to SO. By default some fields may not be named the same as the ones in the Hunt interface, so you might not see details in there. If you need to parse those fields, you'll need to write an ingest node pipeline which is specified in the output config, which I can write about upon request.

This isn't the best and most secure way to implement this but hopefully it helps! I'd appreciate feedback!

Thanks for posting, however, I would advise approaching this a bit differently. Ideally, you would want to use the Lumberjack plugin, however, we don't package that with our version of Logstash. But, you can still use the http or tcp input plugin within the manager pipeline to receive events from the exterior Logstash instance at your manager's Logstash instance. What ends up happening when you directly hit Elasticsearch is that the load is no longer spread out among the nodes in your distributed environment, and you end up pummeling a single search node with the data. In some cases, this is acceptable, but in the case where there are a lot of events coming from the exterior instance, there could be some performance issues, since you are bypassing the redis queue and distribution of events amongst the nodes in the grid.

[hacker0ni]

This can be addressed by loadbalancing the Elasticsearch output to include all the Search nodes on your grid.