-
Unable to pull in syslogs from remote devices into Security Onion within a Hyper-V VM. Using Kibana/Elastic. I have syslog-ng installed; what should I put in the config?
Replies: 6 comments
-
Take a look at our syslog and Filebeat documentation and the Juniper module for Filebeat:
https://docs.securityonion.net/en/2.3/syslog.html
https://docs.securityonion.net/en/2.3/filebeat.html#filebeat
https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-juniper.html
-
So, I have syslog-ng installed. When I go through this documentation it’s taking me all over the place. I’m not even able to view structured data from Kibana/Elastic. My trial with Elastic Cloud ends today (not sure if this will affect anything, being open source).
I’ve tried to go through the Filebeat modules, but now the Elasticsearch and Filebeat modules are missing and show an error under status. Not sure what I’m doing wrong.
I’ll continue to go through the documentation, but I would thoroughly appreciate any help you can give that will lead me in the right direction 😊
Best Regards,
Derek Hill
Network Administrator
Office: 936-588-7130
Cell: 936-828-6319
-
Ok, so I now have Filebeat installed, but I’m not sure how to get Elasticsearch and Kibana set up, as these are already Docker containers within the Security Onion installation. The Juniper module is enabled; still not getting any syslogs when viewing from the Kibana dashboard.
Best Regards,
Derek Hill
-
I'm not sure I understand your responses as you talk about Elastic Cloud and installing syslog-ng and Filebeat. Filebeat should already be installed by default in Security Onion, syslog-ng should be unnecessary, and I'm not sure how Elastic Cloud is related to the discussion.
Seems like you might want to start a fresh new installation of Security Onion and choose Standalone mode:
https://docs.securityonion.net/en/2.3/architecture.html#standalone
Then follow the links that I provided previously to configure the already installed filebeat to accept Juniper logs:
https://docs.securityonion.net/en/2.3/syslog.html
https://docs.securityonion.net/en/2.3/filebeat.html#filebeat
https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-juniper.html
-
Ok, I see my mistake now; I was trying to install Elasticsearch and Filebeat on top of the embedded containers Security Onion has for these.
I’ve installed the standalone version of Security Onion. I’ve enabled the Juniper modules within the filebeat.yml file. I’ve configured syslog to reach my designated network via the so-allow command.
Which config file would I make the changes in for this link? Juniper module | Filebeat Reference [8.1] | Elastic: https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-juniper.html

```yaml
# Filebeat's Juniper module is named "juniper"; its SRX syslog fileset is "junos"
# (there is no "firewall" fileset). 9006 is the junos fileset's default UDP port.
- module: juniper
  junos:
    enabled: true
    var.input: udp
    var.syslog_host: 0.0.0.0
    var.syslog_port: 9006
```

Also, I’m getting the attached errors in filebeat.log. Are there any videos out there that show these steps, like Using ELSA in Security Onion to parse Juniper SRX logs | jackofalltech (wordpress.com): https://jackofalltech.wordpress.com/2015/04/10/using-elsa-in-security-onion-to-parse-juniper-srx-logs/?
Best Regards,
Derek Hill
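When "still not getting any syslogs" is the symptom, the first thing to establish is whether the SRX's messages reach a UDP listener at all and whether they carry the junos structured-data block the Filebeat junos fileset parses. The script below is an added example, not code from this thread, from Security Onion or from Elastic: it parses a constructed RFC 5424 RT_FLOW message (assumed format; hostname, addresses and policy name are made up) and does a loopback send/receive through a UDP socket so the listener path can be checked without a device.

```python
import re
import socket

# Constructed sample of a Juniper SRX RT_FLOW session-close message in RFC 5424 form
# (assumed format; addresses, hostname and policy name are made up for this example).
SAMPLE = (
    '<14>1 2022-04-13T12:17:05.123Z srx340-edge RT_FLOW - RT_FLOW_SESSION_CLOSE '
    '[junos@2636.1.1.1.2.129 reason="TCP FIN" source-address="10.0.0.5" '
    'source-port="51234" destination-address="203.0.113.10" destination-port="443" '
    'protocol-id="6" policy-name="allow-web"] session closed TCP FIN'
)

# PRI, version 1, timestamp, host, app, procid, msgid, then one structured-data element.
HEADER = re.compile(
    r'^<(?P<pri>\d+)>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) \S+ (?P<msgid>\S+) '
    r'\[(?P<sdid>[^ \]]+)(?P<sd>[^\]]*)\]'
)
KV = re.compile(r'(\S+?)="([^"]*)"')  # key="value" pairs inside the SD element


def parse_junos(line):
    """Return header fields plus the junos structured-data keys as a dict, or None
    if the line is not an RFC 5424 message carrying a structured-data element."""
    m = HEADER.match(line)
    if not m:
        return None
    pri = int(m.group('pri'))
    rec = {
        'facility': pri >> 3, 'severity': pri & 7, 'timestamp': m.group('ts'),
        'host': m.group('host'), 'app': m.group('app'), 'msgid': m.group('msgid'),
        'sd_id': m.group('sdid'),
    }
    rec.update(KV.findall(m.group('sd')))
    return rec


def loopback_test(payload=SAMPLE, port=0):
    """Bind a UDP listener on 127.0.0.1 (port 0 = any free port; use 9006 to mimic
    the junos fileset default), send the payload to it and return the parsed record,
    or None if nothing arrived within two seconds."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as rx, \
         socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as tx:
        rx.bind(('127.0.0.1', port))
        rx.settimeout(2.0)
        tx.sendto(payload.encode(), rx.getsockname())
        try:
            data, _ = rx.recvfrom(65535)
        except socket.timeout:
            return None
    return parse_junos(data.decode(errors='replace'))
```

Pointing the sender at the Security Onion node and the listener port instead of loopback reproduces the device's path through the so-allow firewall rule; a message that arrives but parses to None means the SRX is sending the BSD syslog format rather than structured-data, which is a device-side logging setting, not a Filebeat problem.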
-
You should be able to do something similar to one of the other filebeat examples shown at: