Receive Logs Over SSL (Port 6514/TCP) #8760
Replies: 2 comments
-
Here's our Filebeat documentation: Looks like the Filebeat input for syslog supports SSL:
-
Hi @gfabia. I'm also wanting to figure out how to set up syslog over SSL in a distributed deployment. I have the same question as you on where to modify settings. Have you had any luck with this? If so, do you mind sharing what you've learned? Thank you, ...Rob
-
Hi everyone,
Wanted to solicit ideas on how to configure SecurityOnion to receive logs over SSL.
We have a distributed deployment (Manager + 1 Search Node) and wanted to connect AV logs to SecurityOnion. Problem is, AV solution only supports transmitting logs via secure syslog (on port 6514/tcp).
Question is, which settings should I check/modify to make this work? I believe Filebeat (not Syslog-ng) is responsible for receiving logs in SO and that it runs in a Docker container. I also think I should modify the filebeat.yml being read by that container. Is that correct? Right now, I don't know how Filebeat settings are exposed in the SO Manager Node so I can modify them. I also don't know which specific SSL settings are required for this setup. Finally, what other config changes will be necessary (so-firewall/so-allow?, docker daemon configs?).
Will appreciate any help. Thanks in advance!
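For reference, a stand-alone Filebeat syslog input that accepts TLS on 6514/tcp, as discussed in this thread. This is an added example, not a configuration posted by any participant or taken from Security Onion; the certificate paths are placeholders, and where Security Onion exposes its Filebeat settings is not covered here.

```yaml
# Added example: Filebeat syslog input terminating TLS on 6514/tcp.
# All file paths are placeholders, not Security Onion paths.
filebeat.inputs:
  - type: syslog
    protocol.tcp:
      # Listen on all interfaces; restrict to one address if the
      # sender only reaches the host on a specific interface.
      host: "0.0.0.0:6514"
      ssl:
        enabled: true
        # Server certificate and key presented to the log sender.
        certificate: "/path/to/placeholder/syslog-server.crt"
        key: "/path/to/placeholder/syslog-server.key"
        # Refuse legacy protocol versions.
        supported_protocols: ["TLSv1.2", "TLSv1.3"]
        # Mutual TLS: only accept senders whose certificate chains
        # to this CA. If the sender cannot present a client
        # certificate, set client_authentication to "none" and
        # limit access to the port at the firewall instead.
        certificate_authorities: ["/path/to/placeholder/sender-ca.crt"]
        client_authentication: "required"
```

The sender must also trust the CA that issued the server certificate, and the certificate's subject names must match the hostname or IP address the sender is configured to connect to.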