Syslog shows *missing

[Skullack]

Hey community.

I am getting over 9 million *missing on syslog in 24 hours on the alerts tab and not sure where this is coming from or even how to stop getting that.

Can anyone point me in a direction on what to look for that is causing this and possible fix.

[InfosecGoon]

That Sankey diagram seems to indicate that you've got a whole lot of data coming in via syslog, but it's not being recognized so it doesn't have an event.category assigned to it (hence the *Missing). What are you ingesting via syslog in Security Onion?

If you need to see what's coming in, try this query in Hunt:

event.dataset: "syslog" | groupby source.ip

[Skullack]

Ah awesome thank you for the direction. I will look into that tonight and hopefully it works out.

[Skullack]

to confirm the config for CEF looks like this.
filebeat:
third_party_filebeat:
modules:
cef:
log:
enabled: true
var.syslog_host: 0.0.0.0

[Skullack]

Would I need to change my port on the CEF logs being send. It is currently sending to SO on port 514. Would I need to change it to 9003 ?

[Skullack]

Its finally working as it should thanks to you. Logs are starting to look normal and parsing correctly. Thank you for the help and the direction.

[An0th3rguy]

Have you managed to map it to the existing syslog port 514 or you did configuration for a new port (9003). If you could provide more details how you got it work. Thanks

[Skullack]

That Sankey diagram seems to indicate that you've got a whole lot of data coming in via syslog, but it's not being recognized so it doesn't have an event.category assigned to it (hence the *Missing). What are you ingesting via syslog in Security Onion?

If you need to see what's coming in, try this query in Hunt:

event.dataset: "syslog" | groupby source.ip

I will try that query and get back to you but I have pfsense sending Syslog to Security Onion. I have changed what is being sent and will see if the logs change.
Appreciate your help/ input so far.

[Skullack]

Standard port and the CEF is working fine with filebeat now. Sent from my iPhoneOn Feb 20, 2023, at 1:26 PM, An0th3rguy ***@***.***> wrote: Have you managed to map it to the existing syslog port 514 or you did configuration for a new port (9003). Thanks —Reply to this email directly, view it on GitHub, or unsubscribe.You are receiving this because you authored the thread.Message ID: ***@***.***>

[An0th3rguy]

Standard port and the CEF is working fine with filebeat now. Sent from my iPhoneOn Feb 20, 2023, at 1:26 PM, An0th3rguy @.> wrote: Have you managed to map it to the existing syslog port 514 or you did configuration for a new port (9003). Thanks —Reply to this email directly, view it on GitHub, or unsubscribe.You are receiving this because you authored the thread.Message ID: @.>

Could you please describe how you did it? I have exactly same problem spent all night configuring but no luck to get it work. Thank you.

[An0th3rguy]

My configuration:

filebeat:
third_party_filebeat:
modules:
cef:
log:
enabled: true
var.syslog_host: 0.0.0.0

firewall:
assigned_hostgroups:
chain:
DOCKER-USER:
hostgroups:
syslog:
portgroups:
- portgroups.syslog
INPUT:
hostgroups:
syslog:
portgroups:
- portgroups.syslog

sudo so-firewall addhostgroup syslog
sudo so-firewall addportgroup syslog
sudo so-firewall includehost syslog 192.168.0.0/16
sudo so-firewall addport syslog udp 514

I don`t know what am I missing. Would you please point me to the right direction? Thank you

[An0th3rguy]

Any help with configuration would be appreciated. Still unable to get it work. Thank you

…

On Mon, Feb 20, 2023 at 8:38 PM Skullack ***@***.***> wrote: Standard port and the CEF is working fine with filebeat now. Sent from my iPhoneOn Feb 20, 2023, at 1:26 PM, An0th3rguy ***@***.***> wrote: Have you managed to map it to the existing syslog port 514 or you did configuration for a new port (9003). Thanks —Reply to this email directly, view it on GitHub, or unsubscribe.You are receiving this because you authored the thread.Message ID: ***@***.***> — Reply to this email directly, view it on GitHub <#9571 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AIIB6BVEHCRQYHT4OVHILNLWYPB2XANCNFSM6AAAAAATZ66RTI> . You are receiving this because you commented.Message ID: <Security-Onion-Solutions/securityonion/repo-discussions/9571/comments/5056822 @github.com>

[InfosecGoon]

By default, the CEF module for filebeat listens on port 9003 -- you'd need to add a var.syslog_port: #### directive if you want it to listen on something else.

Module docs: https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-cef.html

If you're still having trouble, I'd suggest starting a new thread.