Should I use Security Onion as a syslog server, and how? #9951
Replies: 1 comment 1 reply
Unfortunately, it doesn't look like there's a Filebeat module for VMware logs: https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-modules.html That means that if you want to send those logs to Security Onion, you'll have to either write a parser for them yourself (or find it somewhere else on the Internet), or you'll have to deal with the logs being unparsed. That means you'll be able to do things like full-text searching against them, but you won't be able to pivot on attributes like source.ip and the like. If VMware is able to send logs formatted in CEF, then you could indeed use the CEF module in Filebeat to read them - the configuration would be something like the one here, but using the CEF module rather than the Fortinet one: #9705
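To make the parsed-versus-unparsed distinction in the reply above concrete, here is a small CEF parser written for this discussion (it is not code from Security Onion, Filebeat or the thread). It splits the CEF header, walks the key=value extension, and maps a few common keys onto the source.ip-style field names you can pivot on; the mapping table and the two sample syslog lines are constructed for the example, and a non-CEF line comes back as None, which is the "full-text search only" case.

```python
import re

# Assumed mapping of common CEF extension keys to ECS-style field names.
# The real Filebeat cef module ships a much larger table; this is enough
# to show why a parsed line is pivotable and an unparsed one is not.
CEF_TO_ECS = {
    "src": "source.ip", "spt": "source.port",
    "dst": "destination.ip", "dpt": "destination.port",
    "proto": "network.transport", "act": "event.action",
}

def _split_header(cef_body):
    # Header fields are pipe-separated; a literal pipe in a field is "\|".
    # maxsplit=7 keeps every pipe in the 8th part (the extension) intact.
    parts = re.split(r"(?<!\\)\|", cef_body, maxsplit=7)
    return [p.replace("\\|", "|") for p in parts]

def _parse_extension(ext):
    # Keys start at a whitespace-delimited "word=". An escaped "\=" inside a
    # value never matches "\w+=" directly, so it does not start a new key.
    fields = {}
    keys = list(re.finditer(r"(?:^|\s)(\w+)=", ext))
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        raw = ext[m.end():end]
        fields[m.group(1)] = raw.replace("\\=", "=").replace("\\\\", "\\").strip()
    return fields

def parse_cef(line):
    """Return a flat field dict for a CEF syslog line, or None if not CEF."""
    idx = line.find("CEF:")
    if idx < 0:
        return None  # not CEF: only the raw message would be indexed
    hdr = _split_header(line[idx + 4:])
    if len(hdr) != 8:
        return None  # malformed header, treat as unparsed
    ver, vendor, product, version, sig, name, sev, ext = hdr
    doc = {"cef.version": ver, "observer.vendor": vendor,
           "observer.product": product, "observer.version": version,
           "event.code": sig, "message": name, "event.severity": sev}
    for key, value in _parse_extension(ext).items():
        doc[CEF_TO_ECS.get(key, "cef.extensions." + key)] = value
    return doc

# Constructed sample lines: one CEF-formatted, one plain ESXi-style syslog.
SAMPLE_CEF = ("<14>Jun 10 12:00:00 vcsa CEF:0|VMware|vCenter|7.0|1001|"
              "Login failed|5|src=10.0.0.5 spt=51515 dst=10.0.0.10 dpt=443 "
              "msg=Bad password for user\\=admin")
SAMPLE_PLAIN = "<14>Jun 10 12:00:01 esxi01 Hostd: [Originator@6876 sub=Vimsvc] Accepted password"
```

Running parse_cef over both samples shows the CEF line yielding source.ip and destination.port fields while the plain line yields nothing to pivot on.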
Hi all, I don't have much experience with syslog but I decided to try and send some syslogs to Security Onion to see what it would be like. I ran so-allow and identified the host I want to send syslogs to my manager (vSphere syslogs in this case), and set my vSphere to send to SO2 using port 514/udp.
I noticed immediately that there was a lot of traffic coming into the manager, so that's good, but when I looked under Dashboard, everything syslog shows up as Missing, which led me to Discussion #9571 where someone was having the same issue, and that's where I started wondering if Security Onion was actually a good choice for syslog. Maybe I'm missing something, but I kind of figured once those initial steps were done, everything would happen auto-magically, but it seems that the logs need to be parsed in various ways and filebeat settings and containers need to be modified, etc., etc.
To be honest, I'm really hoping I'm just going down a rabbit hole because it seems to be very complicated to configure. I tried at first adding the CEF module to my manager's SLS file using port 514, but that gave me errors because port 514 was already in use, so then I tried port 9003 and then modifying the init.sls of the container to add the new port (as shown in the YouTube video linked in #9571), but that gave me another error, so that's when I decided I'd stop and come to the community to see if I'm going about this in the wrong way, or if I should just use something else for syslogs.
Any guidance is appreciated!