Data Center: Add EdgeRouter logs to Security Onion

By | November 10, 2016

After seting up Security Onion as my home data center IDS (see https://blog.voina.uk/data-center-ids-solution-using-security-onion/) I started to integrate monitoring of other resources to it. The first idea was to add the monitoring of my EdgeMax routers.
Security Onion has a syslog-ng service that is able to receive client syslog data. Then we can visualize this data in Elsa and do searches much more easy.

STEP 1: Redirect EdgeMax based router log to Security Onion

On Edgerouter start the CLI and execute:

configure
set system syslog host 192.168.2.124 facility all level notice
commit
save
exit

Where 192.168.2.124 is the IP of the Security Onion management interface.

STEP 2: Allow access to syslog

On the Security Onion VM execute in a shell so-allow and add access for 192.168.2.1 my EdgeRouter POE:

gvoina@gvoina-VirtualBox:~$ sudo so-allow 
This program allows you to add a firewall rule to allow connections from a new IP address.

What kind of device do you want to allow?

[a] - analyst - ports 22/tcp, 443/tcp, and 7734/tcp
[l] - syslog device - port 514
[o] - ossec agent - port 1514/udp
[s] - Security Onion sensor - 22/tcp, 4505/tcp, 4506/tcp, and 7736/tcp

If you need to add any ports other than those listed above,
you can do so using the standard 'ufw' utility.

For more information, please see the Firewall page on our Wiki:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Firewall

Please enter your selection (a - analyst, l - syslog, o - ossec, or s - Security Onion sensor):
l
Please enter the IP address of the syslog you'd like to allow to connect to port(s) 514:
192.168.2.1
We're going to allow connections from 192.168.2.1 to port(s) 514.

Here's the firewall rule we're about to add:
sudo ufw allow from 192.168.2.1 to any port 514

To continue and add this rule, press Enter.
Otherwise, press Ctrl-c to exit.

Rule added
Rule has been added.

Here is the entire firewall ruleset:
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
22,443,7734/tcp            ALLOW       192.168.2.103
1514/udp                   ALLOW       192.168.2.21
1514/udp                   ALLOW       192.168.2.22
1514/udp                   ALLOW       192.168.2.103
514                        ALLOW       192.168.2.1
22/tcp (v6)                ALLOW       Anywhere (v6)

STEP 3: Start Elsa and check the log entries

Start Elsa from Security Onion VM and look under Host Logs.

elsa

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.