One of the most interesting projects utilizing syslog-ng is Security Onion, a free and open source Linux distribution for threat hunting, enterprise security monitoring, and log management. It is utilizing syslog-ng for log collection and log transfer and uses the Elastic stack to store and search log messages. Even if you do not use its advanced security features, you can still use it for centralized log collection and as a nice web interface for your logs. But it is also worth getting acquainted with its security monitoring features, as it can show you useful insights about your network. Best of all, Security Onion is completely free and open source, with commercial support available for it.
From this blog, you can learn how to get started with Security Onion in evaluation mode. This does not mean any limitations, just a simplified setup where all services are installed on a single host. That said, for a production environment, a distributed installation is recommended instead.
Before you begin
To install Security Onion, you need a (virtual) machine with at least 8GB of RAM and some storage space. I went with the usual 20GB storage offered by Vmware Workstation by default, but you might need more if you store more logs or want to do stress testing. Also, you need syslog-ng running on another machine to send some test logs to Security Onion.
Installing Security Onion
First, download the installer CD. The download location of the latest installer and instructions on verifying the downloaded ISO file are available at https://github.com/Security-Onion-Solutions/security-onion/blob/master/Verify_ISO.md. Once you downloaded the installer, follow the installation instructions from the Quick Evaluation page. You can test your freshly installed system by clicking the Kibana icon on the Security Onion desktop and logging in with the user name and password you just configured. Note that at this stage, you cannot reach the web interface remotely.
Before doing any further configuration, update your system. Instead of using the regular distro tools you should use “soup”, the Security Onion updater which updates not just the base operating system, but also the containers, and makes sure that everything is restarted along the way. You might need to reboot the machine at the end.
Opening ports on the firewall
By default, only port 22 (ssh) is open on the freshly installed system. To send logs from remote systems and to access the web interface from other hosts, you need to open up two ports on the firewall. Luckily, you do not have to deal with iptables directly – Security Onion has an easy to use command line tool for that.
Running “so-allow-view” lists the already open ports. Right after installation, only port 22 is listed here.
You can use the “so-allow” command to open ports. From the list, you should choose “analyst” and “syslog device” and the IP address or range where you plan to access those ports. You can add your local network in a similar format: “192.168.3.0/24”. After adding the extra ports, you should see something similar:
root@czanik-virtual-machine:~# so-allow-view ========================================================================= UFW Rules ========================================================================= To Action From -- ------ ---- 22/tcp ALLOW Anywhere 514 ALLOW 192.168.3.0/24 22,443,7734/tcp ALLOW 192.168.3.0/24 22/tcp (v6) ALLOW Anywhere (v6) ========================================================================= Docker IPTables Rules ========================================================================= To Action From -- ------ ----
Configuring syslog-ng
As a test, configure at least one additional host to send its logs to Security Onion. In syslog-ng, the following configuration forwards all local logs to Security Onion. Check your syslog-ng configuration for the name of the local log source (“src” is used on SUSE systems). Of course, the target IP address will most likely be different in your environment:
destination d_tcp { tcp("192.168.3.136" port(514)); }; log { source(src); destination(d_tcp); };
Append it to syslog-ng conf, or drop it with a .conf extension in the /etc/syslog-ng/conf.d/ and reload the configuration.
Testing
Once the new syslog-ng configuration is live, you are ready for testing. A few logs from the remote system will most likely show up in Kibana within minutes, if you are patient. You can also use the “logger” command to make sure that you have some test messages:
logger this is a test logger bla bla bla
Now, that the firewall for the web interface is open, you can check the results in two ways. Either by logging in to the Security Onion desktop and start Kibana from there, or by accessing the web interface remotely. Note that port 80 is closed, so there is no redirect to a secured port – you need to enter “https://” in front of the IP address (or host name) to access it. The opening page is available without authentication, but you will need to enter your user name and password to access Kibana.
By default, you will see a dashboard on screen, with the focus on IDS results. You can reach syslog messages by clicking the “syslog” link at the bottom of the left-hand side menu.
What is next?
Log management is just one of many features of Security Onion. You should check out others as well as they could provide you with much better insight on what is happening on your network. This blog showed you just a quick way to get started with syslog-ng and Security Onion. If you would like to use it in production, you will need more nodes and careful planning.
If you have questions or comments related to syslog-ng, do not hesitate to contact us. You can reach us by email or chat. For a list of possibilities, check our GitHub page under the “Community” section at https://github.com/syslog-ng/syslog-ng. On Twitter, I am available as @PCzanik.