Replies: 1 comment 7 replies
-
|
You would use an Elastic Agent integration, but as of right now we do not support the Cisco IOS integration. However it is on the list to be added and might be ready for 2.4.40, but no guarantee. Additional documentation about the integration installation and configuration process can be found here: https://docs.securityonion.net/en/2.4/elastic-fleet.html#integrations |
Beta Was this translation helpful? Give feedback.
-
|
I just did, I missed the last step of the firewall config. I can see it in "iptables --list" but I still don't see it in "ss -tulpn" or any docker container that has the port 9002 open. |
Beta Was this translation helpful? Give feedback.
-
|
Where is "Save and deploy changes"? Maybe that is the magic button I am looking. |
Beta Was this translation helpful? Give feedback.
-
|
That's just the "synchronize grid" option at the top of SOC when you're in Configuration, as shown here:
|
Beta Was this translation helpful? Give feedback.
-
|
I did that, I even rebooted. I see logs coming in tcpdump. I should see the port 9002 open in "ss -tulpn" and "docker ps" correct? |
Beta Was this translation helpful? Give feedback.
-
Ok I figured it out...On step 1 of the instruction it says "click desired policy", I used the existing "so-grid-nodes_general" policy since it already has an elastic agent installed on my standalone host that is associated with it. Previously I was creating new policy so it wasn't working since I would need to deploy an elastic-agent associated with it. my "so-grid-nodes_general" policy:
ss -tulpn should look like this:
iptables should look like this:
SO Kibana dashboard will have cisco.ios dataset:
|
Beta Was this translation helpful? Give feedback.
-
Version
2.4.30
Installation Method
Security Onion ISO image
Description
configuration
Installation Type
Standalone
Location
airgap
Hardware Specs
Meets minimum requirements
CPU
8
RAM
32
Storage for /
200
Storage for /nsm
200
Network Traffic Collection
tap
Network Traffic Speeds
Less than 1Gbps
Status
Yes, all services on all nodes are running OK
Salt Status
No, there are no failures
Logs
No, there are no additional clues
Detail
In SO2.3 I use filebeat Cisco ios module to ingest logs on UDP:9002. With SO2.4 I believe the old method is no longer the way forward and there is no more so-filebeat docker container. I think I need to put custom Cisco parser here /opt/so/saltstack/local/salt/elasticsearch/files/ingest/ but is that something I build from scratch or Elastic has a custom repo where I can just download these?
https://docs.securityonion.net/en/2.4/elasticsearch.html#parsing
Also, I am unclear on how I configure the device, do I need to configure Cisco IOS with "logging host SO-IP transport udp port 514" or is it like SO2.3 where I send it to a custom port?
Guidelines
Beta Was this translation helpful? Give feedback.
All reactions