Replies: 7 comments 10 replies
-
-
You want to send the Fortinet logs to the Management interface IP on port 9004 and make sure that the customportgroup0 is assigned to customhostgroup0 in the Standalone role. Also make sure that you're running a current version of SO; Fortinet integration didn't work earlier, and 2.4.100 doesn't exist, so I'm not sure what you're on.
-
I already saw this video and read the documentation, but they didn't state or list to which IP the FortiGate logs should be sent. I will be thankful and grateful to you if you reply to my two questions on the past post.
On Fri, Apr 26, 2024, 7:39 PM TotieBash wrote:
"during the installation I assigned the IP 10.240.3.204 for MGMT with interface joined to the management NICs on the host (ens192)" - This mgmt interface is where you will receive the FortiGate logs, which you corrected already.
"then during the installation it asked me to provide the allowed IP or subnet and I put 10.240.0.204 (an IP on the same subnet as the FortiGate)" - That "allowed IP" is really for the management workstation you will use to manage SO. For example, if you want to manage SO from your macOS machine, you give it the IP address of that machine, or you can give an entire CIDR block. It's just permitting 443 on firewalld so your macOS machine is allowed to come in over HTTPS.
"my questions: on the syslog menu on the FortiGate, should I put the IP (10.240.0.204) to send it the logs, or should I send them to the IP of the sniffing NICs of the host (the one configured during VM creation)?" - No. Think of the sniffing interface as being for all your passive ingest of live data/pcap, which the SO tools Suricata, Zeek and Stenographer use to ingest data. In fact, typically there is no IP address on the sniffing interface. The active tools, like ingesting FortiGate logs, use the management interface.
"the second question is: is the IP requested to be listed on the allowed IP or subnet during installation for receiving the logs from the FortiGate" - NO. However, the mgmt interface's secondary role is for ingesting external logs like your FortiGate logs.
"or for the allowed IP to access the analyst and SO?" - YES. This is the primary role of the mgmt interface.
To get your issue ironed out you need to follow these instructions to the T:
https://docs.securityonion.net/en/2.4/pfsense.html
also use #12055
Also use this YouTube video for reference:
https://www.youtube.com/watch?v=aoH8qZwAxek
I think with these materials you should get your issue sorted out.
-
already did these configurations on customhostgroup0 and customportgroup0 [screenshots]
-
@TotieBash but till now no alerts or events on the Dashboard [screenshot]
-
@TotieBash [screenshot] also I browsed the content of the path /opt/so/log/logstash/logstash.log; there are a lot of events
-
@TotieBash [screenshot]
[2024-05-26T07:07:08,186][INFO ][logstash.outputs.elasticsearch] Elasticsearch pool URLs updated {:changes=>{:removed=>[], :added=>[
[2024-05-26T07:07:09,488][WARN ][logstash.outputs.elasticsearch] Restored connection to ES instance {:url=>"https://so_elastic:xxxxx
[2024-05-26T07:07:09,527][INFO ][logstash.outputs.elasticsearch] Elasticsearch version determined (8.10.4) {:es_version=>8}
-
Version: 2.4.100
Installation Method: Security Onion ISO image
Description: installation
Installation Type: Standalone
Location: airgap
Hardware Specs: Exceeds minimum requirements
CPU: 6
RAM: 24 GB
Storage for /: 500
Storage for /nsm: 326 GB
Network Traffic Collection:
Network Traffic Speeds: 1Gbps to 10Gbps
Status: Yes, all services on all nodes are running OK
Salt Status: No, there are no failures
Logs: No, there are no additional clues
Detail:
I am running a standalone on-prem deployment installed from the ISO image, and I am trying to get syslogs sent from my FortiGate firewalls to appear in Kibana.
First I will share my installation info.
I have VMware ESXi; I configured two adapters, one for management and the second for sniffing.
Installation Mode: Standalone
Management IP: 10.240.x.y
Airgap: True
Proxy: NA
Allowed IP or subnet (Sniffing Interface): 10.240.0.0/24 (I tried to assign a specific IP like 10.240.0.204, but when I tried to access it via web from my workstation I couldn't, only from a machine on the same subnet 10.240.0x.x, so I assigned it this full subnet)
On my FortiGate, on the syslog server menu, I added 10.240.0.0 and port number 9004 as UDP.
Is this configuration correct, or should I add a single IP which is the sniffing interface of SO?
Then I have added the FortiGate integration to the "so-grid-nodes_general" agent policy.
I have created a custom host group and custom port group with my FortiGate IPs and the port 9004 respectively (I've also assigned the custom port group to the custom host group).
Here is the tcpdump output taken from the standalone node; only events sourced from my devices are shown in the output:
[image: tcpdump output]
Here is the content of logstash.log:
logstach.txt
The issue is: first I want to check if my Security Onion installation is correct with the above specifications, specifically the sniffer IF IP?
Then, till now I didn't see any alerts or get any events on the standalone node, as the output of tcpdump shows only my devices' events (SSH events of my connection to the standalone node).
Thanks,
I appreciate the assistance.
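The advice in the replies earlier in the thread (send the FortiGate syslog to the management interface's unicast IP on UDP 9004, then confirm arrival with tcpdump on the node) and the setup described in this post can be rehearsed end to end without a FortiGate. The Python below is an added example written for this page; it is not Security Onion or Fortinet code. It builds a constructed FortiGate-style syslog datagram, sends it over UDP the way a test from the FortiGate's subnet would, receives it on a listener bound like a collector, and parses the PRI header and key=value body. The RFC 3164 `<PRI>` plus key=value shape, the sample field values, `SO_SYSLOG_PORT` and the function names are assumptions of this example; the only value taken from the thread is port 9004.

```python
"""Added example for this thread (not Security Onion or Fortinet code):
simulate the FortiGate -> Security Onion syslog hop and inspect what lands.

Assumptions not taken from the thread: the FortiGate emits RFC 3164-style
datagrams (<PRI> followed by a key=value body), the sample values below are
made up, and the function names are this example's own.
"""
import re
import socket
from typing import Optional, Tuple

SO_SYSLOG_PORT = 9004  # the only value taken from the thread

# Constructed sample shaped like a FortiGate traffic log; nothing here is real.
SAMPLE_FORTIGATE_MSG = (
    '<189>date=2024-05-26 time=07:07:08 devname="FGT-EDGE" '
    'devid="FG100FTK00000000" logid="0000000013" type="traffic" '
    'subtype="forward" level="notice" srcip=10.240.0.50 srcport=51515 '
    'dstip=10.240.3.204 dstport=9004 proto=17 action="accept" '
    'msg="test message with spaces"'
)

# key=value where the value is either a double-quoted string or a bare token
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortigate_syslog(raw: bytes) -> dict:
    """Decode one datagram into facility/severity plus the key=value fields.

    Raises ValueError when the <PRI> header is missing, which is what you
    would see if something other than syslog arrived on the port.
    """
    text = raw.decode("utf-8", errors="replace")
    m = re.match(r"<(\d{1,3})>", text)
    if not m:
        raise ValueError("missing syslog PRI header")
    pri = int(m.group(1))
    fields = {"facility": pri >> 3, "severity": pri & 7}
    for key, val in _KV_RE.findall(text[m.end():]):
        if len(val) >= 2 and val[0] == '"' and val[-1] == '"':
            val = val[1:-1]
        fields[key] = val
    return fields


def send_test_syslog(host: str, port: int, message: str) -> int:
    """Send one UDP datagram and return the byte count.

    UDP gives no delivery signal, so on its own the return value only proves
    the local stack accepted the packet; confirm arrival on the receiver.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        return s.sendto(message.encode("utf-8"), (host, port))


def receive_one(listener: socket.socket) -> Optional[Tuple[bytes, Tuple[str, int]]]:
    """Block for one datagram on an already-bound socket; None on timeout."""
    try:
        return listener.recvfrom(65535)
    except socket.timeout:
        return None


def loopback_roundtrip(message: str = SAMPLE_FORTIGATE_MSG,
                       host: str = "127.0.0.1") -> dict:
    """Self-contained rehearsal: bind a collector-style listener on an
    ephemeral loopback port, send the sample through send_test_syslog,
    and parse whatever arrives."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as listener:
        listener.settimeout(2.0)
        listener.bind((host, 0))  # port 0: let the OS pick a free one
        port = listener.getsockname()[1]
        send_test_syslog(host, port, message)
        got = receive_one(listener)
    if got is None:
        raise TimeoutError("datagram was sent but never received")
    data, _source = got
    return parse_fortigate_syslog(data)


if __name__ == "__main__":
    parsed = loopback_roundtrip()
    for k in ("facility", "severity", "devname", "type", "srcip", "msg"):
        print(f"{k:>9}: {parsed[k]}")
```

To exercise the real path, call `send_test_syslog("<management IP>", SO_SYSLOG_PORT, SAMPLE_FORTIGATE_MSG)` from a host on the FortiGate's subnet while `tcpdump -nni <management-interface> udp port 9004` runs on the Security Onion node. tcpdump sees inbound frames before the host firewall filters them, so if it stays silent the datagram never reached the interface (wrong destination address or a device in the path dropping it), and no host group or port group change on the node will help; if the datagram shows up in tcpdump but nothing reaches Kibana, the problem is on the node side.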