Configuring

Table of Contents

0️⃣ Firewall

  • 🅰️ OPNsense

    1. Navigate to System -> Settings -> Logging/Targets
    2. Add a new Logging/Target (Click the plus icon)
      • Transport = UDP(4)
      • Applications = Nothing Selected
      • Levels = Nothing Selected
      • Facilities = Nothing Selected
      • Hostname = Input the ELK IP address (e.g. 192.168.100.50)
      • Port = 5140
      • Description = pfELK
      • Click Save
    3. 📌 References
  • 🅱️ pfSense

    1. Navigate to Status -> System Logs, then click on Settings
    2. At the bottom check Enable Remote Logging
    3. (Optional) Select a specific interface to use for forwarding
    4. Input the ELK IP address into the field Remote log servers followed by port 5140 (e.g. 192.168.100.50:5140)
    5. Under Remote Syslog Contents check Everything
    6. Click Save
    7. 📌 References

1️⃣ Suricata - (Optional)

  • 🅰️ OPNsense

  1. In OPNsense navigate to Services -> Intrusion Detection -> Administration

    • Enable = [X]
    • IPS mode = [ ] or [X]
    • Promiscuous mode = [ ] or [X]
    • Enable syslog alerts = [ ] or [X]
    • Enable eve syslog output [X]
    • Pattern matcher = Default / Aho-Corasick / Hyperscan
    • Interfaces = Select As Necessary (must have at least one or nothing will be detected)
    • Rotate log = Default / Weekly / Daily
    • Save logs = Any Value You Desire
    • Click Apply
  2. 📌 References

  • 🅱️ pfSense

  1. On your pfSense web UI go to Services -> Suricata -> Interfaces, and enable Suricata on desired interfaces
  2. Each interface can have its own configuration; edit it by clicking the pencil icon
  3. Enable the EVE JSON output format for log forwarding by enabling the following options within the EVE Output Settings section:
    • EVE JSON log: Suricata will output selected info in JSON format to a single file or to syslog.
    • EVE Output type: FILE
    • EVE Syslog Output Facility: AUTH
    • EVE Syslog Output Priority: NOTICE
    • EVE Log Alerts: Suricata will output Alerts via EVE
    • Saving this will auto-enable settings at the Logging Settings menu, the Log Facility should be "LOCAL1", and the Log Priority should be "NOTICE".
  4. 📌 References
    • ❌ In-Depth Guide Located Here

2️⃣ Snort - (Optional)

  • 🅰️ pfSense - Only

    1. Navigate to Services -> Snort -> Snort Interfaces
    2. For each configured interface, click on the pencil, to the right, to edit (repeat these steps for each)
    3. In each "Interface" Settings -> under Alert Settings check Send Alerts to System Log
    4. Scroll down and choose Save
    5. 📌 References

3️⃣ Proxy - (Optional)

  • 🅰️ HAProxy - (OPNsense)

    1. Navigate to Services -> HAProxy -> Settings -> Settings -> Logging Configuration
    2. Log Host = Enter the IP address of where pfELK is installed and the Port 5140 (e.g. 192.168.100.50:5140)
    3. Syslog facility = local0[default]
    4. Filter syslog level = info[default]
    5. Add the httplog under HAProxy -> Settings -> Virtual Services -> Public Servers -> edit your public service
    6. Enable advanced mode and scroll down
    7. Under Option pass-through add option httplog
    8. 📌 References
  • 🅱️ NGINX - (OPNsense)

    1. Navigate to Services -> Nginx -> Other -> SYSLOG Targets
    2. Host = Enter the IP address of where pfELK is installed and the Port 5140 (e.g. 192.168.100.50:5140)
    3. Facility = local0
    4. Filter syslog level = info
    5. Add the created syslog target to your HTTP Server(s) under HTTP(S) -> HTTP Server -> Select Server -> advanced mode -> SYSLOG Targets
    6. Enable Extended Log on same page under Access Log Format -> Extended
  • 🅱️ NGINX - (pfSense)

4️⃣ Squid - (Optional)

  • 🅰️ OPNsense

    1. In OPNsense navigate to Services -> Web Proxy -> Administration -> General Proxy Settings
    2. Enable advanced mode
    3. Access log target = Syslog(JSON)
    4. 📌 References

5️⃣ Unbound - (Optional)

  • 🅰️ OPNsense

    1. In OPNsense navigate to Services -> Unbound DNS -> Advanced
    2. Log level verbosity = Level 0
    3. Log Queries = [X]
    4. 📌 References
  • 🅱️ pfSense

    1. Navigate to Services -> DNS Resolver
    2. Add the following line to the custom options:

    ```
    server:
        log-queries: yes
    ........
    * any other custom config options *
    ```

    3. Navigate to Services -> DNS Resolver -> Advanced Settings
    4. Set Log Level to Level 0: No Logging

6️⃣ Extras - (Optional)

  • 🅰️ Grafana Dashboards (Externally Supported)

    • Visit here to install/configure Grafana Dashboard
  • 🅱️ Microsoft Azure Sentinel (Externally Supported)

    • Visit here to configure for Azure Sentinel

🏁 Finished

  • 🕔 Wait a few minutes after configuring the above and explore the enriched visualizations.
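Before exploring the visualizations it is worth confirming that the forwarded datagrams actually reach UDP 5140 and decode to the facility and severity the steps above select (for example local0.info for HAProxy, AUTH/NOTICE for Suricata EVE). The script below is an added example, not part of pfELK: it parses both RFC 5424 and BSD (RFC 3164) formatted lines, whichever format the firewall is set to send, decodes the PRI value, and surfaces Suricata EVE JSON. The sample lines, hostnames and message bodies are constructed for illustration.

```python
import json
import re
import socket

# PRI = facility * 8 + severity; names per RFC 5424 section 6.2.1 (BSD syslog uses the same numbering).
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news", "uucp", "cron", "authpriv",
              "ftp", "ntp", "audit", "alert", "clock", "local0", "local1", "local2", "local3", "local4",
              "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# RFC 5424 header: <PRI>1 TIMESTAMP HOST APP PROCID MSGID STRUCTURED-DATA [MSG]
RFC5424 = re.compile(r"^<(\d{1,3})>1 (\S+) (\S+) (\S+) \S+ \S+ (?:-|(?:\[[^\]]*\])+)(?: (.*))?$", re.S)
# BSD (RFC 3164) header: <PRI>Mmm dd hh:mm:ss HOST APP[PID]: MSG
RFC3164 = re.compile(r"^<(\d{1,3})>([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (\S+) ([^:\[\s]+)(?:\[\d+\])?: ?(.*)$", re.S)

def parse_syslog(line):
    """Decode one forwarded syslog line into facility/severity/host/app/msg; None if it is not syslog."""
    m = RFC5424.match(line) or RFC3164.match(line)
    if not m:
        return None
    pri, _ts, host, app, msg = m.groups()
    pri = int(pri)
    if pri > 191:  # only facility 0-23 and severity 0-7 are valid
        return None
    rec = {"facility": FACILITIES[pri // 8], "severity": SEVERITIES[pri % 8],
           "host": host, "app": app, "msg": (msg or "").strip(), "eve": None}
    if rec["msg"].startswith("{"):  # Suricata EVE syslog output carries a JSON object as the message
        try:
            rec["eve"] = json.loads(rec["msg"])
        except ValueError:
            pass
    return rec

# Constructed sample datagrams (not captured from a real firewall) in the shapes the steps above produce.
SAMPLES = [
    # OPNsense logging target (RFC 5424), HAProxy httplog at local0.info; message body is illustrative only
    '<134>1 2024-01-01T12:00:00+00:00 opnsense.lan haproxy 2211 - - 192.0.2.10:51000 [01/Jan/2024:12:00:00.000] public~ pool/srv1 200 "GET / HTTP/1.1"',
    # pfSense remote logging (BSD format), Suricata EVE alert at auth.notice
    '<37>Jan  1 12:00:01 pfsense suricata[4242]: {"timestamp":"2024-01-01T12:00:01+0000","event_type":"alert",'
    '"src_ip":"192.0.2.10","dest_ip":"198.51.100.5","alert":{"signature":"CONSTRUCTED test alert","severity":2}}',
]

def listen(bind="0.0.0.0", port=5140, count=5):
    """Print the parsed record for the next `count` UDP datagrams arriving on the pfELK syslog port."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind((bind, port))
        for _ in range(count):
            data, peer = s.recvfrom(65535)
            print(peer[0], parse_syslog(data.decode("utf-8", "replace").rstrip("\r\n")))
```

Run `listen()` on the pfELK host while the pfELK syslog input is stopped (otherwise port 5140 is already bound), or pass a spare port and temporarily point the firewall target at it.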
