ThirdPartyIntegration
Please note! This wiki is no longer maintained. Our documentation has moved to https://securityonion.net/docs/. Please update your bookmarks. You can find the latest version of this page at: https://securityonion.net/docs/ThirdPartyIntegration.
Many organizations would like to take data from Security Onion and send it to third party systems.
We don't provide free support for third party systems, so this wiki page will be just a brief introduction to how you would accomplish this. If you need commercial support, please see: https://www.securityonionsolutions.com
Configure /etc/syslog-ng/syslog-ng.conf with a new destination to forward to your external syslog collector and then restart syslog-ng.
2 options:
- Edit ALL
/etc/nsm/HOSTNAME-INTERFACE/barnyard2*.conffiles on ALL sensors with a newoutputto send IDS alerts to your external systems and then restart all barnyard2 instances:
sudo nsm_sensor_ps-restart --only-barnyard2
OR
- On your master server (running sguild), configure
/etc/syslog-ng/syslog-ng.confwith a newsourceto monitor/var/log/nsm/securityonion/sguild.logforAlert Receivedlines and a newdestinationto send to your external system, and then restartsyslog-ng. To do this modify/etc/syslog-ng/syslog-ng.confand add the following lines:
# This line specifies where the sguild.log file is located, and informs syslog-ng to tail the file, the program_override inserts the string sguil_alert into the string
source s_sguil { file("/var/log/nsm/securityonion/sguild.log" program_override("sguil_alert")); };
# This line filters on the string “Alert Received”
filter f_sguil { match("Alert Received"); };
# This line tells syslog-ng to send the data read to the IP address of 10.80.4.37, via UDP to port 514
destination d_sguil_udp { udp("10.80.4.37" port(514)); };
# This log section tells syslog-ng how to structure the previous ‘source / filter / destination’ and is what actually puts them into play
log {
source(s_sguil);
filter(f_sguil);
destination(d_sguil_udp);
};
Please note that this option requires set DEBUG 2 in /etc/sguild/sguild.conf.
Please see: Installing FIR
Please see: Installing GRR
Please see: Installing NtopNG
Please see: Installing RITA
Please see: Installing Etherpad
- Introduction
- Use Cases
- Hardware Requirements
- Release Notes
- Download/Install
- Booting Issues
- After Installation
- UTC and Time Zones
- Services
- VirtualBox Walkthrough
- VMWare Walkthrough
- Videos
- Architecture
- Cheat Sheet
- Conference
- Elastic Stack
- Elastic Architecture
- Elasticsearch
- Logstash
- Kibana
- ElastAlert
- Curator
- FreqServer
- DomainStats
- Docker
- Redis
- Data Fields
- Beats
- Pre-Releases
- ELSA to Elastic
- Network Configuration
- Proxy Configuration
- Firewall/Hardening
- Email Configuration
- Integrating with other systems
- Changing IP Addresses
- NTP
- Managing Alerts
- Managing Rules
- Adding Local Rules
- Disabling Processes
- Filtering with BPF
- Adjusting PF_RING for traffic
- MySQL Tuning
- Adding a new disk
- High Performance Tuning
- Trimming PCAPs