After setting up Security Onion as my home data center IDS (see https://blog.voina.org/data-center-ids-solution-using-security-onion/) I started to integrate monitoring of other resources into it. The first idea was to add monitoring of my EdgeMax routers.
Security Onion runs a syslog-ng service that can receive syslog data from clients. We can then visualize this data in Elsa and search it much more easily.
STEP 1: Redirect EdgeMax based router log to Security Onion
On Edgerouter start the CLI and execute:
set system syslog host 192.168.2.124 facility all level notice
Where 192.168.2.124 is the IP of the Security Onion management interface.
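The "facility all level notice" part of that command decides which messages actually leave the router: every syslog message carries a PRI value (facility * 8 + severity), and only messages at severity notice or more severe (a lower numeric code) are forwarded. The following is an added example, not code from the original post or from EdgeOS; it decodes the PRI header of BSD-style syslog lines and shows which of a set of constructed sample lines (the hostname, PIDs and addresses are made up) a "facility all level notice" rule would ship to Security Onion.

```python
import re

# Facility and severity tables from RFC 3164 / RFC 5424; the list index is the numeric code.
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console", "solaris-cron",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# A BSD-style syslog line starts with "<PRI>", where PRI = facility * 8 + severity.
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


def decode_pri(pri):
    """Split a PRI value into (facility_name, severity_name)."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return FACILITIES[pri // 8], SEVERITIES[pri % 8]


def parse_syslog_line(line):
    """Parse one raw syslog line into a dict.

    A line without a PRI header is treated as <13> (user.notice), which is
    what RFC 3164 tells a relay to assume.
    """
    m = PRI_RE.match(line)
    if m:
        pri, body = int(m.group(1)), m.group(2)
    else:
        pri, body = 13, line
    facility, severity = decode_pri(pri)
    return {"pri": pri, "facility": facility, "severity": severity, "body": body}


def passes_level(entry, min_level="notice"):
    """True if the entry is at or above min_level (lower code = more severe)."""
    return SEVERITIES.index(entry["severity"]) <= SEVERITIES.index(min_level)


def forwarded_entries(lines, facility="all", level="notice"):
    """Return the parsed entries that a 'facility <f> level <l>' rule would forward."""
    out = []
    for line in lines:
        entry = parse_syslog_line(line)
        if facility != "all" and entry["facility"] != facility:
            continue
        if passes_level(entry, level):
            out.append(entry)
    return out


# Constructed sample lines (not real router output); the PRI values are chosen
# to cover facilities and severities on both sides of the "notice" threshold.
SAMPLE_LINES = [
    "<38>Jan 10 12:00:01 ubnt sshd[1234]: Accepted publickey for ubnt from 192.168.2.103 port 50000 ssh2",
    "<85>Jan 10 12:00:02 ubnt sudo: ubnt : TTY=pts/0 ; COMMAND=/bin/vbash",
    "<3>Jan 10 12:00:03 ubnt kernel: eth0: link down",
    "<190>Jan 10 12:00:04 ubnt dhcpd: DHCPACK on 192.168.2.50 to aa:bb:cc:dd:ee:ff via eth1",
    "<132>Jan 10 12:00:05 ubnt local0-app: disk usage above threshold",
    "Jan 10 12:00:06 ubnt relay-test: line arrived without a PRI header",
]

if __name__ == "__main__":
    for e in forwarded_entries(SAMPLE_LINES):
        print(f"{e['facility']}.{e['severity']:<7} {e['body']}")
```

Running it shows that the sshd "Accepted publickey" line (<38>, auth.info) and the DHCP lease line (<190>, local7.info) are filtered out by "level notice", while the sudo (<85>, authpriv.notice), kernel (<3>, kern.err) and local0 warning lines go through. If you want informational authentication events from the router to reach Elsa as well, the level in the EdgeOS command is the knob to adjust; running `forwarded_entries(SAMPLE_LINES, level="info")` shows what that change would add.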
STEP 2: Allow access to syslog
On the Security Onion VM, run so-allow in a shell and add access for 192.168.2.1, my EdgeRouter POE:
gvoina@gvoina-VirtualBox:~$ sudo so-allow
This program allows you to add a firewall rule to allow connections from a new IP address.
What kind of device do you want to allow?
[a] - analyst - ports 22/tcp, 443/tcp, and 7734/tcp
[l] - syslog device - port 514
[o] - ossec agent - port 1514/udp
[s] - Security Onion sensor - 22/tcp, 4505/tcp, 4506/tcp, and 7736/tcp
If you need to add any ports other than those listed above,
you can do so using the standard 'ufw' utility.
For more information, please see the Firewall page on our Wiki:
Please enter your selection (a - analyst, l - syslog, o - ossec, or s - Security Onion sensor):
Please enter the IP address of the syslog you'd like to allow to connect to port(s) 514:
We're going to allow connections from 192.168.2.1 to port(s) 514.
Here's the firewall rule we're about to add:
sudo ufw allow from 192.168.2.1 to any port 514
To continue and add this rule, press Enter.
Otherwise, press Ctrl-c to exit.
Rule has been added.
Here is the entire firewall ruleset:
To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
22,443,7734/tcp            ALLOW       192.168.2.103
1514/udp                   ALLOW       192.168.2.21
1514/udp                   ALLOW       192.168.2.22
1514/udp                   ALLOW       192.168.2.103
514                        ALLOW       192.168.2.1
22/tcp (v6)                ALLOW       Anywhere (v6)
STEP 3: Start Elsa and check the log entries
Start Elsa from the Security Onion VM and look under Host Logs for entries from the router.