After seting up Security Onion as my home data center IDS (see https://blog.voina.org/data-center-ids-solution-using-security-onion/) I started to integrate monitoring of other resources to it. The first idea was to add the monitoring of my EdgeMax routers.
Security Onion has a syslog-ng service that is able to receive client syslog data. Then we can visualize this data in Elsa and do searches much more easy.
STEP 1: Redirect EdgeMax based router log to Security Onion
On Edgerouter start the CLI and execute:
configure set system syslog host 192.168.2.124 facility all level notice commit save exit
Where 192.168.2.124 is the IP of the Security Onion management interface.
STEP 2: Allow access to syslog
On the Security Onion VM execute in a shell so-allow and add access for 192.168.2.1 my EdgeRouter POE:
gvoina@gvoina-VirtualBox:~$ sudo so-allow This program allows you to add a firewall rule to allow connections from a new IP address. What kind of device do you want to allow? [a] - analyst - ports 22/tcp, 443/tcp, and 7734/tcp [l] - syslog device - port 514 [o] - ossec agent - port 1514/udp [s] - Security Onion sensor - 22/tcp, 4505/tcp, 4506/tcp, and 7736/tcp If you need to add any ports other than those listed above, you can do so using the standard 'ufw' utility. For more information, please see the Firewall page on our Wiki: https://github.com/Security-Onion-Solutions/security-onion/wiki/Firewall Please enter your selection (a - analyst, l - syslog, o - ossec, or s - Security Onion sensor): l Please enter the IP address of the syslog you'd like to allow to connect to port(s) 514: 192.168.2.1 We're going to allow connections from 192.168.2.1 to port(s) 514. Here's the firewall rule we're about to add: sudo ufw allow from 192.168.2.1 to any port 514 To continue and add this rule, press Enter. Otherwise, press Ctrl-c to exit. Rule added Rule has been added. Here is the entire firewall ruleset: Status: active To Action From -- ------ ---- 22/tcp ALLOW Anywhere 22,443,7734/tcp ALLOW 192.168.2.103 1514/udp ALLOW 192.168.2.21 1514/udp ALLOW 192.168.2.22 1514/udp ALLOW 192.168.2.103 514 ALLOW 192.168.2.1 22/tcp (v6) ALLOW Anywhere (v6)
STEP 3: Start Elsa and check the log entries
Start Elsa from Security Onion VM and look under Host Logs.