
List:       security-onion
Subject:    Re: [security-onion] Security Onion to ELSA & another syslog server
From:       Robert Campbell <insecuritymatters () gmail ! com>
Date:       2013-06-27 17:49:04
Message-ID: CAJUviSFJeUZ6Zehtjhu=o59YACFaiiTof7Pk97OKWCvsYUU6Yw () mail ! gmail ! com

That was my original intent and I could not find a way to do that either. I
have the advantage of all my remote networks being connected through VPNs.
If anyone knows how to forward them from the server I would prefer to do
that as well.

J. Robert Campbell, SR.
CISSP
On Jun 27, 2013 11:03 AM, "Pietro Delsante" <pietro.delsante@gmail.com>
wrote:

> Hi,
> 
> I know this is an old thread, sorry to bump it, however there's something
> that is still not clear to me.
> 
> What I want to do is to forward Snort's events to an external syslog
> server.
> 
> Robert's configuration only works when forwarding Snort's events directly
> from the sensors, but not from the central server, as there is no syslog
> flow between the sensors and the server for Snort events: they get
> transferred using Sguil's agent through Barnyard2.
> 
> So, supposing that I want to forward the events via syslog from the
> central server and not from the sensors (as they will be placed on remote
> networks), what would be the best way to do this? The easiest way would
> probably be that of duplicating the flows from sensors to server:
> 
> 1. [snort -> barnyard2 -> sguil agent] -> [sguil on central server]
> 2. [snort -> barnyard2 -> syslog-ng] -> [syslog-ng on central server] ->
> [syslog on other server]
> 
> I do not like the idea of having the same events transferred from the
> sensors to the server twice; another option would be that of having some
> sort of daemon running on the central server and looking for new entries in
> securityonion-db, then this daemon should reconstruct the events in syslog
> format and send them to the final syslog server.
> 
> However, both options seem to me a stretch; does anybody have any better
> ideas about how to do this?
> 
> Thanks in advance,
> Pietro
> 
> --
> You received this message because you are subscribed to a topic in the
> Google Groups "security-onion" group.
> To unsubscribe from this topic, visit
> https://groups.google.com/d/topic/security-onion/KY9EHLIQiZM/unsubscribe.
> To unsubscribe from this group and all its topics, send an email to
> security-onion+unsubscribe@googlegroups.com.
> To post to this group, send email to security-onion@googlegroups.com.
> Visit this group at http://groups.google.com/group/security-onion.
> For more options, visit https://groups.google.com/groups/opt_out.
> 
> 
> 

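Pietro's second option above (a daemon on the central server that picks up new events from the database and re-emits them as syslog) sketched as an added example; this is not code from the thread or from Security Onion, and the table layout, column names, the `local4` facility and the priority-to-severity mapping are all assumptions. It uses an in-memory SQLite table with constructed rows so it runs offline. It also handles the case a naive implementation gets wrong: each sensor numbers its events independently, so the "already forwarded" watermark is kept per sensor; a single global cursor would skip a late-arriving event from a sensor with a lower id.

```python
"""Hypothetical poller that turns IDS events stored in a database into
RFC 5424 syslog messages.  The schema below is CONSTRUCTED for this
example; it is not the real Sguil / securityonion-db schema."""
import socket
import sqlite3

# Constructed sample table; column names are an assumption.
SCHEMA = """
CREATE TABLE event (
    sid       INTEGER NOT NULL,   -- sensor id
    cid       INTEGER NOT NULL,   -- per-sensor event counter, starts at 1
    timestamp TEXT    NOT NULL,   -- UTC, ISO 8601
    signature TEXT    NOT NULL,
    src_ip    TEXT, src_port INTEGER,
    dst_ip    TEXT, dst_port INTEGER,
    priority  INTEGER NOT NULL,   -- 1 = high ... 3 = low
    PRIMARY KEY (sid, cid)
);
"""

# Constructed sample rows using RFC 5737 documentation addresses.
SAMPLE_EVENTS = [
    (1, 1, "2013-06-27T17:49:04Z", "CONSTRUCTED RULE alpha", "192.0.2.10", 51234, "198.51.100.5", 80, 1),
    (1, 2, "2013-06-27T17:49:05Z", "CONSTRUCTED RULE beta", "192.0.2.11", 51235, "198.51.100.5", 443, 2),
    (2, 1, "2013-06-27T17:49:06Z", "CONSTRUCTED RULE gamma", "203.0.113.7", 40000, "198.51.100.9", 22, 3),
]

FACILITY_LOCAL4 = 20
# IDS priority -> syslog severity (RFC 5424 section 6.2.1); this mapping is a design choice.
SEVERITY = {1: 1, 2: 4, 3: 5}   # alert, warning, notice; anything else -> informational


def open_sample_db():
    """Build the constructed in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO event VALUES (?,?,?,?,?,?,?,?,?)", SAMPLE_EVENTS)
    conn.commit()
    return conn


def format_rfc5424(row, hostname="so-server"):
    """Render one event row as an RFC 5424 line; event fields go into a
    structured-data element so the receiver does not have to parse free text."""
    sid, cid, ts, sig, sip, sport, dip, dport, prio = row
    pri = FACILITY_LOCAL4 * 8 + SEVERITY.get(prio, 6)
    # 32473 is the enterprise number reserved for documentation (RFC 5612).
    sd = (f'[snort@32473 sid="{sid}" cid="{cid}" src="{sip}" spt="{sport}" '
          f'dst="{dip}" dpt="{dport}" priority="{prio}"]')
    return f"<{pri}>1 {ts} {hostname} snort - {sid}.{cid} {sd} {sig}"


def forward_new_events(conn, watermark, send):
    """One polling pass.  `watermark` maps sensor id -> last cid already sent.
    Returns (messages sent, updated watermark); the watermark is advanced per
    sensor only after each message has been handed to `send`."""
    wm = dict(watermark)
    sent = []
    for (sid,) in conn.execute("SELECT DISTINCT sid FROM event ORDER BY sid"):
        rows = conn.execute(
            "SELECT sid, cid, timestamp, signature, src_ip, src_port, "
            "dst_ip, dst_port, priority FROM event "
            "WHERE sid = ? AND cid > ? ORDER BY cid",
            (sid, wm.get(sid, 0))).fetchall()
        for row in rows:
            msg = format_rfc5424(row)
            send(msg)
            sent.append(msg)
            wm[sid] = row[1]
    return sent, wm


def udp_sender(host, port):
    """Plain UDP transport (RFC 5426).  Over an untrusted path use the TLS
    transport (RFC 5425) instead, since UDP syslog is neither authenticated
    nor reliable."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)

    def send(msg):
        sock.sendto(msg.encode("utf-8"), (host, port))
    return send


if __name__ == "__main__":
    db = open_sample_db()
    msgs, wm = forward_new_events(db, {}, print)   # swap print for udp_sender(host, 514)
    print("watermark after pass:", wm)
```

In a real deployment the watermark would be persisted (a small state file or table) so a restart of the daemon resumes where it left off rather than replaying the whole table, and the poll loop would sleep between passes.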
-- 
You received this message because you are subscribed to the Google Groups \
"security-onion" group. To unsubscribe from this group and stop receiving emails from \
it, send an email to security-onion+unsubscribe@googlegroups.com. To post to this \
group, send email to security-onion@googlegroups.com. Visit this group at \
http://groups.google.com/group/security-onion. For more options, visit \
https://groups.google.com/groups/opt_out.

