
List:       security-onion
Subject:    Re: [EXTERNAL] [security-onion] S02 Logstash Parsing
From:       Doug Burks <doug.burks () securityonionsolutions ! com>
Date:       2021-03-29 10:13:38
Message-ID: CAJ+hwWBZOhg66tgrX-fAp5FHLtiz6K221b48zgcYJA0zfsNXCQ () mail ! gmail ! com

If you have questions about the new Security Onion 2 platform, please use
our new Github Discussions page instead of this Google Group:
https://securityonion.net/discuss

Thanks!

On Fri, Mar 26, 2021 at 3:55 PM 'Josh' via security-onion <
security-onion@googlegroups.com> wrote:

> 
> As we work on migrating to SO2 we're currently trying to get logs /
> functions up and running ASAP and then working on Elasticsearch pipeline
> ingestion.
> 
> We'd like for the meantime to use the logstash confs we had in place.
> 
> Following:
> https://docs.securityonion.net/en/2.3/logstash.html#logstash-parsing
> 
> 1. I updated the minion for the heavy forwarder adding
> logstash:
>   pipelines:
>     search:
>       config:
>         - custom/custom_logstash_conf.jinja
> 
> 2. Placed the conf in
> /opt/so/saltstack/local/salt/logstash/pipelines/config/custom/
> 
> 3. Did an so-elastic-restart
> 
> 4. Not sure if of interest, but the "local" dir on the heavy forwarder is
> empty.
> 
> Logs are not being parsed. I don't think I'm missing anything additional
> in the docs. Thanks in advance!
> 
> 
> --
> Please keep in mind that Security Onion 16.04 reaches End Of Life soon!
> 
> https://blog.securityonion.net/2020/10/6-month-eol-notice-for-security-onion.html
> ---
> You received this message because you are subscribed to the Google Groups
> "security-onion" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to security-onion+unsubscribe@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/security-onion/a654f1d5-faab-49ac-a7ab-c88cbf7cffb3n%40googlegroups.com.
> 


-- 
Doug Burks
Founder and CEO
Security Onion Solutions, LLC

-- 
Please keep in mind that Security Onion 16.04 reaches End Of Life soon!
https://blog.securityonion.net/2020/10/6-month-eol-notice-for-security-onion.html
--- 
You received this message because you are subscribed to the Google Groups
"security-onion" group. To unsubscribe from this group and stop receiving emails from
it, send an email to security-onion+unsubscribe@googlegroups.com. To view this
discussion on the web visit
https://groups.google.com/d/msgid/security-onion/CAJ%2BhwWBZOhg66tgrX-fAp5FHLtiz6K221b48zgcYJA0zfsNXCQ%40mail.gmail.com.
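As an added illustration (not part of either message above, and not a config file shipped by Security Onion): a custom pipeline file of the kind the quoted steps refer to, dropped into the custom/ directory and listed under logstash -> pipelines -> search -> config in the minion pillar. The log line format, the acme_app tag, the extracted field names and the custom_parsed marker tag are all constructed for this example.

```conf
# custom/custom_logstash_conf.jinja  (example only; not from the original thread)
#
# Salt renders this file through Jinja before Logstash loads it, so Jinja
# delimiters ({{ }}, {% %}, {# #}) are interpreted at render time. Logstash's
# own %{FIELD} references use a different delimiter and pass through unchanged.
#
# Constructed sample line this filter is written for (sent by a Filebeat input
# that tags events with "acme_app"; both the format and the tag are hypothetical):
#   2021-03-26T15:55:01Z INFO user=jdoe src=10.0.0.7 action=login

filter {
  # Only touch events from the hypothetical acme_app source; leave everything
  # else for Security Onion's own pipeline configs.
  if "acme_app" in [tags] {

    # Unconditional marker: if this tag never shows up on acme_app events,
    # the file was not rendered into the running pipeline at all. That is a
    # different problem from a pattern mismatch and is checked first.
    mutate {
      add_tag => [ "custom_parsed" ]
    }

    # Extract the fields. All patterns used here (TIMESTAMP_ISO8601, LOGLEVEL,
    # USERNAME, IP, WORD) are part of the grok default pattern set.
    grok {
      match => {
        "message" => "%{TIMESTAMP_ISO8601:acme_ts} %{LOGLEVEL:acme_level} user=%{USERNAME:acme_user} src=%{IP:acme_src_ip} action=%{WORD:acme_action}"
      }
      # A dedicated failure tag instead of the default _grokparsefailure makes
      # mismatches from this file searchable on their own.
      tag_on_failure => [ "_acme_grokparsefailure" ]
    }

    # Use the application's own timestamp as the event time and drop the
    # temporary field once it has been consumed.
    if "_acme_grokparsefailure" not in [tags] {
      date {
        match        => [ "acme_ts", "ISO8601" ]
        target       => "@timestamp"
        remove_field => [ "acme_ts" ]
      }
    }
  }
}
```

The two tags separate the failure modes behind "logs are not being parsed": events that carry custom_parsed prove the file was rendered and loaded; events that also carry _acme_grokparsefailure prove the pipeline ran but the pattern did not match the input. If neither tag appears, the file is not part of the running pipeline, and the pillar entry, the file path under the custom/ directory and the restart are the things to re-check. As a general point about Salt rather than this file: the /opt/so/saltstack/local tree is served from the manager's Salt file server to its minions, so an empty local directory on the forwarder itself is not by itself evidence that the file was missed.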



