List: security-onion
Subject: Re: [EXTERNAL] [security-onion] S02 Logstash Parsing
From: Doug Burks <doug.burks () securityonionsolutions ! com>
Date: 2021-03-29 10:13:38
Message-ID: CAJ+hwWBZOhg66tgrX-fAp5FHLtiz6K221b48zgcYJA0zfsNXCQ () mail ! gmail ! com
If you have questions about the new Security Onion 2 platform, please use
our new Github Discussions page instead of this Google Group:
https://securityonion.net/discuss
Thanks!
On Fri, Mar 26, 2021 at 3:55 PM 'Josh' via security-onion <
security-onion@googlegroups.com> wrote:
>
> As we work on migrating to SO2 we're currently trying to get logs /
> functions up and running ASAP and then working on Elasticsearch pipeline
> ingestion.
>
> We'd like for the meantime to use the logstash confs we had in place.
>
> Following:
> https://docs.securityonion.net/en/2.3/logstash.html#logstash-parsing
>
> 1. I updated the minion for the heavy forwarder adding
> logstash:
>   pipelines:
>     search:
>       config:
>         - custom/custom_logstash_conf.jinja
>
> 2. Placed the conf in
> /opt/so/saltstack/local/salt/logstash/pipelines/config/custom/
>
> 3. Did an so-elastic-restart
>
> 4. Not sure if of interest, but the "local" dir on the heavy forwarder is
> empty.
>
> Logs are not being parsed. I don't think I'm missing anything additional
> in the docs. Thanks in advance!
>
>
> --
> Please keep in mind that Security Onion 16.04 reaches End Of Life soon!
>
> https://blog.securityonion.net/2020/10/6-month-eol-notice-for-security-onion.html
> ---
> You received this message because you are subscribed to the Google Groups
> "security-onion" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to security-onion+unsubscribe@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/security-onion/a654f1d5-faab-49ac-a7ab-c88cbf7cffb3n%40googlegroups.com
> <https://groups.google.com/d/msgid/security-onion/a654f1d5-faab-49ac-a7ab-c88cbf7cffb3n%40googlegroups.com?utm_medium=email&utm_source=footer>
>
> .
>
--
Doug Burks
Founder and CEO
Security Onion Solutions, LLC