- Version: 2.4.90
- Installation Method: Security Onion ISO image
- Description: configuration
- Installation Type: Distributed
- Location: airgap
- Hardware Specs: Meets minimum requirements
- CPU: 8
- RAM: 500
- Storage for /: 1TB
- Storage for /nsm: 1TB
- Network Traffic Collection: span port
- Network Traffic Speeds: 1Gbps to 10Gbps
- Status: No, one or more services are failed (please provide detail below)
- Salt Status: No, there are no failures
- Logs: Yes, there are additional clues in /opt/so/log/ (please provide detail below)
- Detail: My Sensor Nodes are getting traffic from SPAN ports.
Replies: 2 comments 5 replies
Depending on how many devices will be sending syslog data, an option might be setting up a receiver node to specifically handle ingesting the syslog data. https://docs.securityonion.net/en/2.4/architecture.html#receiver-node

For ingesting syslog you will need to open the firewall for the node intended to receive the syslog data (receiver node if you set one up as mentioned above). https://docs.securityonion.net/en/2.4/syslog.html

For differentiating log sources, data sent from syslog should include a hostname field showing the device that is sending the logs.
Got it!

So send the Cisco Syslogs to the Manager Node but with a different port configured in the Cisco Integration, is that right? If so, that is GREAT, I fully understand that will bring me full circle with having a completely configured Distributed environment. Thanks guys! Y'all rock for this Tool. It makes my life so much easier now using SO.
From: Jorge Reyes ***@***.***>
Sent: Thursday, September 19, 2024 12:24 PM
To: Security-Onion-Solutions/securityonion ***@***.***>
Cc: Ismail Mccowin ***@***.***>; Author ***@***.***>
Subject: Re: [Security-Onion-Solutions/securityonion] Advice for Forwarding Logs to Security Onion (Discussion #13643)
The first flow you stated is correct. You add the Cisco integration to, for example, your manager's "fleet_server" policy. Then you configure your Cisco device to send logs to your manager's IP and to the port specified in the configuration of the Cisco integration. I would recommend you change your Cisco device to send logs to the manager on a different port than 514.

If you send logs to port 514 there is already a syslog integration that will be listening for those logs, but it won't correctly parse them like the Cisco-specific integration will.
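Two points from this thread are worth seeing in working code: a message only lets you tell devices apart if it carries a hostname (the first reply), and the Cisco device should send to the port set in the Cisco integration rather than 514 (the reply quoted above). The following Python is an added example and is not code from the Security Onion project or from anyone in this discussion. It parses constructed Cisco IOS-style syslog lines, groups them by the hostname they carry, and emits the IOS `logging` commands for a manager IP and port; the sample lines, the hostnames and `192.0.2.10`/`5514` are all made up for the example, and the port number must match whatever the Cisco integration is actually configured with.

```python
"""Parse Cisco IOS-style syslog lines and check that the sender can be identified."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample datagrams in the shape an IOS device emits when
# "service sequence-numbers", "service timestamps log datetime msec" and
# "logging origin-id hostname" are set. The third line lacks the origin-id,
# the fourth is not syslog at all.
SAMPLES = [
    "<189>45: edge-rtr01: *Sep 19 12:24:01.123: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.5)",
    "<187>46: core-sw02: *Sep 19 12:24:07.551: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/1, changed state to down",
    "<189>47: *Sep 19 12:25:00.000: %SYS-5-CONFIG_I: Configured from console by admin",
    "this is not a syslog line",
]

SEVERITY_NAMES = ["emergency", "alert", "critical", "error",
                  "warning", "notice", "informational", "debug"]

PATTERN = re.compile(
    r"^<(?P<pri>\d{1,3})>"                           # RFC 3164 PRI = facility*8 + severity
    r"(?:(?P<seq>\d+): )?"                           # optional sequence number
    r"(?:(?P<host>[A-Za-z0-9][A-Za-z0-9._-]*): )?"   # optional origin-id hostname
    r"(?P<ts>\*?[A-Z][a-z]{2} +\d{1,2} [\d:.]+): "   # IOS timestamp ("*" = clock not authoritative)
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+): "
    r"(?P<text>.*)$"
)


@dataclass
class CiscoSyslog:
    pri_facility: int
    pri_severity: str
    sequence: Optional[int]
    hostname: Optional[str]
    timestamp: str
    facility: str
    severity: str
    mnemonic: str
    text: str


def parse_cisco_syslog(line: str) -> Optional[CiscoSyslog]:
    """Return a CiscoSyslog for a well-formed line, None otherwise."""
    m = PATTERN.match(line)
    if not m:
        return None
    pri = int(m["pri"])
    if pri > 191:  # 23 facilities * 8 + 7 is the largest legal PRI
        return None
    return CiscoSyslog(
        pri_facility=pri // 8,
        pri_severity=SEVERITY_NAMES[pri % 8],
        sequence=int(m["seq"]) if m["seq"] else None,
        hostname=m["host"],
        timestamp=m["ts"],
        facility=m["facility"],
        severity=SEVERITY_NAMES[int(m["severity"])],
        mnemonic=m["mnemonic"],
        text=m["text"],
    )


def count_by_source(lines: List[str]) -> Dict[Optional[str], int]:
    """Group parsed messages by hostname. The None bucket collects lines that
    carry no hostname and could only be attributed by the sender's IP."""
    counts: Dict[Optional[str], int] = defaultdict(int)
    for line in lines:
        msg = parse_cisco_syslog(line)
        if msg is not None:
            counts[msg.hostname] += 1
    return dict(counts)


def ios_logging_config(manager_ip: str, port: int) -> List[str]:
    """IOS config lines that prepend the hostname and send syslog to the
    manager on the port the Cisco integration listens on (not 514, which
    the generic syslog integration already claims)."""
    if port == 514:
        raise ValueError("use the port set in the Cisco integration, not 514")
    return [
        "service timestamps log datetime msec",
        "service sequence-numbers",
        "logging origin-id hostname",
        "logging trap informational",
        f"logging host {manager_ip} transport udp port {port}",
    ]


if __name__ == "__main__":
    for line in SAMPLES:
        print(parse_cisco_syslog(line))
    print(count_by_source(SAMPLES))
    print("\n".join(ios_logging_config("192.0.2.10", 5514)))  # constructed values
```

Running it shows the third sample landing in the `None` bucket: without `logging origin-id hostname` the only thing separating one switch from another is the source address of the UDP datagram, which is exactly the ambiguity the first reply warns about.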