Suricata with ELSA Enterprise logging set up guide¶
ELSA is a centralized syslog framework built on Syslog-NG, MySQL, and Sphinx full-text search. It provides a fully asynchronous web-based query interface that normalizes logs and makes searching billions of them for arbitrary strings as easy as searching the web. It also includes tools for assigning permissions for viewing the logs as well as email based alerts, scheduled queries, and graphing.
Features:
High-volume receiving/indexing (a single node can receive > 30k logs/sec, sustained)
Full Active Directory/LDAP integration for authentication, authorization, email settings
Instant ad-hoc reports/graphs on arbitrary queries even on enormous data sets
Dashboards using Google Visualizations
Email alerting, scheduled reports
Plugin architecture for web interface
Distributed architecture for clusters
Ships with normalization for some Cisco logs, Snort/Suricata, Bro, and Windows via Eventlog-to-Syslog or Snare
http://code.google.com/p/enterprise-log-search-and-archive/
This guide has two purposes:
1. To set up logging with ELSA and Suricata running on different boxes¶
192.168.1.91 - Suricata box - sensor
192.168.1.101 - ELSA log server
2. To set up logging with ELSA if you have Suricata and ELSA on the same box.¶
In this tutorial we use Suriacta 1.4beta1, Ubuntu LTS 12.04 and the latest ELSA.
This tutorial assumes you have Suricata, ELSA installed and you are using syslog-ng (apt-get install syslog-ng)!
If you need help or a guide how to do that:
ELSA - http://code.google.com/p/enterprise-log-search-and-archive/wiki/Quickstart
Suricata - Suricata Installation
To set up logging with ELSA and Suricata running on different boxes¶
In your suricata yaml (on 192.168.1.91 - suri box - sensor):
Step 1¶
- syslog: enabled: yes # reported identity to syslog. If omitted the program name (usually # suricata) will be used. identity: "snort" facility: local7 #level: Info ## possible levels: Emergency, Alert, Critical, ## Error, Warning, Notice, Info, Debug)
So the identity :"snort" is used so that the alerts are automatically parsed as an IDS type of events, based on the Snort IDS Class available in ELSA.
There is no need to mention that you should also have the fast.log enabled - for the purposes of verification and troubleshooting if needed.
Step 2¶
Now in the syslog-ng.conf (on the 192.168.1.91 - suri box - sensor), make sure you have the following changed/added:
source s_src { unix-dgram("/dev/log"); internal(); file("/proc/kmsg" program_override("kernel")); udp(); }; ...... destination logserver_elsa { udp("192.168.1.101" port(514)); }; log { source(s_src); filter(f_local7); destination(logserver_elsa); }; ........ filter f_local7 { facility(local7); };
Step 3¶
In the sylog-ng.conf (on the 192.168.1.101 - elsa log server), make sure that this is available, if not add it in:
source s_src { unix-dgram("/dev/log"); internal(); file("/proc/kmsg" program_override("kernel")); }; # If you wish to get logs from remote machine you should uncomment # this and comment the above source line. # #source s_net { tcp(ip(127.0.0.1) port(1000) authentication(required) encrypt(allow)); }; source src { udp(ip(192.168.1.91) port(514)); }; parser p_db { db-parser("/usr/local/elsa/node/conf/patterndb.xml"); }; template t_db_parsed { template("$R_UNIXTIME\t$SOURCEIP\t$PROGRAM\t${.classifier.class}\t${.classifier.rule_id}\t$MSGONLY\t${i0}\t${i1}\t${i2}\t${i3}\t${i4}\t${i5}\t${s0}\t${s1}\t${s2}\t${s3}\t${s4}\t${s5}\n"); }; destination d_program { program("/usr/local/elsa/node/indexer.pl" template(t_db_parsed)); }; log { source(src); parser(p_db); destination(d_program); };
Step 4¶
Restart sylog-ng on both machines - and you should see the alerts accumulating in ELSA.
sudo service syslog-ng restart
NOTE:
Please find attached and available the two sylog-ng.conf files,
you can download them for better understanding and troubleshooting if you need to.
To set up logging with ELSA if you have Suricata and ELSA on the same box.¶
Again make sure you have syslog-ng loging enabled in Suricata:
Step 1¶
- syslog: enabled: yes # reported identity to syslog. If ommited the program name (usually # suricata) will be used. identity: "snort" facility: local7 #level: Info ## possible levels: Emergency, Alert, Critical, ## Error, Warning, Notice, Info, Debug)
After you have ELSA and Suricata installed all you need to do is add the following in our syslog-ng.conf:
Step 2¶
source s_suricata { unix-dgram("/dev/log"); internal(); file("/proc/kmsg" program_override("kernel")); }; parser p_db { db-parser(file("/opt/elsa/node/conf/patterndb.xml")); }; destination d_elsa { program("perl /opt/elsa/node/elsa.pl -c /etc/elsa_node.conf" template(t_db_parsed)); }; template t_db_parsed { template("$R_UNIXTIME\t$HOST\t$PROGRAM\t${.classifier.class}\t$MSGONLY\t${i0}\t${i1}\t${i2}\t${i3}\t${i4}\t${i5}\t${s0}\t${s1}\t${s2}\t${s3}\t${s4}\t${s5}\n"); }; log { source(s_suricata); destination(d_elsa); };
Restart syslog-ng:
sudo service syslog-ng restart
For ease of implementation and guiding please find attached the syslog-ng.config
(Stand-alone-syslog-ng.com , actual configuration used with the Security Onion distribution,
that you would need to make the changes above should you decide to use it).
Peter Manev