Quite the responses, thanks!
Here are my thoughts.
I saw your post Doug, and on some of our projects we can use Security
Onion w/Bro and ELSA, but in this case it must be a RHEL-based
solution. The solution Stephen R. demoed with the Kibana approach [1]
is pretty nice. But it brought an issue to my attention. It appears
that Logstash needs to start up listening on a different port, 9292. I'm
wondering if I missed something, or why Kibana wouldn't simply run as a
plugin or additional module under Apache on port 443. We are in
a highly regulated network, and if I stand up an Apache server
(where all the Bro logs are going to be placed) and that Apache server
is listening on a non-secure (non-443) port such as 9292, it
causes flags to be thrown up everywhere and always kills my project.
Additional thoughts on that?
To set this straight... Logstash itself doesn't listen on any port unless configured to do so. The Elasticsearch engine behind it does: the backend Elasticsearch instance needs to listen on port 9200, and your client workstation needs to be able to connect to it on that port. As for Kibana, it works just fine with any current Apache install.
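If the extra port is the sticking point: since it's really the browser talking to Elasticsearch on 9200 (Kibana itself is just static files), one way to keep everything on 443 is to serve Kibana from your existing SSL vhost and reverse-proxy Elasticsearch through Apache. A minimal sketch, assuming mod_proxy/mod_proxy_http are loaded and using placeholder paths (not a known-good layout):

# inside the existing port-443 vhost
Alias /kibana /var/www/kibana
ProxyPass /es/ http://127.0.0.1:9200/
ProxyPassReverse /es/ http://127.0.0.1:9200/

Then point the elasticsearch setting in Kibana's config.js at https://yourhost/es, and the browser never touches 9200 directly.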
Stephen H., not a nit-pick at all, great post! =) My method for moving
the logs from all the sensors to a central collector at this point
is still in the works. My best route is probably to use rsync. The
problem I have right now is that Bro logs and extracted files have 600
permissions when they are created. The cause is simply the umask for
root on the servers, which is set to 077. Since the servers are
configured (correctly) to not allow SSH by root, my rsync
proposal also died, since all the files are accessible by root only.
Also, I'm unable to change the umask of root (due to regulations, not
know-how), so short of creating an every-minute chmod 644 cron job, I'm
scratching my head on how to get the logs over to the collector/
Apache server.
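For what it's worth, if the cron hack ends up being the least-bad option, a minimal sketch (the /opt/bro/logs path is an assumption -- adjust to wherever your logs land):

# /etc/cron.d/bro-log-perms (hypothetical file)
* * * * * root find /opt/bro/logs -type f -perm 0600 -exec chmod 644 {} +

That only touches files still at 600, so it stays cheap even on a big log tree.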
Rsyslog on my sensors has been excellent for piping to a listening Logstash instance (high ports mean I can run it as a standard user). Alternatively, you can use a cheesy hack of "sudo /usr/bin/tail -f conn.log | logger -d -n remote.syslog.ip -P <logstash port> -u /tmp/ignored".
This worked while I was getting my rsyslog instance able to read the conn.log file. Since rsyslog runs as root, it's able to read the Bro files.
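A minimal sketch of the rsyslog side, in case it helps (the file path, tag, and port 5514 are assumptions for illustration):

# /etc/rsyslog.d/bro.conf (hypothetical)
$ModLoad imfile
$InputFileName /opt/bro/logs/current/conn.log
$InputFileTag bro_conn:
$InputFileStateFile stat-bro-conn
$InputRunFileMonitor
# ship anything with that tag to the Logstash listener over TCP
if $programname == 'bro_conn' then @@collector.example.com:5514

On the Logstash side, a matching tcp { port => 5514 } input picks it up.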
You make an excellent point though: "The downside is that this can
require quite the large amount of infrastructure… and the only way
to find out exactly how much your environment will need is to build it
and see. It also requires that you keep up to date in knowledge on 3
pieces of software and how they interact…"
The increase in required knowledge and infrastructure is a large
flag that will prohibit that endeavor (but it's great to know about).
You, John L., and Will H. all indicate Splunk as your
solution, which gives me another option. But I have the same
"question about ingestion" =) How did you get the logs from the
multiple sensors to the "ingestion / collector server"? Rsync, SCP,
owner/permission issues? I'm interested for sure. But... the cost is
a big no-no as well. As Will H. indicated, the cost can go up based on
usage, and I need a truly open-source, free solution, so I am now
leaning back to Elasticsearch/Logstash unless I missed something.
Paul H., you get to use FreeBSD... <drool>... Man, do I miss FreeBSD!
Give me packages or give me death, haha. Ever since we were forced to
use RHEL I miss it more and more! But to your comments, this sentence
really caught my attention: "...the logs are sent to a collector via
syslog-ng..." Then you said, "There, they are written to disk where they
are read by logstash and sent to elasticsearch". Since I'm leaning toward
the Logstash/Elasticsearch method, based on the thoughts above, can you
share a bit more on how you set up syslog-ng, Logstash, and
Elasticsearch? That seems to be really close to meeting my
requirement. I'm assuming you installed them from source and set them to
YES in rc.conf to start on boot. I'm more interested in
the details of the conf files, with what arguments the daemons
start up, and especially how you were able to get the syslog-ng piece
working between the sensor and the collector.
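I'm not Paul, but the general shape of that pattern looks something like the below -- a sketch only, with the paths, ports, and logstash 1.x-style output being my assumptions, not his actual configs. syslog-ng on the collector listens and writes each sensor's stream to disk, and logstash tails those files into elasticsearch:

# syslog-ng.conf on the collector (sketch)
source s_net { udp(ip(0.0.0.0) port(514)); };
destination d_bro { file("/var/log/bro/${HOST}/conn.log"); };
log { source(s_net); destination(d_bro); };

# logstash.conf (sketch)
input {
  file {
    path => "/var/log/bro/*/conn.log"
    type => "bro_conn"
  }
}
output {
  elasticsearch { host => "127.0.0.1" }
}

A nice side effect of writing to disk first is that the collector keeps a plain-text copy even if logstash or elasticsearch is down.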
[1] http://www.appliednsm.com/parsing-bro-logs-with-logstash/
With the logstash entries from the above link, orig_bytes, orig_ip_bytes, resp_bytes, and resp_ip_bytes are not treated as integers, so you'll need this in the filter section of your logstash.conf:
mutate {
  convert => [ "resp_bytes", "integer" ]
  convert => [ "resp_ip_bytes", "integer" ]
  convert => [ "orig_bytes", "integer" ]
  convert => [ "orig_ip_bytes", "integer" ]
}
Let me know if you need any assistance... I have a fully working setup: a single backend host running Logstash/Elasticsearch/Kibana, with a syslog server piping firewall hits to it and an IDS sensor piping Bro's conn.log and Snort IDS logs to it.
James