Data Center: Add EdgeRouter logs to Security Onion

By | November 10, 2016

After seting up Security Onion as my home data center IDS (see I started to integrate monitoring of other resources to it. The first idea was to add the monitoring of my EdgeMax routers.
Security Onion has a syslog-ng service that is able to receive client syslog data. Then we can visualize this data in Elsa and do searches much more easy.

STEP 1: Redirect EdgeMax based router log to Security Onion

On Edgerouter start the CLI and execute:

set system syslog host facility all level notice

Where is the IP of the Security Onion management interface.

STEP 2: Allow access to syslog

On the Security Onion VM execute in a shell so-allow and add access for my EdgeRouter POE:

gvoina@gvoina-VirtualBox:~$ sudo so-allow 
This program allows you to add a firewall rule to allow connections from a new IP address.

What kind of device do you want to allow?

[a] - analyst - ports 22/tcp, 443/tcp, and 7734/tcp
[l] - syslog device - port 514
[o] - ossec agent - port 1514/udp
[s] - Security Onion sensor - 22/tcp, 4505/tcp, 4506/tcp, and 7736/tcp

If you need to add any ports other than those listed above,
you can do so using the standard 'ufw' utility.

For more information, please see the Firewall page on our Wiki:

Please enter your selection (a - analyst, l - syslog, o - ossec, or s - Security Onion sensor):
Please enter the IP address of the syslog you'd like to allow to connect to port(s) 514:
We're going to allow connections from to port(s) 514.

Here's the firewall rule we're about to add:
sudo ufw allow from to any port 514

To continue and add this rule, press Enter.
Otherwise, press Ctrl-c to exit.

Rule added
Rule has been added.

Here is the entire firewall ruleset:
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
22,443,7734/tcp            ALLOW
1514/udp                   ALLOW
1514/udp                   ALLOW
1514/udp                   ALLOW
514                        ALLOW
22/tcp (v6)                ALLOW       Anywhere (v6)

STEP 3: Start Elsa and check the log entries

Start Elsa from Security Onion VM and look under Host Logs.


Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.