Security Onion

Security Onion is an intrusion detection and network monitoring tool.

Before You Begin

Security Onion has Snort built in, so Snort runs on the same instance. You need to configure Security Onion to send syslog so that InsightIDR can ingest it.

To configure syslog for Security Onion:

  1. Stop the Security Onion service.
  2. Find the syslog-ng conf file.
  3. Change the destination d_net and log lines in the configuration file to look like the following:

```text
# Send the messages to another host
#
destination d_net { udp("_collector_ip_address_" port(_listening_port_defined_in_InsightPlatform)); };

....

# All messages sent to a remote site
#
log { source(s_syslog); destination(d_net); };
```
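The edit in step 3, as an added shell helper that is not part of the Rapid7 or Security Onion documentation. It assumes the d_net/log layout shown above and that the caller supplies the config path, collector IP and listening port (all placeholders here):

```shell
#!/bin/sh
# Added example (not Rapid7's or Security Onion's own code): point the
# syslog-ng d_net destination at the InsightIDR collector, keep a backup,
# and syntax-check the file before the service is started again.
set -eu

# Rewrite (or add) the d_net destination and the log statement in $1.
# Usage: set_syslog_destination /etc/syslog-ng/syslog-ng.conf 10.0.0.50 5140
# (path, IP and port are placeholders; use your own collector values)
set_syslog_destination() {
    conf=$1; ip=$2; port=$3
    cp "$conf" "$conf.bak"                      # rollback copy
    if grep -q '^destination d_net' "$conf"; then
        sed -i "s|^destination d_net .*|destination d_net { udp(\"$ip\" port($port)); };|" "$conf"
    else
        printf 'destination d_net { udp("%s" port(%s)); };\n' "$ip" "$port" >> "$conf"
    fi
    # Forwarding only happens if a log statement references d_net.
    grep -q 'destination(d_net)' "$conf" || \
        printf 'log { source(s_syslog); destination(d_net); };\n' >> "$conf"
}

# Syntax-check the edited file when syslog-ng is available on this host;
# run this before starting the service again so a typo cannot stop logging.
check_syslog_syntax() {
    if command -v syslog-ng >/dev/null 2>&1; then
        syslog-ng -s -f "$1"
    else
        echo "syslog-ng not found; skipping syntax check" >&2
    fi
}

# Print the host:port that d_net currently sends to (empty if not UDP form).
current_destination() {
    sed -n 's/^destination d_net { udp("\([^"]*\)" port(\([0-9]*\))); };$/\1:\2/p' "$1"
}
```

Run `set_syslog_destination`, then `check_syslog_syntax`, then start the service; `current_destination` confirms which collector and port the box forwards to.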

You can read additional documentation about Security Onion here: https://github.com/Security-Onion-Solutions/security-onion/wiki/ThirdPartyIntegration.

How to Configure This Event Source in InsightIDR

  1. From your dashboard, select Data Collection on the left hand menu.
  2. When the Data Collection page appears, click the Setup Event Source dropdown and choose Add Event Source.
  3. From the “Security Data” section, click the IDS icon. The “Add Event Source” panel appears.
  4. Choose your collector and event source. You can also name your event source if you want.
  5. Choose the timezone that matches the location of your event source logs.
  6. Optionally choose to send unfiltered logs.
  7. Select Listen for Syslog and enter the port you used in the configuration file. Specify a protocol.
    • If you choose TCP, you can optionally encrypt the event source by downloading the Rapid7 Certificate.
  8. Click Save.