Security Onion - ELK

Update Security Onion - ELK

Do the following to allow access to the API port via Security Onion's built-in Firewall.

To allow access to the API port

1. Run the so-allow command.
2. Choose option e.
3. Enter the director's ip address.

Update the Validation Platform

Prerequisites

Information to gather before you start:

1. Host and port used for Security Onion - ELK.
2. Identify whether the protocol is HTTP or HTTPS for connections .
3. Identify or create the credentials to access Security Onion.

Configuration

To add the Security Onion - ELK integration

1. Go to Settings > Integrations.

2. Click Add Integration > Security Onion - ELK.

   

   Security Onion ELK Integration

3. Enter information for the Host, Port, Username, and Password.

4. Expand Advanced options.

   

   Security Onion ELK Field mappings

5. Review the field name mappings and update as necessary. Default mappings exist for Snort and Bro.

   1. You can use standard UNIX wildcards in the Index name, allowing you to match several index files (for example, snort-* matches snort-123 and snort-abc).

   2. Inputs are enclosed by square brackets [].
   3. Inputs point to the path location (["_id"]).
   4. Nested locations should be enclosed in one set of brackets, encompassed in quotes, and separated by commas (["_source","src_ip"] ).
6. Add a new Index and configure those fields, if necessary.

7. Modify the Query Interval and Event Time Adjustment, if necessary.

8. (Optional) Select Discover network devices automatically.

9. (Optional) Assign a Name.

10. (Optional) Choose Yes to save suspicious events.

11. Click Submit.

Verify connectivity

To verify connectivity to Security Onion - ELK

Click Test to verify that:

• The Director can communicate with Security Onion - ELK with the host, port, and credentials provided.