Sunday, 26 April 2015

ArcSight Security-Onion and Snort combo

I was playing around with ArcSight Express building a small test lab and thought I'd integrate my Security Onion box with it so I can feed in the Snort logs. The Security Onion box has 2 NICs: eth0 for management, and eth1 is SPANned to monitor the network traffic. ArcSight Express is not the latest (4.0) but at least I used the latest connector (7.x.x.something). The simplest way to do this is with a Syslog connector; I installed mine on the ArcSight box itself since it's not going to have a massive load going through it.

First things first, Barnyard2 needs to send the right logs to syslog-ng, so we need to edit the config file that is used for the monitoring interface and comment out the original "output alert_syslog" entry.

vi /etc/nsm/seconion-eth1/barnyard2-1.conf

and add (all on one line):

output alert_syslog: sensor_name seconion-eth1-1, local, LOG_LOCAL6 LOG_ALERT, operation_mode default

After we save and exit we need to apply the configuration by issuing:

nsm --sensor --restart --only-barnyard2

The next part is configuring syslog to send logs to our ArcSight box, so we need to edit the syslog-ng config and add a filter and a destination.

vi /etc/syslog-ng/syslog-ng.conf

and add in the appropriate places (replace the xxx with your ArcSight box's IP):

filter f_local6 { facility(local6); };
destination d_net { tcp("xxx" port(514) log_fifo_size(1000)); };
log { source(s_syslog); filter(f_local6); destination(d_net); };

and apply the changes by restarting the service:

service syslog-ng restart

At the ArcSight side, run the installer, select "Syslog Daemon" as your connector type, leave port 514 and change the protocol to TCP. The rest should be standard like any other connector installation.
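Before pointing the connector at the feed, it helps to confirm that what arrives on port 514 is really what the barnyard2 and syslog-ng entries above produce: the syslog PRI must be local6.alert (22*8+1 = 177, the only thing filter f_local6 keys on) and each line must carry the classic Snort alert layout that ArcSight will later map to fields. The script below is an added example, not part of the original post or of Security Onion; the sample lines are constructed, and it assumes the standard Snort/Barnyard2 alert_syslog layout with IPv4 addresses.

```python
import re

# Facility/severity codes behind "LOG_LOCAL6 LOG_ALERT" in barnyard2.conf; syslog
# encodes them as PRI = facility*8 + severity, which is what filter f_local6 keys on.
LOG_LOCAL6, LOG_ALERT = 22, 1
EXPECTED_PRI = LOG_LOCAL6 * 8 + LOG_ALERT  # 177

PRI_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<rest>.*)$")
# Classic Snort/Barnyard2 alert_syslog layout (IPv4 only in this example):
# [gid:sid:rev] msg [Classification: c] [Priority: p] {PROTO} src[:sport] -> dst[:dport]
ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+"
    r"\[Classification:\s*(?P<cls>[^\]]*)\]\s+\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>[A-Z]+)\}\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))?"
    r"\s+->\s+(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))?\s*$"
)

def parse_alert(line):
    """Return the alert's fields as a dict, or None if the line is not a Snort alert."""
    m = PRI_RE.match(line)
    a = ALERT_RE.search(m.group("rest")) if m else None
    if a is None:
        return None
    d = a.groupdict()
    for k in ("gid", "sid", "rev", "prio", "sport", "dport"):
        d[k] = None if d[k] is None else int(d[k])
    d["facility"], d["severity"] = divmod(int(m.group("pri")), 8)
    d["routed_ok"] = int(m.group("pri")) == EXPECTED_PRI  # would f_local6 forward it?
    return d

def summarize(lines):
    """Count parsed alerts and those whose PRI means filter f_local6 would not relay them."""
    parsed = [p for p in map(parse_alert, lines) if p]
    return {"total": len(lines), "parsed": len(parsed),
            "misrouted": sum(1 for p in parsed if not p["routed_ok"])}

# Constructed sample lines (not real captures), as syslog-ng would relay them over TCP.
SAMPLE_LINES = [
    "<177>Apr 26 12:00:01 seconion snort[1234]: [1:1000001:1] TEST icmp echo "
    "[Classification: Misc activity] [Priority: 3] {ICMP} 192.0.2.10 -> 192.0.2.20",
    "<177>Apr 26 12:00:02 seconion snort[1234]: [1:1000002:2] TEST tcp probe "
    "[Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.10:51234 -> 192.0.2.20:22",
    # same alert still tagged with another facility (auth.alert, PRI 33): f_local6 drops it
    "<33>Apr 26 12:00:03 seconion snort[1234]: [1:1000002:2] TEST tcp probe "
    "[Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.10:51234 -> 192.0.2.20:22",
    "<30>Apr 26 12:00:04 seconion sshd[99]: Accepted publickey for analyst from 192.0.2.30",
]
```

Run it against a few lines captured with a plain TCP listener on the ArcSight host before the connector is installed; a non-zero "misrouted" count means the old alert_syslog entry in barnyard2.conf is still active.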

The result should be:

More later :)


  1. Excellent, thank you Nikolaos. Only thing to note is .... LOG_LOCAL6 LOG_ALERT, operation_mode default is all on one line in the barnyard2.conf, gents (website did a word wrap).