Hi,

We have Security Onion (using Suricata) and PacketFence working well on our
network. I'm currently trying to send the alerts from the Security Onion
server to the PacketFence server. I've followed the instructions in the
Administration Guide (Chapter 13; we're using PF version 5.7), but I can't seem
to get the alerts to show in PacketFence. Does anyone have any ideas where
I can start trying to solve this issue? I've changed the syslog-ng.conf on the
Security Onion server to log to a file to prove it works (every alert shows in
the file), but when I set it to send to the PacketFence server nothing appears
to happen. There seems to be an outgoing connection from the Security Onion
server to our PacketFence server:

Output of netstat -peanut:

udp        0      0 127.0.0.1:52444         127.0.0.1:514           ESTABLISHED 989        20594       1641/ossec-csyslogd
udp        0      0 192.168.XXX.231:57654   192.168.XXX.232:514     ESTABLISHED 0          13027154    8498/syslog-ng
udp        0      0 0.0.0.0:514             0.0.0.0:*                           0          13027150    8498/syslog-ng

But I don't seem to get an equivalent connection on the PacketFence server side:

udp        0      0 0.0.0.0:514                 0.0.0.0:*                               0          699304     3167/rsyslogd

So I assume the port is just listening.

On the PacketFence server I've checked that I've modified the rsyslog.conf,
created the securityonion_ids.conf, and made sure the alerting pipe exists.
I've also configured a new syslog parser through the GUI and created alerts (in
this case to alert on any P2P traffic, of which Security Onion shows we have
approx. 150 incidents a day).

Does anyone have any pointers where I can start digging to solve this?

Many thanks

Darren Morgan
Systems Manager
Oundle School
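Since UDP syslog has no handshake, netstat will never show a per-peer entry on the receiver, and a socket listening on 0.0.0.0:514 is all you would expect to see there. The following is an added example, not code from this thread, from Security Onion or from PacketFence: it builds an RFC 3164 datagram carrying a constructed Suricata-style alert, proves the sender path over loopback, and can then be pointed at the PacketFence address (a placeholder here) while you watch for the datagram on that side. The alert text, hostname and tag values are assumptions.

```python
import socket
from datetime import datetime

# Constructed sample alert in Snort/Suricata "fast" style. The exact text Security
# Onion forwards, and the pattern PacketFence's parser matches, are assumptions.
SAMPLE_ALERT = ("[1:2000334:9] ET P2P BitTorrent peer sync "
                "[Classification: Potential Corporate Privacy Violation] "
                "[Priority: 1] {TCP} 192.0.2.10:51413 -> 198.51.100.7:6881")

def build_syslog_message(msg, hostname="securityonion", tag="suricata",
                         facility=1, severity=4, when=None):
    """RFC 3164 datagram <PRI>TIMESTAMP HOSTNAME TAG: MSG, PRI = facility*8 + severity."""
    pri = facility * 8 + severity              # user(1)*8 + warning(4) = 12
    when = when or datetime.now()
    stamp = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"   # space-padded day, 15 chars
    return f"<{pri}>{stamp} {hostname} {tag}: {msg}".encode()

def parse_syslog_message(data):
    """Split a received datagram back into the fields rsyslog would see."""
    text = data.decode()
    pri_end = text.index(">")
    pri = int(text[1:pri_end])
    rest = text[pri_end + 1:]
    hostname, tag_and_msg = rest[16:].split(" ", 1)   # skip 15-char stamp + space
    tag, msg = tag_and_msg.split(": ", 1)
    return {"facility": pri // 8, "severity": pri % 8,
            "hostname": hostname, "tag": tag, "msg": msg}

def send_syslog(payload, host, port=514):
    """Send one datagram. UDP has no handshake: a normal return only means the
    kernel queued it, not that the remote rsyslog accepted or parsed it."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        return sock.sendto(payload, (host, port))

def loopback_roundtrip(msg, timeout=2.0):
    """Bind a throwaway UDP listener on 127.0.0.1, send msg to it, return the bytes
    received. Proves the sender path before pointing it at a remote listener."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as rx:
        rx.bind(("127.0.0.1", 0))
        rx.settimeout(timeout)
        port = rx.getsockname()[1]
        send_syslog(build_syslog_message(msg), "127.0.0.1", port)
        data, _ = rx.recvfrom(65535)
        return data

if __name__ == "__main__":
    print(parse_syslog_message(loopback_roundtrip(SAMPLE_ALERT)))
    # To probe the real receiver, replace the placeholder with the PacketFence
    # address and watch for the datagram there (e.g. tcpdump -ni any udp port 514):
    # send_syslog(build_syslog_message(SAMPLE_ALERT), "PACKETFENCE_IP_PLACEHOLDER")
```

If the datagram shows up in tcpdump on the PacketFence side but nothing reaches the pipe, the problem is in rsyslog's matching rules rather than the network path.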



_______________________________________________
PacketFence-users mailing list
https://lists.sourceforge.net/lists/listinfo/packetfence-users