Netgate Discussion Forum

Remote syslog not working

General pfSense Questions
8 Posts 2 Posters 2.1k Views
Heisenberg1977, Mar 5, 2017, 1:20 AM

I'm banging my head against the wall trying to set up remote syslog, sending to my "Security Onion" VM.

On the SO VM, syslog-ng is listening on port 514:

heisenberg@SO:/var$ sudo netstat -lnptu | grep syslog
tcp        0      0 0.0.0.0:514            0.0.0.0:*              LISTEN      32649/syslog-ng
udp        0      0 0.0.0.0:514            0.0.0.0:*

I allowed both UDP/TCP for troubleshooting purposes. From another machine on the same subnet I am able to perform a successful telnet test, but when using the "Test Port" feature of pfSense it reports back "Connection Failed".

My SO VM is running in VirtualBox on a Linux Mint host using a bridged connection on a dedicated NIC.

Has anybody had any luck setting up a similar configuration?

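The path the first post describes (pfSense sending remote syslog over UDP to syslog-ng on port 514) can be exercised end to end on a single machine before VirtualBox bridging or UFW enter the picture. The following is an added example and not code from the thread, from pfSense or from Security Onion: a throwaway UDP listener on 127.0.0.1 stands in for syslog-ng, a sender emits an RFC 3164 datagram of the kind pfSense's syslogd produces for a remote target, and a decoder splits the PRI field back into facility and severity. The hostname, tag, timestamp and message text are constructed for the example.

```python
"""Loopback check of a UDP remote-syslog path (added example, not from the thread).

A UDP listener on 127.0.0.1 stands in for syslog-ng on port 514, the sender
emits an RFC 3164 datagram as pfSense's syslogd does for a remote target, and
decode_pri() turns the PRI field back into facility and severity.  Hostname,
tag, timestamp and message text are constructed.
"""
import socket
import threading
from typing import List, Optional, Tuple

# RFC 3164 facility and severity codes; PRI = facility * 8 + severity.
FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    "local0": 16, "local1": 17, "local2": 18, "local3": 19,
    "local4": 20, "local5": 21, "local6": 22, "local7": 23,
}
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def build_rfc3164(facility: str, severity: str, hostname: str, tag: str,
                  msg: str, timestamp: str = "Mar  5 03:25:00") -> bytes:
    """Encode one BSD-syslog datagram: <PRI>TIMESTAMP HOSTNAME TAG: MSG."""
    pri = FACILITIES[facility] * 8 + SEVERITIES.index(severity)
    return f"<{pri}>{timestamp} {hostname} {tag}: {msg}".encode()


def decode_pri(datagram: bytes) -> Tuple[str, str, str]:
    """Split a datagram into (facility, severity, remainder).

    Anything without a valid <0..191> PRI prefix is rejected, so stray bytes
    on the port (a telnet session, for instance) are not read as syslog.
    """
    if not datagram.startswith(b"<") or b">" not in datagram[:5]:
        raise ValueError("missing PRI field")
    end = datagram.index(b">")
    pri = int(datagram[1:end])
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI {pri} out of range")
    by_code = {code: name for name, code in FACILITIES.items()}
    facility = by_code.get(pri // 8, f"facility{pri // 8}")
    return facility, SEVERITIES[pri % 8], datagram[end + 1:].decode(errors="replace")


class UdpSyslogReceiver:
    """Minimal stand-in for syslog-ng's UDP listener."""

    def __init__(self, host: str = "127.0.0.1", port: int = 0):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        self.sock.bind((host, port))          # port 0: let the OS pick a free one
        self.port = self.sock.getsockname()[1]
        self.received: List[Tuple[str, bytes]] = []

    def serve(self, count: int, timeout: float = 2.0) -> None:
        """Collect up to `count` datagrams, giving up after `timeout` seconds."""
        self.sock.settimeout(timeout)
        try:
            for _ in range(count):
                try:
                    data, (src_ip, _src_port) = self.sock.recvfrom(65535)
                except socket.timeout:
                    break
                self.received.append((src_ip, data))
        finally:
            self.sock.close()


def send_syslog(host: str, port: int, payload: bytes) -> None:
    """Fire one UDP datagram, as pfSense's syslogd does for a remote log server."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(payload, (host, port))


def loopback_check(message: str = "remote syslog test") -> Optional[dict]:
    """Send one constructed message to a local receiver and decode what arrived.

    Returns None when nothing arrived within the timeout, which is the symptom
    in the thread: the sender believes it sent, the listener saw nothing.
    """
    rx = UdpSyslogReceiver()
    worker = threading.Thread(target=rx.serve, args=(1,))
    worker.start()
    # Socket is already bound, so a datagram sent before recvfrom() is buffered.
    payload = build_rfc3164("local0", "info", "pfSense", "filterlog", message)
    send_syslog("127.0.0.1", rx.port, payload)
    worker.join()
    if not rx.received:
        return None
    src_ip, data = rx.received[0]
    facility, severity, rest = decode_pri(data)
    return {"source": src_ip, "facility": facility, "severity": severity, "text": rest}


if __name__ == "__main__":
    print(loopback_check())
```

Two caveats worth keeping in mind for the symptoms in this thread: pfSense's Diagnostics > Test Port only attempts a TCP connection, while pfSense 2.3 sends remote syslog over UDP, so "Connection Failed" there says nothing by itself about whether UDP 514 datagrams arrive. To run the same check against the real receiver, watch with `sudo tcpdump -ni eth0 udp port 514 and host <pfSense IP>` on the Security Onion VM and, from the pfSense shell, send a message with FreeBSD's `logger -h <SO IP> -P 514 'test'`; a PRI of <134> on the wire decodes to local0.info, the facility and severity pfSense's filterlog normally logs at.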
BBcan177 (Moderator), posted Mar 5, 2017, 2:57 AM, last edited 1:40 PM

For SO, did you open up the port etc. in UFW?

"Experience is something you don't get until just after you need it."

Website: http://pfBlockerNG.com
Twitter: @BBcan177  #pfBlockerNG
Reddit: https://www.reddit.com/r/pfBlockerNG/new/

Heisenberg1977, posted Mar 5, 2017, 3:25 AM, last edited 3:32 AM

Yes, I actually opened both TCP and UDP from anywhere for troubleshooting purposes.

Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
514/udp                    ALLOW       Anywhere
514/tcp                    ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)
514/udp (v6)               ALLOW       Anywhere (v6)
514/tcp (v6)               ALLOW       Anywhere (v6)

Heisenberg1977, Mar 5, 2017, 3:30 AM

The strange thing is that I don't believe the data is reaching Security Onion. I can telnet to 514 from another box on my LAN while running tcpdump on SO's eth0 interface and see activity. Performing a "Test Port" or ping from pfSense fails. All machines are on the same LAN. Seriously frustrating!

Heisenberg1977, Mar 5, 2017, 3:40 AM

I'm starting to think the problem is with VirtualBox. A simple ping test from pfSense works successfully to the physical hosts on my network. But pinging the IP assigned to the SO guest fails. I just started running VirtualBox on a Linux host recently, so I'm not sure if there is something that I need to configure on a bridged connection to allow incoming traffic.

Heisenberg1977, Mar 5, 2017, 5:06 AM

I started cycling through different adapter names while the SO VM remained running (eno1, enp1s0), and my tcpdump is now detecting activity on port 514.

I started ELSA and checked various locations. The only activity that I see is on the loopback address (127.0.0.1). How do I see syslog in ELSA?

BBcan177 (Moderator), Mar 5, 2017, 1:40 PM

Are you using the latest SO release? I assume that it has the pfSense log parser code for the applicable pfSense version you are using. I would submit a question in their forum.

https://groups.google.com/forum/#!forum/security-onion

Heisenberg1977, Mar 5, 2017, 5:34 PM

I am running the latest versions of both SO (v.14.04.5.2) & pfSense (v.2.3.3).
@BBCAN177 did you have to change settings in any config file, or should ELSA be able to automatically detect the source?

I posed a question in the SO forums. Pending response.

Thx

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.