Remote syslog not working



  • I'm banging my head against the wall trying to set up remote syslog, sending to my "Security Onion" VM.

    On the SO VM syslog-ng is listening on port 514

    heisenberg@SO:/var$ sudo netstat -lnptu | grep syslog
    tcp        0      0 0.0.0.0:514            0.0.0.0:*              LISTEN      32649/syslog-ng
    udp        0      0 0.0.0.0:514            0.0.0.0:*

    I allowed both UDP/TCP for troubleshooting purposes. From another machine on the same subnet I am able to perform a successful telnet test, but when I use the "Test Port" feature of pfSense it reports back "Connection Failed".

    My SO VM is running in Virtualbox on a Linux MINT host using a bridged connection on a dedicated NIC.

    Has anybody had any luck setting up a similar configuration?


  • Moderator

    For SO, did you open up the port etc. in UFW?



  • Yes, I actually opened both TCP and UDP from anywhere for troubleshooting purposes

    Status: active

    To                         Action      From
    --                         ------      ----
    22/tcp                     ALLOW       Anywhere
    514/udp                    ALLOW       Anywhere
    514/tcp                    ALLOW       Anywhere
    22/tcp (v6)                ALLOW       Anywhere (v6)
    514/udp (v6)               ALLOW       Anywhere (v6)
    514/tcp (v6)               ALLOW       Anywhere (v6)



  • The strange thing is that I don't believe the data is reaching Security Onion. I can telnet to 514 from another box on my LAN while running tcpdump on SO's eth0 interface and see activity. Performing a "Test Port" or ping from pfSense fails. All machines are on the same LAN. Seriously frustrating!
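
    Added example (not code from the thread, pfSense or Security Onion): a small Python script that builds a BSD syslog (RFC 3164) line the way pfSense's filterlog emits it, sends it through a throwaway UDP listener and a throwaway TCP listener on 127.0.0.1, and parses what arrives. It shows the two things that matter when a "successful telnet" and a working collector disagree: syslogd on pfSense (FreeBSD) forwards over UDP, one datagram per message, while a TCP listener only sees newline-delimited lines; and pfSense's Diagnostics > Test Port is a TCP connect test, so it says nothing about UDP delivery. The timestamp, hostname and filterlog payload below are constructed sample data; the `send_to_collector` helper and the 127.0.0.1 ephemeral-port listeners are assumptions for running offline.

```python
import re
import socket
from datetime import datetime

# pfSense firewall logging (filterlog) is sent as BSD syslog with facility local0.
FACILITY_LOCAL0 = 16
SEVERITY_INFO = 6

# Constructed sample data (not taken from the thread): a fixed timestamp and a
# filterlog-style CSV payload, so the built line is reproducible.
SAMPLE_TS = datetime(2017, 3, 3, 10, 0, 0)
SAMPLE_MSG = ("5,16777216,,1000000103,em0,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,"
              "198.51.100.20,192.0.2.10,54321,514,0,S")


def pri(facility, severity):
    """RFC 3164 PRI value: facility * 8 + severity (facility 0-23, severity 0-7)."""
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility must be 0-23 and severity 0-7")
    return facility * 8 + severity


def build_bsd_syslog(facility, severity, hostname, tag, msg, timestamp=None):
    """Build an RFC 3164 line: '<PRI>Mmm dd HH:MM:SS hostname tag: msg'.
    The day is space-padded to two characters, as BSD syslogd writes it."""
    ts = timestamp or datetime.now()
    stamp = f"{ts.strftime('%b')} {ts.day:2d} {ts.strftime('%H:%M:%S')}"
    return f"<{pri(facility, severity)}>{stamp} {hostname} {tag}: {msg}"


_BSD_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<tag>[^:\s]+): ?(?P<msg>.*)$",
    re.S,
)


def parse_bsd_syslog(line):
    """Split a BSD syslog line into its fields; raise ValueError if it is not one."""
    m = _BSD_RE.match(line)
    if not m:
        raise ValueError(f"not an RFC 3164 syslog line: {line!r}")
    p = int(m.group("pri"))
    if p > 191:  # 23 * 8 + 7 is the largest legal PRI
        raise ValueError(f"PRI out of range: {p}")
    return {
        "facility": p // 8,
        "severity": p % 8,
        "timestamp": m.group("ts"),
        "host": m.group("host"),
        "tag": m.group("tag"),
        "msg": m.group("msg"),
    }


def udp_roundtrip(message, host="127.0.0.1"):
    """Stand up a throwaway UDP listener on an ephemeral port, send one datagram
    to it the way syslogd does, and return what arrived (one datagram = one message)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as listener, \
         socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sender:
        listener.bind((host, 0))
        listener.settimeout(2)
        sender.sendto(message.encode(), (host, listener.getsockname()[1]))
        data, _peer = listener.recvfrom(65535)
    return data.decode()


def tcp_roundtrip(message, host="127.0.0.1"):
    """Same exchange over TCP. A stream has no datagram boundaries, so a TCP
    syslog listener expects newline-terminated lines; the sender appends '\\n'."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as server:
        server.bind((host, 0))
        server.listen(1)
        server.settimeout(2)
        port = server.getsockname()[1]
        with socket.create_connection((host, port), timeout=2) as client:
            client.sendall((message + "\n").encode())
        conn, _peer = server.accept()
        with conn:
            conn.settimeout(2)
            buf = b""
            while not buf.endswith(b"\n"):
                chunk = conn.recv(4096)
                if not chunk:
                    break
                buf += chunk
    return buf.decode().rstrip("\n")


def send_to_collector(host, port, message, proto="udp"):
    """Assumed helper: fire one message at a real collector (e.g. the SO VM),
    then confirm arrival there with 'sudo tcpdump -ni eth0 port 514'."""
    if proto == "udp":
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.sendto(message.encode(), (host, port))
    else:
        with socket.create_connection((host, port), timeout=5) as s:
            s.sendall((message + "\n").encode())


if __name__ == "__main__":
    line = build_bsd_syslog(FACILITY_LOCAL0, SEVERITY_INFO, "pfSense",
                            "filterlog", SAMPLE_MSG, SAMPLE_TS)
    print(line)
    print(parse_bsd_syslog(udp_roundtrip(line)))
    print(parse_bsd_syslog(tcp_roundtrip(line)))
```

To exercise the real path, call `send_to_collector("<SO VM IP>", 514, line)` from a host that is not the VM and watch `tcpdump -ni eth0 udp port 514` on the collector: a datagram that shows up there but never appears in syslog-ng's output points at the listener or its parser, while a datagram that never shows up points at the network path (bridge adapter, VM NIC selection, firewall) rather than at Security Onion.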



  • I'm starting to think the problem is with Virtualbox. A simple ping test from pfSense works successfully to the physical hosts on my network. But pinging the IP assigned to the SO guest fails. I just started running Virtualbox on a Linux host recently so I'm not sure if there is something that I need to configure on a bridged connection to allow incoming traffic.



  • I started cycling through different adapter names while the SO VM remained running (eno1, enp1s0) and my tcpdump is now detecting activity on Port 514.

    I started ELSA and checked various locations. The only activity that I see is on the loopback address (127.0.0.1). How do I see syslog in ELSA?


  • Moderator

    Are you using the latest SO release? I assume that it has the pfSense log parser code for the applicable pfSense version you are using. I would submit a question in their forum.

    https://groups.google.com/forum/#!forum/security-onion



  • I am running the latest versions of both SO (v.14.04.5.2) & pfSense (v.2.3.3).
    @BBCAN177, did you have to change settings in any config file, or should ELSA be able to automatically detect the source?

    I posed a question in the SO forums. Pending response.

    Thx