Remote syslog not working
-
I'm banging my head against the wall trying to set up remote syslog, sending to my "Security Onion" VM.
On the SO VM syslog-ng is listening on port 514
heisenberg@SO:/var$ sudo netstat -lnptu | grep syslog
tcp 0 0 0.0.0.0:514 0.0.0.0:* LISTEN 32649/syslog-ng
udp 0 0 0.0.0.0:514 0.0.0.0:*
I allowed both UDP/TCP for troubleshooting purposes. From another machine on the same subnet I am able to perform a successful telnet test, but using the "test port" feature of pfSense it reports back "Connection Failed".
My SO VM is running in Virtualbox on a Linux MINT host using a bridged connection on a dedicated NIC.
Has anybody had any luck setting up a similar configuration?
-
For SO, did you open up the port etc. in UFW?
-
Yes, I actually opened both TCP and UDP from anywhere for troubleshooting purposes
Status: active
To Action From
-- ------ ----
22/tcp ALLOW Anywhere
514/udp ALLOW Anywhere
514/tcp ALLOW Anywhere
22/tcp (v6) ALLOW Anywhere (v6)
514/udp (v6) ALLOW Anywhere (v6)
514/tcp (v6) ALLOW Anywhere (v6)
-
The strange thing is that I don't believe the data is reaching Security Onion. I can telnet to 514 from another box on my LAN while running tcpdump on SO's eth0 interface and see activity. Performing a "Test Port" or ping from pfSense fails. All machines are on the same LAN. Seriously frustrating!
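The post above mixes two different checks: a TCP "Test Port" (which only proves a three-way handshake completes) and watching for syslog datagrams on UDP/514 with tcpdump. The script below is an added example, not code from the original thread or from pfSense or Security Onion. It builds an RFC 3164 (BSD-style) syslog datagram of the kind pfSense's remote logging sends, delivers it over UDP to an in-process listener, and parses what arrives, so you can see exactly what should show up on the collector; it also shows why a TCP probe succeeds only while something is listening on TCP and says nothing about UDP. The message body (a made-up filterlog record), the hostname "pfSense", and the use of 127.0.0.1 with an ephemeral port instead of 514 are all assumptions so the example runs offline without root.

```python
"""
Loopback check for remote syslog delivery. Added example; not part of the
original forum thread. Assumes the collector expects RFC 3164 syslog and
uses 127.0.0.1 plus an ephemeral port (not 514) so it runs unprivileged.
"""
import re
import socket
from datetime import datetime

# <PRI>Mmm dd hh:mm:ss HOST TAG: MSG  (RFC 3164 layout; day of month is space-padded)
SYSLOG_RE = re.compile(
    r"^<(\d{1,3})>([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (\S+) (\S+?): (.*)$", re.S
)

FACILITY_LOCAL0 = 16   # pfSense defaults to local0 for remote logging
SEVERITY_INFO = 6


def build_syslog_message(facility, severity, hostname, tag, msg, when=None):
    """Encode one RFC 3164 message. PRI = facility * 8 + severity.
    A fixed timestamp keeps the output deterministic for testing."""
    when = when or datetime(2017, 3, 1, 12, 0, 0)
    pri = facility * 8 + severity
    ts = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"
    return f"<{pri}>{ts} {hostname} {tag}: {msg}".encode("ascii")


def parse_syslog_message(data):
    """Split a received datagram back into fields; None if it is not RFC 3164 shaped."""
    m = SYSLOG_RE.match(data.decode("ascii", errors="replace"))
    if not m:
        return None
    pri = int(m.group(1))
    return {
        "facility": pri // 8,
        "severity": pri % 8,
        "timestamp": m.group(2),
        "host": m.group(3),
        "tag": m.group(4),
        "msg": m.group(5),
    }


def tcp_port_open(host, port, timeout=1.0):
    """What a TCP 'Test Port' really does: complete a handshake. Tells you nothing
    about whether UDP datagrams to the same port number are being accepted."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def udp_loopback_syslog(payload, timeout=2.0):
    """Bind a UDP listener on 127.0.0.1, send the payload to it, and return the
    parsed datagram. This is the in-process equivalent of 'logger' plus 'tcpdump'."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as rx:
        rx.bind(("127.0.0.1", 0))            # 0 = ephemeral port; 514 needs root
        rx.settimeout(timeout)
        port = rx.getsockname()[1]
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as tx:
            tx.sendto(payload, ("127.0.0.1", port))
        data, _ = rx.recvfrom(65535)         # raises socket.timeout if nothing arrives
    return parse_syslog_message(data)


def tcp_probe_demo():
    """Probe a TCP listener while it is open, then again after it is closed.
    Returns (result_while_listening, result_after_close)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
        port = srv.getsockname()[1]
        while_open = tcp_port_open("127.0.0.1", port)
    after_close = tcp_port_open("127.0.0.1", port)
    return while_open, after_close


if __name__ == "__main__":
    # Constructed sample: a pfSense filterlog record, not a real capture.
    sample = build_syslog_message(
        FACILITY_LOCAL0, SEVERITY_INFO, "pfSense", "filterlog",
        "5,,,1000000103,em0,match,block,in,4",
    )
    print("sent   :", sample)
    print("parsed :", udp_loopback_syslog(sample))
    print("tcp probe (open, closed):", tcp_probe_demo())
```

If `udp_loopback_syslog` works here but tcpdump on the collector's interface shows nothing from the firewall, the datagrams are being dropped before they reach the host (in this thread's case, the VirtualBox bridge), not by syslog-ng or UFW.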
-
I'm starting to think the problem is with Virtualbox. A simple ping test from pfSense works successfully to the physical hosts on my network. But pinging the IP assigned to the SO guest fails. I just started running Virtualbox on a Linux host recently so I'm not sure if there is something that I need to configure on a bridged connection to allow incoming traffic.
-
I started cycling through different adapter names while the SO VM remained running (eno1, enp1s0) and my tcpdump is now detecting activity on Port 514.
I started ELSA and checked various locations. The only activity that I see is on the loopback address (127.0.0.1). How do I see syslog in ELSA?
-
Are you using the latest SO release? I assume that it has the pfSense log parser code for the applicable pfSense version you are using. I would submit a question in their forum.
https://groups.google.com/forum/#!forum/security-onion
-
I am running the latest versions of both SO (v.14.04.5.2) & pfSense (v.2.3.3).
@BBCAN177 did you have to change settings in any config file, or should ELSA be able to automatically detect the source?
I posed a question in the SO forums. Pending response.
Thx