NST or SecurityOnion for log analysis?



  • I was thinking of installing a VM to run NetworkSecurityToolkit or SecurityOnion and have pfSense forward its logs to the VM for analysis/study. This is a home environment.

    Anyone used either of these for pfSense log analysis and/or recommend one over the other?



  • Never used any of them but SecurityOnion looks better.

    In the past I've used Graylog as a syslog server for log analysis/search and it worked well, but I'm not sure if it has all the features you're wanting.


  • Netgate Administrator

    Mmm, I've never used NST but I wasn't even aware of it until now. Most use SecurityOnion for this I would say.

    Steve

    Edit: Omitted a whole word!



  • @skorzen said in NST or SecurityOnion for log analysis?:

    Never used any of them but SecurityOnion looks better.

    In the past I've used Graylog as a syslog server for log analysis/search and it worked well, but I'm not sure if it has all the features you're wanting.

    I read other threads here about fw log analysis and Graylog appeared a lot, along with Splunk and Zabbix. A bit overwhelming, as new ventures usually are.

    Now that you mention it too, I went ahead and installed a Graylog VM to test out. As this is for my home use, I'm thinking I want to keep checks on vulnerabilities & bandwidth usage for now. If I can get those battened down, then maybe real-time alerts too, to make use of some of the tools NST or SecurityOnion have for tracking those issues.

    Did the Graylog initial install come by default with fw & system log analysis tools, or did you install certain plugins/add-ons to facilitate that?

    Thanks for the reply.



  • @stephenw10 said in NST or SecurityOnion for log analysis?:

    Mmm, I've never used NST but I wasn't even aware of it until now. Most use Security for this I would say.

    Steve

    They both have NetworkMiner, and when landing on its webpage to DL NetworkMiner it had links to NST and SecurityOnion. That was how I heard about it.

    Just glancing at it, SecurityOnion has a boatload of various DBs for logging along with various parsers. I can see why most would make use of it in this regard.

    I'll experiment a bit with both and see how it goes. Appreciate your input.



  • I have used SecurityOnion for excellent results. I set it up as an ESXi VM and then mirrored the traffic from two different WAN ports to it as well as two different physical LANs. Very helpful with pcaps and analysis in near-real time, which is what I was mostly using it for.

    Easy to download, setup, and start working with. I will use it again if the occasion arises, I still have the VM floating around somewhere...



  • @bxueye4 said in NST or SecurityOnion for log analysis?:

    @skorzen said in NST or SecurityOnion for log analysis?:

    Never used any of them but SecurityOnion looks better.

    In the past I've used Graylog as a syslog server for log analysis/search and it worked well, but I'm not sure if it has all the features you're wanting.

    I read other threads here about fw log analysis and Graylog appeared a lot, along with Splunk and Zabbix. A bit overwhelming, as new ventures usually are.

    Now that you mention it too, I went ahead and installed a Graylog VM to test out. As this is for my home use, I'm thinking I want to keep checks on vulnerabilities & bandwidth usage for now. If I can get those battened down, then maybe real-time alerts too, to make use of some of the tools NST or SecurityOnion have for tracking those issues.

    Did the Graylog initial install come by default with fw & system log analysis tools, or did you install certain plugins/add-ons to facilitate that?

    Thanks for the reply.

    Hi,

    I've actually just used it to store and read/display firewall/switch logs and warn for any particular regex in those logs. It's very easy to use and their dashboards were elegant.

    Kind regards,
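The "warn for any particular regex in those logs" idea from the reply above, worked through as an added Python example that is not from this thread or from Graylog: it parses pfSense filterlog lines as they arrive via remote syslog, runs alert regexes over the raw message, and counts blocked inbound hits per source. The IPv4 column layout is assumed from pfSense's filterlog documentation, the WAN interface name em0 is an assumption, and the sample lines are constructed.

```python
import re
from collections import Counter
# The CSV after "filterlog[pid]: " in the forwarded syslog line is what we parse.
SYSLOG_RE = re.compile(r"filterlog\[\d+\]:\s*(?P<csv>.+)$")
# IPv4 column layout (assumption: taken from pfSense's filterlog documentation).
IPV4_FIELDS = ["rule", "subrule", "anchor", "tracker", "iface", "reason",
               "action", "dir", "ipver", "tos", "ecn", "ttl", "id", "offset",
               "flags", "proto_id", "proto", "length", "src", "dst"]
L4_FIELDS = ["sport", "dport"]
WAN = "em0"  # assumed WAN interface name

def parse_filterlog(line):
    """Return named fields for one IPv4 filterlog line, or None otherwise."""
    m = SYSLOG_RE.search(line)
    if not m:
        return None
    cols = m.group("csv").split(",")
    if len(cols) < len(IPV4_FIELDS) or cols[8] != "4":
        return None  # IPv6 and truncated lines are skipped here
    rec = dict(zip(IPV4_FIELDS, cols))
    if rec["proto"] in ("tcp", "udp"):
        rec.update(zip(L4_FIELDS, cols[len(IPV4_FIELDS):]))
    return rec
# "Warn for any particular regex": each rule is a name plus a regex run against
# the raw line, the way a Graylog alert condition on the message field would be.
ALERT_PATTERNS = [
    ("ssh_blocked_on_wan", re.compile(rf",{WAN},match,block,in,4,.*,tcp,\d+,[\d.]+,[\d.]+,\d+,22,")),
    ("smb_blocked_on_wan", re.compile(rf",{WAN},match,block,in,4,.*,tcp,\d+,[\d.]+,[\d.]+,\d+,445,")),
]

def scan(lines, threshold=3):
    """Return (regex hits, sources with >= threshold blocked inbound WAN hits)."""
    hits, per_src = [], Counter()
    for line in lines:
        rec = parse_filterlog(line)
        if rec is None:
            continue
        hits += [(n, rec["src"], rec.get("dport")) for n, p in ALERT_PATTERNS if p.search(line)]
        if rec["action"] == "block" and rec["dir"] == "in" and rec["iface"] == WAN:
            per_src[rec["src"]] += 1
    return hits, sorted(s for s, c in per_src.items() if c >= threshold)

# Constructed sample lines (not captured traffic); 203.0.113.0/24 is documentation space.
PFX = "Jan  5 12:00:01 pfSense filterlog[12345]: "
SAMPLE_LINES = [
    PFX + "5,,,1000000103,em0,match,block,in,4,0x0,,64,1111,0,DF,6,tcp,60,203.0.113.5,198.51.100.10,51234,22,0,S,",
    PFX + "5,,,1000000103,em0,match,block,in,4,0x0,,64,1112,0,DF,6,tcp,60,203.0.113.5,198.51.100.10,51235,445,0,S,",
    PFX + "5,,,1000000103,em0,match,block,in,4,0x0,,64,1113,0,DF,6,tcp,60,203.0.113.5,198.51.100.10,51236,22,0,S,",
    PFX + "5,,,1000000103,em0,match,block,in,4,0x0,,64,1114,0,DF,6,tcp,60,203.0.113.9,198.51.100.10,40000,80,0,S,",
    PFX + "9,,,1000000201,em1,match,pass,out,4,0x0,,64,2,0,none,17,udp,68,192.168.1.20,9.9.9.9,53000,53,48",
]
```

Running `scan(SAMPLE_LINES)` flags the two SSH and one SMB probe from 203.0.113.5 and reports that source as noisy, while the LAN DNS pass-out line and the single port-80 block do not trigger anything.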



  • @tim-mcmanus said in NST or SecurityOnion for log analysis?:

    I have used SecurityOnion for excellent results. I set it up as an ESXi VM and then mirrored the traffic from two different WAN ports to it as well as two different physical LANs. Very helpful with pcaps and analysis in near-real time, which is what I was mostly using it for.

    Easy to download, setup, and start working with. I will use it again if the occasion arises, I still have the VM floating around somewhere...

    Glad to hear it worked well. I plan on mirroring too. The VM installed on its own SSD easily enough and seems ready to go. That's as far as I've gotten; will drill down into it soon.

    Thx



  • @skorzen said in NST or SecurityOnion for log analysis?:

    @bxueye4 said in NST or SecurityOnion for log analysis?:

    @skorzen said in NST or SecurityOnion for log analysis?:

    Never used any of them but SecurityOnion looks better.

    In the past I've used Graylog as a syslog server for log analysis/search and it worked well, but I'm not sure if it has all the features you're wanting.

    I read other threads here about fw log analysis and Graylog appeared a lot, along with Splunk and Zabbix. A bit overwhelming, as new ventures usually are.

    Now that you mention it too, I went ahead and installed a Graylog VM to test out. As this is for my home use, I'm thinking I want to keep checks on vulnerabilities & bandwidth usage for now. If I can get those battened down, then maybe real-time alerts too, to make use of some of the tools NST or SecurityOnion have for tracking those issues.

    Did the Graylog initial install come by default with fw & system log analysis tools, or did you install certain plugins/add-ons to facilitate that?

    Thanks for the reply.

    Hi,

    I've actually just used it to store and read/display firewall/switch logs and warn for any particular regex in those logs. It's very easy to use and their dashboards were elegant.

    Kind regards,

    Good to hear. All thumbs up from users of SO so far.



  • @bxueye4 said in NST or SecurityOnion for log analysis?:

    @tim-mcmanus said in NST or SecurityOnion for log analysis?:

    I have used SecurityOnion for excellent results. I set it up as an ESXi VM and then mirrored the traffic from two different WAN ports to it as well as two different physical LANs. Very helpful with pcaps and analysis in near-real time, which is what I was mostly using it for.

    Easy to download, setup, and start working with. I will use it again if the occasion arises, I still have the VM floating around somewhere...

    Glad to hear it worked well. I plan on mirroring too. The VM installed on its own SSD easily enough and seems ready to go. That's as far as I've gotten; will drill down into it soon.

    Thx

    Remember to set the VM NIC to promiscuous so you actually see traffic.