    NST or SecurityOnion for log analysis?

    General pfSense Questions
      BxuEyE4:

      I was thinking of installing a VM to run NetworkSecurityToolkit or SecurityOnion and have pfSense forward its logs to the VM for analysis/study. This is a home environment.

      Anyone used either of these for pfSense log analysis and/or recommend one over the other?

        A Former User:

        Never used any of them but SecurityOnion looks better.

        In the past I've used Graylog as a syslog server for log analysis/search and it worked well, but I'm not sure if it has all the features you're wanting.

          stephenw10 (Netgate Administrator):

          Mmm, I've never used NST but I wasn't even aware of it until now. Most use SecurityOnion for this I would say.

          Steve

          Edit: Omitted a whole word!

            BxuEyE4 (in reply to A Former User):

            @skorzen said in NST or SecurityOnion for log analysis?:

            Never used any of them but SecurityOnion looks better.

            In the past I've used Graylog as a syslog server for log analysis/search and it worked well, but I'm not sure if it has all the features you're wanting.

            I read other threads here about fw log analysis and Graylog appeared a lot, along with Splunk and Zabbix. A bit overwhelming, as new ventures usually are.

            Now that you mention it too, I went ahead and installed a Graylog VM to test out. As this is for my home use, I'm thinking I want to keep checks on vulnerabilities & bandwidth usage for now. If I can get those battened down, then maybe real-time alerts too, to make use of some of the tools NST or SecurityOnion have for tracking those issues.

            Did the Graylog initial install come by default with fw & system log analysis tools, or did you install certain plugins/add-ons to facilitate that?

            Thanks for the reply.

              BxuEyE4 (in reply to stephenw10):

              @stephenw10 said in NST or SecurityOnion for log analysis?:

              Mmm, I've never used NST but I wasn't even aware of it until now. Most use Security for this I would say.

              Steve

              They both have NetworkMiner; when landing on its webpage to DL NetworkMiner, it had links to NST and SecurityOnion. That was how I heard about it.

              Just glancing at it, SecurityOnion has a boatload of various DBs for logging along with various parsers. I can see why most would make use of it in this regard.

              I'll experiment a bit with both and see how it goes. Appreciate your input.

                tim.mcmanus:

                I have used SecurityOnion for excellent results. I set it up as an ESXi VM and then mirrored the traffic from two different WAN ports to it as well as two different physical LANs. Very helpful with pcaps and analysis in near-real time, which is what I was mostly using it for.

                Easy to download, set up, and start working with. I will use it again if the occasion arises; I still have the VM floating around somewhere...

                  A Former User (in reply to BxuEyE4):

                  @bxueye4 said in NST or SecurityOnion for log analysis?:

                  @skorzen said in NST or SecurityOnion for log analysis?:

                  Never used any of them but SecurityOnion looks better.

                  In the past I've used Graylog as a syslog server for log analysis/search and it worked well, but I'm not sure if it has all the features you're wanting.

                  I read other threads here about fw log analysis and Graylog appeared a lot, along with Splunk and Zabbix. A bit overwhelming, as new ventures usually are.

                  Now that you mention it too, I went ahead and installed a Graylog VM to test out. As this is for my home use, I'm thinking I want to keep checks on vulnerabilities & bandwidth usage for now. If I can get those battened down, then maybe real-time alerts too, to make use of some of the tools NST or SecurityOnion have for tracking those issues.

                  Did the Graylog initial install come by default with fw & system log analysis tools, or did you install certain plugins/add-ons to facilitate that?

                  Thanks for the reply.

                  Hi,

                  I've actually just used it to store and read/display firewall/switch logs and warn for any particular regex in those logs. It's very easy to use and their dashboards were elegant.

                  Kind regards,

                    BxuEyE4 (in reply to tim.mcmanus):
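The "warn for any particular regex in those logs" approach from the post above, written out as an added example; it is not part of the original thread and not Graylog's or pfSense's own code. It parses the filterlog lines pfSense forwards over syslog into named fields and applies a few alert rules the way a log manager's "message matches regex" condition would, plus one thing a single-message regex cannot express: a source that keeps getting blocked. The field layout follows pfSense's documented filterlog CSV format (IPv4 with TCP/UDP only; IPv6 lines are skipped). The interface roles (igb0 assumed to be WAN, igb1 LAN), the ports watched, the rule names and the sample log lines are all constructed assumptions for a home setup, not values from the thread.

```python
import re
from collections import Counter

# A syslog line as pfSense forwards it to a remote collector: optional PRI, BSD
# timestamp, hostname, "filterlog[pid]: " and the CSV payload. (Assumed shape.)
SYSLOG_RE = re.compile(
    r"^(?:<\d+>)?(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"filterlog(?:\[\d+\])?: (?P<payload>.*)$"
)

# Field order of the filterlog CSV payload (pfSense's documented layout): a common
# header, then an IPv4 block, then a TCP or UDP block. IPv6 is not handled here.
COMMON = ["rule", "subrule", "anchor", "tracker", "iface", "reason", "action", "direction", "ipver"]
IPV4 = ["tos", "ecn", "ttl", "id", "offset", "flags", "proto_id", "proto", "length", "src", "dst"]
TCP = ["sport", "dport", "datalen", "tcpflags", "seq", "ack", "window", "urg", "options"]
UDP = ["sport", "dport", "datalen"]


def parse_filterlog(line):
    """Return a dict of named fields for one forwarded filterlog line, or None if it is not one."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    f = m.group("payload").split(",")
    rec = {"ts": m.group("ts"), "host": m.group("host")}
    rec.update(zip(COMMON, f[:len(COMMON)]))
    i = len(COMMON)
    if rec.get("ipver") != "4":
        return None  # IPv6 block has a different layout; skipped in this example
    rec.update(zip(IPV4, f[i:i + len(IPV4)]))
    i += len(IPV4)
    proto_fields = {"tcp": TCP, "udp": UDP}.get(rec.get("proto"), [])
    rec.update(zip(proto_fields, f[i:i + len(proto_fields)]))
    return rec


def render(rec):
    """Flatten a record to 'key=value key=value ...' so one regex can match across fields."""
    return " ".join(f"{k}={v}" for k, v in rec.items())


# Regex rules in the style of a log manager's "alert when message matches" condition.
# Assumptions: igb0 is the WAN, igb1 the LAN; the port lists are illustrative.
RULES = [
    ("wan_blocked_admin_port",
     re.compile(r"iface=igb0 .*action=block direction=in .*proto=tcp .*dport=(?:22|3389|445)(?:\s|$)")),
    ("lan_outbound_smtp",
     re.compile(r"iface=igb1 .*action=pass direction=in .*proto=tcp .*dport=25(?:\s|$)")),
]


def scan(lines, rules=RULES, repeat_threshold=3):
    """Apply each regex rule to every parsed line, and additionally flag any source
    address blocked at least repeat_threshold times. Returns (rule_name, src) tuples."""
    alerts = []
    blocks = Counter()
    for line in lines:
        rec = parse_filterlog(line)
        if rec is None:
            continue
        text = render(rec)
        for name, rx in rules:
            if rx.search(text):
                alerts.append((name, rec["src"]))
        if rec["action"] == "block":
            blocks[rec["src"]] += 1
    for src, n in blocks.items():
        if n >= repeat_threshold:
            alerts.append(("repeated_blocks", src))
    return alerts


# Constructed sample lines using RFC 5737 documentation addresses; not real traffic.
SAMPLE_LINES = [
    "<134>Jun  5 10:15:02 pfsense filterlog[71343]: 5,,,1000000103,igb0,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,203.0.113.7,198.51.100.5,51234,22,0,S,1234567890,,65535,,mss;sackOK;TS;nop;wscale",
    "<134>Jun  5 10:15:03 pfsense filterlog[71343]: 9,,,1000000110,igb1,match,pass,in,4,0x0,,64,0,0,DF,17,udp,78,192.168.1.20,192.168.1.1,52000,53,58",
    "<134>Jun  5 10:15:04 pfsense filterlog[71343]: 5,,,1000000103,igb0,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,203.0.113.7,198.51.100.5,51235,3389,0,S,987654321,,65535,,mss;sackOK",
    "<134>Jun  5 10:15:05 pfsense filterlog[71343]: 5,,,1000000103,igb0,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,203.0.113.7,198.51.100.5,51236,445,0,S,11111,,65535,,mss",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LINES):
        print(alert)
```

Run as-is it prints three wan_blocked_admin_port alerts and one repeated_blocks alert for the same source. In a real deployment the regexes in RULES are what you would paste into the log manager's alert condition; the parse step is only there to show which CSV column each part of the regex is actually matching, since a regex written against the raw comma-separated payload is easy to get off by one field.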

                    @tim-mcmanus said in NST or SecurityOnion for log analysis?:

                    I have used SecurityOnion for excellent results. I set it up as an ESXi VM and then mirrored the traffic from two different WAN ports to it as well as two different physical LANs. Very helpful with pcaps and analysis in near-real time, which is what I was mostly using it for.

                    Easy to download, set up, and start working with. I will use it again if the occasion arises; I still have the VM floating around somewhere...

                    Glad to hear it worked well. I plan on mirroring too. The VM installed on its own SSD easily enough and seems ready to go. That's as far as I've gotten; will drill down into it soon.

                    Thx

                      BxuEyE4 (in reply to A Former User):

                      @skorzen said in NST or SecurityOnion for log analysis?:

                      @bxueye4 said in NST or SecurityOnion for log analysis?:

                      @skorzen said in NST or SecurityOnion for log analysis?:

                      Never used any of them but SecurityOnion looks better.

                      In the past I've used Graylog as a syslog server for log analysis/search and it worked well, but I'm not sure if it has all the features you're wanting.

                      I read other threads here about fw log analysis and Graylog appeared a lot, along with Splunk and Zabbix. A bit overwhelming, as new ventures usually are.

                      Now that you mention it too, I went ahead and installed a Graylog VM to test out. As this is for my home use, I'm thinking I want to keep checks on vulnerabilities & bandwidth usage for now. If I can get those battened down, then maybe real-time alerts too, to make use of some of the tools NST or SecurityOnion have for tracking those issues.

                      Did the Graylog initial install come by default with fw & system log analysis tools, or did you install certain plugins/add-ons to facilitate that?

                      Thanks for the reply.

                      Hi,

                      I've actually just used it to store and read/display firewall/switch logs and warn for any particular regex in those logs. It's very easy to use and their dashboards were elegant.

                      Kind regards,

                      Good to hear. All thumbs up from users of SO so far.

                        tim.mcmanus (in reply to BxuEyE4):

                        @bxueye4 said in NST or SecurityOnion for log analysis?:

                        @tim-mcmanus said in NST or SecurityOnion for log analysis?:

                        I have used SecurityOnion for excellent results. I set it up as an ESXi VM and then mirrored the traffic from two different WAN ports to it as well as two different physical LANs. Very helpful with pcaps and analysis in near-real time, which is what I was mostly using it for.

                        Easy to download, set up, and start working with. I will use it again if the occasion arises; I still have the VM floating around somewhere...

                        Glad to hear it worked well. I plan on mirroring too. The VM installed on its own SSD easily enough and seems ready to go. That's as far as I've gotten; will drill down into it soon.

                        Thx

                        Remember to set the VM NIC to promiscuous so you actually see traffic.
