Thursday, March 16, 2017

Towards ELK on Security Onion: A Technology Preview

UPDATED 2018/04/09! We've released a newer version!

Over the last few years, we've had lots of folks ask for ELK (Elasticsearch, Logstash, and Kibana) on Security Onion.  The time has come to begin working towards ELK on Security Onion!

In the grand tradition of "release early, release often", we're releasing a very early Technology Preview of what ELK on Security Onion might look like.  This Technology Preview consists of a script that will take a Security Onion VM in Evaluation Mode and convert it from ELSA to ELK.  We're releasing this now because we want to get your feedback as early as possible in this project.

Special thanks to Justin Henderson for his Logstash configs and installation guide!

Special thanks to Phil Hagen for all his work on SOF-ELK!

Warnings and Disclaimers

  • If this breaks your system, you get to keep both pieces!
  • This script is a work in progress and is in constant flux.
  • This script is intended to build a quick prototype proof of concept so you can see what our ultimate ELK configuration might look like.  This configuration will change drastically over time leading up to the final release.
  • Do NOT run this on a system that you care about!
  • Do NOT run this on a system that has data that you care about!
  • This script should only be run on a TEST box with TEST data!
  • This script is only designed for standalone boxes and does NOT support distributed deployments.
  • Use of this script may result in nausea, vomiting, or a burning sensation.

Bring on the ELK
Enough disclaimers?  Let's do this!

Start with a disposable TEST VM with the following minimum requirements:

  • 2 CPU cores
  • 4GB RAM
  • 20GB virtual hard drive
  • (1) management interface with full Internet access
  • (1) sniffing interface (separate from management interface)
  • Security Onion ISO image installed
  • Setup run in Evaluation Mode

Download the script:
Run the script with sudo privileges:
sudo bash
Please read through all the WARNINGS and DISCLAIMERS and ONLY proceed if you agree.

The script will take at least 10 minutes depending on the speed of your hardware and Internet connection.

After a minute or two, you should be able to access Kibana via the following URL:

You should see our new Security Onion login window.  Enter the same credentials that you use to log in to Sguil and Squert.  This login window will provide single sign-on for both Kibana and CapMe to allow seamless pivoting to full packet capture!

Once logged into Kibana, you will automatically start on our Overview dashboard and you will see links to other dashboards as well.  These dashboards are designed to work at 1024x768 screen resolution in order to maximize compatibility.

As you search through the data in Kibana, you should see Bro logs, syslog, and Snort alerts.  Logstash should have parsed out most fields in most Bro logs and Snort alerts.

Notice that the search panels at the bottom of the dashboards display the source_ip and destination_ip fields with hyperlinks.  These hyperlinks will take you to a dashboard that will help you analyze the traffic relating to that particular IP address.

UID fields are also hyperlinked.  This hyperlink will start a new Kibana search for that particular UID.  In the case of Bro UIDs this will show you all Bro logs related to that particular connection.

Each log entry also has an _id field that is hyperlinked.  This hyperlink will take you to CapMe, allowing you to request full packet capture for any arbitrary log type!  This assumes that the log is for tcp or udp traffic that was seen by Bro and Bro recorded it correctly in its conn.log.  CapMe should try to do the following:

  • retrieve the _id from Elasticsearch
  • parse out timestamp
  • if Bro log, parse out the CID, otherwise parse out src IP, src port, dst IP, and dst port
  • query Elasticsearch for those terms and try to find the corresponding bro_conn log
  • parse out sensor name (hostname-interface)
  • send a request to sguild to request pcap from that sensor name

Previously, in Squert, you could pivot from an IP address to ELSA.  That pivot has been removed and replaced with a pivot to ELK.

Using wget to download the script

Running the script as root with "sudo bash"


Thanks to Justin Henderson and Phil Hagen!


Instructions at end of script

New Security Onion login window (use your existing Sguil/Squert credentials) provides single sign-on for both Kibana and CapMe

Overview Dashboard contains graphs and links to other dashboards

All of our dashboards include a search panel at the bottom so you can quickly drill into details

Indicator Dashboard is great for seeing the most interesting data types for a particular IP address

Notices Dashboard shows Bro Notices

NIDS Dashboard shows NIDS alerts from Snort or Suricata

Bro_conn Dashboard allows you to slice and dice Bro's conn.log

Bro_dns Dashboard allows you to slice and dice Bro's dns.log

Bro_http Dashboard allows you to slice and dice Bro's http.log

Bro_ssl Dashboard allows you to slice and dice Bro's ssl.log

Scrolling down the Bro_http Dashboard, we see raw logs with hyperlinks to pivot to further information

Clicking the source IP address in the previous screenshot takes us to the Indicator Dashboard for the source IP

Clicking the destination IP address takes us to the Indicator Dashboard for the destination IP

Clicking the uid field takes us to the Indicator Dashboard for the Bro connection ID

Clicking the _id hyperlink takes us to CapMe to retrieve full packet capture for that stream

We're releasing this now because we want to get your feedback as early as possible in this project.  Please try it out and send your feedback to our mailing list:

What do you think?

What works well?

What needs to be improved?

Any questions or other comments?

Thanks in advance for any and all feedback!

UPDATE 2017-03-16 Fixed link to Justin Henderson's github repo

UPDATE 2017-06-01 Renamed github repo from elk-test to elastic-test

UPDATE 2017-06-03 Added link to Technology Preview 2

UPDATE 2017-07-28 Changed TP2 link to point to TP3

UPDATE 2017-09-16 Changed TP3 link to point to ALPHA

UPDATE 2017-11-01 Changed ALPHA link to point to BETA

UPDATE 2017-11-30 Changed BETA link to point to BETA 2

UPDATE 2017-12-18 Changed BETA 2 link to point to BETA 3
