Host Visibility

When you logged into Security Onion Console (SOC), you may have seen some host logs from Wazuh. Security Onion can also consume many other kinds of host logs. You can send logs to Security Onion via osquery, Beats, Wazuh, or Syslog:

  • Choose osquery if you want live response actions and light log transport. A good example is a roaming laptop where log volume is low and you might want to send its logs to a dedicated FleetDM node in the DMZ.
  • Choose Wazuh if you want HIDS functionality and log transport. However, please be aware that Wazuh will not be included in the upcoming Security Onion 2.4.
  • Choose Beats for dedicated log transport. Examples would be high-volume domain controllers or Windows Event Collectors.
  • Choose Syslog if you can’t install an agent but the device supports sending standard syslog. Examples include firewalls, switches, routers, and other network devices.
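The syslog option above depends on the device emitting well-formed messages and on the Security Onion node actually accepting them. The following is an added example (not code from the Security Onion project or its documentation): it builds an RFC 5424 syslog line, decodes it the way a collector would, and can send it over UDP so you can confirm the listener is reachable before pointing a firewall or switch at it. The manager hostname, the use of port 514, and the firewall deny message are assumptions and constructed test data, not values taken from the docs.

```python
# Added example, not code from the Security Onion project: build an RFC 5424
# syslog line, decode it as a collector would, and optionally send it over UDP
# to a Security Onion node. Hostname, port 514 and the sample firewall event
# are assumptions / constructed data, not values from the documentation.
import socket
from datetime import datetime, timezone

# Facility and severity codes from RFC 5424 section 6.2.1
FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    "ntp": 12, "logaudit": 13, "logalert": 14, "clock": 15,
    "local0": 16, "local1": 17, "local2": 18, "local3": 19,
    "local4": 20, "local5": 21, "local6": 22, "local7": 23,
}
SEVERITIES = {
    "emerg": 0, "alert": 1, "crit": 2, "err": 3,
    "warning": 4, "notice": 5, "info": 6, "debug": 7,
}
FACILITY_NAMES = {v: k for k, v in FACILITIES.items()}
SEVERITY_NAMES = {v: k for k, v in SEVERITIES.items()}


def pri(facility: str, severity: str) -> int:
    """PRI = facility * 8 + severity, as encoded in the leading <N> field."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def is_valid_pri(value: int) -> bool:
    """Facilities 0-23 and severities 0-7 give a PRI range of 0..191."""
    return 0 <= value <= 191


def format_timestamp(dt: datetime) -> str:
    """RFC 5424 timestamp in UTC with millisecond precision, e.g. 2023-05-01T12:00:00.250Z."""
    dt = dt.astimezone(timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:%M:%S") + f".{dt.microsecond // 1000:03d}Z"


def build_rfc5424(facility, severity, hostname, appname, msg,
                  procid="-", msgid="-", timestamp=None) -> str:
    """Layout: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG.
    Structured data is sent as the NILVALUE '-' here."""
    ts = format_timestamp(timestamp or datetime.now(timezone.utc))
    return f"<{pri(facility, severity)}>1 {ts} {hostname} {appname} {procid} {msgid} - {msg}"


def parse_rfc5424(line: str) -> dict:
    """Decode a line into the fields a collector indexes; raises ValueError on malformed input.
    Only the NILVALUE structured-data case is handled; real SD-ELEMENTs can contain
    spaces and need a bracket-aware parser."""
    if not line.startswith("<") or ">" not in line:
        raise ValueError("missing PRI")
    pri_text, rest = line[1:].split(">", 1)
    pri_value = int(pri_text)
    if not is_valid_pri(pri_value):
        raise ValueError(f"PRI out of range: {pri_value}")
    parts = rest.split(" ", 7)
    if len(parts) < 7 or parts[0] != "1":
        raise ValueError("not an RFC 5424 version-1 header")
    _version, ts, host, app, procid, msgid, sd = parts[:7]
    msg = parts[7] if len(parts) == 8 else ""
    return {
        "facility": FACILITY_NAMES[pri_value // 8],
        "severity": SEVERITY_NAMES[pri_value % 8],
        "timestamp": ts, "hostname": host, "appname": app,
        "procid": procid, "msgid": msgid, "structured_data": sd, "msg": msg,
    }


def send_udp(line: str, host: str, port: int = 514) -> int:
    """Send one datagram and return the byte count. Port 514 is the conventional
    syslog port; confirm the port and firewall rules for your own deployment."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        return s.sendto(line.encode("utf-8"), (host, port))


# Constructed sample: a firewall deny event with a fixed timestamp so output is reproducible.
SAMPLE = build_rfc5424(
    "local0", "info", "fw01", "firewall",
    "deny tcp 10.0.0.5:51234 -> 203.0.113.7:22",
    timestamp=datetime(2023, 5, 1, 12, 0, 0, 250000, tzinfo=timezone.utc),
)

if __name__ == "__main__":
    print(SAMPLE)
    print(parse_rfc5424(SAMPLE))
    # send_udp(SAMPLE, "so-manager.example.com")  # assumed hostname; uncomment to test delivery
```

Run it once with the `send_udp` line uncommented and then search SOC for the `fw01` host; if nothing arrives, check the node's firewall rules for the syslog port before suspecting the device's configuration. Because UDP gives no delivery confirmation, the return value of `send_udp` only tells you the datagram left the sending host.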

For Windows endpoints, you can optionally augment the standard Windows logging with Sysmon and/or Autoruns. Those additional logs are then transported by whichever mechanism you chose above.