Other Supported Logs
We include Elasticsearch ingest parsers for several log types that don’t have Filebeat modules.
Example: pfSense
Security Onion includes Elasticsearch ingest parsers for pfSense firewall logs. Simply run so-allow as described in the Syslog section and then configure your pfSense firewall to send syslog to the IP address of your Security Onion box. If you are using pfSense 2.6.0 or higher, make sure that Log Message Format is set to BSD (RFC 3164, default). You should then be able to see your firewall logs using the Firewall query in Dashboards or Hunt.
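To confirm that a pfSense sender is really using the BSD format before its logs reach the ingest parser, here is a small added check (example code written for this page, not part of Security Onion or pfSense) that classifies received syslog lines as RFC 3164 or RFC 5424 and lists the senders still using RFC 5424; the sample messages and hostnames are constructed.

```python
import re

# Constructed sample messages as they would arrive over syslog from pfSense.
# Line 1: BSD (RFC 3164) form, which the Security Onion parser expects.
# Line 2: RFC 5424 form, produced on pfSense 2.6.0+ when Log Message Format is not BSD.
# Line 3: junk that is not syslog at all.
SAMPLE_LINES = [
    "<134>Mar  1 12:00:01 pfSense filterlog[71528]: 5,,,1000000103,igb0,match,"
    "block,in,4,0x0,,64,1234,0,none,6,tcp,60,10.0.0.5,10.0.0.1,44312,22,0,S,123,,65535,,mss",
    "<134>1 2024-03-01T12:00:01.000000-05:00 pfsense-branch filterlog 71528 - - 5,,,"
    "1000000103,igb0,match,block,in,4,0x0,,64,1234,0,none,6,tcp,60,10.0.0.5,10.0.0.1,44312,22,0,S",
    "not a syslog message",
]

# RFC 3164 (BSD): <PRI>Mmm dd hh:mm:ss HOST TAG[pid]: MSG
RFC3164_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<msg>.+)$"
)
# RFC 5424: <PRI>1 TIMESTAMP HOST APP-NAME PROCID MSGID STRUCTURED-DATA MSG
RFC5424_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<pid>\S+) (?P<msgid>\S+) (?P<sd>-|\[.*?\]) ?(?P<msg>.*)$"
)


def decode_pri(pri):
    """Split a syslog PRI value into (facility, severity); 134 -> (16, 6) = local0.info."""
    return pri // 8, pri % 8


def classify_syslog(line):
    """Return (format, host) where format is 'rfc3164', 'rfc5424' or 'unknown'."""
    m = RFC3164_RE.match(line)
    if m:
        return "rfc3164", m.group("host")
    m = RFC5424_RE.match(line)
    if m:
        return "rfc5424", m.group("host")
    return "unknown", None


def hosts_needing_bsd_format(lines):
    """Senders still emitting RFC 5424, i.e. pfSense boxes whose Log Message Format must be set back to BSD."""
    return sorted({host for line in lines for fmt, host in [classify_syslog(line)] if fmt == "rfc5424"})


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(classify_syslog(line))
    print("fix Log Message Format on:", hosts_needing_bsd_format(SAMPLE_LINES))
```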
Example: RITA
Security Onion includes Elasticsearch ingest parsers for RITA logs. To enable this support, add the following in the relevant Salt minion pillar and then restart Filebeat on the minion(s):
    rita:
      enabled: True
This will enable the following Filebeat inputs:
/nsm/rita/beacons.csv
/nsm/rita/exploded-dns.csv
/nsm/rita/long-connections.csv
/nsm/rita/open-connections.csv
If you are installing Filebeat on a non-Security Onion node or your filenames differ, you will need to copy the Filebeat configuration from /opt/so/saltstack/default/salt/filebeat/etc/filebeat.yml to /opt/so/saltstack/local/salt/filebeat/etc/filebeat.yml (or modify on the non-Security Onion node in the normal Filebeat configuration file) and emulate the path/filename accordingly.
Once ingested into Security Onion, you should be able to search for RITA logs in Dashboards or Hunt using event.module:rita | groupby event.dataset.
The RITA dashboards provide the following views: Summary, Connections, DNS, and Beacon.