SOC Logs

Standard Security Onion Console (SOC) logs can be found at /opt/so/log/soc/.

SOC Auth Logs

SOC auth is handled by Kratos and you can read more about that at https://github.com/ory/kratos. SOC auth logs can be found at /opt/so/log/kratos/. To look for successful SOC logins, you can run the following:

sudo zgrep "Identity authenticated successfully and was issued an Ory Kratos Session Cookie" /opt/so/log/kratos/*

Those logs should be ingested into Elasticsearch and available for searching in Dashboards, Hunt, and Kibana. Both Dashboards and Hunt have pre-defined queries for SOC auth logs.

_images/soc-logins.png

identity_id

Once you see the auth logs, you will notice that the login is logged as identity_id. You can find your desired identity_id as follows, replacing USERNAME@DOMAIN.COM with your desired SOC username:

echo "select * from identities;" | sudo sqlite3 /opt/so/conf/kratos/db/db.sqlite |grep USERNAME@DOMAIN.COM | cut -d\| -f1