CEF

If you have devices on your network that can send logs in CEF format, you can send those logs to Security Onion. To get those CEF logs into Elasticsearch, you’ll need to add the Elastic integration for CEF and then configure the Security Onion firewall to allow the remote device to send its logs.

Add the CEF integration

First, add the Elastic integration for CEF.

Note

For more information about the CEF integration, please see https://www.elastic.co/docs/reference/integrations/cef.

  1. Go to Elastic Fleet, click the Agent policies tab, and then click the desired policy (for example so-grid-nodes_general).

  2. Click the Add integration button.

  3. Search for cef and then click on the Common Event Format (CEF) integration.

  4. The Elastic Integration page will show an overview of the CEF Integration. Review all information on the page and then click the Add Common Event Format (CEF) button.

  5. On the Add Common Event Format (CEF) integration screen, disable the options labeled Collect CEF application logs (input: logfile) and Collect CEF application logs (input: tcp). Make sure that Collect CEF application logs (input: udp) is enabled and then change the Syslog Host setting from localhost to 0.0.0.0. The Syslog Port should be set to 9003 by default. Click the Save and continue button and then click Save and deploy changes.

Allow CEF logs through firewall

Next, allow the traffic from the CEF host through the firewall to the CEF integration port.

Note

The following instructions assume that this is the first firewall change you have made and therefore refer to customhostgroup0 and customportgroup0. If those have already been used, you can select the next available hostgroup and portgroup.

  1. Navigate to Administration –> Configuration.

  2. At the top of the page, click the Options menu and then enable the Show advanced settings option.

  3. On the left side, go to firewall, select hostgroups, and click the customhostgroup0 group. On the right side, enter the IP address of the CEF host and click the checkmark to save.

  4. On the left side, go to firewall, select portgroups, select the customportgroup0 group, and then click udp. On the right side, enter your desired listener port (9003 by default) and click the checkmark to save.

  5. On the left side, go to firewall, select role, and then select the node type that will receive the CEF logs. Then drill into chain –> INPUT –> hostgroups –> customhostgroup0 –> portgroups. On the right side, enter customportgroup0 and click the checkmark to save.

  6. If you would like to apply the rules immediately, click the SYNCHRONIZE GRID button under the Options menu at the top of the page.

CEF dashboard

Once all configuration is complete, you should be able to go to Dashboards and select the CEF dashboard to see your iptables logs.