
SIEM integration

wiki auto updater edited this page Jun 10, 2024 · 6 revisions

Integration with SIEM systems (>= v1.6.0)

You can configure OpenSnitch to send intercepted events to third-party SIEM solutions.

Firstly, configure a logger (only syslog is supported as of v1.6.0):

/etc/opensnitch/default-config.json

    "Server": {
        "Address": "unix:///tmp/osui.sock",
        "LogFile": "/var/log/opensnitchd.log",
        "Loggers": [
            {
                "Name": "syslog",
                "Server": "127.0.0.1:514",
                "Protocol": "udp",
                "Format": "rfc5424",
                "Tag": "opensnitchd"
            }
        ]
    },
    (...)

Possible fields and values of the syslog logger:

Option    Description
Name      Name that identifies the logger: syslog, remote or remote_syslog.
Server    Server address. Leave it empty to log events to the local syslog daemon.
Protocol  Transport protocol (udp or tcp). Only applicable if Server is not empty.
Format    Possible values: rfc3164, rfc5424, csv or json. rfc5424 logs the event fields as KEY=VALUE pairs.
Tag       Optional tag to identify the events in the syslog. If empty, syslog uses the name of the daemon.

After modifying the configuration, restart OpenSnitch.

Now you should see the events in your SIEM, for example:

[screenshots: intercepted events displayed in the SIEM]
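The KEY=VALUE payload carried by the rfc5424 format is straightforward to parse on the collector side. The following Python snippet is an added example, not code from OpenSnitch: it parses RFC 5424 syslog lines, extracts the KEY=VALUE pairs from the message part, ignores lines from other syslog sources, and counts denied connections per rule. The sample lines are constructed, and the field names they use (action, rule, proto, dst_ip, dst_port, pid, exe) are assumptions; check them against what your daemon actually emits.

```python
"""Parse OpenSnitch syslog events (rfc5424 format, KEY=VALUE payload) on the collector."""
import re
from collections import Counter
from typing import Dict, Iterable

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD [MSG]
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d{1,2}) (?P<ts>\S+) (?P<host>\S+) "
    r"(?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) "
    r"(?P<sd>-|(?:\[[^\]]*\])+)(?: (?P<msg>.*))?$"
)
# KEY=VALUE pairs; a value containing spaces is expected to be double-quoted
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_rfc5424(line: str) -> Dict:
    """Split one syslog line into header fields plus the KEY=VALUE pairs of its message."""
    m = HEADER_RE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError("not an RFC 5424 message: %r" % line[:60])
    pri = int(m.group("pri"))
    fields = {}
    for key, raw in KV_RE.findall(m.group("msg") or ""):
        if len(raw) >= 2 and raw[0] == raw[-1] == '"':
            raw = re.sub(r"\\(.)", r"\1", raw[1:-1])  # drop quotes, unescape \" and \\
        fields[key] = raw
    return {
        "facility": pri >> 3,       # e.g. 16 = local0
        "severity": pri & 7,        # e.g. 6 = informational
        "timestamp": m.group("ts"),
        "hostname": m.group("host"),
        "appname": m.group("app"),  # normally the logger's Tag, "opensnitchd" above
        "procid": m.group("procid"),
        "structured_data": m.group("sd"),
        "fields": fields,
    }


def denied_by_rule(lines: Iterable[str]) -> Counter:
    """Count denied connections per rule, skipping lines from other syslog sources."""
    counts: Counter = Counter()
    for line in lines:
        try:
            ev = parse_rfc5424(line)
        except ValueError:
            continue
        if ev["appname"] != "opensnitchd":
            continue
        if ev["fields"].get("action") == "deny":
            counts[ev["fields"].get("rule", "<no rule>")] += 1
    return counts


# Constructed sample lines; the field names are assumptions about the daemon's output.
SAMPLE_LINES = [
    "<134>1 2024-06-10T12:00:00.000Z workstation opensnitchd 1234 - - "
    "action=deny rule=block-telemetry proto=tcp dst_ip=203.0.113.10 dst_port=443 "
    "pid=4321 exe=/usr/bin/example-app",
    "<134>1 2024-06-10T12:00:01.000Z workstation opensnitchd 1234 - - "
    "action=allow rule=000-allow-domains proto=udp dst_ip=9.9.9.9 dst_port=53 "
    'pid=4322 exe="/opt/my app/bin/app"',
    "<134>1 2024-06-10T12:00:02.000Z workstation opensnitchd 1234 - - "
    "action=deny rule=block-telemetry proto=tcp dst_ip=203.0.113.11 dst_port=443 "
    "pid=4323 exe=/usr/bin/example-app",
    "<38>1 2024-06-10T12:00:03.000Z workstation sshd 99 - - Accepted publickey for user",
]

if __name__ == "__main__":
    for rule, n in denied_by_rule(SAMPLE_LINES).items():
        print(f"{rule}: {n} denied connection(s)")
```

Filtering on the APP-NAME (the Tag configured above) matters when the same collector port receives syslog traffic from other daemons; the last sample line shows such a message being skipped rather than mis-parsed.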

How to configure OpenSnitch with Grafana + Loki + promtail + syslog-ng

  1. Unzip this file: opensnitch-grafana-siem.zip

    The setup is based on the following example, so all the commands used to set it up apply: https://github.com/grafana/loki/tree/main/examples/getting-started

    Docs: https://grafana.com/docs/loki/latest/getting-started/

  2. Enter the directory where the docker-compose.yaml is and execute:

    # docker-compose up -d
    siem_minio_1 done
    siem_write_1 done
    siem_read_1 done
    siem_gateway_1 done
    siem_grafana_1 done
    siem_promtail_1 done
    syslog-ng done
    
  3. Add logger configuration as explained above to send events to 127.0.0.1 on port 514:

    "Server": {
        (...)
        "Loggers": [
            {
                "Name": "syslog",
                "Server": "127.0.0.1:514",
                "Protocol": "udp",
                "Format": "rfc5424",
                "Tag": "opensnitchd"
            }
        ]
    },
  4. Restart OpenSnitch: # service opensnitch restart
  5. Execute docker ps and verify that nginx, grafana, promtail, syslog-ng and loki are running.
  6. Open a web browser and go to 127.0.0.1:3000 . Log in with admin:admin
  7. Go to Configuration -> Data Sources -> click on Test, and verify that the Data source is connected and labels are found
  8. Go to Explore -> select Loki in the combo box and expand the "Log browser" dropdown box. There should be a label named "opensnitch"
  9. Click on it, and execute the query to list the collected events.

The zip file contains a dashboard.json. Hover the mouse over the + icon, click on Import and paste the content of the file.

Then you can open the dashboard and monitor the events.

How to configure OpenSnitch with Elasticsearch + Logstash + Kibana

  1. Unzip this file: opensnitch-elasticstack-siem.zip

    The setup is based on the following example, so all the commands used to set it up apply: https://github.com/grafana/loki/tree/main/examples/getting-started

    Note: the example is modified to use version 8.7.1 instead of 5.4. To review the changes, execute git diff . from that directory.

    Docs: https://www.elastic.co/guide/en/logstash/current/plugins-inputs-tcp.html https://www.elastic.co/guide/en/logstash/current/plugins-inputs-udp.html

  2. Enter the directory where the docker-compose.yml is and execute:

    # docker-compose up -d
    Recreating docker-elk-elasticsearch_logstash_1 ...
    Recreating docker-elk-elasticsearch_logstash_1 ... done
    Recreating docker-elk-syslog_logstash_1 ...
    Recreating docker-elk-syslog_logstash_1 ... done
    Recreating docker-elk-kibana_logstash_1 ...
    Recreating docker-elk-kibana_logstash_1 ... done
  3. Add the logger configuration as explained above to send events to 127.0.0.1 on port 3333:

    "Server": {
        (...)
        "Loggers": [
            {
                "Name": "remote",
                "Server": "127.0.0.1:3333",
                "Protocol": "tcp",
                "Format": "json",
                "Tag": "opensnitchd"
            }
        ]
    },
  4. Restart OpenSnitch: # service opensnitch restart

  5. Execute docker ps and verify that elasticsearch, logstash and kibana are running.

    If everything went fine, Logstash should be receiving events like this one (docker logs -f -n 100 <container id>):

         {
         "@timestamp" => 2023-07-19T13:49:54.546806822Z,
           "document" => {
               "Type" => 0,
               "Rule" => "000-allow-domains",
             "Action" => "allow",
              "Event" => {
                     "protocol" => "udp",
                       "dst_ip" => "9.9.9.9",
                 "process_args" => [
                     [0] "/usr/bin/firefox-esr"
                 ],
         (...)
         }
    
  6. Open a web browser and head to 127.0.0.1:5601.

  7. You'll need to create a Data View with a pattern that matches a Data Stream, for example: logs-*

[screenshot: creating a Data View with the logs-* pattern]

  8. Click on the left Menu -> Analytics -> Discover, to view the collected events:

[screenshot: Discover view listing the collected events]

  9. To create a dashboard to visualize the data, go to Analytics -> Dashboard -> Create Dashboard

[screenshot: creating a dashboard in Kibana]
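Before wiring Logstash in, it helps to see exactly what the remote logger sends over TCP port 3333. The following Python program is an added example, not part of OpenSnitch or of the Elastic stack: it listens on 127.0.0.1:3333 in place of Logstash, decodes the JSON events from the stream (handling both newline-delimited and concatenated objects, and a truncated object split across two reads, since how the daemon frames the objects is an assumption here), and reports the destinations each executable was denied access to. The event shape follows the Logstash document above (Type, Rule, Action, Event with protocol, dst_ip and process_args); dst_port is an assumed field name, and the sample stream is constructed.

```python
"""Stand-in TCP collector for OpenSnitch's "remote" logger in json format."""
import json
import socketserver
from collections import defaultdict
from typing import Dict, List, Set, Tuple


def split_json_objects(buffer: str) -> Tuple[List[dict], str]:
    """Decode every complete JSON object in buffer and return (objects, leftover).

    Works whether the sender newline-delimits objects or concatenates them, and
    keeps a truncated trailing object until the rest of it arrives."""
    decoder = json.JSONDecoder()
    objects: List[dict] = []
    pos = 0
    while True:
        while pos < len(buffer) and buffer[pos].isspace():
            pos += 1
        if pos >= len(buffer):
            return objects, ""
        try:
            obj, end = decoder.raw_decode(buffer, pos)
        except json.JSONDecodeError:
            return objects, buffer[pos:]  # incomplete (or bad) tail: keep it for the next read
        objects.append(obj)
        pos = end


def denied_destinations(events: List[dict]) -> Dict[str, Set[str]]:
    """Map each executable to the 'ip:port' destinations it was denied access to.

    Event shape mirrors the Logstash document above: Action, Rule and an Event
    object with dst_ip and process_args. dst_port is an assumed field name."""
    out: Dict[str, Set[str]] = defaultdict(set)
    for ev in events:
        if ev.get("Action") != "deny":
            continue
        conn = ev.get("Event") or {}
        exe = (conn.get("process_args") or ["<unknown>"])[0]
        out[exe].add(f"{conn.get('dst_ip')}:{conn.get('dst_port')}")
    return dict(out)


class CollectorHandler(socketserver.BaseRequestHandler):
    """Handle one daemon connection; print denied destinations as events arrive."""

    def handle(self) -> None:
        leftover = ""
        while True:
            data = self.request.recv(65536)
            if not data:
                break
            events, leftover = split_json_objects(leftover + data.decode("utf-8", "replace"))
            if len(leftover) > 1 << 20:  # a tail that never parses is garbage: drop it
                leftover = ""
            for exe, dests in denied_destinations(events).items():
                print(f"deny {exe} -> {sorted(dests)}")


# Constructed sample stream: three complete events plus a truncated fourth one,
# as a TCP read boundary might produce.
SAMPLE_STREAM = (
    '{"Type":0,"Rule":"000-allow-domains","Action":"allow","Event":{"protocol":"udp",'
    '"dst_ip":"9.9.9.9","dst_port":53,"process_args":["/usr/bin/firefox-esr"]}}\n'
    '{"Type":0,"Rule":"block-telemetry","Action":"deny","Event":{"protocol":"tcp",'
    '"dst_ip":"203.0.113.10","dst_port":443,"process_args":["/usr/bin/example-app","--bg"]}}'
    '{"Type":0,"Rule":"block-telemetry","Action":"deny","Event":{"protocol":"tcp",'
    '"dst_ip":"203.0.113.11","dst_port":443,"process_args":["/usr/bin/example-app"]}}\n'
    '{"Type":0,"Rule":"block-tel'
)

if __name__ == "__main__":
    # Same address and port the "remote" logger above is configured with.
    socketserver.TCPServer.allow_reuse_address = True
    with socketserver.TCPServer(("127.0.0.1", 3333), CollectorHandler) as srv:
        print("listening on 127.0.0.1:3333; press Ctrl-C to stop")
        srv.serve_forever()
```

Run it instead of the Logstash container, restart OpenSnitch, and the denied connections appear on the console as they happen; if nothing shows up, the same checks as in the troubleshooting section below apply (port 3333 listening, system firewall not blocking loopback traffic).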

Notes

  • Configure a data retention policy to reduce the size of the DB:

    Management -> Data -> Index Lifecycle Policies -> Delete phase

Troubleshooting Elastic stack

  • Verify that the TCP ports 3333 and 9200 are open:

    ~ $ ss -lptn | grep -E "(3333|9200)"
      tcp   LISTEN 0      1024                            [::ffff:127.0.0.1]:3333                   *:*    users:(("java",pid=3712866,fd=107))
      tcp   LISTEN 0      4096                                             *:9200                   *:*    users:(("java",pid=3712294,fd=412))

    You should be able to connect: ~ $ telnet 127.0.0.1 3333

  • If it's not open, analyze the Logstash and Elasticsearch container logs: ~ $ docker logs -f -n 100 ec4e3b0t7d87

    There should be a log line like this one in Logstash: [2023-07-19T13:40:11,945][INFO ][logstash.inputs.tcp ][main][cbc1d83a3460288f8b2c2a0399fe2b85eab0199a0a58318f75a4f931f9175f9e] Starting tcp input listener {:address=>"127.0.0.1:3333", :ssl_enable=>false}

    Also review the elasticsearch/data/ directory permissions, and make sure that the user who started the container can write there.

  • If you still cannot connect to ports 3333 / 9200, disable OpenSnitch's System firewall from the GUI, or set Enable to false in /etc/opensnitchd/system-fw.json and try again.
