Skip to content

SIEM integration

Jump to bottom
wiki auto updater edited this page May 18, 2022 · 6 revisions

Integration with SIEM systems (>= v1.6.0)

You can configure OpenSnitch to send intercepted events to third-party SIEM solutions.

Firstly, configure a logger (only syslog is supported as of v1.6.0):

/etc/opensnitch/default-config.json

    "Server": {
        "Address": "unix:///tmp/osui.sock",
        "LogFile": "/var/log/opensnitchd.log",
        "Loggers": [
            {
                "Name": "syslog",
                "Server": "127.0.0.1:514",
                "Protocol": "udp",
                "Format": "rfc5424",
                "Tag": "opensnitchd"
            }
        ]
    },
    (...)

syslog logger possible fields and values:

Option Description
Name Name that identifies the logger: syslog
Server Server address. Leave it empty to log events to the local daemon
Protocol Only applicable if Server is not empty
Format possible values: rfc5424,csv . RFC5424 will log events witht the format KEY=VALUE
Tag Optional tag to identify events in the syslog. If empty, syslog will use the name of the daemon

After modify the configuration, restart OpenSnitch.

Now you should see the events on your SIEM, for example:

image

image

Howto configure OpenSnitch with Grafana+Loki+promtail+syslog-ng

  1. Unzip this file opensnitch-grafana-siem.zip

    The setup is based on the following example, so all the commands to set it up applies: https://github.com/grafana/loki/tree/main/examples/getting-started

    Docs: https://grafana.com/docs/loki/latest/getting-started/

  2. Enter into the directory where the docker-compose.yaml is and execute:

    # docker-compose up -d
siem_minio_1 done
siem_write_1 done
siem_read_1 done
siem_gateway_1 done
siem_grafana_1 done
siem_promtail_1 done
syslog-ng done

  3. Add logger configuration as explained above to send events to 127.0.0.1 on port 514:

    "Server": {
        (...)
        "Loggers": [
            {
                "Name": "syslog",
                "Server": "127.0.0.1:514",
                "Protocol": "udp",
                "Format": "rfc5424",
                "Tag": "opensnitchd"
            }
        ]
    },
  1. Restart opensnitch: # service opensnitch restart
  2. Execute docker ps and verify that nginx, grafana, promtail, syslog-ng and loki are running.
  3. Open a web browser and open 127.0.0.1:3000 . Login with admin:admin
  4. Go to Configuration -> Data Sources -> click on Test, and verify that the Data source is connected and labels found
  5. Go to Explore -> select Loki in the combo box and expand the "Log browser" dropdown box. There should be a label named "opensnitch"
  6. Click on it, and execute the query to list the events collected.

The zip file contains a dashboard.json. Hover the mouse over the + icon, click on Import and paste the content of the file.

Then you can open the dashboard and monitorized the events.

Please help us make this wiki better.

How to submit changes: https://github.com/evilsocket/opensnitch/blob/wiki/README.md

  1. Installation
    1. Dependencies and how it works
  2. Getting started
    1. Events window
      1. Themes
    2. Process monitor dialog
    3. Pop-up dialogs
  3. Configuration
    1. Monitor method: audit
    2. Monitor method: eBPF
    3. Rules
      1. Best practices
    4. Rules editor
      1. Rules examples
    5. System rules
      1. System rules legacy
    6. Block lists, ads|malware|...
    7. Nodes
      1. Authentication
      2. Configuration examples
      3. Generating TLS certificates
    8. SIEM integration
      1. Grafana + Loki + Promtail
      2. ElasticSearch + LogStash + Kibana
  4. Compilation
    1. Cross-compilation for arm
    2. Building packages with pbuilder
  5. GUI translations
    1. Adding, updating and installing translations
  6. FAQs and common errors
    1. Known problems
      1. GUI known problems
      2. daemon known problems
      3. General
    2. FAQs
    3. Why OpenSnitch does not intercept application XXX
  7. Examples OpenSnitch in action
Clone this wiki locally