ELSA with Sagan

Sagan is essentially a snort-like rule based detection engine for log data. Sagan is very easy to integrate with ELSA. All the logs sent to ELSA can be examined by Sagan rules. Every rule that fires produces an alert which is passed into ELSA. Sagan is easy to configure, build and install I just followed the instructions here. As barnyard2 will be used to take the unified2 output from Sagan I built Sagan without native database support. Create a Sagan user, the directories and set the permissions. The Sagan user will be used by barnyard2 and Sagan. Configure syslog-ng to send events via the sagan.fifo to Sagan. Edit the /usr/local/syslog-ng-3.2.4/etc/syslog-ng.conf on ELSA to add the configuration that sends all the inbound logs through Sagan. This configuration sends all logs received over the network to Sagan via the fifo. Now we have
Network Syslog -> Syslog-ng -> Sagan
The logs are still received by ELSA of course, but now the Sagan rules can inspect the log as well. Next edit the /usr/local/etc/sagon.conf Download and install the Sagan rules in /usr/local/etc/sagan-rules. Once Sagan is configured make and install barnyard2. Barnyard2 is used to read the unified2 output of Sagan and send any alerts to ELSA. It could also be used to send alerts to Sguil and Snorby if required. Configure the /usr/local/etc/barnyard2.conf Barnyard2 to send syslog alerts via the local syslog mechanism which means these must be sent to syslog-ng to be viewed in ELSA. Edit the syslog-ng.conf file again and add the following. Now I have this
Network Syslog -> Syslog-ng -> Sagan
and
Sagan Alerts -> barnyard2 -> Syslog-ng -> ELSA
Add a startup script for Sagan and barnyard2 in /etc/init.d/: ELSA has a parser for the output but it may require a node and web update.

The alerts from Sagan are properly parsed in ELSA and fully searchable.
Create a graph showing Sagan events grouped by signature.
Using the snort class and interface=sagan makes it easy to view just Sagan alerts in ELSA.
Looking at the host for the Sagan alerts makes it easy to find the log entries that caused the Sagan alert.
Add a dashboard for Sagan in ELSA
This dashboard can be imported into ELSA by cut 'n' paste into the import dashboard box in ELSA.

Enjoy ELSA with Sagan! 





Comments

  1. Andy, thanks for this wonderful howto. I've got everything working with ELSA r639 except that it's not parsing the interface name out of the logs sent by barnyard2. Have you run into any problems with the newer builds of ELSA?

    ReplyDelete
  2. Hi Benjamin,
    Have you got this in the barnyard2.conf
    config interface: sagan

    # enable printing of the interface name when alerting.
    # IMPORTANT CONFIGURE ALERT_WITH_INTERFACE_NAME for Sagan as the ELSA parser needs it.
    config alert_with_interface_name

    If you have, show me what you are getting in ELSA. There is a thread on the ELSA group you could post what you are seeing to.
    Kind regards,
    Andy

    ReplyDelete
  3. I'm the author of Sagan. This is really awesome stuff!

    ReplyDelete
  4. I'm the primary developer of Sagan. Just wanted to say that this is really awesome stuff!

    ReplyDelete

Post a Comment

Popular posts from this blog

Password Cracking with CUDA 2 ways

Netflow analysis with SiLK - Part 1 Installation

Installing Security Onion IDS/NSM on vSphere 5 with SPAN traffic from a Cisco switch