Network Syslog -> Syslog-ng -> Sagan

The logs are still received by ELSA of course, but now the Sagan rules can inspect the logs as well.

Next, edit /usr/local/etc/sagan.conf.

Download and install the Sagan rules in /usr/local/etc/sagan-rules.

Once Sagan is configured, make and install barnyard2. Barnyard2 reads the unified2 output of Sagan and sends any alerts to ELSA. It could also be used to send alerts to Sguil and Snorby if required.

Configure /usr/local/etc/barnyard2.conf. Barnyard2 sends its alerts via the local syslog mechanism, which means they must pass through syslog-ng to be viewed in ELSA.

Edit the syslog-ng.conf file again and add the following.

Now I have this:

Network Syslog -> Syslog-ng -> Sagan

and

Sagan Alerts -> barnyard2 -> Syslog-ng -> ELSA

Add a startup script for Sagan and barnyard2 in /etc/init.d/:

ELSA has a parser for the output, but it may require a node and web update.
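A small check script for the chain just described, added here as an example and not part of the original post or of the Sagan, barnyard2 or ELSA projects. It assumes Sagan reads from the named pipe /var/run/sagan.fifo, that syslog-ng feeds that pipe with the pipe-delimited template from the Sagan documentation (SOURCEIP|FACILITY|PRIORITY|LEVEL|TAG|DATE|TIME|PROGRAM|MSG), and that barnyard2 uses alert_syslog with snort-style "[gid:sid:rev] msg [Classification: ...] [Priority: N]" lines; the sample log and alert lines are constructed, and the script name check_sagan_pipeline.sh is a hypothetical name.

```shell
#!/bin/sh
# Added example, not from the original post: sanity checks for the chain
#   syslog-ng -> Sagan FIFO -> Sagan -> unified2 -> barnyard2 -> syslog-ng -> ELSA
# ASSUMPTIONS (adjust to match sagan.conf and barnyard2.conf on the host):
#   - Sagan reads from the named pipe /var/run/sagan.fifo (Sagan's default).
#   - syslog-ng writes to that pipe with the template from the Sagan docs:
#       $SOURCEIP|$FACILITY|$PRIORITY|$LEVEL|$TAG|$YEAR-$MONTH-$DAY|$HOUR:$MIN:$SEC|$PROGRAM|$MSG
#   - barnyard2 uses alert_syslog, producing lines of the form
#       barnyard2: [gid:sid:rev] <rule msg> [Classification: ...] [Priority: N]: {PROTO} src:port -> dst:port

SAGAN_FIFO="${SAGAN_FIFO:-/var/run/sagan.fifo}"

# 0 when the path is a named pipe. If syslog-ng starts before the FIFO exists
# it may create a regular file of the same name, and Sagan then never sees a log.
is_fifo() {
    [ -p "$1" ]
}

# Field 8 of a Sagan-formatted line: the program name the Sagan rules key on.
sagan_program() {
    printf '%s\n' "$1" | cut -d'|' -f8
}

# Field 9 onward: the message. '-f9-' keeps any '|' that appears inside the
# message itself instead of truncating it at the next delimiter.
sagan_message() {
    printf '%s\n' "$1" | cut -d'|' -f9-
}

# 0 when the line carries the eight delimiters the template puts before the
# message; fewer means a wrong template and Sagan will read the wrong fields.
sagan_line_ok() {
    [ "$(printf '%s\n' "$1" | awk -F'|' '{ print NF }')" -ge 9 ]
}

# Signature id from a barnyard2 alert_syslog line ("[1:5000000:1]" -> 5000000).
# An empty result means the line is not in the snort-style format the ELSA
# snort parser expects, so the alert would land in ELSA unparsed.
barnyard2_sid() {
    printf '%s\n' "$1" | sed -n 's/.*\[\([0-9]*\):\([0-9]*\):\([0-9]*\)\].*/\2/p'
}

# Rule message text between the [gid:sid:rev] tag and [Classification: ...].
barnyard2_msg() {
    printf '%s\n' "$1" | sed -n 's/.*\[[0-9]*:[0-9]*:[0-9]*\] \(.*\) \[Classification:.*/\1/p'
}

# Run the host checks only when executed as this script (not when sourced).
if [ "$(basename "$0")" = "check_sagan_pipeline.sh" ]; then
    if is_fifo "$SAGAN_FIFO"; then
        echo "ok: $SAGAN_FIFO is a named pipe"
    else
        echo "FAIL: $SAGAN_FIFO missing or not a FIFO (mkfifo it, then restart syslog-ng)"
    fi
    # Constructed sample line in the template format, to confirm field layout.
    sample='192.0.2.10|auth|notice|notice|sshd|2024-01-05|10:00:01|sshd|Failed password for invalid user test from 192.0.2.99 port 4242 ssh2'
    if sagan_line_ok "$sample"; then
        echo "ok: template yields program=$(sagan_program "$sample")"
    else
        echo "FAIL: sample line has too few fields for the Sagan template"
    fi
fi
```

Run it on the sensor after the syslog-ng, Sagan and barnyard2 steps above; the FIFO check catches the common case where syslog-ng came up before the pipe existed, and the two parsers can be pointed at a real line from the pipe or from the barnyard2 syslog output to confirm that what reaches ELSA is in the shape its snort parser expects.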
The alerts from Sagan are properly parsed in ELSA and fully searchable.
Create a graph showing Sagan events grouped by signature.
Using the snort class and interface=sagan makes it easy to view just Sagan alerts in ELSA.
Looking at the host for the Sagan alerts makes it easy to find the log entries that caused the Sagan alert.
Add a dashboard for Sagan in ELSA
This dashboard can be imported into ELSA by copying and pasting it into the import dashboard box in ELSA.
Enjoy ELSA with Sagan!