Installing the Security Onion App


The Security Onion App helps you to collect log data from popular open-source threat hunting and security monitoring solutions. You can use the provided Resource Sets to find and alert on unexpected or possibly malicious activity.

What Type of Data does Security Onion Ingest?

The Security Onion App collects data directly from logs on the Security Onion node:

To ingest these resources, create a token, then use the securityonion option in the Linux Host Monitoring configuration script. For more about exploring this data, see Security Onion App.

Setup

Installing the Security Onion App for Observe

Install the Security Onion App for Observe using the App section under Workspace Setting.

Creating a Token

Create a Security Onion token to ingest your logs into Observe.

  1. Under the Connections section of the App Details page, select Create Security Onion Token and follow the prompts.

  2. Follow the HTTP Endpoint ingestion guidance to test sending data into Observe using this token.

  3. Run the Linux Host Monitoring configuration script with the securityonion option to send log data into Observe using this token.

  4. Review the Security Onion Resource Sets and Dashboards to confirm that the data processes correctly.

Changing the Datastream

The Security Onion App uses the Default datastream for polled data and resource set creation. To select another datastream, use the Configuration tab of the App Details page.

Sending Data

You should run the Linux Host Monitoring configuration script on the Security Onion nodes that you want to monitor.

If you only want to collect the logs, then use only the securityonion option in the Linux Host Monitoring configuration script. That installs td-agent-bit onto the node with a configuration for log file collection from the /nsm directory.

You may also choose to use the linux option, which adds system performance monitoring. In addition to td-agent-bit, Telegraf and osquery are also installed and configured on the node. To use this data with Observe, install the Host Monitoring App as well.
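To show what the log-collection side of this setup looks like, here is an illustrative Fluent Bit (td-agent-bit) configuration. It is an added example, not the configuration that the Linux Host Monitoring script generates: the Zeek log path under /nsm, the tag names, the environment variable names and the collector host and URI are assumptions, so check them against the HTTP Endpoint ingestion guidance before use.

```ini
# Illustrative td-agent-bit (Fluent Bit) configuration for a Security Onion node.
# Added example; NOT the file produced by the Linux Host Monitoring script.
# Paths, tags, variable names and the endpoint host/URI below are assumptions.
[SERVICE]
    Flush        5
    Daemon       Off
    Log_Level    info

# Tail Zeek logs under /nsm (assumed layout of a Security Onion 2 node).
# A position DB avoids re-sending the same lines after a restart.
[INPUT]
    Name             tail
    Path             /nsm/zeek/logs/current/*.log
    Tag              securityonion.zeek
    Path_Key         file
    Refresh_Interval 10
    DB               /var/lib/td-agent-bit/securityonion.db

# Ship records to the Observe HTTP endpoint using the Security Onion token.
# OBSERVE_CUSTOMER and OBSERVE_TOKEN are environment variables you export
# before starting the agent, so the token never sits in this file.
# tls.verify On ensures the bearer token is only sent to a verified host.
[OUTPUT]
    Name             http
    Match            securityonion.*
    Host             ${OBSERVE_CUSTOMER}.collect.observeinc.com
    Port             443
    URI              /v1/http/securityonion
    tls              On
    tls.verify       On
    Format           json
    Json_date_key    timestamp
    Json_date_format iso8601
    Header           Authorization Bearer ${OBSERVE_TOKEN}
    Retry_Limit      5
```

After the agent starts, confirm arrival in the Security Onion Resource Sets and Dashboards as described in step 4 above.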

For more about exploring this data, see Security Onion App.

You have now configured the Security Onion App and are ready to use this data in Observe.