top of page
GK

Security Onion SIEM Setup

Updated: May 17


Security information and event management, SIEM for short, is a solution that helps organizations detect, analyze, and respond to security threats before they harm business operations.

Skills covered

This tutorial will show you how to create a Security Onion virtual machine in a VirtualBox environment, Network and IP configuration and then setting up some montoring of security logs in part 2.



Intro

Security Onion is a Linux distribution designed for network security monitoring, intrusion detection, and log management. It provides a comprehensive platform for network security professionals to monitor and analyze network traffic in real-time, detect potential threats, and respond effectively to security incidents. With its integrated suite of open-source tools and utilities, Security Onion offers a powerful solution for organizations seeking to enhance their cybersecurity posture. Whether you're a seasoned security analyst or a novice practitioner, Security Onion simplifies the complexities of network security monitoring, allowing you to focus on protecting your network assets effectively.



Download and setup a virtual machine

Download SecuritOnion ISO and verify with Get-FileHash

https://securityonionsolutions.com/software which will send you over to the Github page:



Download the ISO, then run Get-FileHash powershell command to confirm the file hasn't been tampered with, use the following command and adjust file name as needed:


Get-FileHash .\securityonion-2.4.60-20240320.iso

Setup the distribution in Virtual Box


In this guide i'm setting up "Eval" the differences between Eval and Standalone are


Eval

  • Evaluation Mode is recommended for first-time users or standalone VMs.

  • Ideal for quickly evaluating Security Onion

  • Will automatically configure most details of your system

  • Configures Snort and Bro to monitor one network interface

  • NOT intended for a production deployment


Standalone

  • Production Mode is recommended for production deployments as it gives you more control over the details of your system and allows you to build a distributed deployment.

  • Build a new master server or connect to an existing master server

  • Enable or disable network sensor services

  • Store logs locally or forward to master server



The the Eval hardware configuration I used:

12GB RAM, 4 CPU's and a 200GB disk and 2 Network Cards (NICs)




Enable two network card in the settings, use Bridged Adapter on Adapter 1 and 2, you may also use NAT network depending on your setup.




Detailed information regarding hardware setup and requirements can be found here:


 

Boot up and start the Installation and configuration


Start the new Security Onion virtual machine and select "yes" to the installation regarding partitions, then your be prompted to set a Admin account and password.



Once completed, Press Enter to reboot and login with the username and password created earlier:

And continue with the prompts for network connected installation and set a hostname, I kept mine as the default.


Then select a network card for the management interface


Proceed in assigning an available static IP address in your LAN host range with your CIDR mask or if you have a DHCP server select that option.


In my case my subnet is

255.255.255.0 so the IP address and CIDR mask is myspareipaddress/24




Then your gateway, continue with the obvious prompts and your email address, password and for the web interface access I selected to connect via an IP.


Then select to have the installation available via the web interface, for this I typed in my main PC IP address.



Installation screenshots


Installation Completed!


Once installed put the fixed IP address into a browser to access the web interface.


Use the email address and password from earlier and now you have the main console.












To check everything is running you can run this from the linux terminal:


sudo so-status


 


















Issues during this process:


After the installation it produced this error message, I rebooted the machine by typing shutdown -r which seem to resolve.


I used sudo tail /root/errors.log to check the error log file also.


Further reading can be found on the official site or drop me a message.



Part 2 - Configuring Security Onion (coming soon)







682 views

Recent Posts

See All

Comments


bottom of page