Security Onion is what #SIEM @securityonion #dfir #infosec

It’s been a while since I have written a post. I need to write something so I figured I’d write about what takes up most of my days… Honestly, a lot has happened in my personal life. I got married, purchased a house and I’m expecting a baby. So it doesn’t take much imagination to guess where my free time has gone.

I have also branched out beyond disk-based forensics to SIEM (Security Information and Event Management) using a product called Security Onion. I have a networking and Linux background, so the concepts weren’t at all foreign to me. It still took a while to get my head around it, though. The layers of integrated products built on top of Security Onion took a lot more time to learn than I expected. What I learned was that when you are new to it you will fail, repeatedly at first.

What drew us in were a couple of things we needed: #1 it’s free, #2 it scales and #3 it uses Logstash/Elastic/Kibana, so it’s flexible and JSON-friendly.

Security Onion has been around a long time, nearly 10 years judging by the first post on the Security Onion blog back in 2008… But what really made it interesting to us was the impending switch to Logstash/Elastic/Kibana.

Since I started the implementation, Kibana support has moved from experimental to production. The full switch away from ELSA to Kibana has brought the flexibility you expect from Elastic. Also helpful, new releases come out regularly… I find that to be a sign of a strong and active community behind the project.

The documentation is decent if you already understand the product well. The Google Groups are only modestly helpful, however, and a lot of the learning requires trial and error along with a strong understanding of Linux, syslog, networking and Elastic.

Anyway, if you are doing Security Onion work and want to connect, feel free to ping me on Twitter. I am still learning and can use all the help I can get. If there is a Slack group out there, let me know!