This is another article about doing useful things with a Turris-Omnia.
Recently Turris updated the packages for the Turris Omnia router to add the ability to run a Suricata instance. This is only the Suricata service an no management or log analysis tools.
Looking around for relatively easy to use log analysis tools for Suricata, I came across this article about using Logstash, Kibana and Elasticsearch. There didn't appear to be any simple way to install these as in LXC container on the Omnia since the debs mentioned assume you're running on x86_64. It may be possible to build the environment from scratch since it does primarily depends on Java but that was beyond what I was hoping to do.
To get this solution to work with minimal fuss, it's better to push the logs to a host running x86_64. Since this was going on a server with many other services on it, the ELKS environment will be placed into an LXC container.
There will be three parts to this article.
First, sending the Suricata logs from the Turris Omnia to a different host Second, creating an LXC on Jessie and how to see the logs from the Host O/S Third, set up an ELKS instance in the LXC
Sending Suricata logs from Turris Omnia to an external host
The Suricata instance on Omnia logs to /var/log/suricata which is in RAM. Those logs go away when the router reboots. One way to save the logs is to set the log location to persistent storage.
This article outlines how to get your Suricata logs from the Omnia to a central log server. However, the intent is not to have syslog-ng do the parsing of the logs as in the article, but to have the logs parsed by Logstash and Kibana. Only some of the information in that article will be used.
The section on "Configuring syslog-ng on Turris Omnia" outlines how to send the logs from the Omnia. Since the syslog-ng server is running Debian, the configuration file directory resides at "/etc/syslog-ng/conf.d/" and I created a suricata.conf file there:
filter f_omnia { host(192.168.4.1); }; source s_suricata { tcp( ip("0.0.0.0") port(5514) ); }; destination d_suricata { file("/var/log/remote/eve.json" template("${MSG}\n") ); }; log { source(s_suricata); filter(f_omnia); destination(d_suricata); };
Once you've restarted syslog-ng on both the Omnia and your syslog-ng server, you should start seeing "/var/log/remote" starting to fill up with Suricata logs.
Set up an LXC container with a host linked directory
There are some limitations to using LXC on Jessie, mostly relating to setting up networking. This article does a great job on how to set this up. Instead of creating a Sid container, I just created another Jessie container:
sudo MIRROR=http://httpredir.debian.org/debian lxc-create -n jessie-elk64 -t debian -- -r jessie -a amd64
This article also mentions how to mount your home directory within the container. Since this container is only going to be running an ELKS instance, we only want the "/var/log/remote" directory. To make it easier in the next section it will be mounted at "/var/log/suricata" in the container. Edit "/var/lib/lxc/jessie-elk64/config" to add the follwing line at the bottom.
lxc.mount.entry = /var/log/remote/ var/log/suricata/ none ro,bind 0.0
Installing ELKS will continue in the next article.