Use Snort 3 log in Opensearch

OpenSearch
1

OpenSearch 2.9.0
Dashboard 2.9.0
Ubuntu 22.04

Hi everyone,

I’ve installed Snort 3 as an IPS on my Ubuntu machine and now, I would want to use OpenSearch as a SIEM. I’ve downloaded OpenSearch and Dashboard, there are now running in a minimum configuration (I can access from a distant machine) but there is no data to see.
It’s here that I have some trouble. I am a little bit lost in the configuration of OpenSearch. Snort 3 is writing alerts logs in several files. I would want that Opensearch takes those log files and analyse them in real time to do data visualisation and to generate statistics, email notifications…

I understood that I need plugins like opensearch-observability to generate notifications, alerts, etc… from data. But to pass this data (snort logs) to opensearch, do I need a plugin too ? How can I do to see my snort logs in Opensearch dashboard ?

Thank you for your help

2

You need an ingestion tool to ingest all of the logs into OpenSearch, there are so many tools can be used, such as Fluent-bit, Logstash, Filebeat, Data-prepper etc. See this page about how to use Fluent-bit: OpenSearch - Fluent Bit: Official Manual.

3

Thanks a lot ! I’m going to see that right now

4

Hi !
So I try the installation with Logstash to ingest snort’s logs but I encounter some configuration issues.
I installed OpenSearch and OpenSearch Dashboard by following this guide : https://www.howtoforge.com/how-to-install-opensearch-on-debian-11/
I installed Logstach from the OpenSearch website (https://artifacts.opensearch.org/logstash/logstash-oss-with-opensearch-output-plugin-8.6.1-linux-x64.tar.gz) so with the plugin opensearch-outpput integrate.

Logstash work in a minimum configuration. For example with the argument “-e input { stdin {} } output { stdout {} }” it’s working. It’s also working when I put log files in input. The problem come when I try to configure the output to Opensearch.

I first tried with the following configuration :slight_smile:

output {
  opensearch {
    hosts => ["https://192.168.200.1:9200"]
    user => "admin"
    password => "xxxxx"
    index => "logstash-logs"
  }
}

But I got an error wich seams to indicate there is a certificate problem :

[2023-07-28T10:12:29,086][WARN ][logstash.outputs.opensearch][main] Attempted to resurrect connection to dead OpenSearch instance, but got an error {:url=>"https://admin:xxxxxx@192.168.200.1:9200/", :exception=>LogStash::Outputs::OpenSearch::HttpClient::Pool::HostUnreachableError, :message=>"OpenSearch Unreachable: [https://admin:xxxxxx@192.168.200.1:9200/][Manticore::ClientProtocolException] PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target"}

During the OpenSearch installation, I created differents certificates so I tried different combination with lines about certificate :

ssl => true/false
ssl_certificate_verification => true/false
cacert => "path/to/the/admin/certificate/created/during/the/opensearch/installation/.crt"

But none of them works (maybe I just missed the one which is working…).
Given the installation I’ve made, what should by the configuration that I need in my logstash pipeline ?

Here are some info about my installation :
hostname : snort3
fqdn : snort3.hwdomain.lan
IP : 192.168.200.1

Please tell me if you need more informations to answer to my question.
Thanks for your help !

5

You can add the following settings to the output.opensearch section of your logstash config file:

ssl => true
ssl_certificate_verification => false

, this will disable ssl certificate verification.

6

Thank you, it does remove the certificate error. But since we don’t use certificate verification, does that mean the seurity of the installation is impacted ?

7

Yes, the security will be impacted, but maybe not a big issue if logstash and OpenSearch are in the same private network.

8

Ok great it’s the case in my environnement.
Thank you for your help