I'm setting up Security Onion to play with Bro, but I want to send the logs to an additional SIEM in addition to ELK (which is installed on Security Onion by default). The wiki sends you here, which redirects you here. That page just says that if I want to add a destination, I add it to /etc/syslog-ng/syslog-ng.conf. So I did:
destination d_elsa { program("sh /opt/elsa/contrib/securityonion/contrib/securityonion-elsa-syslog-ng.sh" template(t_db_parsed)); };
destination d_logstash { tcp("127.0.0.1" port(6050) template("$(format-json --scope selected_macros --scope nv_pairs --exclude DATE --key ISODATE)\n")); };
destination remote { udp("192.168.1.55" port(514)); };
The top two lines are put there by the standard Security Onion installation, and my additional line is the third line. But that does not work. I tried using a name other than just "remote". I tried tcp and udp. Not only is my other SIEM not seeing it, I even tried tcpdump and that's coming up empty. I've searched everywhere and I don't see any other options. Thoughts?
You need to include the new destination in a log statement.
syslog-ng has three basic objects: sources (that receive messages), destinations (that send/store messages somewhere), and log statements that connect the sources to the destinations.
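As an added illustration (not part of the answer above, and not Security Onion's own configuration), here is a minimal syslog-ng fragment that wires the poster's `remote` destination into a log path. The source name `s_bro_conn`, the file path it reads, and the shape of the existing log statement are assumptions; on a real Security Onion box you would reuse the sources that its stock syslog-ng.conf already defines rather than inventing a new one.

```conf
# Added example, not the poster's config. Source name and file path are assumed.

# A source: where messages enter syslog-ng. Security Onion's config defines
# its own sources; this file source stands in for them.
source s_bro_conn {
    file("/nsm/bro/logs/current/conn.log" follow-freq(1) flags(no-parse));
};

# The destination exactly as defined in the question: plain UDP syslog to the
# second SIEM. Defining it is not enough; nothing sends to it yet.
destination remote { udp("192.168.1.55" port(514)); };

# The missing piece: a log statement. Only messages that travel through a
# log { } path reach a destination, which is why tcpdump saw no traffic.
log {
    source(s_bro_conn);
    destination(remote);
};

# Equivalent shortcut (assumed shape of the existing log path): a single log
# statement may fan out to several destinations, so adding one line to the
# path that already feeds d_logstash sends the same messages to both.
# log {
#     source(s_bro_conn);
#     destination(d_logstash);
#     destination(remote);
# };
```

Before restarting, check the file parses with `syslog-ng -s -f /etc/syslog-ng/syslog-ng.conf` (`-s` is `--syntax-only`); a destination defined but never referenced by a log statement is not an error, which is why the original config loaded silently. After the restart, `tcpdump -ni any udp port 514 and host 192.168.1.55` should show datagrams as soon as the source produces a line. UDP drops messages without notice under load, so for a SIEM feed you generally want the `tcp()` driver, or the `syslog()` driver with TLS, once the path is proven to work.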