Security information and event management, SIEM for short, is a solution that helps organizations detect, analyze, and respond to security threats before they harm business operations.
Skills covered
This tutorial shows how to create a Security Onion virtual machine in VirtualBox, configure its network and IP settings, and then, in part 2, set up some monitoring of security logs.
Intro
Security Onion is a Linux distribution designed for network security monitoring, intrusion detection, and log management. It provides a comprehensive platform for network security professionals to monitor and analyze network traffic in real-time, detect potential threats, and respond effectively to security incidents. With its integrated suite of open-source tools and utilities, Security Onion offers a powerful solution for organizations seeking to enhance their cybersecurity posture. Whether you're a seasoned security analyst or a novice practitioner, Security Onion simplifies the complexities of network security monitoring, allowing you to focus on protecting your network assets effectively.
Download and setup a virtual machine
Download the Security Onion ISO and verify it with Get-FileHash
https://securityonionsolutions.com/software which will send you over to the Github page:
Download the ISO, then run the Get-FileHash PowerShell command to confirm the file hasn't been tampered with. Use the following command, adjusting the file name as needed, and compare the SHA256 value it prints against the hash published alongside the download; the computed hash only proves anything once it is checked against that published value:
Get-FileHash .\securityonion-2.4.60-20240320.iso
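As an added example (not from the original post), a small PowerShell function that wraps the same Get-FileHash call and does the comparison step for you. The expected hash is a placeholder; copy the real value from the Security Onion GitHub release page before running it.

```powershell
# Added example, not part of the original tutorial: hash the downloaded ISO
# and compare it with the value published on the Security Onion GitHub page.
function Test-SecurityOnionIso {
    param(
        [Parameter(Mandatory)] [string] $IsoPath,
        [Parameter(Mandatory)] [string] $ExpectedHash   # placeholder value supplied by the caller
    )
    if (-not (Test-Path -LiteralPath $IsoPath)) {
        throw "ISO not found: $IsoPath"
    }
    # Get-FileHash defaults to SHA256; state it explicitly so the algorithm is never in doubt.
    $actual = (Get-FileHash -LiteralPath $IsoPath -Algorithm SHA256).Hash
    # Published hashes are often lower-case and may carry stray whitespace when pasted.
    # PowerShell's -eq on strings is case-insensitive, so only whitespace needs trimming.
    $verified = ($actual -eq $ExpectedHash.Trim())
    [PSCustomObject]@{
        File     = $IsoPath
        Expected = $ExpectedHash.Trim().ToUpperInvariant()
        Actual   = $actual
        Verified = $verified
    }
}

# Usage: the file name is the one from the tutorial; the hash is a placeholder.
$result = Test-SecurityOnionIso -IsoPath '.\securityonion-2.4.60-20240320.iso' `
                                -ExpectedHash '<PASTE-SHA256-FROM-GITHUB-RELEASE-PAGE>'
$result | Format-List
if (-not $result.Verified) {
    Write-Error 'Hash mismatch: do not boot this ISO; download it again and re-check.'
}
```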
Setup the distribution in Virtual Box
In this guide I'm setting up "Eval". The differences between Eval and Standalone are:
Eval
Evaluation Mode is recommended for first-time users or standalone VMs.
Ideal for quickly evaluating Security Onion
Will automatically configure most details of your system
Configures Snort and Bro to monitor one network interface
NOT intended for a production deployment
Standalone
Production Mode is recommended for production deployments as it gives you more control over the details of your system and allows you to build a distributed deployment.
Build a new master server or connect to an existing master server
Enable or disable network sensor services
Store logs locally or forward to master server
The Eval hardware configuration I used:
12GB RAM, 4 CPUs, a 200GB disk and 2 network cards (NICs)
Enable two network cards in the settings and use Bridged Adapter on Adapter 1 and Adapter 2; you may also use a NAT network depending on your setup.
Detailed information regarding hardware setup and requirements can be found here:
Boot up and start the Installation and configuration
Start the new Security Onion virtual machine and select "yes" to the installation prompt regarding partitions; you'll then be prompted to set an admin account and password.
Once that completes, press Enter to reboot and log in with the username and password created earlier:
Continue with the prompts for a network-connected installation and set a hostname; I kept mine as the default.
Then select a network card for the management interface.
Proceed by assigning an available static IP address in your LAN host range with its CIDR mask, or, if you have a DHCP server, select that option.
In my case the subnet mask is 255.255.255.0, so the IP address and CIDR mask is myspareipaddress/24.
Then enter your gateway and continue with the obvious prompts: your email address and password. For web interface access I selected to connect via an IP address.
Then choose to make the installation available via the web interface and enter the address that should be allowed to connect to it; I typed in my main PC's IP address.
Installation screenshots
Installation Completed!
Once installed, enter the fixed IP address into a browser to access the web interface.
Use the email address and password from earlier, and you now have the main console.
To check everything is running you can run this from the Linux terminal:
sudo so-status
Issues during this process:
After the installation it produced this error message; I rebooted the machine by typing shutdown -r, which seemed to resolve it.
I also used sudo tail /root/errors.log to check the error log file.
Further reading can be found on the official site or drop me a message.