Report generation and Event Log collection


#1

Hi,
I’m a newbie to RockNSM and have managed to get it installed on VMware Workstation to review as a possible SIEM/LEM instead of a commercial offering, which also appears to use Kibana as the frontend. So far it looks great and loads very quickly!

But I’m wondering whether RockNSM could also be used for log collection from syslog and Windows Event Forwarding by using Logstash, as well as having the ability to generate reports from the dashboards or visualisations, to save reports for auditing, etc.?

I’m also new to the ELK stack as well, so apologies if it may be an obvious question.

Out of my own curiosity, I’ve looked into roughly how RockNSM works, and it looks like there are “plugins” used for the Suricata, Bro and FSF parts. I wonder whether something similar would also need to be created to add the additional features?

This is really to have a central management console to review information from the whole network: on top of “tapping” the network, also having information sent directly to the RockNSM servers (such as firewall syslogging, etc.).


#2

No problem, we all start as newbs and I still am…

Sorry for late response, I wanted to answer this as best I could.

As of right now, RockNSM does “not” support syslog or WEF (Windows event logs) out of the box – however, we are working on this exact thing and it is in the pipeline for release. I do not have a date, but probably in one of the next few releases.

Also, however, this is not to say you couldn’t do something exactly like you mentioned by adding a few plugins and changing up the pipeline a bit. There is also another way to approach this: you could install HELK, one of the projects we dearly love (and one of us helps Roberto with it), for Windows WEF collection: https://github.com/Cyb3rWard0g/HELK
We could then do a “cross-cluster” search: a single pane of glass, but searching both Rock and HELK.

If you would like to discuss further then I would be glad to help.

Cheers,
Nate Guagenti
@neu5ron
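As an added illustration of the “cross-cluster” search idea above (example configuration written for this page, not code from the RockNSM or HELK projects), this is how the Rock Elasticsearch node can be pointed at a HELK cluster and queried together with its own indices, in Kibana Dev Tools console syntax. It assumes Elasticsearch 6.5 or later, a hypothetical HELK transport endpoint `helk-es.example.internal:9300`, and placeholder index patterns `bro-*` (Rock) and `logs-*` (HELK); substitute your real hosts and index names.

```json
# Register HELK as a remote cluster on the Rock Elasticsearch node.
# Transport port 9300 (not the REST port 9200) must be reachable from Rock.
PUT _cluster/settings
{
  "persistent": {
    "cluster": {
      "remote": {
        "helk": {
          "seeds": ["helk-es.example.internal:9300"]
        }
      }
    }
  }
}

# Check that the remote is connected before building Kibana index patterns on it.
GET _remote/info

# One search spanning both clusters: local Rock indices plus HELK indices,
# the latter addressed with the "helk:" alias prefix.
GET bro-*,helk:logs-*/_search
{
  "size": 10,
  "sort": [{ "@timestamp": { "order": "desc" } }],
  "query": {
    "range": { "@timestamp": { "gte": "now-1h" } }
  }
}
```

In Kibana the same prefix works in an index pattern (for example `helk:logs-*`), so HELK data appears alongside Rock data in one dashboard without copying documents between clusters.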