
Exporting Alerts to ELK

Overview

Elasticsearch allows users to capture data that is sent from Sophos Linux Sensor (SLS) in JSON format. Kibana also allows users to select the way they want to visualize the data coming from SLS, enabling them to build interactive dashboards based on their needs. In this ELK walkthrough, we use a simple deployment scenario: SLS deployed on a non-containerized Linux production server.

This article also covers how Filebeat, a lightweight shipper for forwarding and centralizing log data, can be used to ingest alerts from SLS into an ELK Stack. In addition, we cover sending alert data from SLS to ELK via a webhook.

Requirements

Note

Before performing any of the steps in this article, make sure SLS is running in your environment. See Installing Sophos Linux Sensor.

Configuring SLS to log Alerts

We will configure SLS to log alert data to a file called /var/log/sophos-alerts.json, using a simple program blacklist that generates an alert every time a user runs the program wget.

  1. Edit /etc/sophos/runtimedetections-rules.yaml using your preferred text editor. Add the following lines:

    # The outputs list must be nested under alert_output, and the policy
    # keys under the policy name; a flat layout would leave alert_output empty.
    alert_output:
      outputs:
        - type: file
          enabled: true
          name: /var/log/sophos-alerts.json

    Wget Program Blacklist:
      policy: program
      enabled: true
      alertMessage: Unauthorized Program Execution
      priority: High
      rules:
        - match programName == "*/wget"
        - default ignore
      comments: Alert on usage of the wget command
    
  2. Restart SLS. It's recommended to restart when changes are made to the sensor configuration.

    sudo systemctl restart sophoslinuxsensor
    

Exporting SLS Alerts to Filebeat

Now that SLS has been configured to log alerts, you can export those alerts to Filebeat. Using Elastic's Filebeat, you can ingest alerts from SLS into the ELK Stack.

  1. Add the following lines to /etc/filebeat/filebeat.yml:

    # paths and the json.* options belong to the input entry, so they are
    # indented under the "- type: log" item.
    filebeat.inputs:
    - type: log
      paths:
        - /var/log/sophos-alerts.json
      json.keys_under_root: true
      json.add_error_key: true
    

    This not only ingests the alerts but also parses the JSON data for you, so that the individual top-level alert fields are indexed and easy to search.

  2. Restart Filebeat. Any alerts generated on the server should now show up in your Elastic deployment.

  3. Create a test alert.

    To generate an alert with our example policy, run a wget command on your server. You should see a resulting alert for Unauthorized Program Execution.
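The following is an added example, not code from the Sophos or Elastic documentation. It approximates what the json.keys_under_root and json.add_error_key settings above do to each line of /var/log/sophos-alerts.json: a line that decodes to a JSON object has its keys promoted to the top level of the event, while a line that does not decode keeps its raw text under "message" and receives an "error" key instead of being dropped. The log lines are constructed, and field names other than those on the page (alertMessage, priority, policy_type, uuid) are assumptions.

```python
import json

# Constructed sample: one well-formed alert and one truncated line (as can
# happen when the file is read while the sensor is still writing it).
SAMPLE_LOG = """\
{"uuid": "11111111-2222-3333-4444-555555555555", "alertMessage": "Unauthorized Program Execution", "priority": "High", "policy_type": "program", "programName": "/usr/bin/wget"}
{"uuid": "66666666-7777-8888-9999-000000000000", "alertMessage": "Unauthorized Program Execution", "priority": "High", "policy_type": "program", "programName": "/usr/local/bin/wget"
"""


def build_event(line, keys_under_root=True, add_error_key=True):
    """Turn one log line into a Filebeat-style event dict (approximation)."""
    try:
        parsed = json.loads(line)
        if not isinstance(parsed, dict):
            raise ValueError("top-level JSON value is not an object")
    except ValueError as exc:
        # Bad line: keep the raw text so nothing is lost, and flag it.
        event = {"message": line}
        if add_error_key:
            event["error"] = {"type": "json",
                              "message": "Error decoding JSON: %s" % exc}
        return event
    if keys_under_root:
        return dict(parsed)      # event["priority"], event["uuid"], ...
    return {"json": parsed}      # default placement without the setting


def ingest(text):
    """Process a file's worth of lines, skipping empty ones."""
    return [build_event(line) for line in text.splitlines() if line.strip()]


def high_priority(events):
    """Filter the way a Kibana query such as priority:High would."""
    return [e for e in events if e.get("priority") == "High"]


def decode_errors(events):
    """Events worth checking in Kibana under the error.* fields."""
    return [e for e in events if e.get("error", {}).get("type") == "json"]
```

Counting decode_errors over a day of events is a cheap check that the sensor's file output and Filebeat's line handling are in step.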

Exporting SLS Alerts directly to Elasticsearch

With Elasticsearch, users can automatically search and retrieve data using the Elasticsearch API. Elasticsearch lets users store, search and analyze data coming from SLS in near real time. This article assumes that you already have Elasticsearch running.

  1. Edit /etc/sophos/runtimedetections-rules.yaml using your preferred text editor. Add the following content:

    # The webhook output and its headers must be nested under alert_output,
    # and the policy keys under the policy name.
    alert_output:
      outputs:
        - type: webhook
          enabled: true
          url: http://elasticservice.customer.com:9200/sophos-alerts/documents
          headers:
            "Content-Type": "application/json"

    Wget Program Blacklist:
      policy: program
      enabled: true
      alertMessage: Unauthorized Program Execution
      priority: High
      rules:
        - match programName == "*/wget"
        - default ignore
      comments: Alert on usage of the wget command
    

    This not only ingests the alerts but also parses the JSON data so that the individual top-level alert fields are easily indexed. Any alerts generated on the server should now show up in your Elastic deployment.

  2. Create a test alert.

    To generate an alert with our example policy, run a wget command on your sensor server. You should see a resulting alert for Unauthorized Program Execution.
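The following is an added example, not code from the Sophos documentation: a stand-in for the webhook URL in the configuration above, so you can confirm what the sensor actually posts before pointing it at a real Elasticsearch index. It enforces the Content-Type header the configuration sends and keeps each decoded alert in memory; the sample alert is constructed, and the port and status codes are assumptions of this example rather than Elasticsearch's documented behaviour.

```python
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import ProxyHandler, Request, build_opener

RECEIVED = []  # alerts accepted by the stand-in endpoint
OPENER = build_opener(ProxyHandler({}))  # ignore any http_proxy env setting

# Constructed sample alert; real SLS alerts carry more fields.
SAMPLE_ALERT = {"alertMessage": "Unauthorized Program Execution", "priority": "High",
                "policy_type": "program", "programName": "/usr/bin/wget"}


class AlertHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        # Read the body before answering so the client never sees a reset socket.
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        ctype = self.headers.get("Content-Type", "").split(";")[0].strip()
        if ctype != "application/json":
            self.send_error(415, "expected Content-Type: application/json")
            return
        try:
            alert = json.loads(body)
        except ValueError:
            self.send_error(400, "body is not valid JSON")
            return
        RECEIVED.append(alert)
        self.send_response(201)  # an index API answers 201 for a new document
        self.send_header("Content-Type", "application/json")
        self.end_headers()
        self.wfile.write(b'{"result": "created"}')

    def log_message(self, *args): pass  # keep the example quiet


def start_server():
    """Bind an ephemeral localhost port and serve in a background thread."""
    server = HTTPServer(("127.0.0.1", 0), AlertHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def post_alert(url, alert, content_type="application/json"):
    """POST one alert as the sensor's webhook output does; return the status."""
    req = Request(url, data=json.dumps(alert).encode(), method="POST",
                  headers={"Content-Type": content_type})
    try:
        with OPENER.open(req) as resp:
            return resp.status
    except HTTPError as err:
        return err.code
```

Point the sensor's webhook url at the printed port of start_server() on a test host and RECEIVED shows exactly which fields (uuid, policy_type, lineage and so on) arrive for the Kibana index later in this article.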

Visualizing SLS Alerts on Kibana

Using Kibana, users can visualize the logs coming from SLS. Kibana provides a visual interface for detecting and monitoring behaviors and building dashboards, giving users the visibility they need to understand and analyze alerts coming from SLS.

Following the previous steps in this article, and assuming that Kibana is set up to consume alert data coming from either Filebeat or Elasticsearch, you are able to see the test alert that our example policy generates when wget is executed on your server.

If you haven't created an index, do the following:

  1. On your Kibana dashboard navigate to Settings > Elasticsearch > Index Management.
  2. Create an index called sophos-alerts.
  3. On the next page, select Timestamp (this will depend on your preference).

After the sophos-alerts index has been created, you can manipulate the data and decide, from the available fields, what your organization wants to visualize. We also recommend that users add fields such as description, lineage, uuid and policy_type.