Connecting to Sguil
Please note! This wiki is no longer maintained. Our documentation has moved to https://securityonion.net/docs/. Please update your bookmarks. You can find the latest version of this page at: https://securityonion.net/docs/ConnectingtoSguil.
This article will show how to connect to the Sguil server to view security alerts in real-time.
To connect directly to a Sguil server (sguild) you need a working Sguil client. The Sguil client may not be easy to install, or available at all, on certain operating systems. Because of this I recommend installing SecurityOnion in a virtual machine on your workstation and using it to connect to sguild on your production SecurityOnion instance.
For this section I will be using VMware Fusion on OSX.
Install SecurityOnion in a virtual machine and, in the VM's settings, configure the network adapter to use NAT mode (easiest). This also works if you have per-IP/host ACLs, since traffic from the VM leaves your workstation with the same IP address.
Now double-click the Sguil desktop icon to launch the Sguil client.
Fill in the IP address or DNS name of the SecurityOnion server and apply your credentials.
Then select the sensors to monitor and finally click Start Sguil.
If you are at the console of the SecurityOnion server itself, double-click the Sguil icon on its desktop.
Set the Sguil Host to localhost, enter your credentials, and then click OK.
Then choose which sensors you would like to monitor for this Sguil session and click Start Sguil.
The X11 forwarding method requires SSH and an X11 server on the machine you are connecting from.
On OSX install the XQuartz package, on Windows try ciXwin, and on Linux and the BSD family use Xorg.
Connect to the SecurityOnion server via SSH, passing the X11 forwarding option (-X):
ssh -X user@nsm
Once logged in as the normal user, launch the Sguil client application. Its window is sent to your machine over the X11 protocol tunnelled through SSH:
sguil.tk
Since only the application window is forwarded, the client itself runs on the server, i.e. as if we were sitting at the server's console. Because of this we can use localhost as the Sguil Host.
Once logged in we will be able to select which sensors we would like to monitor.
Finally, select Start Sguil. Now you can view the alerts in real-time, perform advanced SQL queries, and pivot into a number of applications like Wireshark, Kibana, and NetworkMiner.
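As an added example (not part of the original wiki page or of Security Onion), the X11 forwarding procedure above wrapped in a small launcher that checks the two places it usually breaks: no X server on the local side, and a remote sshd that does not set DISPLAY. The target `user@nsm` follows the wiki's ssh example; the function names are assumptions.

```sh
#!/bin/sh
# Added example, not from the Security Onion wiki: start the Sguil client on a
# remote Security Onion server over SSH X11 forwarding, checking prerequisites first.

# Local side: an X server (XQuartz, Xorg, ...) must be running for the forwarded
# window to land on; DISPLAY being set is the usual sign of that.
have_local_x_server() {
    [ -n "$DISPLAY" ]
}

# Remote side: sshd must set DISPLAY in the forwarded session (X11Forwarding yes
# in sshd_config and xauth installed). One quick check over the same -X session.
remote_x11_ready() {
    ssh -X "$1" 'test -n "$DISPLAY" && command -v xauth >/dev/null'
}

# The command that actually starts the client; kept separate so it can be
# inspected or tested without a network connection.
sguil_launch_cmd() {
    printf 'ssh -X %s sguil.tk' "$1"
}

launch_sguil() {
    target="$1"   # e.g. user@nsm, as in the wiki's ssh example
    if ! have_local_x_server; then
        echo "no local X server: start XQuartz/Xorg first" >&2
        return 1
    fi
    if ! remote_x11_ready "$target"; then
        echo "remote session has no DISPLAY: check X11Forwarding in sshd_config and that xauth is installed" >&2
        return 2
    fi
    # Only the window is forwarded; sguil.tk runs on the server, so in the
    # login dialog the Sguil Host is localhost.
    eval "$(sguil_launch_cmd "$target")"
}

if [ -n "${1:-}" ]; then
    launch_sguil "$1"
fi
```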