Cyb3rWard0g / HELK

The Hunting ELK
GNU General Public License v3.0

Sonicwall to HELK #526

Closed mother2110 closed 3 years ago

mother2110 commented 3 years ago

HELK is up and running fine. I have winlogbeat sending syslogs to the server. How would I go about sending logs from a Sonicwall to HELK? Any instructions out there? I cannot seem to find any.

priamai commented 3 years ago

Filebeat has a Sonicwall module: https://www.elastic.co/guide/en/beats/filebeat/master/filebeat-module-sonicwall.html What you could do is simply install Filebeat, configure the module and point it at the ES of the HELK deployment. I am not familiar with Sonicwall systems, but if you then have to do some correlation or filtering you will have to use the Kafka stream and/or Logstash for that. I suggest you try the simple path first, Filebeat -> ES, look at the logs, and then decide what correlations or filtering you want to do downstream.
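
As an added illustration of the "simple path" above (Filebeat with the sonicwall module shipping straight to HELK's Elasticsearch), here is a minimal configuration; it is not code from this thread or from the HELK project, and the HELK hostname, the credentials and the bind address are assumptions to replace with your own:

```yaml
# modules.d/sonicwall.yml (constructed example; bind address and port are assumptions)
# Filebeat listens for the firewall's syslog feed itself, so the SonicWall is
# configured to send syslog to this host/port rather than to HELK directly.
- module: sonicwall
  firewall:
    enabled: true
    var.input: udp
    var.syslog_host: 0.0.0.0   # listen on all interfaces; restrict to the management interface if you can
    var.syslog_port: 9514      # the module's default UDP port

---
# filebeat.yml (output section only; host and credentials are placeholders)
output.elasticsearch:
  hosts: ["http://<helk-host>:9200"]   # HELK's Elasticsearch, as exposed by your install option
  # username: "elastic"                # uncomment and set if your HELK install enabled ES security
  # password: "<elastic-password>"
```

Run `filebeat modules enable sonicwall` and `filebeat setup --index-management --pipelines --modules sonicwall` once against that output so the module's index template and ingest pipeline exist before events flow; then confirm documents with `event.module: sonicwall` appear in Kibana.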

priamai commented 3 years ago

I believe you will also need to modify this: https://github.com/Cyb3rWard0g/HELK/blob/master/docker/helk-logstash/scripts/logstash-entrypoint.sh Add your SonicWall into a pipeline folder and reference that in this config file: https://github.com/Cyb3rWard0g/HELK/blob/master/docker/helk-logstash/config/pipelines.yml You will also need to write a script to add the Filebeat SonicWall templates into ES. Will be happy to follow your process.

mother2110 commented 3 years ago

Thanks for the responses. I am completely new to ES and HELK. This may take me awhile.

mother2110 commented 3 years ago

Thanks