
You are reading Part 54 of the 57-part series: Harden and Secure Linux Servers. [Level 6]

This series covers progressive security measures, from fundamental hardening techniques to enterprise-grade defense strategies. Each article delves into a specific security practice, explaining its importance and providing step-by-step guidance for implementation.

To explore more security best practices, visit the main guide for a full breakdown of all levels and recommendations.

Security Information and Event Management (SIEM) tools collect, analyze, and correlate logs from multiple sources, providing a centralized view of security events. A SIEM system helps:

✅ Detect security threats in real time by correlating events across system logs.
✅ Aggregate logs from multiple sources (servers, firewalls, databases, cloud services).
✅ Support compliance with PCI-DSS, HIPAA, GDPR and ISO 27001 by retaining and reviewing security events centrally.
✅ Provide forensic analysis capabilities after a security incident, since the logs survive even if the compromised host's copy is wiped.

🔹 By setting up a SIEM, you can quickly detect and respond to security threats before they cause harm.

How to Deploy and Configure a SIEM System

1. Choose a SIEM Solution

There are several SIEM solutions, both open-source and commercial:

🔹 Open-Source SIEM Tools:

  • ELK Stack (Elasticsearch, Logstash, Kibana) – Highly customizable log analysis system; detection rules and case management come from Kibana's Security app on top of it.

  • Wazuh – SIEM, HIDS, and log monitoring in one, with a built-in ruleset, agents, and an OpenSearch-based dashboard.

  • Graylog – Scalable log management with alerting and dashboards.

  • AlienVault OSSIM – The open-source edition of AlienVault USM: unified asset discovery, vulnerability assessment and SIEM.

🔹 Commercial SIEM Solutions:

  • Splunk Enterprise Security – Security analytics and correlation searches on top of the Splunk platform.

  • AlienVault USM (AT&T Cybersecurity) – The commercial, hosted version of OSSIM with threat intelligence feeds.

  • IBM QRadar – Advanced threat intelligence and SIEM.

2. Install and Configure a SIEM System

Option 1: Deploy ELK Stack for SIEM (Open-Source)

The ELK Stack consists of:
📌 Elasticsearch – Stores and indexes logs.
📌 Logstash – Collects and processes logs.
📌 Kibana – Visualizes and analyzes log data.

Step 1: Install Elasticsearch, Logstash, and Kibana

The Elastic packages are not in Ubuntu's default repositories, so add Elastic's signing key and apt repository first (8.x shown):

curl -fsSL https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo gpg --dearmor -o /usr/share/keyrings/elasticsearch-keyring.gpg
echo "deb [signed-by=/usr/share/keyrings/elasticsearch-keyring.gpg] https://artifacts.elastic.co/packages/8.x/apt stable main" | sudo tee /etc/apt/sources.list.d/elastic-8.x.list
sudo apt update && sudo apt install -y elasticsearch logstash kibana

Elasticsearch 8 enables TLS and authentication by default and prints the generated password for the elastic superuser once, at the end of the install. Save it; Logstash and Kibana both need it below. If you lose it, reset it with sudo /usr/share/elasticsearch/bin/elasticsearch-reset-password -u elastic.
Step 2: Configure Logstash to Collect Logs

Logstash runs as the logstash user, and on Ubuntu /var/log/auth.log is readable only by root and the adm group, so grant access first:

sudo usermod -aG adm logstash

Then create a pipeline file:

sudo nano /etc/logstash/conf.d/auth.conf

Add:

input {
  file {
    path => "/var/log/auth.log"
    type => "syslog"
    start_position => "beginning"   # read the existing file once; a sincedb tracks progress afterwards
  }
}
filter {
  grok {
    # Logstash 8 reserves "host" for an ECS object field, so the parsed hostname gets its own name;
    # the optional [pid] group keeps "sshd" and "2201" apart instead of storing "sshd[2201]" as the program
    match => { "message" => "%{SYSLOGTIMESTAMP:timestamp} %{SYSLOGHOST:syslog_host} %{DATA:program}(?:\[%{POSINT:pid}\])?: %{GREEDYDATA:msg}" }
  }
  # classic syslog timestamps carry no year; set @timestamp from the parsed field
  date { match => ["timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss"] }
}
output {
  elasticsearch {
    hosts => ["https://localhost:9200"]
    user => "elastic"
    password => "${ES_PASSWORD}"   # from the Logstash keystore, never in clear text in this file
    cacert => "/etc/elasticsearch/certs/http_ca.crt"   # CA generated by the ES 8 installer (ssl_certificate_authorities on newer plugin versions)
    index => "auth-%{+YYYY.MM.dd}"
  }
  stdout { codec => rubydebug }   # useful while testing; remove in production
}

Store the password in the keystore before starting Logstash:

sudo -E /usr/share/logstash/bin/logstash-keystore --path.settings /etc/logstash add ES_PASSWORD

Save and restart Logstash:

sudo systemctl restart logstash
Step 3: Enable Kibana for Log Analysis

Start the three services and make them persist across reboots:

sudo systemctl enable --now elasticsearch kibana logstash

On first start Kibana 8 asks for an enrollment token to pair with Elasticsearch; generate one with:

sudo /usr/share/elasticsearch/bin/elasticsearch-create-enrollment-token -s kibana

Visit http://localhost:5601 in a browser, paste the token, and log in as elastic to build visualizations on the auth-* indices. Kibana listens on localhost only by default; if you expose it to the network, set server.host in /etc/kibana/kibana.yml and put it behind TLS.

Option 2: Install Wazuh SIEM for Threat Detection

Wazuh combines SIEM, intrusion detection, and compliance monitoring.

Step 1: Install Wazuh Server

The wazuh-install.sh assistant installs the manager, indexer and dashboard; the -a (all-in-one) option puts all three on one host, which is the simplest starting point:

curl -sO https://packages.wazuh.com/4.x/wazuh-install.sh
sudo bash wazuh-install.sh -a

The assistant prints the dashboard admin password at the end and leaves wazuh-install-files.tar (passwords and certificates) in the working directory; keep that archive root-only or move it off the host.

Step 2: Install Wazuh Agent on a Monitored Server

wazuh-install.sh does not install agents. On each monitored host, add the Wazuh apt repository and install the wazuh-agent package, pointing it at the manager:

curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | sudo gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import && sudo chmod 644 /usr/share/keyrings/wazuh.gpg
echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" | sudo tee /etc/apt/sources.list.d/wazuh.list
sudo apt update
sudo WAZUH_MANAGER="siem-server-ip" apt install -y wazuh-agent
Step 3: Configure Wazuh Agent to Forward Logs

The agent reads its manager address from /var/ossec/etc/ossec.conf (WAZUH_MANAGER above pre-fills it). Check or edit it:

sudo nano /var/ossec/etc/ossec.conf

The relevant block on the agent is <client>; the <remote> block with <connection>secure</connection> is the matching listener in the manager's ossec.conf, not agent configuration:

<client>
  <server>
    <address>siem-server-ip</address>
    <port>1514</port>
    <protocol>tcp</protocol>
  </server>
</client>

Start the agent and enable it at boot:

sudo systemctl enable --now wazuh-agent

On first start the agent enrolls with the manager over TCP 1515 and then reports over TCP 1514; restrict both ports on the manager's firewall to your agent subnets.

🔹 Now, Wazuh will send security logs and alerts to the SIEM dashboard, where the host appears under Agents once enrollment completes.

3. Configure Log Collection for SIEM
A. Enable System Logging to SIEM

Modify /etc/rsyslog.conf (or add a drop-in under /etc/rsyslog.d/) to forward logs to the SIEM server. A single @ sends UDP, which is lossy and unordered; @@ sends over TCP:

*.* @@siem-server-ip:514

The SIEM must be listening. On a Wazuh manager, add a <remote> block to /var/ossec/etc/ossec.conf with <connection>syslog</connection>, <port>514</port>, <protocol>tcp</protocol> and an <allowed-ips> entry for the sending subnet, then restart wazuh-manager. Either way this is plaintext syslog; across any untrusted network use TLS (rsyslog's gtls driver or RELP).

Restart rsyslog:

sudo systemctl restart rsyslog
B. Forward Firewall Logs to SIEM (UFW Example)

Turn on UFW logging. This writes LOGLEVEL into /etc/ufw/ufw.conf for you; full logs every packet and is very noisy, medium is usually enough:

sudo ufw logging medium

UFW log lines are kernel messages, so the *.* rule above already forwards them. To send only the firewall lines, or to send them to a separate collector, use an rsyslog property filter instead of catching everything:

:msg, contains, "[UFW " @@siem-server-ip:514

Do not improvise with tail -f /var/log/ufw.log | nc siem-server-ip 514: the pipe dies at reboot, drops lines whenever the connection resets, and carries no syslog framing, so the SIEM cannot tell where one message ends.
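The forwarding rules above send logs in clear text and drop events while the SIEM is unreachable. The following drop-in, added here as an example and not part of the original guide, forwards the same stream over TLS with a disk-assisted queue that spools events during an outage. It assumes the rsyslog-gnutls package is installed, that the SIEM accepts TLS syslog on 6514 (the IANA port) with a certificate issued by the CA in /etc/rsyslog.d/ca.pem, and that the name in that certificate is siem.example.com; all three are placeholders to adjust.

```conf
# /etc/rsyslog.d/50-siem-tls.conf  (assumed file name; any name sorting after 10-*.conf works)
# Requires: sudo apt install rsyslog-gnutls

# TLS settings shared by all network actions: the driver and the CA that signed the SIEM's certificate
global(
  DefaultNetstreamDriver="gtls"
  DefaultNetstreamDriverCAFile="/etc/rsyslog.d/ca.pem"
)

# Forward everything over TCP+TLS (StreamDriverMode 1 = TLS only) and verify the
# server certificate against the expected name, so a rogue collector cannot swallow the logs.
# The LinkedList queue with a filename spools to /var/spool/rsyslog (rsyslog's default
# work directory on Ubuntu); resumeRetryCount -1 keeps retrying instead of discarding.
action(
  type="omfwd"
  target="siem-server-ip"
  port="6514"
  protocol="tcp"
  StreamDriver="gtls"
  StreamDriverMode="1"
  StreamDriverAuthMode="x509/name"
  StreamDriverPermittedPeers="siem.example.com"
  queue.type="LinkedList"
  queue.filename="siemfwd"
  queue.maxDiskSpace="1g"
  queue.saveOnShutdown="on"
  action.resumeRetryCount="-1"
)
```

Validate with sudo rsyslogd -N1 before restarting; with StreamDriverAuthMode="x509/name" the connection is refused if the SIEM's certificate name does not match, which is the behaviour you want, so fix the certificate rather than relaxing the mode to anon.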
4. Set Up SIEM Alerts for Security Events
A. Detect Multiple Failed SSH Login Attempts

SIEM rules are not free-form JSON; each product has its own rule language. In Wazuh, rules are XML under /var/ossec/etc/rules/, and the stock ruleset already raises rule 5716 on every sshd "Failed password" line and rule 5720 when several of them arrive from one source in a short window. A custom rule with that same frequency/timeframe logic, raised to a level that triggers e-mail, goes in /var/ossec/etc/rules/local_rules.xml on the manager (custom rule IDs start at 100000):

<group name="local,sshd,">
  <rule id="100100" level="12" frequency="8" timeframe="120">
    <if_matched_sid>5716</if_matched_sid>
    <same_source_ip />
    <description>sshd: 8 or more failed passwords from the same source within 2 minutes</description>
  </rule>
</group>

E-mail delivery is configured in the manager's /var/ossec/etc/ossec.conf (replace the SMTP server with your own; email_alert_level is the minimum rule level that gets mailed):

<global>
  <email_notification>yes</email_notification>
  <smtp_server>smtp.company.com</smtp_server>
  <email_from>wazuh@company.com</email_from>
  <email_to>security@company.com</email_to>
</global>
<alerts>
  <email_alert_level>12</email_alert_level>
</alerts>

In the ELK stack the equivalent is a detection rule of type Threshold in Kibana's Security app: query the parsed msg field for "Failed password", group by the source address, and set the threshold to 8.

B. Detect Suspicious Network Activity (Port Scanning)

No log contains a line such as "nmap scan detected"; a port scan shows up as many firewall drops, or IDS alerts, from one source against many destination ports in a short time. Two practical routes:

  • Forward the firewall log (Section 3B) and correlate on the number of distinct destination ports per source within a window.
  • Run an IDS such as Suricata on the host and let the Wazuh agent ship its alerts, which the built-in Suricata rules then surface in the dashboard. In the agent's ossec.conf:

<localfile>
  <log_format>json</log_format>
  <location>/var/log/suricata/eve.json</location>
</localfile>

To block the source automatically, attach an active response to the rule IDs of your choice in the manager's ossec.conf. firewall-drop inserts an iptables DROP for the source address on the agent that raised the alert and removes it when the timeout (seconds) expires:

<active-response>
  <command>firewall-drop</command>
  <location>local</location>
  <rules_id>100100</rules_id>
  <timeout>600</timeout>
</active-response>

Restart the manager after editing rules or ossec.conf:

sudo systemctl restart wazuh-manager

🔹 Now, the SIEM will alert on brute-force attempts and, for the rules you list, block the offending address. Keep automatic blocking limited to high-confidence rules and always with a timeout, so that a spoofed or shared source address cannot be used to lock out legitimate users.
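The Logstash grok pattern in Section 2 and the two alert rules above reduce to the same mechanics: parse each syslog line into fields, pick out the event of interest, and count per source inside a sliding time window. The following is an added example, not code from the original guide nor from Wazuh or Elastic, that implements both detections in plain Python over constructed sample lines so you can see exactly what such rules fire on before pointing them at real traffic: 8 failed SSH passwords from one address within 120 seconds, and blocked connections to 10 distinct destination ports from one address within 60 seconds. The thresholds, the host name web01, the addresses and every log line are made up for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# The same fields the Logstash grok pattern extracts: timestamp, host, program[pid]: msg
SYSLOG_RE = re.compile(
    r"^(?P<timestamp>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<hostname>\S+) "
    r"(?P<program>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
FAILED_SSH_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)
UFW_BLOCK_RE = re.compile(r"\[UFW BLOCK\].*?SRC=(?P<src>\S+).*?DPT=(?P<dpt>\d+)")


def parse_syslog(line, year=2024):
    """Split one classic syslog line into fields; None if it does not match.
    Syslog timestamps carry no year, so one is supplied (Logstash's date filter does the same)."""
    m = SYSLOG_RE.match(line)
    if m is None:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(f"{year} {ev['timestamp']}", "%Y %b %d %H:%M:%S")
    return ev


class ThresholdDetector:
    """Sliding-window counter per key: fires once `threshold` events (or, with distinct=True,
    `threshold` distinct values) for that key fall inside `window` seconds. This is the
    frequency/timeframe logic of a Wazuh composite rule or a Kibana threshold rule."""

    def __init__(self, threshold, window, distinct=False):
        self.threshold, self.window, self.distinct = threshold, window, distinct
        self.events = defaultdict(deque)

    def observe(self, key, ts, value=None):
        q = self.events[key]
        q.append((ts, value))
        while (ts - q[0][0]).total_seconds() > self.window:   # forget events outside the window
            q.popleft()
        count = len({v for _, v in q}) if self.distinct else len(q)
        return count >= self.threshold


def detect_ssh_bruteforce(lines, threshold=8, window=120):
    """Source addresses with >= threshold failed SSH passwords inside `window` seconds."""
    det = ThresholdDetector(threshold, window)
    offenders = []
    for line in lines:
        ev = parse_syslog(line)
        if ev is None or ev["program"] != "sshd":
            continue
        m = FAILED_SSH_RE.search(ev["msg"])
        if m and det.observe(m["src"], ev["ts"]) and m["src"] not in offenders:
            offenders.append(m["src"])
    return offenders


def detect_port_scan(lines, threshold=10, window=60):
    """Source addresses blocked on >= threshold distinct destination ports inside `window`
    seconds. Repeated hits on a single port (a retrying client) do not count as a scan."""
    det = ThresholdDetector(threshold, window, distinct=True)
    offenders = []
    for line in lines:
        ev = parse_syslog(line)
        if ev is None or ev["program"] != "kernel":   # UFW BLOCK lines are kernel messages
            continue
        m = UFW_BLOCK_RE.search(ev["msg"])
        if m and det.observe(m["src"], ev["ts"], m["dpt"]) and m["src"] not in offenders:
            offenders.append(m["src"])
    return offenders


def build_sample_lines():
    """Constructed sample log lines (not captured from a real host)."""
    lines = []
    # 9 failed passwords from 203.0.113.9 within 40 seconds: brute force
    for i in range(9):
        lines.append(f"Mar  3 10:15:{i * 5:02d} web01 sshd[22{i:02d}]: Failed password for root "
                     f"from 203.0.113.9 port {51000 + i} ssh2")
    # 2 failures from 198.51.100.4 ninety seconds apart, plus a legitimate key login: below threshold
    lines.append("Mar  3 10:15:10 web01 sshd[2300]: Failed password for invalid user admin from 198.51.100.4 port 40000 ssh2")
    lines.append("Mar  3 10:16:40 web01 sshd[2301]: Failed password for invalid user admin from 198.51.100.4 port 40001 ssh2")
    lines.append("Mar  3 10:16:45 web01 sshd[2302]: Accepted publickey for deploy from 10.0.0.8 port 50000 ssh2")
    # 192.0.2.77 probes 12 distinct ports in 11 seconds: port scan
    for i, dpt in enumerate([21, 22, 23, 25, 53, 80, 110, 143, 443, 445, 3306, 3389]):
        lines.append(f"Mar  3 10:20:{i:02d} web01 kernel: [9876.5] [UFW BLOCK] IN=eth0 OUT= "
                     f"SRC=192.0.2.77 DST=10.0.0.5 PROTO=TCP SPT={40000 + i} DPT={dpt} SYN")
    # 198.51.100.4 retries port 22 twelve times: noisy, but one port is not a scan
    for i in range(12):
        lines.append(f"Mar  3 10:21:{i:02d} web01 kernel: [9877.5] [UFW BLOCK] IN=eth0 OUT= "
                     f"SRC=198.51.100.4 DST=10.0.0.5 PROTO=TCP SPT={41000 + i} DPT=22 SYN")
    return lines


if __name__ == "__main__":
    sample = build_sample_lines()
    print("SSH brute force from:", detect_ssh_bruteforce(sample))   # ['203.0.113.9']
    print("Port scan from:", detect_port_scan(sample))              # ['192.0.2.77']
```

The window matters as much as the count: 198.51.100.4 fails twice 90 seconds apart, so it trips a 2-in-120-seconds rule but not a 2-in-60-seconds one. Tune threshold and window against your own auth.log before enabling an active response, because the same parameters decide who gets blocked.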

5. Regularly Review and Respond to Security Events
A. Review Security Logs in SIEM Dashboard

Filter for suspicious activity in the SIEM rather than on each host. In Kibana's Discover view, a KQL query such as program:sshd and msg:"Failed password" lists the failed logins parsed in Section 2; in the Wazuh dashboard, filter Security Events on rule.groups:authentication_failures. The same check on the host itself (useful to confirm the SIEM is actually receiving everything) is:

grep "Failed password" /var/log/auth.log
B. Automate Incident Response

Wazuh's active response (Section 4) bans attackers without operator involvement. On hosts that run fail2ban instead, the SIEM can issue the same ban through a script or webhook integration that calls fail2ban-client; the manual equivalent for one address is:

sudo fail2ban-client set sshd banip 192.168.1.100

Confirm it with sudo fail2ban-client status sshd, and remember that bans in the sshd jail expire after the jail's bantime unless you make them permanent.
C. Generate Weekly Security Reports

Alert trends come from the SIEM itself: the Wazuh dashboard can export its module views as PDF reports, and its SCA module scores every agent against CIS benchmarks continuously. For a point-in-time compliance scan of one host, run OpenSCAP against the SCAP Security Guide content for your release (ssg-ubuntu1804-xccdf.xml is for Ubuntu 18.04; install openscap-scanner and ssg-debderived, and list the profiles in a file with oscap info <file>):

sudo oscap xccdf eval --profile cis --results results.xml --report report.html /usr/share/xml/scap/ssg/content/ssg-ubuntu1804-xccdf.xml

🔹 Regular reports help monitor security trends over time.

Best Practices for SIEM Deployment

✅ Use a centralized SIEM solution to aggregate logs across infrastructure.
✅ Monitor logs from all critical sources (firewalls, SSH, databases, web servers).
✅ Set up real-time alerts for failed logins, brute-force attempts, and unusual activity.
✅ Regularly analyze logs and fine-tune detection rules to reduce false positives.
✅ Automate response actions for high-confidence rules, with a timeout on every block, so threats are contained quickly without letting a spoofed source address lock out legitimate users.

By implementing a SIEM system, you gain real-time security visibility, detect threats early, and ensure compliance, helping you protect your Linux infrastructure from cyberattacks.
