At my previous $ayjob we were using ElasticSearch+Logstash+Kibana (https://www.elastic.co/” target=”_blank”>ELK) but no one was owning the solution. This left a lot of gaps and maintenance issues that needed many working hours to bring back usefulness and working functionality.
What you trade for in using Sumo Logic (simplicity, no-maintenance, available everywhere, and money) you pay for in time (which is also money and you get to run all of your own infrastructure) when you use ELK. This comparison is exactly why sometimes it is worth looking at commercial software over open-source.
Out of the box, https://www.sumologic.com/” target=”_blank”>Sumo Logic has pre-built dashboards for many common items that administrators, developers, and security folks would like to see, ready to install and start displaying data in an insightful way.
Let’s look at Cisco ASA parsing (though on my blog I have focused on the Fotinet Fortigate security devices) between someone doing it via ELK and how I’ve done it at my day-job with Sumo Logic.
Larry Smith, Jr. write a blog post that includes the JSON object required to build the dashboard and a screenshot of same. Clicking the picture will take you to his blog post directly.
http://everythingshouldbevirtual.com/cisco–asa–logstash–parsing” target=”_blank”>https://www.geekandi.com/wp–content/uploads/2015/07/larry–smith–jr–asa–dashbaord–ss–300×145.png” alt=”larry-smith-jr-asa-dashbaord-ss” width=”300″ height=”145″ />
Sumo Logic dashboard has much of the same information though displayed slightly differently.
https://www.geekandi.com/wp–content/uploads/2015/07/dayjob–cisco–asa–dashboard–2.png“>https://www.geekandi.com/wp–content/uploads/2015/07/dayjob–cisco–asa–dashboard–2–300×237.png” alt=”” width=”300″ height=”237″ />
But the difference in time is huge! Both solutions need a syslog destination to point the firewall at. For ELK you’d use a Logstash ingestion endpoint into your ES storage network. For Sumo Logic you’d have a collector running on either Windows or Linux. Either way you’d need to listen for UDP (default, can do TCP if you wish) and classify the logs as coming from a Cisco ASA device.
For Sumo Logic, start to finish:
- set up a Windows or Linux host to run the collector and install the collector (Java VM)
- configure syslog port with a defined category (web interface or via static configuration on host)
- start ingestion of the data (configure syslog client on Cisco ASA)
- add the ‘app’ to your dashboards making sure to use the category you chose above (via web interface)
- view the resulting dashboards (via web interface)
With ELK (only supports Linux-based hosts):
- set up ElasticSearch (single node or cluster, you decide, though I’d suggest setting up the clustered edition for highly availability)
- secure ElasticSearch (use their commercial Shield application/plugin or run behind a reverse, authenticated proxy
- install Logstash on a Linux host (Java VM)
- configure syslog port with tagging Logstash host (files in /etc/logstash* by default, included in Mr. Smith’s blog post)
- set up Kibana – natively or via reverse proxy (decide on installation on Logstash host or distinct host) and secure it (using reverse proxy) (Java VM, Ruby, etc)
- set up dashboard in Kibana to display the information you are looking for but unfortunately this is not included in Mr. Smith’s blog post – this exercise can take 5 minutes or 5 hours
I have done both and I’d rather put time into Sumo Logic if only because it is so much faster to complete leaving time for other, more fruitful labors.