
StormShield SNS Integration for Elastic

Version: 1.5.1
Subscription level: Basic
Developed by: Elastic
Ingestion method(s): Network Protocol
Minimum Kibana version(s): 9.0.0, 8.11.4
Note

This AI-assisted guide was validated by our engineers. You may need to adjust the steps to match your environment.

The StormShield SNS integration for Elastic enables you to collect and analyze security events and system logs from Stormshield Network Security (SNS) firewalls. By ingesting these logs into the Elastic Stack, you can monitor network activity, detect threats in real-time, and maintain detailed audit trails for compliance.

This integration is compatible with the following third-party vendor systems:

  • Stormshield Network Security (SNS) firewalls running the unified firmware base.
  • SNS v4.x, which is the primarily documented and tested version for these log formats.

This integration collects logs from Stormshield SNS firewalls by receiving syslog data over UDP or TCP. You deploy an Elastic Agent on a host that is configured as a syslog receiver. Once the agent is configured to listen on the appropriate port, you set up your Stormshield devices to forward logs to that agent. The agent then forwards the events to your Elastic deployment, where they are parsed and mapped to the Elastic Common Schema (ECS) for analysis and visualization.

The StormShield SNS integration collects a variety of security and system events from SNS instances. Each data stream provides specific insights into network activity:

  • Firewall logs: These provide detailed records of filter and NAT policy decisions, including source and destination IP addresses, ports, and protocols.
  • Audit and administrative logs: These capture events related to administrative logins, configuration changes through serverd, and system-level operations.
  • Alarm logs: These contain security-specific alerts generated by the SNS Intrusion Prevention System (IPS) and detection engines.
  • Traffic statistics: These ingest periodic statistics to monitor bandwidth usage and application performance.
  • log data stream: This collects Stormshield logs using the UDP or TCP protocols.

Integrating StormShield SNS logs with the Elastic Stack provides visibility into your network security posture and operational health. You can use this integration for the following:

  • Security monitoring and threat detection: Use firewall and alarm logs to identify unauthorized access attempts and detect threats identified by the SNS IPS.
  • Compliance and auditing: Maintain a searchable record of administrative actions and configuration changes to meet regulatory requirements.
  • Network performance analysis: Use traffic statistics to visualize bandwidth usage and optimize network throughput.
  • Incident investigation: Correlate SNS logs with other data sources in Elastic to accelerate root-cause analysis during security incidents.

To collect data from your Stormshield SNS appliance, you'll need the following components and configurations:

Before you begin, ensure you have these vendor-specific requirements:

  • Root or full administrator credentials for the Stormshield Network Security web administration interface.
  • Network connectivity between the SNS appliance and the host where you've installed Elastic Agent.
  • Open syslog ports on any intermediate firewalls, such as the default 514 for UDP or 601 for TCP.
  • The static IP address or FQDN of the host running the Elastic Agent.
  • No additional license is required for standard syslog forwarding (note: Stormshield Log Supervisor (SLS) requires a separate license, but this integration uses standard syslog).

You'll also need the following Elastic Stack components:

  • An active Elastic Agent installed and enrolled in a policy.
  • Reachability from the SNS appliance to the host running the Elastic Agent on the configured syslog port.
  • An Elastic Stack user with permissions to manage integrations and Fleet policies.

You'll need to install Elastic Agent. For more details, check the Elastic Agent installation instructions. You can install only one Elastic Agent per host.

Elastic Agent is required to receive syslog data over UDP or TCP and ship the data to Elastic, where the events are processed using the integration's ingest pipelines.

To configure Stormshield Network Security (SNS) to forward logs to the Elastic Agent, follow these steps:

  1. Log in to the Stormshield Network Security web administration interface.
  2. Navigate to the CONFIGURATION tab.
  3. Go to NOTIFICATIONS > LOGS - SYSLOG - IPFIX.
  4. In the Syslog section, make sure the service is enabled by switching the status to ON.
  5. Select a Profile slot to edit (e.g., Profile 1).
  6. In the Syslog server field, select or create a host object corresponding to the Elastic Agent host.
  7. Enter the Port number matching your Elastic Agent configuration (e.g., 514 for UDP or 601 for TCP).
  8. Select the Protocol (UDP or TCP) that matches your integration input.
  9. Choose the Format: RFC5424 is recommended for modern logging, though Legacy (BSD) is also supported.
  10. In the Advanced properties section, enable the specific log families you want to send. Make sure Filter Policy, Administration, System, and Alarms are active.
  11. Click Apply to save the syslog configuration.

Next, enable logging on the filter rules whose traffic you want to collect:

  1. Navigate to Configuration > Security policy > Filter - NAT.
  2. Identify the security rules for which you want to collect logs.
  3. Double-click a rule to open its properties.
  4. Go to the Action menu or the General tab.
  5. Set the Log level to Standard (connection log).
  6. Click OK and then click Apply at the top of the interface to deploy the policy change.

To set up the integration in Kibana, follow these steps:

  1. In Kibana, navigate to Management > Integrations.
  2. Search for and select Stormshield SNS.
  3. Click Add Stormshield SNS.
  4. Configure the inputs based on your Stormshield SNS configuration.

Choose the setup instructions below that match your configuration.

This input collects Stormshield logs using the UDP protocol.

  • Listen Address: The bind address to listen for UDP connections. Set to 0.0.0.0 (replace with your actual value) to bind to all available interfaces. Default: localhost.
  • Listen Port: The UDP port number to listen on. Default: 514.
  • Preserve original event: If checked, a raw copy of the original event is added to the field event.original. Default: false.
  • Tags: A list of tags to add to the events. Default: forwarded.

Under Advanced Options, you can configure the following optional parameters:

  • Custom UDP Options: Specify custom configuration options for the UDP input such as read_buffer, max_message_size, or timeout.
  • Processors: Add custom processors to reduce fields or enhance the event with metadata before parsing.

This input collects Stormshield logs using the TCP protocol.

  • Listen Address: The bind address to listen for TCP connections. Set to 0.0.0.0 (replace with your actual value) to bind to all available interfaces. Default: localhost.
  • Listen Port: The TCP port number to listen on. Default: 601.
  • Preserve original event: If checked, a raw copy of the original event is added to the field event.original. Default: false.
  • Tags: A list of tags to add to the events. Default: forwarded.

Under Advanced Options, you can configure the following optional parameters:

  • Custom TCP Options: Specify custom configuration options for the TCP input such as framing: rfc6587.
  • SSL Configuration: Configure SSL options including certificate and key for encrypted log transmission.
  • Processors: Add custom processors to reduce fields or enhance the event with metadata before parsing.

Finally, attach the integration to a policy:

  1. Follow the prompts to add the integration to an Elastic Agent policy.
  2. Save and deploy the integration.

Once you've completed the configuration, verify that data is flowing correctly.

Perform the following actions on your Stormshield device to generate logs:

  • Generate web traffic: From a client workstation behind the Stormshield firewall, browse several external websites to generate Filter and NAT logs.
  • Generate administrative audit: Log out and log back into the Stormshield web administration interface to trigger an administration event.
  • Generate configuration event: Enter configuration mode, make a minor change (such as a rule description), save it, and exit to trigger a serverd log.
  • Trigger alarm: If a test environment is available, attempt a restricted access pattern (such as an Nmap scan) to trigger an intrusion detection alarm.

To verify the data in Kibana:

  1. Navigate to Analytics > Discover.
  2. Select the logs-* data view.
  3. Enter the following KQL filter in the search bar: data_stream.dataset : "stormshield.log"
  4. Verify logs appear and expand an entry to confirm the presence of fields like event.dataset, source.ip, and message.
  5. Navigate to Analytics > Dashboards and search for "Stormshield SNS" to view pre-built visualizations.
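Before pointing a production appliance at the agent, it helps to confirm reachability, protocol and framing with a synthetic event that looks like an SNS filter log. The following Python script is an added example, not part of the Elastic integration or of Stormshield's tooling. It builds an RFC 5424 message around a constructed key=value body (the field names such as src, dst and action are assumptions in the general style of SNS logs, not a capture from a real device) and sends it either as one UDP datagram or over TCP with RFC 6587 octet-counting framing, which is what the framing: rfc6587 option expects.

```python
"""
Send a constructed Stormshield-style test event to an Elastic Agent syslog
listener over UDP or TCP.

Added example, not Elastic's or Stormshield's code. The body below is a
constructed sample; its key names are assumptions, not a real appliance log.
"""
import socket
import sys
from datetime import datetime, timezone
from typing import Optional

# Constructed sample body in the key=value style of SNS "filter" family events.
SAMPLE_BODY = (
    'id=firewall time="2024-01-15 10:23:45" fw="SNS-TEST" tz=+0100 '
    'pri=5 ruleid=3 ipproto=tcp proto=https src=10.0.0.5 srcport=51092 '
    'dst=192.0.2.10 dstport=443 action=pass'
)


def build_rfc5424(body: str, hostname: str = "sns-test", app: str = "stormshield",
                  facility: int = 1, severity: int = 5,
                  timestamp: Optional[str] = None) -> bytes:
    """Return a complete RFC 5424 message: header, NILVALUE structured data, body.

    PRI is facility * 8 + severity; VERSION is always 1; PROCID, MSGID and
    STRUCTURED-DATA are sent as the NILVALUE '-'.
    """
    ts = timestamp or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    pri = facility * 8 + severity
    header = f"<{pri}>1 {ts} {hostname} {app} - - -"
    return f"{header} {body}".encode("utf-8")


def frame_for_tcp(msg: bytes, octet_counting: bool = True) -> bytes:
    """RFC 6587 framing for TCP transport.

    octet_counting=True  -> '<length> <message>' (matches framing: rfc6587)
    octet_counting=False -> non-transparent framing, message terminated by '\\n'
    """
    if octet_counting:
        return f"{len(msg)} ".encode("ascii") + msg
    return msg + b"\n"


def send_test_event(host: str, port: int, proto: str, msg: bytes,
                    octet_counting: bool = True) -> int:
    """Send msg to host:port over 'udp' or 'tcp'. Returns the number of bytes sent."""
    if proto == "udp":
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            return s.sendto(msg, (host, port))   # one datagram, no framing needed
    if proto == "tcp":
        framed = frame_for_tcp(msg, octet_counting)
        with socket.create_connection((host, port), timeout=5) as s:
            s.sendall(framed)
            return len(framed)
    raise ValueError(f"unknown protocol: {proto!r} (expected 'udp' or 'tcp')")


if __name__ == "__main__":
    # usage: python send_test_event.py <agent-host> <port> udp|tcp
    host, port, proto = sys.argv[1], int(sys.argv[2]), sys.argv[3].lower()
    sent = send_test_event(host, port, proto, build_rfc5424(SAMPLE_BODY))
    print(f"sent {sent} bytes over {proto} to {host}:{port}")
```

Run it from a host on the same network path the appliance will use, with the port and protocol you configured in the integration; the event should then appear in Discover under data_stream.dataset : "stormshield.log". A UDP send that returns without error only proves the packet left the sender, so a missing event with UDP points at an intermediate firewall, the host firewall, or a Listen Address still set to localhost. A TCP connection refused or timeout isolates the same reachability problems before any appliance settings are changed.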

For help with Elastic ingest tools, you can check the common problems documentation.

If you're having trouble getting data from your Stormshield SNS appliance into the Elastic Stack, you can check the following common issues:

  • No data is being collected: You should verify that the syslog port configured on your Stormshield SNS appliance exactly matches the Listen Port setting in your Elastic integration, such as 514 or 601.
  • Connection refused or timeout: You'll need to ensure that any firewalls or network access control lists (ACLs) between your SNS appliance and the Elastic Agent host allow traffic on the configured port. You should also check the local firewall on the host machine.
  • Logs only appearing from the local host: If you've set the Listen Address to localhost, you'll need to change it to 0.0.0.0 so the Agent can receive logs from your SNS appliance over the network.
  • Protocol mismatch: You must ensure that both the SNS appliance and the Elastic Agent are configured to use the same protocol. If you've set one to TCP and the other to UDP, they won't be able to communicate.
  • Parsing errors or missing data: You should verify that the syslog Format on your SNS appliance is set to RFC5424. If you see _syslog_parse_failure tags in your logs, the format might be mismatched.
  • TCP message splitting issues: If you're using TCP, you should check that the framing setting in your integration (like rfc6587) matches the output configuration of your SNS appliance.
  • Missing specific log types: If you aren't seeing specific logs like filter or alarm events, you should verify that you've enabled the specific log families in the Advanced properties section of your SNS syslog profile. You'll need to ensure that families like Filter Policy, Administration, System, and Alarms are set to active.
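The two troubleshooting items about format and framing (and the framing: rfc6587 option under Custom TCP Options) are easier to reason about from the receiver's side. The following Python code is an added example, not part of the Elastic integration or of Stormshield's products: it splits a TCP byte stream under octet-counting and under newline framing, checks whether each resulting message carries an RFC 5424 header (returning None where the integration would tag _syslog_parse_failure), and maps a key=value body to a few ECS-style fields. The sample messages are constructed, and the src/dst key names and the ECS mapping are assumptions for illustration.

```python
"""
Receiver-side view of RFC 6587 framing and RFC 5424 header validation.

Added example, not Elastic's or Stormshield's code. Messages are constructed
samples; key names and the ECS mapping are assumptions.
"""
import re
import shlex
from typing import Dict, List, Optional

# RFC 5424: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
RFC5424_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|(?:\[[^\]]*\])+) ?(?P<msg>.*)$",
    re.DOTALL,
)

# Constructed samples: two RFC 5424 events and one legacy BSD-format event.
MSG1 = (b"<13>1 2024-01-15T09:23:45Z sns-test stormshield - - - id=firewall "
        b"src=10.0.0.5 srcport=51092 dst=192.0.2.10 dstport=443 ipproto=tcp action=pass")
MSG2 = (b"<13>1 2024-01-15T09:23:46Z sns-test stormshield - - - id=firewall "
        b"src=10.0.0.6 srcport=40000 dst=192.0.2.11 dstport=80 ipproto=tcp action=block")
LEGACY_BSD = b"<13>Jan 15 10:23:45 sns-test stormshield: id=firewall src=10.0.0.5 action=pass"

# What arrives on the wire when the sender uses octet-counting: "<len> <msg>" back to back.
STREAM_OCTET_COUNTED = (f"{len(MSG1)} ".encode() + MSG1 + f"{len(MSG2)} ".encode() + MSG2)


def split_octet_counting(stream: bytes) -> List[bytes]:
    """RFC 6587 octet-counting: each message is '<len> <msg>'.
    A trailing partial message is left for the next read; a non-numeric
    prefix means the sender is not octet-counting and raises ValueError."""
    out, i = [], 0
    while i < len(stream):
        sp = stream.find(b" ", i)
        if sp < 0 or not stream[i:sp].isdigit():
            raise ValueError(f"no octet count at offset {i}: sender framing mismatch?")
        n = int(stream[i:sp])
        start, end = sp + 1, sp + 1 + n
        if end > len(stream):
            break                      # incomplete message, wait for more bytes
        out.append(stream[start:end])
        i = end
    return out


def split_non_transparent(stream: bytes, delimiter: bytes = b"\n") -> List[bytes]:
    """RFC 6587 non-transparent framing: messages end at a delimiter (newline)."""
    return [m for m in stream.split(delimiter) if m]


def parse_rfc5424(msg: bytes) -> Optional[Dict[str, object]]:
    """Return the header fields and body, or None when msg is not RFC 5424."""
    m = RFC5424_RE.match(msg.decode("utf-8", errors="replace"))
    if not m:
        return None
    fields: Dict[str, object] = m.groupdict()
    facility, severity = divmod(int(fields.pop("pri")), 8)
    fields["facility"], fields["severity"] = facility, severity
    return fields


def body_to_ecs(body: str) -> Dict[str, object]:
    """Map a key=value body to ECS-style fields. shlex handles quoted values
    such as time="2024-01-15 10:23:45". The mapping itself is an assumption."""
    kv = dict(tok.split("=", 1) for tok in shlex.split(body) if "=" in tok)
    ecs: Dict[str, object] = {
        "event.action": kv.get("action"),
        "source.ip": kv.get("src"),
        "destination.ip": kv.get("dst"),
        "network.transport": kv.get("ipproto"),
    }
    if "srcport" in kv:
        ecs["source.port"] = int(kv["srcport"])
    if "dstport" in kv:
        ecs["destination.port"] = int(kv["dstport"])
    return ecs


if __name__ == "__main__":
    # Matching framing: two clean events, both with a valid RFC 5424 header.
    for m in split_octet_counting(STREAM_OCTET_COUNTED):
        hdr = parse_rfc5424(m)
        print("ok", hdr["host"], body_to_ecs(hdr["msg"]))
    # Mismatched framing: newline splitting sees one blob starting with a digit count.
    blob = split_non_transparent(STREAM_OCTET_COUNTED)
    print("newline framing yields", len(blob), "message(s); parses as", parse_rfc5424(blob[0]))
    # Legacy BSD format: no VERSION '1' after PRI, so the RFC 5424 parser rejects it.
    print("legacy BSD parses as", parse_rfc5424(LEGACY_BSD))
```

The second case is the "TCP message splitting" symptom: an octet-counted stream read with newline framing turns several events into one unparseable record, while the reverse mismatch (newline-terminated events read with octet counting) fails at the first non-numeric prefix. The third case is what a Legacy (BSD) profile produces when the pipeline expects RFC5424, which is why the format mismatch shows up as parse failures rather than as missing connectivity.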

To ensure optimal performance in high-volume security environments, you should consider these transport, data volume management, and scaling strategies:

  • Transport and collection: This integration supports both UDP and TCP. While UDP offers lower overhead for high-volume environments, it doesn't guarantee delivery. For critical security auditing where log integrity is paramount, use TCP to ensure the Elastic Agent receives every event, though this adds connection overhead.
  • Advanced input configuration: For high-volume UDP traffic, you can tune the read_buffer setting under Custom UDP Options to prevent packet loss at the operating system level. Increasing this buffer allows the system to handle bursts of incoming syslog data more effectively.
  • Data volume management: To manage high data volumes, configure the SNS appliance to forward only necessary event families. Limit Filter Policy logs to high-risk rules rather than logging all traffic. Avoid forwarding debug-level logs to minimize the load on the ingest pipeline and storage. Use the processors configuration to drop redundant fields at the source before they are sent to Elasticsearch.
  • Elastic Agent scaling: For high-throughput environments processing thousands of events per second, deploy dedicated Elastic Agents on high-performance hosts. If volume exceeds the capacity of a single agent, distribute traffic across multiple agents using a network load balancer to ensure high availability and horizontal scaling.

For more information on architectures that can be used for scaling this integration, check the Ingest Architectures documentation.

These inputs can be used with this integration:

You'll find events from Stormshield SNS logs in the log data stream. This data stream includes logs of the following types: traffic, filter, protection, and system events.

You'll find a list of all exported fields in the following table:

The following is a sample event for the log data stream:

You'll find additional details about Stormshield SNS logs in these official resources:

This integration includes one or more Kibana dashboards that visualize the data collected by the integration. The screenshots below illustrate how the ingested data is displayed.