May 25, 2023
Updated June 6, 2023

Setup SIEM system on Debian

Debian Networks Security

Get a broad understanding of management and control of the SIEM system, setup and maintenance, which can help upgrade the effectiveness and speed of reaction to cyber—incidents and provide a high—security mode for your information system. Get knowledge about the type of architecture building with SIEM for small and medium businesses. Explore more features of controlling cyber—incidents, based on correlation analysis and risk management methods.

SIEM system

SIEM (Security Event Management + Security Information Management) — systems that monitor information systems, analyze real—time security events originating from network devices, information security tools, IT services, design and application infrastructure, and help detect information security incidents. Problems of detecting incidents in corporate networks:

  • security tools, servers and network devices create millions of events, terabytes of logs;
  • it is ineffective to respond to all IB incidents: 50—95% of them are false positives on the SPI;
  • data from a single means of protection does not reveal complex and targeted attacks;
  • the events are scattered across different systems and dozens of reports
  • regulatory requirements in the field of information security.

Setup SIEM system

Before installing any software, we need to update the index and package on Debian:

sudo apt update && sudo apt upgrade -y
Screenshot №1 — Update package

Next stage: install the required packages.

sudo apt-get install suricata
Screenshot №2 — Installation

Configure Suricata

sudo nano /etc/suricata/suricata.yaml
Open config
Screenshot №3 — Open config

In the configuration file, set the appropriate network interface for Suricata to monitor:

default-log-dir: /var/log/suricata/
- interface: enp0s5
Change interface
Screenshot №4 — Change interface

Note: Replace "enp0s5" with your network interface name, you can use the command below:

Check your config
Screenshot №5 — Check your config

Save and close the configuration file. Start Suricata in IDS mode:

sudo suricata -c /etc/suricata/suricata.yaml -i enp0s5 --init-errors-fatal
Check status
Screenshot №6 — Check status

Verify that Suricata is running by checking its log files:

tail -f /var/log/suricata/fast.log

As a result output system will look like a string with information about your settings, if you don't enter any value, you receive an appropriate answer.

SIEM system conclusion

In conclusion, setting up an open—source SIEM system on Debian is a crucial step towards enhancing the security of information systems for small and medium businesses. SIEM systems help detect potential security incidents by monitoring and analysing real-time security events. However, detecting incidents in corporate networks can be challenging due to the high volume of events generated by various security tools and devices. With a properly configured SIEM system, businesses can effectively manage cyber incidents based on correlation analysis and risk management methods, thus providing a high—security mode for their information system.

5 out of 5
Аverage rating : 5
Rated by: 1
19703 Claymont 2093 Philadelphia Pike #2345, USA
+1 302 425-97-76
700 300
700 300

You might also like...

We use cookies to make your experience on the Serverspace better. By continuing to browse our website, you agree to our
Use of Cookies and Privacy Policy.