06.06.2023

Setup SIEM system on Debian

Get a broad understanding of managing and controlling a SIEM system, its setup and maintenance, which can improve the effectiveness and speed of reaction to cyber incidents and provide a high-security mode for your information system. Learn what kind of architecture is built around a SIEM for small and medium businesses, and explore how cyber incidents can be controlled using correlation analysis and risk-management methods.

SIEM system

SIEM (Security Information and Event Management, the combination of Security Information Management and Security Event Management) systems monitor information systems, analyze in real time the security events originating from network devices, information security tools, IT services and application infrastructure, and help detect information security incidents. The hard part of detecting incidents in corporate networks is volume: every security tool and device produces its own stream of events, and a single alert rarely tells the whole story, so events have to be collected centrally and correlated.

Setup SIEM system

This guide installs Suricata, an open-source network IDS/IPS. On its own Suricata is a sensor, not a complete SIEM: it generates the security events (alerts) that a SIEM collects, stores and correlates. Before installing any software, update the package index and upgrade the installed packages on Debian:

sudo apt update && sudo apt upgrade -y

Screenshot №1 — Update package

Next stage: install the required packages.

sudo apt-get install suricata

Screenshot №2 — Installation

Configure Suricata

sudo nano /etc/suricata/suricata.yaml

Screenshot №3 — Open config

In the configuration file, set the network interface Suricata should monitor. The af-packet section is a YAML list, so the interface entry is indented under it:

default-log-dir: /var/log/suricata/
...
af-packet:
  - interface: enp0s5

Screenshot №4 — Change interface

Note: replace enp0s5 with the name of your own network interface. You can list the interfaces with ip, which is installed by default on Debian (ifconfig belongs to the net-tools package, which is not):

ip -br link

Screenshot №5 — Check your config

Save and close the configuration file. Start Suricata in IDS mode in the foreground (-i names the capture interface and overrides the af-packet entry in the configuration file; --init-errors-fatal makes Suricata exit immediately if the configuration or a rule file fails to load, instead of running with a partial ruleset):

sudo suricata -c /etc/suricata/suricata.yaml -i enp0s5 --init-errors-fatal

The Debian package also installs a systemd unit, so for a permanent sensor you would rather enable that service (sudo systemctl enable --now suricata) and rely on the interface set in the configuration file. Do not run the service and a foreground instance on the same interface at the same time.

Screenshot №6 — Check status

Verify that Suricata started by reading its own log, /var/log/suricata/suricata.log, which records the capture interface and the number of rules loaded, and then watch the alert log:

tail -f /var/log/suricata/fast.log

fast.log holds one alert per line: a timestamp, the rule identifier in [gid:sid:rev] form, the rule message, its classification and priority, the protocol, and the source and destination addresses with ports. It only fills up when traffic matches a loaded rule, so an empty file right after start-up is normal. If nothing appears after you generate some traffic, check suricata.log for rule-loading errors and make sure a ruleset has actually been installed (for example with suricata-update).
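Once alerts are landing in fast.log, the SIEM's job begins: collecting these lines and correlating them. The following Python script is an added example written for this article, not code from Suricata or from the original tutorial. It parses the fast.log format described above and applies one simple correlation rule: the same source address triggering several different rules within a short window. The log lines, rule IDs and messages in it are constructed for illustration, and the thresholds are arbitrary.

```python
"""Parse Suricata fast.log lines and correlate them into incidents.

Added example for this article, not code shipped with Suricata. The sample log
lines are constructed (local-range SIDs, made-up messages); the correlation
rule is a deliberately simple stand-in for what a SIEM does on top of an IDS.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# One fast.log record:
# <ts>  [**] [gid:sid:rev] <msg> [**] [Classification: <c>] [Priority: <p>] {<proto>} <src>[:<port>] -> <dst>[:<port>]
FAST_LOG_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4}-\d{2}:\d{2}:\d{2}\.\d{6})\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>[^}]+)\}\s+"
    r"(?P<src>\S+?)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>\S+?)(?::(?P<dport>\d+))?$"
)


@dataclass(frozen=True)
class Alert:
    ts: datetime
    sid: int
    msg: str
    classification: str
    priority: int           # 1 is the most severe in Suricata's scheme
    proto: str
    src: str
    sport: Optional[int]    # None for port-less protocols such as ICMP
    dst: str
    dport: Optional[int]


def parse_fast_log_line(line: str) -> Optional[Alert]:
    """Return an Alert, or None for a line that is not a fast.log record."""
    m = FAST_LOG_RE.match(line.strip())
    if m is None:
        return None
    ports = [int(p) if p else None for p in (m["sport"], m["dport"])]
    return Alert(datetime.strptime(m["ts"], "%m/%d/%Y-%H:%M:%S.%f"), int(m["sid"]),
                 m["msg"], m["cls"] or "", int(m["prio"]), m["proto"],
                 m["src"], ports[0], m["dst"], ports[1])


@dataclass(frozen=True)
class Incident:
    src: str
    first_seen: datetime
    last_seen: datetime
    alert_count: int
    distinct_sids: int
    top_priority: int           # lowest Priority number seen, i.e. most severe
    targets: Tuple[str, ...]    # distinct destination hosts, sorted


def correlate(alerts: List[Alert], window: timedelta = timedelta(seconds=60),
              min_alerts: int = 3, min_distinct_sids: int = 2) -> List[Incident]:
    """One incident per source IP that, inside any `window`, produced at least
    `min_alerts` alerts from at least `min_distinct_sids` different rules."""
    by_src = defaultdict(list)
    for a in alerts:
        by_src[a.src].append(a)
    incidents = []
    for src, items in by_src.items():
        items.sort(key=lambda a: a.ts)
        start = 0
        for end in range(len(items)):
            while items[end].ts - items[start].ts > window:   # slide window start
                start += 1
            bucket = items[start:end + 1]
            sids = {a.sid for a in bucket}
            if len(bucket) >= min_alerts and len(sids) >= min_distinct_sids:
                incidents.append(Incident(src, bucket[0].ts, bucket[-1].ts, len(bucket),
                                          len(sids), min(a.priority for a in bucket),
                                          tuple(sorted({a.dst for a in bucket}))))
                break   # one incident per source is enough for this example
    return incidents


def analyze(fast_log_text: str) -> Tuple[List[Alert], List[Incident]]:
    """Parse a fast.log body, skip unparsable lines, return alerts and incidents."""
    alerts = [a for a in map(parse_fast_log_line, fast_log_text.splitlines()) if a is not None]
    return alerts, correlate(alerts)


# Constructed sample: 198.51.100.7 trips two different rules three times in under
# ten seconds (correlates); 203.0.113.9 trips two rules an hour apart (does not).
SAMPLE_FAST_LOG = """\
06/06/2023-12:00:01.000000  [**] [1:1000001:1] LOCAL SCAN ssh banner probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.7:44120 -> 192.168.1.10:22
06/06/2023-12:00:05.250000  [**] [1:1000002:1] LOCAL POLICY ssh login attempt burst [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 198.51.100.7:44121 -> 192.168.1.10:22
06/06/2023-12:00:09.500000  [**] [1:1000001:1] LOCAL SCAN ssh banner probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.7:44122 -> 192.168.1.11:22
06/06/2023-12:00:30.000000  [**] [1:1000003:1] LOCAL ICMP echo request [**] [Classification: Misc activity] [Priority: 3] {ICMP} 203.0.113.9 -> 192.168.1.10
06/06/2023-13:00:30.000000  [**] [1:1000001:1] LOCAL SCAN ssh banner probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.9:50000 -> 192.168.1.10:22
this line is not a fast.log record and is skipped by the parser
"""
```

Running analyze(SAMPLE_FAST_LOG) yields five parsed alerts and one incident for 198.51.100.7 (3 alerts, 2 rules, top priority 1, two target hosts). The design point is that the window requires several different rules from one source, so a single chatty rule repeating does not by itself become an incident; in a real deployment you would read Suricata's EVE JSON output instead of fast.log, which carries the same fields in a machine-friendly form.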

SIEM system conclusion

In conclusion, installing an open-source IDS such as Suricata on Debian is the first step towards a SIEM for small and medium businesses: it produces the real-time security events that a SIEM monitors and analyses to detect potential incidents. Detecting incidents in corporate networks is challenging because of the high volume of events generated by the many security tools and devices, which is why the output of sensors like this one has to be collected in one place and correlated. With a properly configured SIEM, businesses can manage cyber incidents using correlation analysis and risk-management methods and keep their information system in a high-security mode.