How to email PDF, CSV, XLS reports from Security Onion

Introduction

If you are running the Elastic Stack-based Security Onion for intrusion detection and enterprise security monitoring, have you heard the good news? Skedler Reports has released its latest version with support for the Security Onion environment. The focus of this blog post is how to email PDF, CSV, and XLS reports from the Elastic Stack used in Security Onion.

What is Security Onion?

If you’ve never heard about Security Onion before, it is a Linux distro for intrusion detection, Network Security Monitoring, and log management. It’s based on Ubuntu and contains Snort, Bro, OSSEC, Sguil, Squert, and many other security tools. Security Onion is a platform that allows you to monitor your network for security alerts. It includes Elasticsearch, Logstash, Kibana, Snort, Suricata, Bro, Wazuh, Sguil, Squert, CyberChef, NetworkMiner, and many other security tools.
Source: Security Onion website


Why Skedler Reports for Security Onion?

Skedler Reports offers the most powerful, flexible and easy-to-use data monitoring solution that companies use to exceed customer SLAs, achieve compliance, and empower internal IT and business leaders. By using Skedler Reports, you can enjoy the following benefits:

  • Simple installation, quick configuration, faster deployment
  • Send visually appealing, personalized reports
  • Report setup takes less than 5 minutes
  • Send PDF, XLS, CSV, HTML reports on-demand or periodically via email or Slack
  • Help users see and understand data faster with customized mobile & print-ready reports


Step-by-Step Instruction for Adding Reports to Security Onion

If you haven’t already downloaded Skedler Reports, please download it from www.skedler.com. You can also install Skedler as a Docker container. Please review the documentation to install Skedler.


Configure Skedler Reports Settings for the ELK Stack on Security Onion

After installation, when you launch Skedler Reports for the first time, the Settings page is displayed. You can access Basic and Advanced settings.

Basic Setup – Data Source


You can configure the Data Source details required for Skedler report generation.


Select the Datasource as “ELK Stack”.

Enter the name of the Datasource as “SecurityOnion_DataSource”.

Enter the URL of the Elasticsearch instance in the Elasticsearch URL field. By default, the field is set to “http://localhost:9200”.

Enter the URL of the Kibana instance used for Skedler report generation in the Kibana URL field. By default, the field is set to “http://localhost:5601”.

Enter the Kibana index in the Kibana Index field. By default, the field is set to “.kibana”.


Select the Authentication Type from the drop-down as Security Onion.

Enter the security username and password for Elasticsearch in the Elasticsearch Admin Username and Elasticsearch Admin Password fields, and for Kibana in the Kibana Admin Username and Kibana Admin Password fields respectively. Click “Test and Save” to test and save the Datasource configuration.

Notification Channel


To proceed to the Notification Channels step, I’ll click the Next button at the bottom. For Notification Channel Configuration, I will choose Mail as the channel. Next, I’ll name this channel “SecurityOnion_Mail”. I’ll choose Supported Service as Others.

Then I’ll configure the SMTP connection by specifying the Outgoing Server, Port, Sender’s Email, Password, and Admin Email. Click “Test and Save” to test and save the Notification configuration.
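To make concrete what the mail channel does once it is configured, here is an added example (not Skedler’s code, and not part of the original post) that builds a report email with PDF and XLS attachments and delivers it over an authenticated STARTTLS SMTP session. The attachment bytes are constructed placeholders standing in for Skedler’s generated files, and the server, port, sender and credentials are read from environment variables named here only for illustration; the mail server is assumed to support STARTTLS and basic SMTP AUTH like the Outgoing Server, Port, Sender’s Email and Password fields above. Keeping the BCC list out of the message headers and passing it only on the SMTP envelope is what stops BCC recipients from being disclosed to everyone else.

```python
"""Build and send a Security Onion report email with attachments (added example)."""
import os
import smtplib
import ssl
from email.message import EmailMessage
from email.utils import formatdate, make_msgid

# Constructed sample attachments; Skedler would generate the real PDF/XLS files.
SAMPLE_FILES = {
    "Security_Onion_Overview.pdf": (b"%PDF-1.4\n% constructed sample\n", "application", "pdf"),
    "Security_Onion_Overview.xls": (b"constructed sample spreadsheet bytes", "application", "vnd.ms-excel"),
}


def build_report_email(sender, recipients, subject, body, files, cc=(), bcc=()):
    """Return (message, envelope_recipients) for a multipart report email.

    The report name becomes the Subject line, as in the Report Details step.
    BCC addresses are deliberately NOT written into a header: they go only on
    the SMTP envelope so other recipients cannot see them.
    """
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(recipients)
    if cc:
        msg["Cc"] = ", ".join(cc)
    msg["Subject"] = subject
    msg["Date"] = formatdate(localtime=True)
    msg["Message-ID"] = make_msgid()
    msg.set_content(body)  # plain-text body, editable in the Distribute step
    for filename, (data, maintype, subtype) in files.items():
        msg.add_attachment(data, maintype=maintype, subtype=subtype, filename=filename)
    envelope = list(recipients) + list(cc) + list(bcc)
    return msg, envelope


def send_report_email(msg, envelope, host, port, username, password):
    """Deliver the message over SMTP with STARTTLS and certificate verification."""
    context = ssl.create_default_context()  # verifies the server certificate chain
    with smtplib.SMTP(host, port, timeout=30) as smtp:
        smtp.ehlo()
        smtp.starttls(context=context)
        smtp.ehlo()
        smtp.login(username, password)
        return smtp.send_message(msg, to_addrs=envelope)  # {} means all accepted


if __name__ == "__main__":
    # Hypothetical environment variable names; set them to send for real.
    message, rcpts = build_report_email(
        sender=os.environ.get("REPORT_SENDER", "reports@example.com"),
        recipients=[os.environ.get("REPORT_TO", "soc@example.com")],
        subject="Security Onion Overview",
        body="Attached are this week's Security Onion Overview reports.",
        files=SAMPLE_FILES,
        bcc=[os.environ.get("REPORT_BCC", "audit@example.com")],
    )
    if os.environ.get("SMTP_HOST"):
        send_report_email(
            message, rcpts,
            host=os.environ["SMTP_HOST"],
            port=int(os.environ.get("SMTP_PORT", "587")),
            username=os.environ["SMTP_USER"],
            password=os.environ["SMTP_PASSWORD"],
        )
    else:
        print(message.as_string())  # no SMTP_HOST set: just show the built message
```

Running it without SMTP_HOST prints the assembled MIME message so you can inspect the headers and attachment parts; with the SMTP variables set it connects on port 587, upgrades to TLS, authenticates and sends.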

Schedule Reports

Then I’ll click Create a Report. The first step is the Report Details.

Report Details


I’ll name this report “Security Onion Overview”. This is what will appear in the subject line of the report email. Next, I’ll choose my data source as SecurityOnion_DataSource. I’ll choose Dashboard as the type. Next, I need to select the Dashboard to be used for generating reports. I’ll choose the Overview. If needed, I could choose a filter, but I’ll leave this as No Filter. For Time Range, I’ll choose This Week.

To proceed to the Report Design step, I’ll click next at the top.

Report Design


I’ll choose PDF as the file format I want to receive, and I’ll choose the Default Template as the Template with Smart Layout as the Layout. I’ll also include an Excel report by checking this box.

Schedule Details


Clicking Next takes me to the Schedule step, where I’ll choose to receive reports Daily at the beginning of the day. I could also choose to have reports sent only on weekdays. To save changes I’ll click Schedule.

Distribute


I’ll proceed to the last step: Distribute. From the drop-down, I’ll choose Mail Channel. Here I’ll enter the email recipient, add a CC or BCC if needed, and I can keep the default message or edit it. The report schedule is finished, so I’ll click Save and Exit.

Schedule

I now see my Security Onion Overview at the top of my reports list. To download the PDF and Excel report I can click this icon. Under Actions, I can edit the schedule, and I can email the report immediately if I don’t want to wait until the scheduled time.

I’ve now successfully set up automated daily Security Onion Overview reports for the customer’s use.

Summary

This blog post was a very quick overview of how to email PDF, CSV, and XLS reports from Security Onion. If you have any more questions, please contact us.