Help with Monitoring Alerts and Logs in Security Onion (Distributed Setup) #14666
From https://docs.securityonion.net/en/2.4/pcap.html:
Click the alert, click Actions, click Correlate. From https://docs.securityonion.net/en/2.4/alerts.html#actions:
Most of our users do not use Kibana Observability. If you really need to use this feature, then you may need to enable it as shown in the Kibana Features section of our documentation. From https://docs.securityonion.net/en/2.4/kibana.html#features:
From https://docs.securityonion.net/en/2.4/introduction.html#workflow:
From https://docs.securityonion.net/en/2.4/kibana.html#kibana-dashboards:
We recommend our SOC Alerts interface.
Hi everyone,
I'm new to Security Onion and recently set up a distributed deployment with receiver, manager, search, and sensor nodes. I’ve been trying to understand how to effectively monitor alerts and troubleshoot some issues. I have a few questions I hope someone can help with:
Where can I view the raw packet/message related to a triggered alert?
I want to dig into the raw data that triggered an alert. Where can I find that in Security Onion?
How do I verify if an alert is a false positive or true positive by using logs?
Is there a recommended way to correlate alerts with log data to validate them?
Kibana Error: "Application not found" when clicking "Show Logs Explorer"

In the Kibana "Observability" section, I see a "Show logs explorer" option, but clicking it gives an "Application not found" error.
Has anyone else faced this? How do I fix it?
Can someone explain a simple workflow for monitoring alerts in Security Onion?
Like, what tabs/tools should I regularly use to keep an eye on alerts?
Can we customize dashboards in Kibana or other parts of Security Onion?
I’d like to tailor dashboards to show exactly what I need—are customizations supported?
Which interface is best to use for monitoring alerts?
Should I focus on the “Alerts” tab, “Dashboards,” “Hunt,” or “Kibana”? Which one gives the most useful view for ongoing monitoring?
Thanks in advance for any help or suggestions! I’m eager to learn and get this setup working effectively.