
Streaming Reporting Data on OPNsense

In addition to being stored locally, reporting data can be transmitted to external systems for richer reporting and analytics. Examples of such systems include Zenarmor's recently implemented central reporting and third-party products such as SIEM, SOAR, XDR, and NDR platforms. You may easily stream reporting data to your organization's central reporting database or to your own external Elasticsearch and Syslog servers.

IMPORTANT NOTE

The Stream Reporting Data feature is not available in the Free and Home Editions. To benefit from the Stream Reporting Data feature, you must have either a SOHO or a Business Zenarmor subscription. For more information, see the plans & pricing.

tip

IPDR files are located in the /usr/local/sensei/output/active/temp folder. Examine them if you wish to integrate the information into a SIEM server.

Streaming Reporting Data to Central Database

For SSE and higher editions, organization reporting data is streamed by default to the central reporting database hosted in the cloud. Zenarmor allows you to disable this feature and store your reporting data only locally.

You may enable or disable streaming reporting data to central database functionality by following the next steps.

  1. Click Zenarmor on your OPNsense UI.

  2. Click Settings menu on the left-hand sidebar.

  3. Click Streaming Data menu under Reporting & Data.

  4. Switch the Streaming Reporting Data to your organization's central reporting database for consolidated reporting and analytics option on or off.


    Figure 1. Streaming Reporting Data

Streaming Reporting Data to External Elasticsearch

If you have an existing Elasticsearch database deployed on your network or in the cloud, you may stream your Zenarmor reporting data to that database server. If you selected the local database option during installation, streaming happens in addition to the local Elasticsearch database.

To start streaming your reporting data to an external Elasticsearch database, you may follow the next steps:

  1. Click Zenarmor on your OPNsense UI.

  2. Click Settings menu on the left-hand sidebar.

  3. Click Streaming Data menu under Reporting & Data.

  4. Click the Stream Reporting Data to External Elasticsearch toggle bar. This will open the Stream Reporting Data to External Elasticsearch configuration pane.

    Figure 2. Streaming Reporting Data to An External ECS Database

  5. Enter the External Elasticsearch URL.

  6. Type the username for your Elasticsearch database into the External Elasticsearch Username field.

  7. Type the password for your Elasticsearch database into the External Elasticsearch Password field.

  8. Click on the Save & Enable button. When reporting data is streamed externally, your data will be stored on both the local and remote Elasticsearch databases.

You can now update the external Elasticsearch database configuration by changing the options as needed and clicking on the Update button.


Figure 3. Updating External ECS Configuration

info

The Stream Reporting Data to External Elasticsearch feature allows you to keep a local copy of the reporting database while streaming to an external database if you installed a local Elasticsearch database during the installation of Zenarmor. If you decide to only use an external Elasticsearch database without keeping a local copy after the installation of Zenarmor, see how to configure Remote Elasticsearch Database after Installation.

info

Remote Elasticsearch database support is compatible with Elasticsearch versions 8.9.x through 8.17.1.
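Before entering the External Elasticsearch URL, Username and Password (steps 5 to 7 above), it is worth confirming from the OPNsense shell that the cluster actually answers with those credentials and that its version falls inside the 8.9.x to 8.17.1 range stated in the note. The script below is an added example, not Zenarmor's own code; the URL, username and password on the usage line are placeholders, and the supported range is copied from this page.

```shell
#!/bin/sh
# Added example, not Zenarmor's own code: verify reachability, credentials
# and version of an external Elasticsearch cluster before configuring it
# in the Streaming Data pane. Supported range taken from this page.
ES_MIN="8.9.0"    # lowest supported release
ES_MAX="8.17.1"   # highest supported release

# vercmp A B: prints -1, 0 or 1 for A<B, A=B, A>B, comparing numerically
# field by field so that 8.17.1 sorts after 8.9.0 (a plain string sort
# gets this wrong). Missing fields count as 0; suffixes such as
# "-SNAPSHOT" are ignored.
vercmp() {
    a="$1.0.0"; b="$2.0.0"; i=1
    while [ "$i" -le 3 ]; do
        x=${a%%.*}; a=${a#*.}; x=${x%%[!0-9]*}
        y=${b%%.*}; b=${b#*.}; y=${y%%[!0-9]*}
        [ "${x:-0}" -lt "${y:-0}" ] && { echo -1; return 0; }
        [ "${x:-0}" -gt "${y:-0}" ] && { echo 1; return 0; }
        i=$((i + 1))
    done
    echo 0
}

# es_version_supported V: succeeds only if ES_MIN <= V <= ES_MAX.
es_version_supported() {
    [ "$(vercmp "$1" "$ES_MIN")" -ge 0 ] && [ "$(vercmp "$1" "$ES_MAX")" -le 0 ]
}

# es_version_from_json: reads the cluster root document (GET /) on stdin
# and prints the value of version.number.
es_version_from_json() {
    sed -n 's/.*"number"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1
}

# check_external_es URL USER PASS: queries the root endpoint with the same
# values you will enter in the pane. TLS verification is left on (no -k),
# so an https:// URL must present a certificate the firewall trusts.
check_external_es() {
    json=$(curl -sSf -u "$2:$3" "$1/") || { echo "cannot reach $1 with those credentials"; return 1; }
    v=$(printf '%s\n' "$json" | es_version_from_json)
    if es_version_supported "$v"; then
        echo "Elasticsearch $v is within the supported range $ES_MIN to $ES_MAX"
    else
        echo "Elasticsearch ${v:-unknown} is outside the supported range $ES_MIN to $ES_MAX"; return 1
    fi
}

# Usage (placeholder values): sh es_check.sh https://es.example.internal:9200 zenarmor 'secret'
if [ "$#" -eq 3 ]; then check_external_es "$@"; fi
```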

Streaming Reporting Data to a Syslog Server

Your log data may be streamed to an external Syslog server for centralized reporting.

To stream Zenarmor reporting data to a Syslog server, you may follow the next steps:

  1. Click Zenarmor on your OPNsense UI.

  2. Click Settings menu on the left-hand sidebar.

  3. Click Streaming Data menu under Reporting & Data.

  4. Click Stream Reporting Data to Syslog toggle bar. This will open Stream Reporting Data to Syslog configuration pane.


    Figure 4. Streaming Reporting Data to Syslog

  5. Enter the Syslog Server IP address in Stream Reporting Data to Syslog pane.

  6. Enter the Syslog Server Port (the default port is 514).

  7. Select the Protocol to use for streaming data, which can be either TCP or UDP.

  8. Finally, select the data which will be streamed to Syslog. The following options are available for Indexes:

    • Connections
    • Web
    • DNS
    • TLS
    • Alerts

  9. Click the Save & Enable button to start streaming to your Syslog server.

You can now update the Syslog server configuration by changing the options as needed and clicking on the Update button.


Figure 5. Updating Syslog Server Configuration

Here is a video that will guide you through the Zenarmor® integration with Wazuh SIEM using Syslog:

Stop Streaming Reporting Data to a Syslog Server

You may easily stop streaming reporting data to your Syslog server by following the next steps:

  1. Click Zenarmor on your OPNsense UI.
  2. Click Settings menu on the left-hand sidebar.
  3. Click Streaming Data menu under Reporting & Data.
  4. Click Disable button in Stream Reporting Data to Syslog pane.