Security Onion + PFsense

Hello everyone,
Ive set up SO within a VM and installed using the iso. I can log in without issue see alerts, dashboards, etc.
On my pfsense, im running Suricata. I have the following settings enabled.

I have allowed my pfsense IP to send syslogs to security onion and running a tcpdump i see messages being received at least.

The problem is after generating some bad traffic i do not see any alerts coming up within my console. Traffic is blocked on pfsense but nothing within the Alerts tab.

syslog events are increasing so for sure syslogs are being sent to SO.

I am not sure that SO can parse the alert data from pfsense.

Gotcha. Just confused with the tool because i have the logs sent to SO , specifically i see the logs in Kibana. But at this point its no different than Graylog as all it is just my logs - parased.
I was hoping that the pcaps can be sent to SO and investigated that way unless im doing this wrong.

To get full ingestion you should be using a port tap and have SO listening on that tap.


What Tom said Tap North South , East West. Most run SO on separate box as opposed to VM.