Custom FTP Syslog and Alerts in SOC Console

[Wilks2222]

Hi,
I am fairly new to Security Onion, have years of experience in Arcishgt, Qradar and some logstash parsing. Anyway I just stood up a standalone instance of Security Onion and I am onboarding some syslogs from a custom FTP server. To do this I used so-allow ->syslog and configured it to accept logs 514 UDP. I can see the logs within Kibana and very little parsing is occuring. My quesiton is will actual Security Events show up in the Event SOC Console with only partial parsing? Will they even show up at all if I parse these logs? I gues my main ask is, is this the best way to get these logs to trigger potential Alerts in the SOC Console?

<14>Nov 21 18:40:13 TEST-FTP CrushFTP.log:POST|11/21/2022 18:40:12.498|[HTTPS:29741_60179:test_user:10.10.10.1] WROTE: HTTP/1.1 200 OK
<14>Nov 21 18:40:13 TEST-FTP CrushFTP.log:POST|11/21/2022 18:40:12.482|[HTTPS:29741_60128_4JS:test_user:10.10.10.1] READ: random:0.16804361943121893
<14>Nov 21 18:40:13 TEST-FTP CrushFTP.log:POST|11/21/2022 18:40:12.434|[HTTPS:29741_60128_4JS:test_user:10.10.10.1] READ: POST /WebInterface/function/ HTTP/1.1

Thanks

[dougburks]

Once you have parsed the logs, one option might be to use Playbook to define criteria for alerts:
https://docs.securityonion.net/en/2.3/playbook.html