• Tested on standalone install of Security Onion, but should work using forward nodes, with filebeat.yml pointed to master server. Currently monitors /nsm/bro/extracted.

• wget https://raw.githubusercontent.com/weslambert/securityonion-strelka/master/install_strelka && sudo chmod +x install_strelka && sudo ./install_strelka

OR

Manually install using the following steps:

• Install Strelka
  git clone https://github.com/target/strelka.git /opt/strelka/
cd /opt/strelka/ && docker build -t so-strelka .

• Download Security Onion stuff
  cd ~ && git clone https://github.com/weslambert/securityonion-strelka.git

• Make dirs and set perms
  mkdir -p /var/log/strelka/ /etc/strelka
chown -R 1001:1001 /var/log/strelka /etc/strelka

• Strelka config files
  cp securityonion-strelka/etc/dirstream.yml /etc/strelka

• Copy Strelka Docker start/stop/restart/files
  cp securityonion-strelka/usr/sbin/so-* /usr/sbin/

• Install Filebeat
  curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-6.4.2-amd64.deb
dpkg -i filebeat-6.4.2-amd64.deb

• Copy filebeat.yml and modify to point to Logstash instance
  cp securityonion-strelka/etc/filebeat/filebeat.yml /etc/filebeat/

• Start Filebeat and enable at boot
  service filebeat start
systemctl enable filebeat.service

• If storage node or standalone, copy Logtash config files
  cp securityonion-strelka/etc/logstash/* /etc/logstash/custom/
so-logstash-restart

• Run Strelka
  so-strelka-start

View the logs:

In Kibana, navigate to Discover and type the following in the search field: tags:strelka

(May have to refresh field list under Management -> Index Patterns)