Forward Node vs Search Node vs Manager Node #11268
Replies: 1 comment
Was your initial test just a manager node and a forward node (but no search nodes)? If so, then please see this note at https://docs.securityonion.net/en/2.3/architecture.html#distributed:
If you have a manager node, one or more search nodes, and one or more forward nodes, where exactly are you checking for data from the forward node? Have you checked SOC Alerts (https://docs.securityonion.net/en/2.3/alerts.html) to see if there are any NIDS alerts from Suricata? Have you checked SOC Dashboards (https://docs.securityonion.net/en/2.3/dashboards.html) to see if there is any network metadata (either from Zeek or Suricata)? Also take a look at this troubleshooting checklist as it may help:
Hello,
I am standing up Security Onion in my enterprise environment (Distributed) and I am definitely learning by trial by fire. I successfully set up a Management Node and am able to add Search Nodes and Forward Nodes to the grid, but despite seeing LOTS of traffic in tcpdumps, nothing is displaying in Kibana with the regular sensor (Forward Node). I did verify that a monitor port was configured to forward the proper traffic to the sensor interfaces on said node. Now, I set up a Search Node (with no monitor port from our core switch) and I see LOTS of traffic displaying in Kibana, but it's host-based and not network-based, which makes sense. Since I am learning as I go, I guess what I am looking for is what my proper setup for an enterprise environment should be. I assumed it would be one master node and the rest would be forward nodes (sensors) with span ports connected to each, but now I am wondering if I should use Search Nodes instead of Forward Nodes. Thoughts?