In a Security Onion Distributed Model, Where are Packet Captures Stored that are Taken by the Forward Node?

[BlueSkyGreenWater]

I'm trying to adequately size our environment's storage to accommodate plenty of saved network captures. But I can't figure out where packet captures are stored for a Distributed deployment (Forward Node, Manager Node, and Search Node).

It's not clear in the documentation if packet captures, performed via the Forward Node, are sent to the Search Node, via Filebeat, like all logs generated by other components running on the Forward Node (such as Suricata and Zeek). If I dig further into Stenographer, which buffers captured packets to disk, the documentation says Stenographer writes to /nsm/pcap/. But it doesn't say to which system it's writing to. Are packet captures written locally to /nsm/pcap/ on the Forward Node itself or are they sent to the Search Node and written to /nsm/pcap/ there?

https://docs.securityonion.net/en/2.3/architecture.html#distributed

https://docs.securityonion.net/en/2.3/stenographer.html#stenographer

Thanks in advance for your help!

[dougburks]

From https://docs.securityonion.net/en/2.4/hardware.html#forward-node-sensor:

A forward node runs sensor components only, and forwards metadata to the manager node. All PCAP stays local to the sensor, and is accessed through use of an agent.

I've updated https://docs.securityonion.net/en/2.4/architecture.html as follows:

A forward node forwards alerts and logs from Suricata and Zeek via Elastic Agent to Logstash on the manager node, where they are stored in Elasticsearch on the manager node or a search node (if the manager node has been configured to use a search node). Full packet capture recorded by Stenographer remains on the forward node itself.

[BlueSkyGreenWater]

Thank you Doug. That’s a big help!