Security Onion 2.4 in a 3+ node VMware vCenter cluster #11646
Version: 2.4.20
Installation Method: Security Onion ISO image
Description: configuration
Installation Type: Standalone
Location: on-prem with Internet access
Hardware Specs: Exceeds minimum requirements
CPU: 6
RAM: 24
Storage for /: 250
Storage for /nsm: 250
Network Traffic Collection: span port
Network Traffic Speeds: 1Gbps to 10Gbps
Status: Yes, all services on all nodes are running OK
Salt Status: No, there are no failures
Logs: No, there are no additional clues

Detail:
I know that this is inherent in at least VMware vCenter systems with Distributed Switching, where you can't sniff or PCAP outside of the host that the machine doing the sniffing/PCAPing is on (even with promiscuous mode enabled on the port group). In the alerts in the SOC you only see systems from the host where the Security Onion VM resides. Has anyone found a way around this? Make X number of separate machines (X is the number of hosts you have) and pin them to each host with a VM/Host rule? Or something else altogether?
Replies: 1 comment
I installed it as a distributed deployment with a dedicated manager, one search node, and 3 forward nodes. I then created an affinity rule in vCenter to always keep the 3 forward node VMs on separate hosts. I tested it by using Nmap against 3 different VMs on 3 different hosts, and SO caught them all. So this is a way to set it up for those who want to use it in their vCenter environment.
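The setup described in the reply above, as an added PowerCLI example (this is not code from the original post or from the Security Onion project): it creates the VM-VM anti-affinity DRS rule that keeps the forward nodes on separate ESXi hosts, and then checks that every host in the cluster carries exactly one forward node, since a host without a sensor VM is a host whose traffic is never seen. The vCenter address (vcsa.example.local), cluster name (Prod-Cluster) and VM names (so-fwd-01 to so-fwd-03) are assumptions.

```powershell
# Added example, not from the original post. Assumed (hypothetical) names:
# vCenter vcsa.example.local, cluster Prod-Cluster, forward nodes so-fwd-*.
# Requires the VMware.PowerCLI module and DRS enabled on the cluster.
Import-Module VMware.PowerCLI
Connect-VIServer -Server 'vcsa.example.local'

$cluster = Get-Cluster -Name 'Prod-Cluster'
$sensors = Get-VM -Location $cluster -Name 'so-fwd-*'
$hosts   = Get-VMHost -Location $cluster

# One forward node per host is the whole point: fewer sensors than hosts
# means some hosts' VM-to-VM traffic never reaches any sensor.
if ($sensors.Count -ne $hosts.Count) {
    Write-Warning "$($sensors.Count) forward nodes for $($hosts.Count) hosts; some hosts will stay unmonitored."
}

# VM-VM anti-affinity rule: -KeepTogether $false tells DRS to keep these VMs apart.
New-DrsRule -Cluster $cluster -Name 'SO-forward-nodes-separate' `
            -Enabled $true -KeepTogether $false -VM $sensors

# Verify placement once DRS has acted (or after a manual vMotion):
# each host should list exactly one forward node.
Get-VM -Location $cluster -Name 'so-fwd-*' |
    Group-Object -Property { $_.VMHost.Name } |
    Select-Object @{n='Host'; e={ $_.Name }},
                  @{n='ForwardNodes'; e={ $_.Group.Name -join ',' }},
                  Count

# Flag hosts that have no forward node at all.
$covered = $sensors | ForEach-Object { $_.VMHost.Name }
$hosts | Where-Object { $covered -notcontains $_.Name } |
    ForEach-Object { Write-Warning "No Security Onion forward node on host $($_.Name)" }
```

A VM-VM anti-affinity rule is only honoured when DRS is enabled on the cluster, and a non-mandatory rule can still be violated if DRS cannot satisfy it (for example while a host is in maintenance mode), so re-run the placement check after host maintenance. The stricter alternative the original question mentions, a VM/Host "must run on" rule per sensor, pins each forward node to a named host and fails the VM over nowhere if that host is down; whether that is preferable depends on whether you would rather lose visibility on one host or have two sensors share a host during an outage.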