Distributed Deployment | How to differentiate different host with identical IP address coming from different Forward Nodes

[HBW77777]

Version

2.4.20

Installation Method

Security Onion ISO image

Description

other (please provide detail below)

Installation Type

Distributed

Location

on-prem with Internet access

Hardware Specs

Meets minimum requirements

CPU

8

RAM

32

Storage for /

1T

Storage for /nsm

80%

Network Traffic Collection

span port

Network Traffic Speeds

Less than 1Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

No, there are no failures

Logs

No, there are no additional clues

Detail

Hi
I have a distributed deployment with the intent of having multiple Forward Nodes (in different offices). The challenge that I have is that most of the offices utilizes same RFC1918 address space (192.168.X.X/24).

How can I differentiate which host(s) are coming from which office (or Forward Nodes) from the perspective of SecOnion Kibana page?

Guidelines

• I have read the above statement and can confirm my post is relevant to Security Onion 2.4.

[ross-tsc]

The events coming from different forward nodes will be tagged up as such in kibana/SO. In the 'host.name' field, events from forward node A will have 'forward node A' and so on. On the 'Alerts' page you can also filter by sensor etc.