Fleet Node Integration? #11893
We are preparing to move our environment over to SO 2.4. I would like to take advantage of the fleet node for this deployment, so that we can collect logs directly from within certain networks without having to route them to the manager. Unfortunately, during the setup of the fleet standalone node, it only prompted to configure a single interface, which is the management interface. There are 2 more interfaces on this node but they are "blank" (no IP config applied). I don't see anything in the documentation about dropping an interface on another network for the collection of logs and such or how to configure those interfaces or the firewall for them using either so commands or the new admin config interface of the web gui. I'm concerned about just manually editing anything on a security onion node without a better understanding of how it is supposed to be managed. What's the appropriate strategy for this? We deployed the SO "back-end" nodes (manager/search/receivers) on a different network this time, operating on the assumption that we could use a Fleet Standalone node in a similar manner as the way a forward node is deployed to monitor traffic on a different network (we have 4 forward nodes in this new deployment all working great). Thanks for any help with this!
Replies: 2 comments 2 replies
You should be fine to manually IP those NICs. Just need to make sure that those networks can resolve + reach the Fleet Server URLs.
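The reply above boils down to two steps: give the spare NIC an address, then confirm that the fleet server URL resolves and is reachable from that network. The following script is an added example, not code from the thread or from Security Onion; the interface name, addresses and fleet URL are constructed placeholders, and the default port 8220 is assumed to be the Elastic Fleet Server port used by the grid. Rocky Linux manages interfaces with NetworkManager, so the configuration step is expressed as nmcli commands that are printed for review rather than executed.

```shell
#!/usr/bin/env bash
# Added example (not from the discussion): configure a second NIC on a
# Rocky Linux based fleet node and verify the Fleet Server URL from it.
# All interface names, addresses and hostnames below are constructed.

# Split "https://host:port" or "https://host" into "host port".
# Port 8220 is assumed as the Elastic Fleet Server default when none is given.
fleet_host_port() {
  url="$1"
  rest="${url#*://}"          # strip the scheme
  rest="${rest%%/*}"          # strip any path component
  if [ "${rest#*:}" != "$rest" ]; then
    host="${rest%%:*}"; port="${rest##*:}"
  else
    host="$rest"; port=8220
  fi
  printf '%s %s\n' "$host" "$port"
}

# Emit the nmcli commands that would assign a static IPv4 address to a NIC.
# They are printed, not run, so the change can be reviewed before touching
# a node that Security Onion otherwise manages.
nmcli_static_cmds() {
  ifname="$1"; cidr="$2"; gw="$3"; dns="$4"
  printf 'nmcli con add type ethernet con-name %s ifname %s ipv4.method manual ipv4.addresses %s ipv4.gateway %s ipv4.dns %s\n' \
    "$ifname" "$ifname" "$cidr" "$gw" "$dns"
  printf 'nmcli con up %s\n' "$ifname"
}

# Check that the fleet host resolves and accepts a TCP handshake on its port.
# Returns 0 on success, 1 when DNS fails, 2 when the TCP connection fails.
check_fleet_url() {
  set -- $(fleet_host_port "$1")
  host="$1"; port="$2"
  if ! getent hosts "$host" >/dev/null 2>&1; then
    echo "DNS: cannot resolve $host from this network"; return 1
  fi
  # bash's /dev/tcp does a plain connect; enough to prove the path is open
  if ! timeout 5 bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null; then
    echo "TCP: cannot reach $host:$port (route or firewall)"; return 2
  fi
  echo "OK: $host:$port resolves and accepts connections"
}

# Usage on the node (constructed values):
#   nmcli_static_cmds ens224 10.20.30.50/24 10.20.30.1 10.20.30.2
#   check_fleet_url https://fleet.example.internal:8220
```

Run the printed nmcli commands only after confirming the interface name with `nmcli device status`; the check function is what an agent on that network will effectively do at enrollment time, so a DNS or TCP failure here is the first thing to fix before regenerating the installer.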
Thanks Defensivedepth! Learn Rocky Linux Networking: https://docs.rockylinux.org/guides/network/basic_network_configuration/ Testing... Now... When I change the fleet server hosts to the URLs needed to hit those interfaces, it keeps reverting back to the original grid defaults. I'm sure I'm supposed to be editing this somewhere else, but I can't find where in the docs. I need the Agent to deploy with the correct list.
Yes, those settings are managed by Security Onion. You can add custom FQDNs:
https://docs.securityonion.net/en/2.4/elastic-fleet.html#custom-fqdn-url
Custom FQDNs will be added to that list and the agent installer will be regenerated.