Wazuh to Elastic Agent migration for SO 2.4

[KhorZL]

Version

2.4.30

Installation Method

Security Onion ISO image

Description

configuration

Installation Type

Distributed

Location

airgap

Hardware Specs

Exceeds minimum requirements

CPU

16

RAM

128

Storage for /

100

Storage for /nsm

12T

Network Traffic Collection

span port

Network Traffic Speeds

1Gbps to 10Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

No, there are no failures

Logs

No, there are no additional clues

Detail

I am migrating from my old SO 2.3 to the latest SO 2.4.30. Specifically, I'm working on the Sensor node migration.

Previously, Wazuh Agents would stream logs to the Wazuh Manager on the SO Sensor node. Thus, we only catered for one on-prem server that works for both HIDS and NIDS, and the individual endpoints do not have direct connection to the SO Manager. We currently do no have capacity to add another server to run a separate Elastic Fleet node.

With these limitations in mind, any advice on how we can proceed with the migration towards Elastic Agents? I understand that in the latest Security Onion, Elastic Agents on endpoints are designed to directly stream logs to the Manager. What should I do if this isn't possible, and only the Sensor node has direct connection to the Manager? Is it possible to forward Elastic logs through the Sensor?

A few ideas came to mind:

1. Run so-logstash on the Sensor and stream Elastic Agent logs through the SO Sensors and to the Manager.
2. Continue running so-wazuh on the new SO Sensor and write custom pipelines to ingest these logs into Elasticsearch.

Any advice / tips would be really appreciated! Thanks!

Guidelines

• I have read the above statement and can confirm my post is relevant to Security Onion 2.4.

[KhorZL]

Still no luck in figuring a way out. Any help?

For my sensor, I currently have an on-prem server with specs exceeding the minimum (12TB, 128GB RAM). This is because we are expecting high traffic volume from the endpoints in the network. On this server, I have a 10GB Dual Port NIC.

My question is:
Is there any way for me to run both Sensor+Fleet node on this server? Would virtualization work?

[defensivedepth]

The only nodes that run Elastic Fleet are the Manager & Fleet Node. The Fleet Node was designed for this specific situation. Forward nodes do not run Elastic Fleet.

There are a couple different setups that you could do:

• Forward Node + Fleet Node on-prem.
• Forward Node on-prem, Fleet Node/s hosted externally

How many endpoints on-prem that will have the Elastic Agent installed?

[defensivedepth]

To be clear: how much? Mbs/Gbs etc

[KhorZL]

We are looking at an average of 3-6.5Gbs

[TOoSmOotH]

Keep in mind the output of these nodes still need to connect to the manager or receiver nodes.

[KhorZL]

Hoping to get your advice on this @TOoSmOotH @defensivedepth

Would it be possible to install a Forward Node then docker pull the containers required for a Fleet Node?
Mainly:

• so-elastic-fleet
• so-logstash

Will this allow me to run both Forward and Fleet functions on the same server?

[defensivedepth]

Unfortunately it is not that simple. Elastic Fleet requires quite a bit more configuration than that.