AWS Load Balancer (LB) Health Checks Failing

[DoughnutPeach]

Version

2.4.30

Installation Method

Security Onion ISO image

Description

configuration

Installation Type

Distributed

Location

cloud

Hardware Specs

Exceeds minimum requirements

CPU

32

RAM

16

Storage for /

100GB

Storage for /nsm

300GB

Network Traffic Collection

tap

Network Traffic Speeds

1Gbps to 10Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

Yes, there are salt failures (please provide detail below)

Logs

Yes, there are additional clues in /opt/so/log/ (please provide detail below)

Detail

I have successfully deployed my distributed grid (on AWS). Everything works fine in my testing - I duplicated network traffic mirror sessions and targetted my Forward Node's Sniffing ENI directly.

For production, I would like to deploy my Forward Node behind an AWS Network Load Balancer. Is there any Wiki or README on how to do this?

I have tried 2 ways:

1. Defining my target group by instance (Forward Node EC2) - This can't work because it only allows me to select my management interface (the primary NIC).
2. Defining my target group by ENI network interface (here I used the sniffing interface) - This fails the health checks required by the Network Load Balancer.

Wondering if anyone has managed to make this work? Thanks in advance!

Guidelines

• I have read the above statement and can confirm my post is relevant to Security Onion 2.4.

[DoughnutPeach]

Update :

Seems like targeting by ENI (sniffing interface) will fail the health check BUT the logs are still appearing in Elasticsearch and NSM alerts are being triggered.

Is this appropriate behaviour?

Also, is there anyway to forcefully pass the health check? I've tried spinning up a temporary HTTP server on port 80, with LB health check on TCP/80, but it is still failing.

Ideally I would like to both pass the health check and get the traffic in. Any help?

[InfosecGoon]

This has worked in the past for getting those AWS load balancer health checks to work:

Copy /opt/so/saltstack/default/salt/nginx/etc/nginx.conf to /opt/so/saltstack/local/salt/nginx/etc/nginx.conf, then update with this additional stanza, putting the server's local IP address in the appropriate spot:

(I tucked it in after line 91 between the 80 redirect and the 443 default server)

          server $SERVER_IP_GOES_HERE {
              listen 443 ssl http2;
              location /health {
                  access_log off;
                  add_header 'Content-Type' 'text/plain';
                  return 200 "healthy\n";
             }
         }

And flipped the url_base back to the fqdn. This allows the healthcheck to pass when hit on ip and then the ssl flow (+ redirects) can happen through the alb.