Which node type to use for a remote site with central Manager node? #13298
Version: 2.4.70
Installation Method: Security Onion ISO image
Description: configuration
Installation Type: Distributed
Location: on-prem with Internet access
Hardware Specs: Exceeds minimum requirements
CPU: 24
RAM: 192
Storage for /: 1 TB
Storage for /nsm: 40 TB
Network Traffic Collection: span port
Network Traffic Speeds: 1 Gbps to 10 Gbps
Status: Yes, all services on all nodes are running OK
Salt Status: No, there are no failures
Logs: No, there are no additional clues

Detail:
I'm looking for advice on which node type I should set up at a remote site connected via an IPSec tunnel and a secondary MPLS connection. My main site has a distributed setup with a Manager, Search and Forward node. I have a single physical server available to me at the remote site, and I'd like to capture logs from local servers as well as capture north/south network traffic for the remote site via a SPAN port. However, I do not want to effectively send all of the network traffic from the remote site back to the primary site in order to capture and analyze it in Security Onion. I've seen a few discussions from previous versions of Security Onion that touched on this a little bit, but nothing comprehensive. Any advice is appreciated. Thanks.
Replies: 1 comment 1 reply
If you build a forward node at the remote site, then it will consume traffic from the SPAN port and do the analysis itself. Full packet capture remains on the forward node. The only thing sent from the forward node to the manager is the Suricata alerts and Zeek metadata and this is a much smaller amount of data than the original network traffic. For more information, please see:
https://docs.securityonion.net/en/2.4/architecture.html#forward-node
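The bandwidth claim in the reply above (metadata is much smaller than the traffic it describes) can be checked against the forward node's own Zeek output before sizing the IPSec tunnel. The block below is an added example written for this thread, not Security Onion code. It parses Zeek conn.log records in JSON form (the format Security Onion's Zeek writes), sums the bytes each connection carried on the wire (orig_bytes + resp_bytes) and compares that with the size of the log lines the forward node would ship to the manager. The four records are constructed for illustration; the field names follow Zeek's conn.log. Assumptions: only conn.log is counted (Suricata alerts and the other Zeek logs add to the shipped volume), the shipped size is the raw line with no transport compression or Elastic Agent enrichment, and Zeek's byte counters exclude packet headers, so the real SPAN volume is somewhat larger than "captured_bytes".

```python
"""Estimate what a forward node ships to the manager versus what it captured.

Added example for this discussion, not part of Security Onion. Input is Zeek
conn.log in JSON form, one record per line. The sample records are constructed.
"""
import json

# Constructed sample conn.log: an HTTPS download, a DNS lookup, an SMB file
# transfer and an unanswered TCP SYN (conn_state S0, zero bytes both ways).
SAMPLE_CONN_LOG = """\
{"ts":1700000000.1,"uid":"Cabc1","id.orig_h":"10.10.1.5","id.orig_p":51234,"id.resp_h":"93.184.216.34","id.resp_p":443,"proto":"tcp","service":"ssl","duration":12.3,"orig_bytes":2450,"resp_bytes":1843200,"conn_state":"SF"}
{"ts":1700000001.2,"uid":"Cdef2","id.orig_h":"10.10.1.5","id.orig_p":40211,"id.resp_h":"10.10.1.1","id.resp_p":53,"proto":"udp","service":"dns","duration":0.02,"orig_bytes":40,"resp_bytes":56,"conn_state":"SF"}
{"ts":1700000002.7,"uid":"Cghi3","id.orig_h":"10.10.1.9","id.orig_p":49822,"id.resp_h":"10.10.1.20","id.resp_p":445,"proto":"tcp","service":"smb","duration":4.8,"orig_bytes":524288,"resp_bytes":31244,"conn_state":"SF"}
{"ts":1700000003.0,"uid":"Cjkl4","id.orig_h":"172.16.5.77","id.orig_p":33011,"id.resp_h":"10.10.1.9","id.resp_p":3389,"proto":"tcp","duration":3.0,"orig_bytes":0,"resp_bytes":0,"conn_state":"S0"}
"""


def parse_conn_log(text):
    """Yield (record, line_bytes) per JSON record, skipping blank and '#' lines.

    line_bytes is what the forward node would ship for that record: the
    serialized line plus its newline (assumption: no compression).
    """
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        yield json.loads(line), len(line.encode("utf-8")) + 1


def wire_bytes(record):
    """Payload bytes the connection carried in both directions.

    Zeek omits unset fields in JSON output, so a missing counter counts as 0.
    """
    return int(record.get("orig_bytes") or 0) + int(record.get("resp_bytes") or 0)


def summarize(text):
    """Compare captured wire bytes with shipped log bytes over a conn.log."""
    captured = shipped = connections = 0
    metadata_heavier = []  # connections whose log line is larger than the flow
    for record, line_bytes in parse_conn_log(text):
        connections += 1
        wire = wire_bytes(record)
        captured += wire
        shipped += line_bytes
        if line_bytes > wire:
            metadata_heavier.append(record["uid"])
    return {
        "connections": connections,
        "captured_bytes": captured,
        "shipped_bytes": shipped,
        # How many bytes of traffic each shipped byte describes.
        "reduction": captured / shipped if shipped else 0.0,
        "metadata_heavier": metadata_heavier,
    }


if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_CONN_LOG), indent=2))
```

The "metadata_heavier" list is the caveat worth knowing when planning the tunnel: a conn.log line is a roughly fixed couple of hundred bytes regardless of how big the flow was, so the overall reduction is driven by the average flow size on the SPAN. A site dominated by large transfers sees a reduction in the thousands; a site dominated by DNS, scans and other tiny flows ships metadata that can exceed the traffic it describes, and the uplink should be sized from a real conn.log sample rather than from the SPAN bit rate.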