Monitoring network traffic from different vlan tags

[witekenea]

Version

2.4.100

Installation Method

Security Onion ISO image

Description

configuration

Installation Type

Distributed

Location

cloud

Hardware Specs

Exceeds minimum requirements

CPU

16

RAM

250

Storage for /

1TB

Storage for /nsm

500 Gb

Network Traffic Collection

tap

Network Traffic Speeds

1Gbps to 10Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

No, there are no failures

Logs

No, there are no additional clues

Detail

I have a Security Onion distributed deployment in a production cloud environment, with one manager node, one search node, and one sensor node. The sensor node currently has two NICs (one for the management interface and one for monitoring). My goal is to monitor all network traffic across multiple VLANs.

Environment Details:

The deployment is on a Proxmox setup with 5 nodes.

• Each node runs multiple VMs, and these VMs are connected to network interfaces with different VLAN tags.
• Security Onion is deployed on one of the Proxmox nodes.

My questions:
There are some VMS that i can install agents on and already did that, but for those VMS that i can't install agents on

• How can I monitor network traffic from different VLAN tags on my Security Onion sensor node?
• Can I attach multiple network interfaces with different VLAN tags (all of the VLAN tags that i have)to my sensor node and monitor traffic from all VLANs that way?
  I will appreciate anyone who can answer the above questions or tell me a different approach to make this work

Guidelines

• I have read the discussion guidelines at Read before posting! #1720 and assert that I have followed the guidelines.

[reyesj2]

Yes, you can add many interfaces to the sensor. Then you would run sudo so-monitor-add (on the sensor) to configure the sensor to start ingesting traffic from the additional interfaces. https://docs.securityonion.net/en/2.4/so-monitor-add.html#so-monitor-add