Questions About Forward Node (Sensor Node) and Receiver Node in Security Onion #14096
Replies: 1 comment
A forward node is a network sensor -- it watches live network traffic, generates logs from services like Suricata, Zeek, and Strelka, writes those logs to disk, and then sends them to a Manager. A receiver node is a secondary path for accepting and ingesting logs -- if you deploy one, the forward nodes in your environment will split the logs that they're sending between your manager and the receiver nodes. If you want to collect logs from endpoints using Elastic Agent, you'll need to send them to a manager, fleet, or receiver node; a forward node cannot accept the incoming connection.
Hi everyone,
I am currently working with a distributed Security Onion setup and have gone through the documentation, but I still have some questions and need clarification on the following:
I would appreciate detailed explanations or examples to help clarify these concepts and their practical applications beyond what is mentioned in the documentation.
Thanks in advance for your guidance!