How to Save Logs from Different Forward Nodes Separately in Security Onion

[SankaGamage]

Hi everyone,

I am currently working with a distributed Security Onion setup and have multiple forward nodes (sensor nodes) sending logs to a central manager/search node. I want to know:

1. How can I save logs from different forward nodes separately in Security Onion?

• Can the system be configured to store logs from each forward node in distinct locations?
• If yes, what steps or configurations are required to achieve this?

2. How does Security Onion handle logs from multiple forward nodes by default?

• Are they merged into a single location or index, or is there some form of separation?
• Any guidance, configuration examples, or best practices would be greatly appreciated!

Thanks in advance for your help!

[InfosecGoon]

By default, data coming from multiple Forward Nodes is intermingled in the same Elasticsearch indices on the back end.

Can you expand on your use case a little? Why do you want to store these logs separately?

[SankaGamage]

By default, data coming from multiple Forward Nodes is intermingled in the same Elasticsearch indices on the back end.

Can you expand on your use case a little? Why do you want to store these logs separately?

Thank you for your response!

My use case is to collect logs from two different clients into one Security Onion setup but store them in separate locations. To achieve this, I planned to install two forward nodes at the clients’ respective locations and send the logs to the manager/search node.

However, if you know of any other method to collect logs from different clients in the same Security Onion setup while keeping them stored separately, I would really appreciate it.

Thank you for your guidance!