Why Do We Need a Search Node in Distributed Deployment? Where Are Logs Stored?

[abcd123chamara]

Have some questions about the purpose and behaviour of search nodes in a distributed deployment of Security Onion:

1. Why is a search node needed in a distributed deployment?

• What is the specific role or benefit of having a search node separate from the manager?

2. Where are the logs stored in this setup?

• Are logs saved on the manager node or the search node?

3. Does log storage location change depending on hot or cold storage?

• For example, are hot logs stored in one place and cold logs in another?

I'm trying to better understand the architecture and how to manage log storage and search performance efficiently.

Thank you for your help!

[cm-ops]

Have you looked at https://docs.securityonion.net/en/2.4/architecture.html#distributed

If you are asking about Elastic data, that data is stored on any node in the grid running Elasticsearch and that has the data role.

For your third question, if you enable data tiers, then the phase of the datastream index will route to the node that has that data tier. For example, if you have a search node that has the role data_warm only then when the index rolls over to the warm phase, that data will move to the node with that role.