Need a second Strelka backend

[petiepooo]

I have a standalone sensor that not only sees many files on the wire (that zeek extracts and strelka evaluates), but we're also using it to evaluate other files (eg. powershell scripts) received by syslog and dropped into the /nsm/strelka/unprocessed directory. As a result, the so-strelka-backend container's process is running at 100% and appears to be falling behind. It's a good problem to have.

Has anyone tried running a second backend container on Security Onion 2.3? Would it be as simple as duplicating the "strelka_backend" state by appending a "_2" or similar to the state's and container's names, and adding another line for it in so-status.conf? Or is there additional plumbing needed in one of the config files that I'm not seeing.

I'm not very familiar with setting up Strelka, but I know it's made to deploy as a cluster. I don't see where the other containers enumerate what backends are present; it looks like the backend nodes reach out to the coordinator to advertise that they're available...

[dougburks]

If your Strelka instance is analyzing the same file multiple times, then you might want to take a look at our upcoming 2.3.190 release as it includes a new de-duplication feature that should help lower the load:
#9034

[petiepooo]

I saw that, thank you. I expect that will help drop the load to the point I won't need a second backend.
It's also dumping so many files in the processed folder that so-sensor-clean is having troubles running to completion, but I'm managing that with a separate cron script.

[petiepooo]

In case anyone else needs this prior to improvements announced in v2.3.190, starting an additional backend file processing engine for Strelka on a standalone node is surprisingly easy. In /opt/so/saltstack/local/salt/strelka/ drop a file called backend2.sls with the following:

{% set MANAGER = salt['grains.get']('master') %}
{% set VERSION = salt['pillar.get']('global:soversion') %}
{% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %}

strelka_backend2:
  docker_container.running:
    - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-strelka-backend:{{ VERSION }}
    - binds:
      - /opt/so/conf/strelka/backend/:/etc/strelka/:ro
      - /opt/so/conf/strelka/rules/:/etc/yara/:ro
    - name: so-strelka-backend2
    - command: strelka-backend
    - restart_policy: on-failure

Then run "sudo salt-call state.apply strelka.backend2" to start it.

Note: it will not show up in so-status, and will not survive a reboot. It is also not managed by any of the so-strelka-* scripts. If you need to stop it, run "sudo docker stop so-strelka-backend2"