vcenter Stenographer Packet loss

[vvenom61991]

Hello,

I have a distributed sec deployment. One manager node, one search, and one sensor. I have it on a vsan and every time I run tcpreplay with more then 1gb I get 30% stenographer packet loss and 1.40% suricata packet loss. Does anyone know how I can fix this?

[dougburks]

I have a distributed sec deployment. One manager node, one search, and one sensor. I have it on a vsan

For best results, we typically recommend direct dedicated storage to avoid I/O contention (especially for processes like stenographer):
https://docs.securityonion.net/en/2.3/hardware.html#storage
https://docs.securityonion.net/en/2.3/best-practices.html#installation

every time I run tcpreplay with more then 1gb I get 30% stenographer packet loss and 1.40% suricata packet loss. Does anyone know how I can fix this?

Are you using tcpreplay to simulate your anticipated network traffic in production? If so, then just because you get packet loss during tcpreplay does not necessarily mean that you will get packet loss in production. This is highly dependent on several factors including the options you use for tcpreplay.

Also note that you may want or need to exclude specific traffic (like port 443) from Stenographer via bpf:
https://docs.securityonion.net/en/2.3/bpf.html