Hi CJ,
One limit to be aware of is Sguil. Since it's written in Tcl, it has
a limit of 1024 sockets, which will limit the number of Sguil agents
that can connect to the sguild process on the master server. Most
sensor boxes will be running at least 3 Sguil agents (ossec_agent,
pcap_agent, and snort_agent) and each of those agents will consume a
socket on sguild. So there's a maximum of about 340 sensors for one
master server. Also note that, if you're running multiple sniffing
interfaces per sensor box OR if you're running multiple instances of
snort per sniffing interface, then that will be more Sguil agents per
sensor box which will mean a lower number of sensor boxes per master
server.
--
Doug Burks