Distributed node flows in SecurityOnion 16.04

Pete

unread,

Dec 2, 2020, 10:53:35 AM12/2/20

to security-onion

Wes or Doug,

Could I please get a short description on how events, queries, and pcaps flow on the distributed architecture under Security Onion 16.04? Specifically, assuming there is a sensor-only node (that I believe still holds raw pcaps), and a master node where kibana/elastic (and logstash?) run.

Are events and logs forwarded from sensor to master right after going through syslog-ng, or after they're enriched by logstash on the sensor?

Assuming kibana runs on the master, how does capme work, as it would have to query elasticsearch on the master to find address/port info but then search pcap files on the sensor for matching packets?

How does autossh play into this, and for what traffic are the forwarding tunnels it sets up used?

I've been running all my nodes standalone so far, but need to offload ES/LS from one sensor that's heavily used onto another that is hardly used at all. I am ok with supporting myself as I go off-script, but am having trouble understanding what I see in sosetup... there's comments on what's being done but no explanation of why or what it's used for.

Thanks,

--

Pete

unread,

Dec 2, 2020, 2:00:58 PM12/2/20

to security-onion

Looking through https://github.com/Security-Onion-Solutions/security-onion/wiki/Elastic-Architecture#deployment-types I see the answer to the first one is that syslog-ng on the forward node sends to logstash on the master. I also see that autossh is used for a master node to query ES on a heavy node and for a forward node to send logs to logstash on a master node.

Still unclear to me is how capme works if kibana is running on the master but the pcap files are present on the forward node. I did see in sosetup that apache is not configured on forward nodes... I wasn't able to find info on that anywhere.

--

Pete

Wes Lambert

unread,

Dec 2, 2020, 2:10:12 PM12/2/20

to securit...@googlegroups.com

Hi Pete,

Have you had a look at the following?

https://docs.securityonion.net/en/16.04/architecture.html?highlight=data%20flow#detailed-data-flow-diagram

Thanks,

Wes

--
Follow Security Onion on Twitter!
https://twitter.com/securityonion
---
You received this message because you are subscribed to the Google Groups "security-onion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to security-onio...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/security-onion/aeb1415a-be70-4711-9e03-2c8ec0cfeb0fn%40googlegroups.com.

--

https://twitter.com/therealwlambert

https://securityonion.net/

Pete

unread,

Dec 4, 2020, 9:03:20 AM12/4/20

to security-onion

Wes,

Thank you. I overlooked that detailed map when I found that page previously.

Reply all

Reply to author

Forward