Connecting sensors to multiple servers (at least 2)


Ludwig Goon

Sep 20, 2014, 8:38:48 AM
to securit...@googlegroups.com
At the Security Onion conference and talking with Doug and company, I mentioned that we would like to have sensors send data to at least two servers. Doug mentioned that most data we could duplicate via syslog-ng (over encrypted tunnel, right?); however, Squert would not necessarily work since it can do high availability database configurations.

Let's assume we could live without Squert: any thoughts/processes on configuring sensors to connect with two servers? Let's assume they are in two different data centers? One in Washington DC and one somewhere in Utah.

Doug Burks

Sep 22, 2014, 10:06:07 AM
to securit...@googlegroups.com
Hi Ludwig,

On a sensor, you would do something like the following:
- duplicate the existing autossh tunnel but point it to your secondary
server and have it forward a port for syslog
- edit /etc/syslog-ng/syslog-ng.conf and add another destination that
would send the logs to the syslog listener on the other end of the
autossh tunnel
- restart syslog-ng

--
Doug Burks
Need Security Onion Training or Commercial Support?
http://securityonionsolutions.com
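
The three steps in the reply above, sketched as an added example that is not part of the original post and is not Security Onion's own tooling. The host name, account, ports, the source name `s_syslog` and the destination name `d_secondary` are all assumptions; substitute the values from your own sensor's autossh setup and syslog-ng.conf.

```shell
#!/bin/sh
# Added example. Every value below is a constructed placeholder,
# not a Security Onion default.
SECONDARY_HOST="secondary.example.com"  # hypothetical secondary server
SSH_USER="sensor"                       # hypothetical tunnel account
LOCAL_PORT=5514                         # loopback port on the sensor (assumed free)
REMOTE_PORT=514                         # assumed TCP syslog listener on the secondary
SRC_NAME="s_syslog"                     # assumed name of an existing syslog-ng source

# Step 1: print the autossh command for the second tunnel.
# -L binds the forward to 127.0.0.1 so only local processes can use it;
# ExitOnForwardFailure makes ssh exit (and autossh retry) if the port
# cannot be forwarded, instead of leaving a tunnel that forwards nothing.
tunnel_cmd() {
    printf 'autossh -M 0 -f -N -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -o ExitOnForwardFailure=yes -L 127.0.0.1:%s:127.0.0.1:%s %s@%s\n' \
        "$LOCAL_PORT" "$REMOTE_PORT" "$SSH_USER" "$SECONDARY_HOST"
}

# Step 2: append the extra destination and log path to the given config.
# Idempotent: a second run leaves the file unchanged.
add_secondary_destination() {
    conf="$1"
    if grep -q 'destination d_secondary' "$conf"; then
        return 0
    fi
    cp -p "$conf" "$conf.bak"           # keep a copy to roll back to
    cat >> "$conf" <<EOF

# Secondary server, reached only through the local end of the SSH tunnel
destination d_secondary { tcp("127.0.0.1" port(${LOCAL_PORT})); };
log { source(${SRC_NAME}); destination(d_secondary); };
EOF
}

# Step 3, on a real sensor (run as root; shown as comments so that
# sourcing this file changes nothing):
#   $(tunnel_cmd)
#   add_secondary_destination /etc/syslog-ng/syslog-ng.conf
#   syslog-ng --syntax-only && service syslog-ng restart
```

Because the destination points at 127.0.0.1, logs reach the secondary server only through the SSH tunnel; if the tunnel is down, syslog-ng cannot connect rather than falling back to an unencrypted path.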