I am working through the setup for SO 2.3 using VBox prototyping in anticipation of the EOL for 16.4. I have been previously using a single standalone 16.4 box on our SOHO network, and recently added a remote network connected via IPSEC.
I am able to send remote network syslog data via the IPSEC, but it cannot get through to the SO box, even though pings pass through the network to SO and the so-allow opens connections to SO from the remote network.
As a workaround, I set remote syslogs to get repackaged at the firewall (a pfSense box) on the subnet where SO resides using syslog-ng. However, useful data for distinguishing the origin and service, such as firewall events, kernel information and snort warnings, is embedded in the repackaging and does not parse properly in the SO Kibana interface. Everything shows up as coming from the IPSEC remote gateway, with the unparsed packet detail only available in the pcap.
I am assuming that I need to set up a sensor on the remote network to process content to the manager node, but I have a small network that is easily handled by my current SO box with 32 GB RAM and 1 TB RAID storage for /nsm files. I do not want to have a separate manager and sensing node on the main SOHO network. Is there a configuration in SO 2.3 whereby a standalone deployment can have a remote sensor added?
Thanks
P
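The repackaging symptom described in the post (every event attributed to the relay, with the original host and program buried in the message body) can be reproduced and undone on constructed data. The following is an added example, not code from the thread or from the Security Onion project. It assumes the tunnel-side relay wraps each original RFC 3164 frame verbatim inside a second RFC 3164 header; the hostnames (fw-remote, vpn-gw, fw-local), addresses and alert text are made up for the demonstration.

```python
"""Parse RFC 3164 syslog lines, including ones a relay has re-wrapped in a second header."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# <PRI>TIMESTAMP HOST TAG[PID]: MSG  (classic RFC 3164 layout)
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: ?"
    r"(?P<msg>.*)$"
)


@dataclass
class SyslogEvent:
    facility: int
    severity: int
    timestamp: str
    host: str
    program: str
    pid: Optional[int]
    message: str
    relay_host: Optional[str] = None  # outer header's host when the line was relay-wrapped


def parse_header(line: str) -> Optional[SyslogEvent]:
    """Parse one RFC 3164 line; return None if it does not start with a valid header."""
    m = HEADER_RE.match(line)
    if m is None:
        return None
    pri = int(m["pri"])
    if pri > 191:  # facility 0-23, severity 0-7
        return None
    return SyslogEvent(
        facility=pri >> 3,
        severity=pri & 7,
        timestamp=m["ts"],
        host=m["host"],
        program=m["tag"],
        pid=int(m["pid"]) if m["pid"] else None,
        message=m["msg"],
    )


def unwrap(line: str) -> Optional[SyslogEvent]:
    """Parse a line and, if its MSG is itself a complete syslog frame, return the inner event."""
    outer = parse_header(line)
    if outer is None:
        return None
    inner = parse_header(outer.message)
    if inner is None:
        return outer  # ordinary line, nothing to unwrap
    inner.relay_host = outer.host  # remember which relay re-wrapped it
    return inner


def origin_counts(lines, unwrap_relay: bool) -> Counter:
    """Count events per (host, program), with or without relay unwrapping."""
    counts = Counter()
    for line in lines:
        ev = unwrap(line) if unwrap_relay else parse_header(line)
        if ev is not None:
            counts[(ev.host, ev.program)] += 1
    return counts


# Constructed sample lines (not captured from a real network): three events from a
# remote pfSense box ("fw-remote") as they arrive after the tunnel-side relay
# ("vpn-gw") has wrapped each original frame in its own header, plus one direct line.
SAMPLE_LINES = [
    "<13>Mar  5 12:00:02 vpn-gw syslog-ng[1234]: <134>Mar  5 12:00:01 fw-remote filterlog: "
    "5,,,1000000103,igb0,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,10.0.2.5,192.168.1.20,51000,22,0,S",
    "<13>Mar  5 12:00:03 vpn-gw syslog-ng[1234]: <36>Mar  5 12:00:02 fw-remote snort[4321]: "
    "[1:1000001:1] constructed test alert [Priority: 3] {TCP} 10.0.2.5:51000 -> 192.168.1.20:22",
    "<13>Mar  5 12:00:04 vpn-gw syslog-ng[1234]: <4>Mar  5 12:00:03 fw-remote kernel: "
    "igb0: link state changed to UP",
    "<134>Mar  5 12:00:05 fw-local filterlog: "
    "5,,,1000000104,igb1,match,pass,out,4,0x0,,64,0,0,DF,17,udp,76,192.168.1.20,8.8.8.8,40000,53",
]

if __name__ == "__main__":
    print("as received:", dict(origin_counts(SAMPLE_LINES, unwrap_relay=False)))
    print("unwrapped  :", dict(origin_counts(SAMPLE_LINES, unwrap_relay=True)))
    for line in SAMPLE_LINES[:3]:
        ev = unwrap(line)
        print(f"{ev.host}/{ev.program} via {ev.relay_host}: {ev.message[:40]}")
```

Without unwrapping, the three relayed events all count against vpn-gw/syslog-ng, which is exactly the "everything shows up as coming from the remote gateway" view; after unwrapping they are attributed to fw-remote with the original program (filterlog, snort, kernel) and PRI restored, and the relay is kept as a separate field rather than lost.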
--
Please keep in mind that Security Onion 16.04 reaches End Of Life soon!
https://blog.securityonion.net/2020/10/6-month-eol-notice-for-security-onion.html