Security Onion Clustering

Jason Close

Apr 15, 2015, 7:52:27 PM
to securit...@googlegroups.com
We are looking at Security Onion for NSM, but have more bandwidth than can be handled by a single box, so we will need to cluster SO across several boxes.

My questions are: are there any out-of-the-box clustering configurations that are done easily through the SO GUI? Are there preferred methods for clustering, such as setting up a master node, or is a distributed array of nodes preferred? What are the options for load balancing?

We want to know if this is something that can be done easily, or if we will end up needing to fine tune the tools from within SO. There is no 'cluster' documentation on the site, so it is hard to tell what the capabilities are, and the amount of configuration required. If I am just not seeing this documentation, please point me in the right direction.

Thanks.

Max Rogers

Apr 15, 2015, 8:25:07 PM
to securit...@googlegroups.com
Hey Jason,

Security Onion can be configured as a single standalone device that functions as a central server and a sensor OR it can be configured so that you have one central server and multiple sensors across your network. These sensors ship alert data and logs back to the central server. That way you only have to connect to the central server to review alerts, run queries across all your sensors, etc. 

When you run the Security Onion setup via the gui, you will have the option to set the machine up as either a "Server", "Sensor", or "Standalone". The easiest way to accomplish what you want to do is by creating one central server and then dispersing multiple sensors across your network at different points where you have SPAN/Tap capabilities. If you can't cover all parts of your network, you will most likely want to focus on covering your ingress/egress points first.

By deploying multiple sensors you aren't exactly "clustering" but you are dispersing the amount of traffic across multiple machines thus reducing the load.

-Max


--
You received this message because you are subscribed to the Google Groups "security-onion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to security-onio...@googlegroups.com.
To post to this group, send email to securit...@googlegroups.com.
Visit this group at http://groups.google.com/group/security-onion.
For more options, visit https://groups.google.com/d/optout.

Heine Lysemose

Apr 16, 2015, 2:25:49 AM
to securit...@googlegroups.com

Hi

I think the way you think about clustering can't be done by SecurityOnion...

What you could do is, as Max wrote, deploy multiple sensors around your network. If one sensor can't handle the amount of traffic, you can have a load balancer in front of some SecurityOnion sensors.

Regards,
Lysemose

Jason Close

Apr 16, 2015, 8:48:26 AM
to securit...@googlegroups.com
Thanks.

We currently do our share of load balancing across servers from our SPANs and taps, but that is done to dedicated boxes (dedicated as in a cluster running a specific piece of software).

We've done the balanced Bro cluster, where we are balancing by session data to Bro clusters, which then report back to the master. It sounds like that is what you are talking about.

We were wondering whether, when we set up this cluster (and how), SO not only configures Bro to be clustered, but other software as well. It's hard to drum up any documentation about what configuration changes are made when you use the Server/Sensor settings, and which software on SO that will affect.

Appreciate the reply.

Jas

Doug Burks

Apr 16, 2015, 9:02:49 AM
to securit...@googlegroups.com
Hi Jason,

Start with one Security Onion box, run Setup, choose Advanced Setup, and choose Master. This box will be a Master only, no sniffing. Then build your separate sensor boxes, choosing Advanced Setup, and then choosing Sensor. Sensors will check into the Master server. Then you use flow based load balancing to split your large traffic volume up amongst the sensors. When you log into Snorby/Squert/Sguil/ELSA, you will see alerts/logs from all sensors at once.

As far as Bro clustering, Advanced Setup puts Bro into cluster mode. Each sensor is its own Bro cluster by default (manager, proxy, and one or more Bro workers). All Bro logs go into the local ELSA database on the sensor itself, but when you log into the central ELSA web interface it queries all ELSA sensor databases in parallel, showing you all Bro logs across your entire deployment.
--
Doug Burks
Need Security Onion Training or Commercial Support?
http://securityonionsolutions.com
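The "flow based load balancing" Doug mentions is the piece that makes a multi-sensor deployment work: every packet of a given connection, in both directions, has to land on the same sensor, or the per-flow tools on that sensor (Bro, Snort/Suricata) see half a conversation and miss what they should alert on. The following is an added illustration of that property, not code from Security Onion or from anyone in this thread. It models a symmetric 5-tuple hash, which is the same idea a packet broker or a symmetric-RSS NIC implements in hardware, and runs on a constructed packet list (the `Packet` type, `SAMPLE` traffic, and the sensor count are all assumptions made for the example):

```python
"""Flow-based (symmetric 5-tuple hash) balancing of packets across N sensors.

Added example, not Security Onion's own code. It shows why both directions
of one flow must map to the same sensor box when traffic is split across
several sensors behind a single master.
"""
import hashlib
import ipaddress
from typing import NamedTuple


class Packet(NamedTuple):
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: int  # 6 = TCP, 17 = UDP


def flow_key(pkt: Packet) -> tuple:
    """Direction-independent 5-tuple.

    The two endpoints are sorted so that A->B and B->A give the same key;
    that symmetry is what keeps a whole conversation on one sensor.
    """
    a = (int(ipaddress.ip_address(pkt.src_ip)), pkt.src_port)
    b = (int(ipaddress.ip_address(pkt.dst_ip)), pkt.dst_port)
    lo, hi = sorted([a, b])
    return (pkt.proto, lo, hi)


def sensor_for(pkt: Packet, n_sensors: int) -> int:
    """Choose a sensor index in [0, n_sensors) from a stable hash of the flow.

    A stable digest is used instead of Python's per-process salted hash() so
    the mapping is identical across restarts and across balancer instances.
    """
    if n_sensors < 1:
        raise ValueError("need at least one sensor")
    digest = hashlib.sha256(repr(flow_key(pkt)).encode()).digest()
    return int.from_bytes(digest[:8], "big") % n_sensors


def balance(packets, n_sensors: int) -> dict:
    """Return {sensor_index: [packets]} for a packet sequence."""
    buckets = {i: [] for i in range(n_sensors)}
    for pkt in packets:
        buckets[sensor_for(pkt, n_sensors)].append(pkt)
    return buckets


def flows_are_whole(buckets: dict) -> bool:
    """True if no flow key appears on more than one sensor."""
    first_seen = {}
    for idx, pkts in buckets.items():
        for pkt in pkts:
            if first_seen.setdefault(flow_key(pkt), idx) != idx:
                return False
    return True


# Constructed sample traffic: both directions of three separate flows.
SAMPLE = [
    Packet("10.0.0.5", 51000, "93.184.216.34", 443, 6),
    Packet("93.184.216.34", 443, "10.0.0.5", 51000, 6),
    Packet("10.0.0.7", 53422, "8.8.8.8", 53, 17),
    Packet("8.8.8.8", 53, "10.0.0.7", 53422, 17),
    Packet("10.0.0.9", 40000, "192.0.2.10", 80, 6),
    Packet("192.0.2.10", 80, "10.0.0.9", 40000, 6),
]

if __name__ == "__main__":
    out = balance(SAMPLE, 3)
    for idx, pkts in out.items():
        print(f"sensor {idx}: {len(pkts)} packet(s)")
    print("flows intact:", flows_are_whole(out))
```

Note that a plain hash of the packet as sent (source first, destination second) would fail the `flows_are_whole` check as soon as the reply direction hashes differently; adding or removing a sensor also remaps a share of existing flows, which is why sensor counts are normally changed during a maintenance window rather than on live traffic.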

John Smith

Jun 10, 2019, 6:11:34 AM
to security-onion
Hi Doug,
As I am working in a very big company, I have a question: how can I build Security Onion in a cluster? Let's say I need to collect logs from 280 points across the world, and each endpoint sends around 1.5 Gb of data per day, so 1 master node and 280 sensors. How can I build Security Onion as a cluster when sending such a big volume of data?

Thanks.

Wes Lambert

Jun 10, 2019, 8:28:43 AM
to securit...@googlegroups.com
Hi John,

If these are Windows hosts, one option would be to use WEF (Windows Event Forwarding), have events forwarded to a central server or multiple dedicated servers, then install Winlogbeat or Wazuh on those dedicated servers to ship logs to the Security Onion master server. One thing to keep in mind would be the resources allocated for the server to handle the processing of agent communication/data. Some folks may assign a dedicated box or boxes for this function, depending on the number of agents.

Wazuh and Filebeat could also be used to ship events from non-Windows hosts, or non-Windows event type data.

If you are referring to the collection of network traffic and not directly picking up logs from hosts, then you can certainly have as many forward nodes as required. Without knowing actual throughput, required retention, and specific budgetary or hardware constraints, I can't give you an exact solution. It would be best to engage with Professional Services for that to ensure you have something that can be easily extended and manageable down the road.

Thanks,
Wes

--
Follow Security Onion on Twitter!
https://twitter.com/securityonion

