Standalone setup with multiple sensors


Chad

Jul 22, 2019, 9:40:30 AM
to security-onion
Hello,

Does anyone know if it is possible to configure Security Onion to monitor multiple sensors in a standalone system? I configured both sensors during the network setup, but during the second part of the setup I am only able to choose one sensor. Subsequently, I only have one sensor in the so-status:

Status: securityonion
* sguil server [ OK ]
Status: HIDS
* ossec_agent (sguil) [ OK ]
Status: Bro
Name Type Host Status Pid Started
bro standalone localhost running 1336 22 Jul 13:33:33
Status: eit-so2-enp0s31f6
* netsniff-ng (full packet data) [ OK ]
* pcap_agent (sguil) [ OK ]
* snort_agent-1 (sguil) [ OK ]
* snort-1 (alert data) [ OK ]
* barnyard2-1 (spooler, unified2 format) [ OK ]
Status: Elastic stack
* so-elasticsearch [ OK ]
* so-logstash [ OK ]
* so-kibana [ OK ]
* so-freqserver [ OK ]
* so-domainstats [ OK ]
* so-curator [ OK ]
* so-elastalert [ OK ]
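
A small check a defender can run over so-status output like the listing above (an added example written for this thread, not code from the Security Onion project): it parses the "Status:" sections, lists which sniffing-interface sections are present, and reports any expected interface that is missing or any component that is not OK. The sample text is constructed from the output above, with so-logstash changed to FAIL and a second interface name "enp0s31f7" assumed purely for illustration.

```python
import re
from typing import Dict, List

# Constructed sample: the so-status output from the thread, with one
# sensor section (eit-so2-enp0s31f6) and so-logstash set to FAIL for the demo.
SAMPLE_STATUS = """\
Status: securityonion
* sguil server [ OK ]
Status: HIDS
* ossec_agent (sguil) [ OK ]
Status: Bro
Name Type Host Status Pid Started
bro standalone localhost running 1336 22 Jul 13:33:33
Status: eit-so2-enp0s31f6
* netsniff-ng (full packet data) [ OK ]
* pcap_agent (sguil) [ OK ]
* snort-1 (alert data) [ OK ]
Status: Elastic stack
* so-elasticsearch [ OK ]
* so-logstash [ FAIL ]
"""

SECTION_RE = re.compile(r"^Status:\s+(.+?)\s*$")
COMPONENT_RE = re.compile(r"^\*\s+(.+?)\s+\[\s*(\w+)\s*\]\s*$")
# Sections so-status prints that are not per-interface sensor sections
NON_SENSOR_SECTIONS = {"securityonion", "HIDS", "Bro", "Elastic stack"}


def parse_so_status(text: str) -> Dict[str, Dict[str, str]]:
    """Map each 'Status:' section name to {component: state}."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        sec = SECTION_RE.match(line)
        if sec:
            current = sec.group(1)
            sections[current] = {}
            continue
        comp = COMPONENT_RE.match(line)
        if comp and current is not None:
            sections[current][comp.group(1)] = comp.group(2)
    return sections


def sensor_interfaces(sections: Dict[str, Dict[str, str]]) -> List[str]:
    """Sniffing-interface sections are everything that is not a fixed section."""
    return sorted(n for n in sections if n not in NON_SENSOR_SECTIONS)


def check_sensors(text: str, expected_ifaces: List[str]) -> List[str]:
    """Return findings: expected interfaces with no sensor section, non-OK components."""
    sections = parse_so_status(text)
    present = set(sensor_interfaces(sections))
    findings = [f"missing sensor section for interface {i}" for i in expected_ifaces if i not in present]
    for section, comps in sections.items():
        findings += [f"{section}: {c} is {s}" for c, s in comps.items() if s != "OK"]
    return findings
```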

Steven J

Jul 22, 2019, 10:14:49 AM
to securit...@googlegroups.com

Hi Chad,

If your goal is to record all events to the same database then I'll let someone more proficient guide you on setting up a Master to multiple sensor deployment.

On the other hand, if your goal is to be able to see the events from different sensors using Sguil, you could install the Analyst VM and point it to whichever sensor you wanted to examine.  This may be preferable if each of your sensors is located in different company premises where you would want to avoid cross contamination between the various db's.

https://github.com/Security-Onion-Solutions/security-onion/wiki/Analyst-VM



--
Follow Security Onion on Twitter!
https://twitter.com/securityonion
---
You received this message because you are subscribed to the Google Groups "security-onion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to security-onio...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/security-onion/c56df496-2530-442c-b549-d6989f579b9b%40googlegroups.com.

Chad

Jul 22, 2019, 10:34:09 AM
to security-onion
Thanks Steven,

My goal is to record events to the same database from two sensors in a standalone system and to get email alerts for two sensors.

Doug Burks

Jul 22, 2019, 10:58:52 AM
to securit...@googlegroups.com
Hi Chad,

It sounds like you chose Evaluation Mode, which is limited to configuring one sniffing interface.  If you instead choose Production Mode, then you should be able to configure multiple sniffing interfaces.

--
Doug Burks
CEO
Security Onion Solutions, LLC

Chad Langston

Jul 22, 2019, 11:00:10 AM
to securit...@googlegroups.com
Awesome! Thank you Doug!!
