Newbie help? #12960
- Version: 2.4.60
- Installation Method: Security Onion ISO image
- Description: configuration
- Installation Type: Standalone
- Location: on-prem with Internet access
- Hardware Specs: Exceeds minimum requirements
- CPU: 8
- RAM: 32
- Storage for /: 293G
- Storage for /nsm: 720G
- Network Traffic Collection: span port
- Network Traffic Speeds: Less than 1Gbps
- Status: Yes, all services on all nodes are running OK
- Salt Status: No, there are no failures
- Logs: No, there are no additional clues

Detail

Hello,

The SPAN port first; it works plugged into another device and wiresharked, so that part is fine. I have it bridged from a physical port to the SO VM in Proxmox, and the port exists in Security Onion and is part of bond0, I believe. I have not tried to give it an IP address. I rather assumed that traffic would just populate into Security Onion, but no dice there. Poking around has not come up with anything to allow/capture/view all that traffic pouring in. I even tried stopping firewalld and iptables, just for fun, but nothing there either. Ideas/help would be welcome.

Second, the Cisco device. There's an integration for it, but it appears to require an agent; I wouldn't even know how to install it on a Cisco FTD box, and probably wouldn't want to. I can set the SO box as a syslog server, but without an agent to finish the integration, it does not appear to even listen on the port that I specified. Am I barking up the wrong tree here?

Thank you very much for reading.
Replies: 1 comment 1 reply
For the Proxmox side you likely need some additional configuration of the bridge or pass-through network interface: https://docs.securityonion.net/en/2.4/proxmox.html#nic

With the Cisco device you can set up the integration and use the existing Elastic Agent on your standalone deployment and add your integration: https://docs.securityonion.net/en/2.4/elastic-fleet.html#adding-an-integration

You can also set up your Cisco device to send logs over syslog and point it at your Security Onion box: https://docs.securityonion.net/en/2.4/syslog.html#syslog
For the Proxmox side you likely need some additional configuration of the bridge or pass-through network interface: https://docs.securityonion.net/en/2.4/proxmox.html#nic

While you're testing to see whether the traffic is reaching your bond0 interface you can run

```bash
tcpdump -i bond0
```

That will show you what traffic is getting to the bond0 (monitor) interface for Security Onion.

With the Cisco device you can set up the integration and use the existing Elastic Agent on your standalone deployment and add your integration: https://docs.securityonion.net/en/2.4/elastic-fleet.html#adding-an-integration

You can also set up your Cisco device to send logs over syslog and point it at your Security Onion box: https://do…
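To bundle the checks suggested in this thread into one script, here is an added diagnostic (my own example, not Security Onion's tooling): it reports whether the monitor interface is up and promiscuous, how many frames a 10-second tcpdump sees on it, and whether anything is bound to the UDP syslog port you configured. It assumes root on the SO box with iproute2 (ip, ss), tcpdump and coreutils timeout installed; the interface and port defaults (bond0, 514) are assumptions.

```shell
#!/bin/sh
# Added diagnostic for the two symptoms in this thread; not part of Security
# Onion. Assumes root on the SO box with iproute2 (ip, ss), tcpdump and
# coreutils `timeout`. Defaults (assumed): interface bond0, syslog udp/514.

# Given one line of `ip -o link show <iface>`, succeed only if the interface
# carries both the UP and PROMISC flags (a sniffer must see frames that are not
# addressed to the VM; a missing PROMISC usually points at the bridge/NIC setup).
iface_flags_ok() {
    flags=$(printf '%s\n' "$1" | sed -n 's/^[0-9]*: [^:]*: <\([^>]*\)>.*/\1/p')
    case ",$flags," in *,UP,*) ;; *) return 1 ;; esac
    case ",$flags," in *,PROMISC,*) return 0 ;; *) return 1 ;; esac
}

# Given the output of `ss -H -ulnp`, succeed if some socket is bound to the
# given UDP port (0.0.0.0:514, [::]:514 and *:514 all match).
syslog_listener() {
    printf '%s\n' "$2" | awk -v p="$1" '
        $1 == "UNCONN" { n = split($4, a, ":"); if (a[n] == p) found = 1 }
        END { exit found ? 0 : 1 }'
}

# Count packets tcpdump reports on the interface within 10 seconds (capped at
# 20). Zero means the SPAN feed is not reaching the VM at all.
packets_seen() {
    timeout 10 tcpdump -nn -i "$1" -c 20 2>/dev/null | wc -l | tr -d ' '
}

run_checks() {
    iface=${1:-bond0}; port=${2:-514}
    [ "$(id -u)" -eq 0 ] || { echo "FAIL: run as root (tcpdump/ss -p need it)"; return 1; }
    if ! line=$(ip -o link show "$iface" 2>/dev/null); then
        echo "FAIL: interface $iface does not exist"; return 1
    fi
    if iface_flags_ok "$line"; then echo "OK:   $iface is UP and PROMISC"
    else echo "WARN: $iface is not UP+PROMISC: $line"; fi
    echo "INFO: $(packets_seen "$iface") packet(s) seen on $iface in 10s"
    if syslog_listener "$port" "$(ss -H -ulnp)"; then echo "OK:   udp/$port has a listener"
    else echo "WARN: nothing bound to udp/$port; add the syslog/Cisco integration first"; fi
}

# Live checks only run when invoked with arguments, e.g.: sh so-check.sh bond0 514
if [ $# -gt 0 ]; then run_checks "$@"; fi
```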