Help with Forward Node and SO-Elastic Agent Installation in Distributed Security Onion Setup

[SankaGamage]

Hi everyone,

I am currently working with a distributed Security Onion setup, where I have a manager/search node (a combined manager and search node) hosted on a server. I can access the web view using the server's IP address through a VPN. My goal is to collect logs from a separate office, using a forward node to send them to Security Onion.

I have some questions regarding this setup:

1. Can I send Elastic Agent logs to the forward node? According to the documentation, Elastic Agent logs cannot be sent directly to a forward node. However, how can we configure it so that logs from one office can still be sent to Security Onion?

2. I have installed a forward node at the client end, which is successfully connected to the manager/search node.

• How do I get the logs from the client’s laptop to Security Onion using the forward node?
• Do I need to configure the agent differently for this setup?
• When I send logs to the forward node, will they automatically be forwarded to the manager/search node? Or is there an additional configuration needed?

3. Are there other methods to send logs from the client end to the forward node? Can we use an agent or any alternative method to achieve this while keeping logs separated for Security Onion?

4. Where are the logs saved in Security Onion?

• Can I change the log storage location to keep logs from different sources stored separately? If yes, how can I configure this?

5. How can I connect my client devices to the forward node? My understanding is that if I use separate forward nodes, I can collect logs from different clients separately. Could you please guide me on how to achieve this connection?

Any guidance or suggestions on how to proceed with setting up and troubleshooting this process would be greatly appreciated.

Thanks!

[cm-ops]

Answers below.

Can I send Elastic Agent logs to the forward node? According to the documentation, Elastic Agent logs cannot be sent directly to a forward node. However, how can we configure it so that logs from one office can still be sent to Security Onion?
Elastic agent sends log to logstash https://docs.securityonion.net/en/2.4/elastic-agent.html This is either you manager node or a reciever node running Logstash.

How do I get the logs from the client’s laptop to Security Onion using the forward node?
If you are using the Elastic agent, they will go directly to the manager node's Logstash. If you can send syslog, you could enable the integration and send syslog to the sensor to forward to the manager, but they will only be parsed as syslog.

Do I need to configure the agent differently for this setup?
No.

When I send logs to the forward node, will they automatically be forwarded to the manager/search node? Or is there an additional configuration needed?
If you are using an integration that will need to be enabled in Fleet - https://docs.securityonion.net/en/2.4/third-party-integrations.html

Are there other methods to send logs from the client end to the forward node? Can we use an agent or any alternative method to achieve this while keeping logs separated for Security Onion?
https://docs.securityonion.net/en/2.4/third-party-integrations.html Ingerations, this will create a separate index for each logsource.

Where are the logs saved in Security Onion?
https://docs.securityonion.net/en/2.4/directory.html#directory Explains where the logs are kept in SO. Parsed logs are kept in an Elasticsearch index.

Can I change the log storage location to keep logs from different sources stored separately? If yes, how can I configure this?
Salt is configuring and managing specific directories and files for logs.

How can I connect my client devices to the forward node? My understanding is that if I use separate forward nodes, I can collect logs from different clients separately. Could you please guide me on how to achieve this connection?
This is a pretty good description on how a distributed architecture works. https://docs.securityonion.net/en/2.4/architecture.html#distributed

[SankaGamage]

Answers below.

Can I send Elastic Agent logs to the forward node? According to the documentation, Elastic Agent logs cannot be sent directly to a forward node. However, how can we configure it so that logs from one office can still be sent to Security Onion? Elastic agent sends log to logstash https://docs.securityonion.net/en/2.4/elastic-agent.html This is either you manager node or a reciever node running Logstash.

How do I get the logs from the client’s laptop to Security Onion using the forward node? If you are using the Elastic agent, they will go directly to the manager node's Logstash. If you can send syslog, you could enable the integration and send syslog to the sensor to forward to the manager, but they will only be parsed as syslog.

Do I need to configure the agent differently for this setup? No.

When I send logs to the forward node, will they automatically be forwarded to the manager/search node? Or is there an additional configuration needed? If you are using an integration that will need to be enabled in Fleet - https://docs.securityonion.net/en/2.4/third-party-integrations.html

Are there other methods to send logs from the client end to the forward node? Can we use an agent or any alternative method to achieve this while keeping logs separated for Security Onion? https://docs.securityonion.net/en/2.4/third-party-integrations.html Ingerations, this will create a separate index for each logsource.

Where are the logs saved in Security Onion? https://docs.securityonion.net/en/2.4/directory.html#directory Explains where the logs are kept in SO. Parsed logs are kept in an Elasticsearch index.

Can I change the log storage location to keep logs from different sources stored separately? If yes, how can I configure this? Salt is configuring and managing specific directories and files for logs.

How can I connect my client devices to the forward node? My understanding is that if I use separate forward nodes, I can collect logs from different clients separately. Could you please guide me on how to achieve this connection? This is a pretty good description on how a distributed architecture works. https://docs.securityonion.net/en/2.4/architecture.html#distributed

Thank you for your response! I understood most of your answers and appreciate the references to the documentation. However, I still have a few more questions:

1. How do forward nodes get logs?
2. If I install a forward node in the client’s environment (same network), do I need to do any additional configurations?
3. How can I change the log storage location when using two forward nodes separately?
4. How can I collect logs separately from two clients in different locations?
5. As you mentioned, if I send syslogs to forward nodes, what are the main drawbacks of this approach?

Thank you again for your help!

[cm-ops]

How do forward nodes get logs?
This diagram https://docs.securityonion.net/en/2.4/architecture.html#distributed shows the architecture, the monitoring interface captures network traffic via SPAN or TAP. This is the ingest pipeline for a forward node https://docs.securityonion.net/en/2.4/ingest.html#forward

If I install a forward node in the client’s environment (same network), do I need to do any additional configurations?
No.

How can I change the log storage location when using two forward nodes separately?
Salt configures logging directories and changing these could break things, if you need to separate logs per location, consider a heavy node https://docs.securityonion.net/en/2.4/architecture.html#heavy-node

How can I collect logs separately from two clients in different locations?
https://docs.securityonion.net/en/2.4/architecture.html#heavy-node You could with a heavy node architecture, the raw logs and Elastic indices would hold data per location.

As you mentioned, if I send syslogs to forward nodes, what are the main drawbacks of this approach?
You can syslog to any node in your SO grid, the Elastic Agent on the SO node will send through the ingest pipeline from where the syslog is picked up.

[SankaGamage]

How do forward nodes get logs? This diagram https://docs.securityonion.net/en/2.4/architecture.html#distributed shows the architecture, the monitoring interface captures network traffic via SPAN or TAP. This is the ingest pipeline for a forward node https://docs.securityonion.net/en/2.4/ingest.html#forward

If I install a forward node in the client’s environment (same network), do I need to do any additional configurations? No.

How can I change the log storage location when using two forward nodes separately? Salt configures logging directories and changing these could break things, if you need to separate logs per location, consider a heavy node https://docs.securityonion.net/en/2.4/architecture.html#heavy-node

How can I collect logs separately from two clients in different locations? https://docs.securityonion.net/en/2.4/architecture.html#heavy-node You could with a heavy node architecture, the raw logs and Elastic indices would hold data per location.

As you mentioned, if I send syslogs to forward nodes, what are the main drawbacks of this approach? You can syslog to any node in your SO grid, the Elastic Agent on the SO node will send through the ingest pipeline from where the syslog is picked up.

Thank you for your response! I understood most of your answers, but I still have a few more questions regarding Heavy node:

1. As per the diagram, Zeek, Suricata, and Stenographer send logs to Security Onion. In this use case, do heavy nodes store logs in their respective Elasticsearch instances, and can these logs then be easily forwarded to another specific location? Is my understanding correct?
2. The documentation mentions that heavy nodes are meant for testing environments only. Could you clarify why you recommend using them in this case?

My final goal is to collect logs from two different environments into our Security Onion setup while saving them in separate locations. Do you know of any methods or configurations to achieve this?

Thank you again for your guidance!