Deployment Issues rocknsm-2.0.5-1705.iso


#1

Hi all,

My name is Roger and I’m currently working as an Incident Responder. We found out about RockNSM a few weeks ago and decided to test in parallel to our current network monitoring solution for one of our environments.

We found a few problems during installation that we’d like to share in case anyone else has come across them.

A few details about the set up:

  • VM on top of ESXi 6.5
  • 500GB disk, 16GB memory
  • 1 management interface, 1 sniffing interface (traffic mirrored from a switch).

We had to carry out the following 4 steps in order to successfully deploy it:

  1. $ rpm --import http://mirror.centos.org/centos/RPM-GPG-KEY-CentOS-7

  2. Copy logs-to-kafka.bro:

     $ cp /opt/bro/lib/bro/plugins/Bro_Kafka/scripts/Bro/Kafka/logs-to-kafka.bro /opt/bro/share/bro/site/scripts/rock/plugins/logs-to-kafka.bro

  3. In /opt/bro/share/bro/site/scripts/rock/plugins/kafka.bro

     Load the module:

     @load scripts/rock/plugins/logs-to-kafka

     Replace send_to_logs with include_logs:

     if (|Kafka::include_logs| == 0 || stream_id in Kafka::include_logs)

  4. Comment out this task in deploy-rock.yml:

     - name: Checkout ROCK Bro scripts
       git:
         repo: "{{ bro_rockscripts_repo }}"
         dest: /opt/bro/share/bro/site/scripts/rock
         version: "{{ bro_rockscripts_branch }}"
       when: with_bro and rock_online_install

Of course step 4 could easily be avoided by uploading our own repo with the changes above.

Has anyone come across a similar issue while deploying RockNSM? We still haven't played with all the components, but so far it seems to be working as expected. Health checks after installation were successful as well.

Thanks a lot for this awesome project :-)!

Roger
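The kafka.bro edits from steps 2 and 3 above, as an added example that is not part of Roger's post or of the RockNSM project: a small bash helper that applies them idempotently (safe to re-run after a redeploy) and verifies the result. It assumes the paths given in the post and that the condition being changed references Kafka::send_to_logs before the edit.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: apply the kafka.bro edits
# from step 3 so that re-running after a deploy does not duplicate lines.
set -eu

BRO_SITE=/opt/bro/share/bro/site                 # path from the post
ROCK_PLUGINS="$BRO_SITE/scripts/rock/plugins"
LOAD_LINE='@load scripts/rock/plugins/logs-to-kafka'

# Prepend the @load line once and rename send_to_logs -> include_logs.
# $1: path to kafka.bro. Returns 0 on success, 1 if the file is missing.
patch_kafka_bro() {
    local f="$1"
    [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
    # keep a backup the first time the file is touched
    [ -f "$f.orig" ] || cp "$f" "$f.orig"
    # only add the @load if an identical line is not already present
    if ! grep -qxF "$LOAD_LINE" "$f"; then
        { printf '%s\n' "$LOAD_LINE"; cat "$f"; } > "$f.tmp" && mv "$f.tmp" "$f"
    fi
    # assumption: the filter line references Kafka::send_to_logs before the edit
    sed -i 's/Kafka::send_to_logs/Kafka::include_logs/g' "$f"
}

# Verify both edits; returns 0 only when the @load line appears exactly once,
# the new identifier is present and the old one is gone (post-deploy check).
check_kafka_bro() {
    local f="$1"
    [ "$(grep -cxF "$LOAD_LINE" "$f")" -eq 1 ] || return 1
    grep -q 'Kafka::include_logs' "$f" || return 1
    ! grep -q 'Kafka::send_to_logs' "$f"
}

# Steps 2 and 3 of the post against the real tree; run with --apply.
if [ "${1:-}" = "--apply" ]; then
    cp /opt/bro/lib/bro/plugins/Bro_Kafka/scripts/Bro/Kafka/logs-to-kafka.bro \
       "$ROCK_PLUGINS/logs-to-kafka.bro"
    patch_kafka_bro "$ROCK_PLUGINS/kafka.bro"
    check_kafka_bro "$ROCK_PLUGINS/kafka.bro" && echo "kafka.bro patched"
fi
```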