Deployment questions

Hi guys

New guy here!!! Yes, stupid questions are on the way lol

I've got a few questions for you guys:

Is it possible to deploy a sensor from different networks? The documentation says I've got to run it on the same network (told you).

Second one: is it possible to configure a naked sensor? By that I mean no ELK, and possibly shrink it more so we can use low-level hardware for the sensors, "maybe just Suricata and all the files needed for the sensor communication". (told you to be ready) :zipper_mouth_face:


@maibol welcome to the community! Yes, you can turn off the Elastic Stack, essentially by tweaking the configuration file or by using the new TUI (which is the easier option).

Under “Choose Components”

Nice, thanks for your quick reply.

How about the networking? Have you tried the multi-tenant setup on different networks?

ROCK at the sensor level has no concept of multi-tenancy. You could use it to monitor multi-tenant networks, depending on your requirements. 802.1Q and Q-in-Q tagging is supported natively and is the recommended way to monitor multi-tenant networks. If you're doing things like VXLAN (common in OpenStack) or other more esoteric things, you may not get the results you want because the components do not adequately analyze those protocols. GRE tunnels would be another transport that both Suricata and Zeek/Bro could analyze just fine.

Multitenancy at the Elastic level can be done with roles (commercial Elastic license). Assign a user to a given role, apply a search filter to the role that is segmented on the most reliable data. I’ve applied filters on VLAN, IP address (subnet), and sensor ID (multiple sensors).
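The VLAN-versus-VXLAN distinction in the answer above, as an added example that is not from the original thread or from the ROCK project: a small Python parser that walks 802.1Q and Q-in-Q tags on a raw Ethernet frame and, when the payload turns out to be a VXLAN datagram, pulls out the VNI and the encapsulated inner frame. The sample frames are constructed inside the script, not captured traffic; the MAC addresses, IPs, VLAN IDs and VNI are arbitrary. The point it makes is why the tag is the easy discriminator: a sensor that stops at the outer headers of a VXLAN flow sees only the two VTEP addresses, and has to decode the encapsulation before the tenant is visible at all.

```python
"""Walk 802.1Q / Q-in-Q tags and one VXLAN layer on raw Ethernet frames.
Added example; frame contents below are constructed, not captured."""
import ipaddress
import struct
from dataclasses import dataclass, field
from typing import List, Optional

ETH_P_8021Q = 0x8100   # customer tag (single VLAN tag, or inner tag of Q-in-Q)
ETH_P_8021AD = 0x88A8  # service tag (outer tag of a Q-in-Q frame)
ETH_P_IPV4 = 0x0800
IPPROTO_UDP = 17
VXLAN_UDP_PORT = 4789  # IANA-assigned VXLAN port
VXLAN_FLAG_VNI_VALID = 0x08


@dataclass
class FrameInfo:
    vlans: List[int] = field(default_factory=list)  # outer tag first
    ethertype: int = 0
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None
    vxlan_vni: Optional[int] = None
    inner: Optional["FrameInfo"] = None             # encapsulated frame, if VXLAN


def parse_ethernet(frame: bytes) -> FrameInfo:
    """Strip every VLAN tag, then decode IPv4 and (if present) one VXLAN layer."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    info = FrameInfo()
    offset = 12  # skip destination and source MAC
    ethertype = struct.unpack_from("!H", frame, offset)[0]
    while ethertype in (ETH_P_8021Q, ETH_P_8021AD):
        if len(frame) < offset + 6:
            raise ValueError("truncated VLAN tag")
        tci = struct.unpack_from("!H", frame, offset + 2)[0]
        info.vlans.append(tci & 0x0FFF)  # low 12 bits of the TCI are the VID
        offset += 4
        ethertype = struct.unpack_from("!H", frame, offset)[0]
    info.ethertype = ethertype
    offset += 2
    if ethertype == ETH_P_IPV4:
        _parse_ipv4(frame, offset, info)
    return info


def _parse_ipv4(frame: bytes, off: int, info: FrameInfo) -> None:
    if len(frame) < off + 20:
        raise ValueError("truncated IPv4 header")
    ihl = (frame[off] & 0x0F) * 4
    if ihl < 20:
        raise ValueError("bad IPv4 header length")
    proto = frame[off + 9]
    info.src_ip = str(ipaddress.IPv4Address(bytes(frame[off + 12:off + 16])))
    info.dst_ip = str(ipaddress.IPv4Address(bytes(frame[off + 16:off + 20])))
    if proto != IPPROTO_UDP or len(frame) < off + ihl + 8:
        return
    udp = off + ihl
    _sport, dport = struct.unpack_from("!HH", frame, udp)
    vx = udp + 8
    if dport == VXLAN_UDP_PORT and len(frame) >= vx + 8:
        # VXLAN header: flags(1) reserved(3) VNI(3) reserved(1), then an Ethernet frame
        if frame[vx] & VXLAN_FLAG_VNI_VALID:
            info.vxlan_vni = int.from_bytes(frame[vx + 4:vx + 7], "big")
            info.inner = parse_ethernet(frame[vx + 8:])


def tenant_key(info: FrameInfo) -> str:
    """What a sensor can segment on: VLAN tags if present, else the VNI, else nothing."""
    if info.vlans:
        return "vlan:" + ".".join(map(str, info.vlans))
    if info.vxlan_vni is not None:
        return f"vni:{info.vxlan_vni}"
    return "untagged"


# --- constructed sample frames (arbitrary addresses, not captured traffic) ---
def build_ethernet(ethertype: int, payload: bytes, vlans=()) -> bytes:
    hdr = bytes.fromhex("0200000000aa") + bytes.fromhex("0200000000bb")
    for i, vid in enumerate(vlans):
        tpid = ETH_P_8021AD if (i == 0 and len(vlans) > 1) else ETH_P_8021Q
        hdr += struct.pack("!HH", tpid, vid & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + payload


def build_ipv4_udp(src: str, dst: str, dport: int, payload: bytes) -> bytes:
    udp = struct.pack("!HHHH", 40000, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, IPPROTO_UDP,
                     0, ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return ip + udp


def build_vxlan(vni: int, inner_frame: bytes) -> bytes:
    return bytes([VXLAN_FLAG_VNI_VALID, 0, 0, 0]) + vni.to_bytes(3, "big") + b"\x00" + inner_frame


# Tenant flow on a Q-in-Q trunk: S-tag 100 (provider), C-tag 200 (tenant).
QINQ_FRAME = build_ethernet(ETH_P_IPV4, build_ipv4_udp("10.1.0.5", "10.1.0.9", 53, b"\x00" * 12),
                            vlans=(100, 200))
# The same flow tunnelled between two VTEPs over VXLAN, VNI 5001: no tags on the wire.
INNER_FRAME = build_ethernet(ETH_P_IPV4, build_ipv4_udp("10.1.0.5", "10.1.0.9", 53, b"\x00" * 12))
VXLAN_FRAME = build_ethernet(ETH_P_IPV4, build_ipv4_udp("172.16.0.1", "172.16.0.2", VXLAN_UDP_PORT,
                                                         build_vxlan(5001, INNER_FRAME)))

if __name__ == "__main__":
    for name, frame in (("qinq", QINQ_FRAME), ("vxlan", VXLAN_FRAME)):
        info = parse_ethernet(frame)
        print(name, tenant_key(info), info.src_ip, "->", info.dst_ip,
              "inner:", info.inner and (info.inner.src_ip, info.inner.dst_ip))
```

Run it as-is and the Q-in-Q frame reports both tags and the tenant addresses straight from the outer headers, while the VXLAN frame reports only the VTEP pair 172.16.0.1 -> 172.16.0.2 until the parser has peeled the encapsulation; GRE would need the same kind of extra decode step.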
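The Elastic-side role filter from the answer above, as an added example that is not the project's own configuration: a Python helper that builds the body of a `PUT _security/role/<name>` request whose document-level security query restricts the role to records from one sensor that also carry the tenant's VLAN ID or fall inside its subnet. The ECS field names (`observer.name`, `network.vlan.id`, `source.ip`, `destination.ip`) and the `ecs-*` index pattern are assumptions to be checked against your own mappings, and document-level security needs the commercial licence the post mentions.

```python
"""Build an Elasticsearch role body with a document-level security query that
pins a role to one tenant.  Added example; field names are assumed ECS names."""
import ipaddress
from typing import Optional

# Assumed field names for the sensor's indexed Zeek/Suricata records.
SENSOR_FIELD = "observer.name"
VLAN_FIELD = "network.vlan.id"
SRC_IP_FIELD = "source.ip"
DST_IP_FIELD = "destination.ip"


def tenant_role(index_pattern: str, sensor: str, vlan: Optional[int] = None,
                subnet: Optional[str] = None) -> dict:
    """Return the request body for PUT _security/role/<name>.

    A document is visible only if it came from the tenant's sensor AND matches
    at least one segmenting field.  Requiring the sensor as well means a record
    that happens to lack a VLAN field cannot leak across tenants."""
    if vlan is None and subnet is None:
        raise ValueError("need a VLAN ID or a subnet to segment on")
    should = []
    if vlan is not None:
        if not 1 <= vlan <= 4094:
            raise ValueError("VLAN ID out of range")
        should.append({"term": {VLAN_FIELD: vlan}})
    if subnet is not None:
        # strict=True rejects "10.1.0.5/16"-style values that would silently widen the filter
        net = str(ipaddress.ip_network(subnet, strict=True))
        # term queries on an `ip`-mapped field accept CIDR notation
        should.append({"term": {SRC_IP_FIELD: net}})
        should.append({"term": {DST_IP_FIELD: net}})
    query = {
        "bool": {
            "filter": [{"term": {SENSOR_FIELD: sensor}}],
            "should": should,
            "minimum_should_match": 1,
        }
    }
    return {
        "indices": [{
            "names": [index_pattern],
            "privileges": ["read", "view_index_metadata"],
            "query": query,
        }]
    }


if __name__ == "__main__":
    import json
    # Hypothetical tenant: sensor "sensor-a", VLAN 100, subnet 10.1.0.0/16.
    print(json.dumps(tenant_role("ecs-*", "sensor-a", vlan=100, subnet="10.1.0.0/16"), indent=2))
```

The printed body is what you would send with `PUT _security/role/tenant-a-reader` (role name assumed) before assigning the tenant's users to that role; a second role with a different sensor, VLAN and subnet gives the next tenant its own slice of the same indices.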

Thanks dcode
I was looking to add sensors in different VLANs on the infrastructure and create routes to the SIEM so they can communicate with it. I guess it might work, am I correct?