External sensors to RockNSM

Hi, really impressed with RockNSM. I've been working on an internal project that's almost exactly like RockNSM (I didn't have Kafka integrated yet; I went straight from Filebeat to Logstash in my internal project).

What I'd like to do is have RockNSM as the main server and possibly one sensor... but I'd also like to place some Raspberry Pis, smaller PCs or virtual sensors running Bro & Suricata (mimicking the configuration of RockNSM, but without the ES, Kibana, etc.) in other places on the network that transmit data back to the RockNSM sensor for processing, storage and visualization.

What hurdles am i going to run into?

  • As of right now the proxy only allows access to Kibana from the outside. I'll need to open up a few ports for the external sensors to communicate through with Filebeat.
  • Then adjust Kafka to accept data from outside sources other than localhost...

What am i missing?
Any suggestions would be appreciated.


Multi-node support

@stcdarrell sorry for the delay in answering. As @andrea pointed out, we now offer multi-node support that will suit you well for x86_64 machines. We don't have any pre-optimized virtual sensors, but I've run several and it works just fine. You can build them in the usual way just like bare metal. Raspberry Pis aren't going to work with RockNSM, as we don't support ARM architectures. People have done it, but we just don't have the bandwidth to support another architecture right now.

That said, if you were able to get equivalent components up to Kafka (with Bro/Zeek JSON output), Logstash could push it along down the pipe and it would likely work as expected.

No problem for the delay, thanks for the response.

I should be able to get my Rasp. Pi sensors to talk to the RockNSM host.
It's using all the same stuff (Bro and Suricata) you are, without Kafka; I'll just need to adjust my Filebeat settings to send it to your Kafka server.

Once I get that working I'll post the code/instructions.

Sounds great. Be sure to use JSON formatted logs from Bro. I recommend adding the following bro script: https://github.com/corelight/json-streaming-logs
Using that in connection with the normal RockNSM bro scripts will ensure the Logstash data pipeline still works with your data.

If you post the instructions on a blog or something like a GitHub gist, be sure to let us know and we’ll tweet it for others to find.
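As an added illustration (not from the thread or the RockNSM project), this is what a remote sensor's Filebeat config shipping json-streaming-logs output to the RockNSM Kafka broker could look like. The broker address, Kafka topic names, log paths and certificate paths are assumptions; check them against your own RockNSM install before use.

```yaml
# filebeat.yml on a remote Bro/Suricata sensor (assumed layout; adjust paths to yours)
filebeat.inputs:
  # json-streaming-logs writes one json_streaming_<log>.log per Bro log type
  - type: log
    enabled: true
    paths:
      - /opt/bro/logs/current/json_streaming_*.log   # assumed Bro log dir
    json.keys_under_root: true    # keep Bro's top-level JSON fields as-is for Logstash
    json.add_error_key: true      # flag malformed lines instead of dropping them silently
    fields:
      kafka_topic: bro-raw        # assumed topic name; match what RockNSM's Logstash reads
    fields_under_root: true

  - type: log
    enabled: true
    paths:
      - /var/log/suricata/eve.json
    json.keys_under_root: true
    json.add_error_key: true
    fields:
      kafka_topic: suricata-raw   # assumed topic name
    fields_under_root: true

output.kafka:
  # Kafka on the RockNSM host must listen on a non-loopback address for this to work
  hosts: ["rocknsm.example.internal:9093"]   # assumed host; 9093 assumed as a TLS listener
  topic: '%{[kafka_topic]}'     # route each input to its own topic
  required_acks: 1
  compression: gzip
  codec.json:
    pretty: false
  # Sensor logs cross the network here, so encrypt and authenticate the link
  # rather than exposing a plaintext broker port to the segment.
  ssl.certificate_authorities: ["/etc/filebeat/ca.crt"]   # assumed paths
  ssl.certificate: "/etc/filebeat/sensor.crt"
  ssl.key: "/etc/filebeat/sensor.key"
```

Opening Kafka to remote sensors also means restricting the listener with host firewall rules to the sensor addresses, since the broker otherwise accepts writes from anything that can reach the port.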

Couldn’t the sensor have Kafka on it as usual then use filebeat to send the info up to Elastic Stack on your SIEM?