3 hours 10 minutes
all right now to talk about deployment types.
Stand alone instances are single server architectures where all service is our run that on that one server.
Now these aren't really recommended for enterprise use outside of a proof of concept or POC, as it's storing and processing, that much data will likely break any server used.
Instead, single server architectures are used as forensics boxes or are used on lower bandwidth networks. Mike at home
for enterprise use and monitoring, you'll want to use a distributed environment. There are three server types, the manager forward notes and storage nodes.
Now the manager oversees the rest of the deployment and is usedto view logs by the end by the end analyst. It runs elasticsearch and log stash, as well as gathers logs from the I. D. S.
Afford notes do not run elastic stack components but are instead used for gathering and storing network traffic, as well as running them through the I. D. S.
They forward logs to log stash on the manager for storage and display.
By doing this, you are freeing up the Ford Note process and store the network traffic.
It also makes elastic set elasticsearch quicker on the manager and on the storage nodes, as it isn't competing with I. D. S or other service is for resource is
now storage notes are running elastic stack components and are used by the manager to store lock stash logs.
These logs are query through the use of cross cluster search.
Now this architecture allows you to devote servers two tasks instead of having them compete on one server like you'd see on a heavy architecture, which is what we will look at now.
So heavy architectures aren't really recommended for enterprise use for performance reasons as we touched on a bit before.
But as a heavy architecture can be cheaper as attends to need fewer servers, servers will still talk about it.
Now there are two server types with a heavy deployment. The manager and the heavy node.
Both are running elastic components. Resource is on the heavy note are split between gathering and parsing network logs and storing elastic logs, which are then queried by the manager by across cluster search.
Now the heavy architecture is still a viable option for enterprise use. Depending on your network, it's important to assess your network and then make a decision based on your findings.
All right, that wraps up Lesson two for the intro to Security Onion. In this lesson, we covered what security? Onion is including the history and the functionality. What tools are included in security Union? Plus the architecture and the deployment types.
Thank you very much for listening in. The next lesson will cover installing and configuring a standalone instance. See you then. Cheers.