Deploying Security Onion inside of an NSX Segment

There are various ways to deploy Security Onion within vSphere, but in this particular case, I was working inside an NSX segment. I couldn’t personally find any examples of this being done before, although I’m almost certain there are. That said, I’ve documented my steps throughout this process. Feel free to share your approach or what you did differently.

Before You Start

You will need access to NSX-T (Inventory for groups, and Plan & Troubleshoot for port mirroring), plus a vSphere account that can upload an ISO and create VMs.

1. Download Security Onion ISO
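Before the ISO goes anywhere near vSphere, check it against the SHA-256 checksum Security Onion publishes for that release, so that a corrupted download or a tampered mirror is caught here rather than after a full install. The script below is an added example, not code from this post or from the Security Onion project; the `securityonion-demo.iso` file name and the checksum line used in `demo()` are constructed test inputs, and the real values come from the Security Onion download page.

```python
"""Verify a downloaded Security Onion ISO against a published SHA-256
checksum line, as printed by sha256sum: '<64 hex digits>  <filename>'.
Added example; not from the post or from Security Onion.
Usage: python3 verify_iso.py <iso path> '<sha256>  <filename>'"""
import hashlib
import sys
import tempfile
from pathlib import Path

CHUNK = 1024 * 1024  # hash 1 MiB at a time; the ISO is several GB


def sha256_file(path):
    """Hex SHA-256 of a file, streamed so a multi-GB ISO is never read into RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_checksum_line(line):
    """Return (hex_digest, filename_or_None) from a sha256sum-style line.
    A bare digest copied from a web page has no filename part; the '*'
    that sha256sum -b prefixes to the name is stripped."""
    parts = line.strip().split()
    if not parts or len(parts[0]) != 64 or not all(c in "0123456789abcdefABCDEF" for c in parts[0]):
        raise ValueError("not a SHA-256 checksum line: %r" % line)
    name = parts[1].lstrip("*") if len(parts) > 1 else None
    return parts[0].lower(), name


def verify_iso(path, checksum_line):
    """True only if the digest matches and, when the line names a file, the
    name matches too (catches checking release X's hash against release Y's ISO)."""
    expected, name = parse_checksum_line(checksum_line)
    if name is not None and Path(path).name != name:
        return False
    return sha256_file(path) == expected


def demo():
    """Offline self-check on a constructed 3-byte 'ISO' holding b'abc', whose
    SHA-256 is the well-known FIPS 180 test vector. Returns (good, wrong name, wrong hash)."""
    good_hex = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"
    with tempfile.TemporaryDirectory() as d:
        iso = Path(d, "securityonion-demo.iso")  # constructed name, not a real release
        iso.write_bytes(b"abc")
        return (verify_iso(iso, good_hex + "  securityonion-demo.iso"),
                verify_iso(iso, good_hex + "  securityonion-other.iso"),
                verify_iso(iso, "0" * 64))


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: verify_iso.py <iso path> '<sha256>  <filename>'")
    ok = verify_iso(sys.argv[1], sys.argv[2])
    print("OK: checksum matches" if ok else "MISMATCH: do not upload this ISO")
    sys.exit(0 if ok else 1)
```

A hash match only proves the file is the one the download page describes; Security Onion also publishes a GPG signature for each ISO, and verifying that signature with the project's key is the stronger check when you can do it.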

2. Upload ISO to vSphere

Important: Do not navigate away from the download or upload page until the transfer is complete; leaving the page cancels the upload.

A. Datastore

  1. Inside vSphere, click on Datastores.

  2. In the left pane, click on the desired datastore.

  3. Navigate to your desired location for file upload.

  4. In the top left of the right pane, click on Upload File and select the Security Onion ISO.

B. Content Library

  1. Click on vSphere in the top left; Content Libraries will be under Inventories.

  2. Click on your library in the right pane, then click the Actions button and select Import Item. A pop-up will appear.

  3. Choose Local File, then click Upload File and select the ISO.

3. Create a VM

Create a VM in the desired location with at least the minimum requirements listed below for your specific node type.

Node Type       CPUs   RAM     Storage   NICs
Import          2      4GB     50GB      1
Eval            4      8GB     200GB     2
Standalone      4      16GB    200GB     2
Manager         4      16GB    200GB     1
ManagerSearch   8      16GB    200GB     1
Search Node     4      16GB    200GB     1
Sensor          4      12GB    200GB     2
Heavy Node      4      16GB    200GB     2
IDH Node        2      1GB     12GB      1
Fleet Node      4      4GB     200GB     1
Receiver Node   2      8GB     200GB     1

CD/DVD Configuration:

  • Under CD/DVD drive, select where the ISO lives (Datastore ISO File or Content Library ISO File). A pop-up usually appears to locate the ISO; if not, click the CD/DVD tab, then Browse, and select the ISO. Make sure Connect At Power On is checked, or the VM will not boot from it.

  • Add the second network adapter now for node types that need one (Eval, Standalone, Sensor and Heavy Node in the table above). This adapter becomes the Security Onion monitoring interface; attach it to an NSX segment so that its VIF can be selected later as the mirror destination.

Once you have finished creating the VM, follow the Security Onion documentation for installation.

4. NSX-T Setup

To mirror network traffic to Security Onion's monitoring interface, you need access to NSX-T and two groups: one containing the Security Onion VM's monitoring interface, and one containing the VMs you want to monitor.

A. Security Onion Group

  1. In the top pane, navigate to Inventory. Click on Groups in the left pane, then click on Add Group in the middle pane.

  2. Name your group, add a description, and set the members.

    • Note: This group will have only one member, the monitoring port of the Security Onion VM.

  3. To add members, go to the Members tab, select VIF from the category drop-down, filter by virtual machine name, and select the interface corresponding to the monitoring port you chose (the second adapter, the one Security Onion uses as its monitoring interface and which has no IP address). Do not pick the management interface, or Security Onion's own management traffic will end up in the capture.

B. Monitored VMs Group

  1. Navigate to Inventory > Groups > Add Group.

  2. Name your group and add a description if needed.

  3. Add members by virtual machine name. This method is usually the easiest. You can always return to add or delete VMs from this group at any time.

5. Enable Port Mirroring

To enable port mirroring in NSX-T:

  1. Go to Plan & Troubleshoot and find the Port Mirroring option in the left pane.

  2. Click on Add Session in the middle pane.

  3. Select the Logical SPAN session type. Give it a name and set the direction, source, and destination:

    • Set the direction to Bi-Directional, so both what the monitored VMs send and what they receive is mirrored.

    • Set the source to your Monitored VMs group.

    • Set the destination to your Security Onion group.

  Note that when two VMs in the Monitored VMs group talk to each other, a bi-directional session delivers each packet twice, once from each source port, so expect duplicates for that traffic.
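Once the session is active, confirm on the Security Onion VM itself that the mirrored packets are arriving on the monitoring interface and not on the management NIC. The script below is an added example, not code from this post or from Security Onion. It assumes it runs as root on the Security Onion VM with iproute2 installed, that the monitoring interface is the UP, non-loopback interface with no global IP address (the same criterion used to pick the VIF for the NSX group), and that rising RX counters on that interface while it is in promiscuous mode are evidence that the Logical SPAN session is delivering traffic. The `ip` and `/proc/net/dev` output embedded in it is constructed sample data (management NIC `ens192`, monitor NIC `ens224`), so the check can be exercised offline; run it with `--live` on the real VM.

```python
"""Check that NSX-mirrored traffic is arriving on the Security Onion
monitoring interface. Added example, not from the post or Security Onion.
Assumes root on the SO VM and iproute2. Run with --live for the real
system; without it, the constructed sample data below is used."""
import re
import subprocess
import sys
import time

LINK_RE = re.compile(r"^\d+:\s+([^:@\s]+)(?:@\S+)?:\s+<([^>]*)>")
ADDR_RE = re.compile(r"^\d+:\s+(\S+)\s+(inet6?)\s+(\S+)(.*)$")


def parse_links(ip_link_text):
    """`ip -o link show` -> {iface: set(flags)}; flags carry UP, PROMISC, LOOPBACK."""
    links = {}
    for line in ip_link_text.splitlines():
        m = LINK_RE.match(line)
        if m:
            links[m.group(1)] = set(m.group(2).split(","))
    return links


def parse_global_addrs(ip_addr_text):
    """`ip -o addr show` -> {iface: [cidr]}, keeping only 'scope global'.
    A link-local fe80:: address (scope link) appears on any UP interface and
    must not disqualify the monitor NIC, which has no routable address."""
    addrs = {}
    for line in ip_addr_text.splitlines():
        m = ADDR_RE.match(line)
        if m and "scope global" in m.group(4):
            addrs.setdefault(m.group(1), []).append(m.group(3))
    return addrs


def parse_proc_net_dev(text):
    """/proc/net/dev -> {iface: rx_packets}; the two header lines contain no colon."""
    counters = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        name, fields = line.split(":", 1)
        nums = fields.split()
        if len(nums) >= 2:
            counters[name.strip()] = int(nums[1])  # column 2 of the Receive block
    return counters


def monitor_candidates(links, global_addrs):
    """Interfaces that are UP, not loopback, and carry no global IP address."""
    return sorted(name for name, flags in links.items()
                  if "LOOPBACK" not in flags and "UP" in flags
                  and not global_addrs.get(name))


def mirror_report(links, global_addrs, dev_before, dev_after, seconds):
    """Per candidate monitor interface: promiscuous flag, RX packets/s, verdict."""
    report = {}
    for name in monitor_candidates(links, global_addrs):
        delta = dev_after.get(name, 0) - dev_before.get(name, 0)
        report[name] = {"promisc": "PROMISC" in links[name],
                        "rx_pps": delta / seconds, "receiving": delta > 0}
    return report


# Constructed sample output (not captured from a real system): ens192 is the
# management NIC with an address, ens224 the monitor NIC with none.
SAMPLE_LINK = (
    "1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN\n"
    "2: ens192: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP\n"
    "3: ens224: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc mq state UP\n")
SAMPLE_ADDR = (
    "1: lo    inet 127.0.0.1/8 scope host lo\n"
    "2: ens192    inet 10.10.20.5/24 brd 10.10.20.255 scope global ens192\n"
    "2: ens192    inet6 fe80::250:56ff:feaa:bb01/64 scope link\n"
    "3: ens224    inet6 fe80::250:56ff:feaa:bb02/64 scope link\n")
_HDR = ("Inter-|   Receive                   |  Transmit\n"
        " face |bytes    packets errs drop fifo frame compressed multicast|"
        "bytes    packets errs drop fifo colls carrier compressed\n")
SAMPLE_DEV_BEFORE = _HDR + (
    "    lo:    1000      10    0    0    0     0          0         0     1000      10    0    0    0     0       0          0\n"
    "ens192:  500000    4000    0    0    0     0          0         0   300000    2500    0    0    0     0       0          0\n"
    "ens224: 9000000   12000    0    0    0     0          0       120        0       0    0    0    0     0       0          0\n")
SAMPLE_DEV_AFTER = _HDR + (
    "    lo:    1200      12    0    0    0     0          0         0     1200      12    0    0    0     0       0          0\n"
    "ens192:  520000    4100    0    0    0     0          0         0   310000    2550    0    0    0     0       0          0\n"
    "ens224: 9600000   15000    0    0    0     0          0       130        0       0    0    0    0     0       0          0\n")


def demo(seconds=10):
    """Run the check on the constructed samples (ens224 gains 3000 packets in 10 s)."""
    return mirror_report(parse_links(SAMPLE_LINK), parse_global_addrs(SAMPLE_ADDR),
                         parse_proc_net_dev(SAMPLE_DEV_BEFORE),
                         parse_proc_net_dev(SAMPLE_DEV_AFTER), seconds)


def live(seconds=10):
    """Same check against the running system, sampling counters `seconds` apart."""
    def run(cmd):
        return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    links = parse_links(run(["ip", "-o", "link", "show"]))
    addrs = parse_global_addrs(run(["ip", "-o", "addr", "show"]))
    before = parse_proc_net_dev(open("/proc/net/dev").read())
    time.sleep(seconds)
    after = parse_proc_net_dev(open("/proc/net/dev").read())
    return mirror_report(links, addrs, before, after, seconds)


if __name__ == "__main__":
    for iface, r in (live() if "--live" in sys.argv else demo()).items():
        verdict = "OK" if r["receiving"] and r["promisc"] else "CHECK"
        print(f"{iface}: promisc={r['promisc']} rx_pps={r['rx_pps']:.1f} {verdict}")
```

A candidate interface that reports `receiving=False` means the session is not delivering packets (check the VIF selected for the destination group and that the monitored VMs are generating traffic); `promisc=False` on an interface that is receiving means the guest will drop frames addressed to other MACs, which is the normal state of a mirror destination, so the interface is not yet configured the way Security Onion's setup leaves its monitor interface.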