Deploying Security Onion inside of an NSX Segment
There are various ways to deploy Security Onion within vSphere, but in this particular case, I was working inside an NSX segment. I couldn’t personally find any examples of this being done before, although I’m almost certain there are. That said, I’ve documented my steps throughout this process. Feel free to share your approach or what you did differently.
Before You Start
You will need access to NSX-T for port mirroring.
1. Download Security Onion ISO
- Download the Security Onion ISO from the Security Onion website.
2. Upload ISO to vSphere
Important: Do not navigate away from either the download or upload page until the process is complete, as it will stop the upload.
A. Datastore
Inside vSphere, click on Datastores.
In the left pane, click on the desired datastore.
Navigate to your desired location for file upload.
In the top left of the right pane, click on Upload File and select the Security Onion ISO.
B. Content Library
Click on vSphere in the top left; Content Libraries will be under Inventories.
Click on your library in the right pane, then click the Actions button and select Import Item. A pop-up will appear.
Choose Local File, then click Upload File and select the ISO.
3. Create a VM
Create a VM in the desired location with at least the minimum requirements listed below for your specific node type.
| Node Type | CPUs | RAM | Storage | NICs |
|---|---|---|---|---|
| Import | 2 | 4GB | 50GB | 1 |
| Eval | 4 | 8GB | 200GB | 2 |
| Standalone | 4 | 16GB | 200GB | 2 |
| Manager | 4 | 16GB | 200GB | 1 |
| ManagerSearch | 8 | 16GB | 200GB | 1 |
| Search Node | 4 | 16GB | 200GB | 1 |
| Sensor | 4 | 12GB | 200GB | 2 |
| Heavy Node | 4 | 16GB | 200GB | 2 |
| IDH Node | 2 | 1GB | 12GB | 1 |
| Fleet Node | 4 | 4GB | 200GB | 1 |
| Receiver Node | 2 | 8GB | 200GB | 1 |
CD/DVD Configuration:
In CD/DVD, choose where the ISO is mounted from, either the content library or the datastore. A pop-up will usually appear so you can locate the ISO. If it does not, click the CD/DVD tab, then the Browse button, and select the ISO.
If your node type needs two NICs (see the table above), add the second network adapter while configuring the VM; this is the interface that will receive the mirrored traffic and should be left without an IP address.
Once you have finished creating the VM, follow the Security Onion documentation for installation.
4. NSX-T Setup
To enable port mirroring so that Security Onion can capture the traffic of the VMs you care about, you will need access to NSX-T and must create two groups: one for the Security Onion VM and one for the VMs you want to monitor.
A. Security Onion Group
In the top pane, navigate to Inventory. Click on Groups in the left pane, then click on Add Group in the middle pane.
Name your group, add a description, and set the members.
- Note: This group will have only one member, the monitoring port for Security Onion.
To add members, go to the Members tab, select VIF from the category drop-down, filter by virtual machine name, and select the interface corresponding to the monitoring port you chose (the port without an IP address).
B. Monitored VMs Group
Navigate to Inventory > Groups > Add Group.
Name your group and add a description if needed.
Add members by virtual machine name. This method is usually the easiest. You can always return to add or delete VMs from this group at any time.
5. Enable Port Mirroring
To enable port mirroring in NSX-T:
Go to Plan & Troubleshoot and find the Port Mirroring option in the left pane.
Click on Add Session in the middle pane.
Select the Logical Span option. Give it a name and set the direction, source, and destination ports:
- Set the direction to Bi-Directional.
- Set the source to your Monitored VMs group.
- Set the destination to your Security Onion group.
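Once the session is active, a quick sanity check on the Security Onion VM is that the mirror destination NIC carries no IPv4 address and that its receive counter keeps climbing; a flat counter usually means the SPAN session, its direction, or the NSX group membership is wrong. The script below is an added example, not part of the original post or of Security Onion's own tooling; it assumes the sniffing interface is named ens224 and reads counters from a sysfs-style tree so the helpers can also be exercised against constructed data.

```shell
#!/usr/bin/env bash
# Sanity check for the Security Onion mirror destination NIC after an NSX
# Logical SPAN session is up. Assumed (not from the post): interface ens224,
# counters under a sysfs-style tree such as /sys/class/net.
set -u

# Return 0 when the interface has no IPv4 address in the given `ip -o -4 addr show`
# output (the post picks "the port without an IP address" as the NSX group member).
# $1 = interface name, $2 = captured text of `ip -o -4 addr show`
iface_has_no_ipv4() {
  ! printf '%s\n' "$2" | grep -Eq "^[0-9]+: $1[[:space:]]+inet "
}

# Read the rx_packets counter. $1 = sysfs-style root, $2 = interface name.
rx_packets() {
  cat "$1/$2/statistics/rx_packets"
}

# Return 0 when the counter grew between two samples, i.e. mirrored frames
# are arriving. $1 = sample before, $2 = sample after.
counter_advanced() {
  [ "$2" -gt "$1" ]
}

# End-to-end check: $1 = sysfs-style root, $2 = interface, $3 = seconds to wait.
# Exit 0 when frames were seen, 1 when the counter stayed flat, 2 on read errors.
check_mirror() {
  local before after
  before=$(rx_packets "$1" "$2") || return 2
  sleep "$3"
  after=$(rx_packets "$1" "$2") || return 2
  if counter_advanced "$before" "$after"; then
    echo "OK: $2 received $((after - before)) frames in ${3}s"
    return 0
  fi
  echo "FAIL: no frames on $2 - check the SPAN session, direction and group members" >&2
  return 1
}

# Invoke as: ./check_mirror.sh run [interface]
if [ "${1:-}" = "run" ]; then
  IFACE=${2:-ens224}
  iface_has_no_ipv4 "$IFACE" "$(ip -o -4 addr show)" \
    || echo "WARN: $IFACE has an IPv4 address; the sniffing NIC should have none" >&2
  check_mirror /sys/class/net "$IFACE" 10
fi
```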