Does the Heavy Node store elasticsearch logs? #5579

linsecnet · 2021-09-20T13:16:51Z

linsecnet
Sep 20, 2021

Quick question regarding elasticsearch combined logs ( Zeek, osquery, strelka, suricata, and wazuh)

Does the heavy node store logs like the search node? or does it just assist the search node with the workload?

I wanted to verify I understood this document correctly: https://readthedocs.org/projects/securityonion/downloads/pdf/latest/

Note: Heavy nodes do not consume from the Redis queue on the manager. This means that if you just have a
manager and heavy nodes, then the Redis queue on the manager will grow and never be drained. To avoid this, you
have two options. If you are starting a new deployment, you can make your manager a manager search so that
it will drain its own Redis queue. Alternatively, if you have an existing deployment with a manager and want to
avoid rebuilding, then you can add a separate search node (NOT heavy node) to consume from the Redis queue on the

Answered by linsecnet

Sep 20, 2021

This answer was provided on issue #5567

View full answer

linsecnet · 2021-09-20T13:54:54Z

linsecnet
Sep 20, 2021
Author

This answer was provided on issue #5567

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Does the Heavy Node store elasticsearch logs? #5579

{{title}}

{{editor}}'s edit

{{editor}}'s edit

Replies: 1 comment

{{title}}

Select a reply

Does the Heavy Node store elasticsearch logs? #5579

linsecnet Sep 20, 2021

Replies: 1 comment

linsecnet Sep 20, 2021 Author

linsecnet
Sep 20, 2021

linsecnet
Sep 20, 2021
Author