This section provides guidance and options specific to configurations based on whether you will be analyzing logs, packets, or both.
Configure Log Ingest in the Virtual Environment
Log ingest is straightforward: point your log sources at the IP address you assigned to the Decoder. In the Decoder's management interface you can then select the interface on which it listens for traffic, if it has not already selected one by default.
Configure Packet Capture in the Virtual Environment
There are two options for capturing packets in a VMware environment. The first is to set your vSwitch (or a port group on it) to promiscuous mode, and the second is to use a third-party virtual tap.
Set a vSwitch to Promiscuous Mode
Putting a switch into promiscuous mode, whether virtual or physical (on a physical switch the equivalent is a SPAN port in Cisco terminology, or port mirroring), is not without limitations. Depending on the volume and type of traffic being copied, mirroring can easily oversubscribe the destination port, which means packet loss. Taps, physical or virtual, are designed for lossless capture of all of the intended traffic.
Promiscuous mode is disabled by default and should not be turned on unless specifically required. If a virtual machine is allowed to enter promiscuous mode, software running inside it can monitor any and all traffic crossing the vSwitch, and the copied traffic can also cause packet loss through oversubscription of the port.
To configure a portgroup or virtual switch to allow promiscuous mode:
- Log on to the ESXi/ESX host or vCenter Server using the vSphere Client.
- Select the ESXi/ESX host in the inventory.
- Select the Configuration tab.
- In the Hardware section, click Networking.
- Click Properties for the virtual switch on which you want to enable promiscuous mode.
- Select the virtual switch or portgroup you want to modify, and click Edit.
- Click the Security tab. In the Promiscuous Mode drop-down menu, select Accept.
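The same change can be made from the ESXi shell with esxcli instead of the vSphere Client. The script below is an added example, not part of the original page or of Security Analytics; it assumes a standard vSwitch named vSwitch0 and a dedicated port group named Capture (no spaces in the name) to which only the Decoder's capture vNIC is attached. Limiting promiscuous mode to that one port group, rather than accepting it on the whole vSwitch, means other virtual machines on the switch cannot use the same setting to sniff traffic. VLAN ID 4095 on the port group makes the switch pass frames from all VLANs with their tags intact, so the Decoder sees tagged traffic too.

```shell
#!/bin/sh
# Added example (not from the original page): create a dedicated capture port
# group on an ESXi standard vSwitch and allow promiscuous mode on it only.
# Assumed names: vSwitch0 and a port group called "Capture".
set -e

VSWITCH="${VSWITCH:-vSwitch0}"
CAPTURE_PG="${CAPTURE_PG:-Capture}"

# promisc_state TEXT: extract the "Allow Promiscuous" value from the output of
# 'esxcli network vswitch standard [portgroup] policy security get'.
# Echoes "true" or "false", or "unknown" if the field is absent. The pattern
# requires the colon directly after "Promiscuous", so the separate
# "Allow Promiscuous Override" line on port group output is not matched.
promisc_state() {
    state=$(printf '%s\n' "$1" \
        | sed -n 's/^[[:space:]]*Allow Promiscuous:[[:space:]]*//p' \
        | head -n 1 | tr -d '[:space:]')
    if [ -z "$state" ]; then
        echo unknown
    else
        echo "$state"
    fi
}

# configure_capture_pg [plan|apply]: the esxcli commands that add the port
# group, set it to VLAN 4095 (all VLANs, tags preserved) and allow promiscuous
# mode on the port group alone. "plan" (default) prints the commands so they
# can be reviewed; "apply" runs them on an ESXi host.
configure_capture_pg() {
    mode="${1:-plan}"
    for cmd in \
      "esxcli network vswitch standard portgroup add --vswitch-name=$VSWITCH --portgroup-name=$CAPTURE_PG" \
      "esxcli network vswitch standard portgroup set --portgroup-name=$CAPTURE_PG --vlan-id=4095" \
      "esxcli network vswitch standard portgroup policy security set --portgroup-name=$CAPTURE_PG --allow-promiscuous=true"
    do
        if [ "$mode" = apply ]; then
            $cmd
        else
            echo "$cmd"
        fi
    done
}

# verify_capture_pg: on an ESXi host, read the policies back and confirm the
# capture port group allows promiscuous mode while the vSwitch itself still
# rejects it (so the setting has not leaked to every port group).
verify_capture_pg() {
    pg=$(esxcli network vswitch standard portgroup policy security get --portgroup-name="$CAPTURE_PG")
    vs=$(esxcli network vswitch standard policy security get --vswitch-name="$VSWITCH")
    [ "$(promisc_state "$pg")" = true ] && [ "$(promisc_state "$vs")" = false ]
}

# Constructed sample of 'policy security get' output for a vSwitch that is
# still at its defaults; used so the parser can be exercised off-host.
SAMPLE_DEFAULT='   Allow Promiscuous: false
   Allow MAC Address Change: true
   Allow Forged Transmits: true'

if command -v esxcli >/dev/null 2>&1; then
    configure_capture_pg apply
    verify_capture_pg && echo "capture port group $CAPTURE_PG ready on $VSWITCH"
else
    # Not on an ESXi host: show the plan and demonstrate the parser.
    configure_capture_pg plan
    echo "vSwitch default policy: promiscuous=$(promisc_state "$SAMPLE_DEFAULT")"
fi
```

If you manage hosts from PowerCLI instead, the equivalent of the last command is `Get-VirtualPortGroup -Name Capture | Get-SecurityPolicy | Set-SecurityPolicy -AllowPromiscuous $true`. In either case, re-read the policy afterwards as verify_capture_pg does, and keep the Decoder's management interface on a separate, non-promiscuous port group.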
Use of a Third-Party Virtual Tap
Installation methods for a virtual tap vary by vendor; refer to your vendor's documentation for installation instructions. Virtual taps are typically easy to integrate, and the tap's user interface simplifies selecting which traffic, and what type of traffic, is copied.
Virtual taps encapsulate the captured traffic in a GRE tunnel. Depending on the type of tap you choose, one of these scenarios applies:
- An external appliance is required to terminate the tunnel, and the external appliance directs the traffic to the Decoder interface.
- The tunnel sends traffic directly to the Decoder interface, and Security Analytics de-encapsulates the traffic itself.