The primary configuration file for RockNSM is found at
This file defines key information that drives the Ansible deployment playbook, such as network interface setup, CPU core assignment, and much more. There are a lot of options to tune here, so take time to familiarize yourself with them.
A template of this file in its entirety can be found [here on github], but for greater clarity let's break it down into its major sections:
As mentioned previously, ROCK takes the interface with an IP address / gateway and will use that as the management NIC.
config.yml displays the remaining interfaces that will be used to MONITOR traffic.
Let's run through a basic example:
```
[admin@rock ~]$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether ...
    inet 192.168.1.207/24 brd 192.168.1.255 scope global noprefixroute dynamic enp0s3
    ...
3: enp0s4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether ...
```
The demo box above has 2 NICs:
enp0s3 - is plugged in for install and deployment with an IP address from local DHCP. This will be used to manage the sensor.
enp0s4 - will be unused (not connected) during install and deployment and be listed as a rock_monif in the config file.
The config file shows the other interface (enp0s3) is listed as the MONITOR interface.
```yaml
# interfaces that should be configured for sensor applications
rock_monifs:
  - enp0s3
```
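An added example (not part of the RockNSM project): a pre-deployment check that compares the rock_monifs list against `ip a` output and reports any monitor interface that holds an IPv4 address, since the interface with an address is the management NIC, or that does not exist on the host. The sample inputs are constructed and the function names are assumptions of this example.

```python
import re

# Constructed sample shaped like the demo box's `ip a` output (not captured from a real host).
IP_A = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    inet 192.168.1.207/24 brd 192.168.1.255 scope global noprefixroute dynamic enp0s3
3: enp0s4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
"""
# Constructed config.yml fragment; only the rock_monifs list is read.
CONFIG = "rock_monifs:\n  - enp0s4\nrock_hostname: rocknsm_sensor_1\n"

def addressed_interfaces(ip_output):
    """Map each interface name to its IPv4 addresses, parsed from `ip a` text."""
    found, current = {}, None
    for line in ip_output.splitlines():
        header = re.match(r"^\d+:\s+([^:@\s]+)", line)
        if header:
            current = header.group(1)
            found[current] = []
        elif current and (m := re.match(r"^\s+inet\s+(\S+)", line)):
            found[current].append(m.group(1))
    return found

def monitor_interfaces(config_text):
    """Read the rock_monifs list with a minimal line parser (no YAML library)."""
    names, in_list = [], False
    for line in config_text.splitlines():
        if re.match(r"^rock_monifs:\s*$", line):
            in_list = True
        elif in_list and (m := re.match(r"^\s*-\s*(\S+)", line)):
            names.append(m.group(1))
        elif in_list and line.strip() and not line.lstrip().startswith("#"):
            in_list = False  # next top-level key ends the list
    return names

def check_monifs(ip_output, config_text):
    """Return problems: monitor NICs that are missing or that hold an address."""
    addrs = addressed_interfaces(ip_output)
    problems = []
    for nic in monitor_interfaces(config_text):
        if nic not in addrs:
            problems.append(f"{nic}: not present on this host")
        elif addrs[nic]:
            problems.append(f"{nic}: has address {addrs[nic][0]}, looks like the management NIC")
    return problems

if __name__ == "__main__":
    print(check_monifs(IP_A, CONFIG) or "rock_monifs OK")
```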
```yaml
# Set the hostname of the sensor:
rock_hostname: rocknsm_sensor_1

# Set the Fully Qualified Domain Name:
rock_fqdn: rocknsm_sensor_1.rocknsm.lan

# Set the number of CPUs assigned to Bro:
bro_cpu: 2

# Set the Elasticsearch cluster name:
es_cluster_name: rocknsm

# Set the Elasticsearch cluster node name:
es_node_name: localhost

# Set the value of Elasticsearch memory:
es_mem: 5
```
We've taken into consideration that your sensor won't always have internet access. Currently the default value is set to
```yaml
# The primary installation variable defines the ROCK installation method:
# ONLINE: used if the system may reach out to the internet
# OFFLINE: used if the system may *NOT* reach out to the internet
# The default value "False" will deploy using OFFLINE (local) repos.
# A value of "True" will perform an install using ONLINE mirrors.
rock_online_install: True
```
Does your sensor have access to upstream online repositories? If so, then make sure that this value is set to
If you are in an offline environment, then set it to
Ansible will deploy using the locally cached files found in
Note: In our next release the default behavior will be changed to an offline install (reference Issue #376)
This section controls how long NSM data stay on the sensor:
```yaml
# Set the interval in which Elasticsearch indexes are closed:
elastic_close_interval: 15

# Set the interval in which Elasticsearch indexes are deleted:
elastic_delete_interval: 60

# Set value for Kafka retention (in hours):
kafka_retention: 168

# Set value for Bro log retention (in days):
bro_log_retention: 0

# Set value for Bro statistics log retention (in days):
bro_stats_retention: 0

# Set how often logrotate will roll Suricata log (in days):
suricata_retention: 3

# Set value for FSF log retention (in days):
fsf_retention: 3
```
This is a critical section that provides boolean options to choose what components of ROCK are installed and enabled during deployment.
```yaml
rock_services:
  - name: bro
    quota_weight: 1
    installed: True
    enabled: True
  - name: stenographer
    quota_weight: 8
    installed: True
    enabled: True
  - name: docket
    quota_weight: 0
    installed: True
    enabled: True
  - name: suricata
    quota_weight: 2
    installed: True
    enabled: True
  - name: elasticsearch
    quota_weight: 4
    installed: True
    enabled: True
  - name: kibana
    quota_weight: 0
    installed: True
    enabled: True
  - name: zookeeper
    quota_weight: 0
    installed: True
    enabled: True
  - name: kafka
    quota_weight: 4
    installed: True
    enabled: True
  - name: lighttpd
    quota_weight: 0
    installed: True
    enabled: True
  - name: fsf
    quota_weight: 1
    installed: True
    enabled: True
  - name: filebeat
    quota_weight: 0
    installed: True
    enabled: True
```
A good example for changing this section would involve Stenographer. Collecting raw PCAP is resource and storage intensive. Your machine may not be able to handle that, and if you just want to focus on network logs, you would set both options in the config file to disable installing and enabling Stenographer.