Using a Raspberry PI as a Stealthwatch Cloud flow collector - Updated

John Heintz
Cisco Employee

Updated!!

 

Posting this for anyone interested in using a Raspberry Pi as a flow collector for Stealthwatch.  We created a very lightweight version of the Stealthwatch Cloud sensor.  It will create flows on any Ethernet port, so you can attach the LAN port to a SPAN port and/or forward NetFlow/IPFIX to it.  I would recommend keeping device counts under 100.

 

We now have an IMG file that works on Pi versions 3 or 4.  Thanks to Steven Marin who created it.

 

Cisco employees get to keep their SWC account as long as it is being used: https://www.cisco.com/c/en/us/products/security/stealthwatch/stealthwatch-cloud-free-offer.html

 

Cheers - John

[Image: pi.PNG]

See the attachment for directions on using the pre-built image.

 

Package install on an existing Pi (not a full image)

 

# Install tcpdump and the sensor's runtime dependencies
sudo apt-get update && sudo apt-get install -y tcpdump libglib2.0-0 liblzo2-2 libltdl7 libpcap0.8 zlib1g

# Download and install the ONA sensor service package (built for Raspbian Jessie, armhf)
wget https://onstatic.s3.amazonaws.com/ona/master/ona-service_RaspbianJessie_armhf.deb
sudo dpkg -i ona-service_RaspbianJessie_armhf.deb

# Download and install the NetSA flow tools package the sensor depends on
wget https://github.com/bbayles/netsa-pkg/releases/download/v0.1.18/netsa-pkg_raspbian.deb
sudo dpkg -i netsa-pkg_raspbian.deb
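As an added example (not part of John's post or of Cisco's packaging), here is the same download-and-install step with a digest check in front of dpkg -i. dpkg -i installs a stand-alone .deb without any signature check, so the only integrity control on these two files is one you supply yourself: a SHA-256 digest obtained out of band from the package publisher. The page publishes no digests, so the digest values in the usage comments are placeholders to be filled in by you; the helper names (sha256_of, verify_sha256, fetch_verify_install) are mine.

```shell
#!/bin/sh
# Added example, not from the original post: verify a downloaded .deb against a
# SHA-256 digest obtained out of band before handing it to dpkg.
# The post publishes no digests; the EXPECTED values must come from the publisher.

# sha256_of FILE -> print the hex SHA-256 digest of FILE
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_sha256 FILE EXPECTED -> 0 if FILE's digest equals EXPECTED (hex, case-insensitive), else 1
verify_sha256() {
    file="$1"
    expected="$(printf '%s' "$2" | tr 'A-F' 'a-f')"
    [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }
    actual="$(sha256_of "$file")"
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "digest mismatch for $file" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    return 1
}

# fetch_verify_install URL EXPECTED -> download with wget, verify, then dpkg -i.
# A mismatched or partial download is deleted and never reaches dpkg.
fetch_verify_install() {
    url="$1"
    expected="$2"
    name="$(basename "$url")"
    wget -q -O "$name" "$url"
    verify_sha256 "$name" "$expected" || { rm -f "$name"; return 1; }
    sudo dpkg -i "$name"
}

# Usage on the Pi (the <sha256> placeholders are hypothetical; obtain the real
# digests from the package publisher, not from the download location itself):
#   fetch_verify_install https://onstatic.s3.amazonaws.com/ona/master/ona-service_RaspbianJessie_armhf.deb "<sha256>"
#   fetch_verify_install https://github.com/bbayles/netsa-pkg/releases/download/v0.1.18/netsa-pkg_raspbian.deb "<sha256>"
```

If dpkg -i then reports unmet dependencies, `sudo apt-get install -f` pulls them from the configured apt repositories; if you have to re-download a package, run it through verify_sha256 again rather than installing the fresh copy blindly.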

 

 

7 Comments
dcappell
Cisco Employee

It was easy to send NetFlow from my Meraki MX to the Pi running the sensor code!  Thanks for sharing! [Image: 11_14_47.jpg]

 

ravega
Cisco Employee

Just tried this and it works like a charm! Thank you Steven for making this image available. I just ran into a small issue with the priority of the interfaces. The Raspberry Pi will default to the eth0 interface, which in my case is used to connect to a SPAN port, so when I connect eth0 it loses internet connectivity. This can be easily solved by modifying the interface metric parameter in this file:

 /etc/dhcpcd.conf

 

Just add the following configuration and reboot:

 

interface eth0 metric 300

 

interface wlan0 metric 200

 

Cheers

Randall Vega

 

Jefkelle
Cisco Employee

Are there any ports for Buster, Buster 64, and Ubuntu?

chyates
Cisco Employee

The commands in the dhcpcd.conf file need to be on separate lines to work correctly:

 

interface eth0

metric 300

interface wlan0

metric 200

stmarin
Cisco Employee

If the image link is broken, use this as an alternative:

Raspberry Pi Custom Buster Image (ONA) 

dcappell
Cisco Employee

Just had to reinstall and set up my Raspberry Pi sensor - the SSD card went bad with all the power hits from the weather last week - the new v3 directions worked well, and the image link from stmarin that was posted also worked great - thanks!

 

[Image: Screen Shot 2021-02-28 at 3.02.46 PM.png]

 

crondero
Cisco Employee

I got this set up very quickly thanks to your help!

I had a few questions and Stealthwatch / SWA support helped with a few more pieces of information:

Details on how to configure and manage the SWC sensor via CLI can be found here:
https://ebooks.cisco.com/story/swc-sensor-install/page/1

 

In particular, if you have a dynamic IP and prefer to have the sensor tied to your account directly, you can edit (requires sudo):
/opt/obsrvbl-ona/config.local

 

And add these two lines:
OBSRVBL_HOST="https://sensor.obsrvbl.obsrvbl.com"
OBSRVBL_SERVICE_KEY="<key>"

 

The <key> is found in your SWC / SWA dashboard under Settings > Sensors.

 

After saving the file, restart the service with:
sudo service obsrvbl-ona restart
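The config.local edit described in the comment above, as an added example that is not part of the thread or of the sensor's own tooling: a small POSIX sh helper that writes the two OBSRVBL_* settings idempotently (re-running replaces an existing line instead of appending a duplicate that the service might read in the wrong order), refuses a non-https OBSRVBL_HOST (the service key is sent to that host, so a plain http URL would expose it in transit), and restricts the file to its owner because it now holds a credential. The /opt/obsrvbl-ona/config.local path and the obsrvbl-ona service name are the ones given in the comment; the helper names (set_kv, get_kv, configure_sensor) and the assumption that the file is one KEY="VALUE" per line are mine.

```shell
#!/bin/sh
# Added example, not from the original thread: write OBSRVBL_HOST and
# OBSRVBL_SERVICE_KEY into the sensor's config.local safely and idempotently.
# Path and service name are from the thread; helper names are assumptions.

ONA_CONFIG="${ONA_CONFIG:-/opt/obsrvbl-ona/config.local}"

# set_kv FILE KEY VALUE -> write KEY="VALUE", replacing any existing KEY= line
# (so re-running never leaves two conflicting definitions) or appending one.
set_kv() {
    f="$1"; k="$2"; v="$3"
    [ -f "$f" ] || : > "$f"
    if grep -q "^${k}=" "$f"; then
        # rewrite via a temp file and mv: portable across BSD/GNU sed and atomic
        tmp="${f}.tmp.$$"
        grep -v "^${k}=" "$f" > "$tmp" || true
        printf '%s="%s"\n' "$k" "$v" >> "$tmp"
        mv "$tmp" "$f"
    else
        printf '%s="%s"\n' "$k" "$v" >> "$f"
    fi
}

# get_kv FILE KEY -> print the unquoted value of KEY (last definition wins), empty if absent
get_kv() {
    grep "^$2=" "$1" | tail -n 1 | cut -d= -f2- | sed 's/^"//; s/"$//'
}

# configure_sensor FILE HOST KEY -> validate, write both settings, lock down the file.
# Returns 1 without touching FILE if HOST is not https:// or KEY is empty.
configure_sensor() {
    cfg="$1"; host="$2"; skey="$3"
    case "$host" in
        https://*) ;;
        *) echo "OBSRVBL_HOST must be an https:// URL, got: $host" >&2; return 1 ;;
    esac
    [ -n "$skey" ] || { echo "OBSRVBL_SERVICE_KEY is empty" >&2; return 1; }
    set_kv "$cfg" OBSRVBL_HOST "$host"
    set_kv "$cfg" OBSRVBL_SERVICE_KEY "$skey"
    # the file now contains a credential: owner read/write only
    chmod 600 "$cfg"
}

# Usage on the Pi (as root or via sudo), with the key taken from Settings > Sensors
# in the SWC/SWA dashboard; the placeholder below is not a real key:
#   configure_sensor "$ONA_CONFIG" "https://sensor.obsrvbl.obsrvbl.com" "<key>"
#   service obsrvbl-ona restart
```

After the restart, confirm the sensor appears under Settings > Sensors in the dashboard; if it does not, check that the file is still readable by the user the obsrvbl-ona service runs as, since chmod 600 assumes that user owns it (root, when edited via sudo as the comment describes).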

 
