cjeffcoatjr
Contributor

I have to log into ESXi 6.7 every half hour to "jump start" Alienvault IDS?

We are attempting to deploy the Alienvault appliance on our ESXi 6.7 host. For the most part everything is going smoothly. I was able to properly set up the management network on the right VLAN, we can access the actual device, and it can perform its vulnerability checks. The one thing it is having problems with is Network IDS, Alienvault's traffic monitoring service. Here, Alienvault says that you have to have the other four ports set up to the switches you want to monitor. Currently, we are running everything through the default vSwitch0 with port groups that are segmented based on VLANs. Here, Alienvault says this is how you should do port mirroring in ESXi: Create a new port group on the vSwitch you want to monitor, assign it to VLAN 4095 and have the port group override with promiscuous mode enabled. Cool, that is what I did. Alienvault's 1st NIC is on its management network and the proceeding 4 NICs are on the VLAN 4095 port group.

The problem is that IDS stops receiving data after about a half hour. In order for it to receive data again, I have to log into ESXi, and the instant I do, it receives data again. There is always a spike in activity for the VM whenever this happens.

[screenshot: pastedImage_0.png]

I should note that we are still in the evaluation period for our ESXi (hence the web client screenshot). Could that possibly be what is happening here? Any ideas?

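The port-group setup described in the post above, as an added PowerCLI check (example code, not from the original poster or from Alienvault or VMware). It assumes PowerCLI is installed, that the host is reachable as esxi-host.example.com, and that the mirror port group is named Mirror-VLAN4095; both names are placeholders.

```powershell
# Added example: verify (and optionally correct) the ESXi port-mirroring setup
# described above: a port group on vSwitch0 tagged VLAN 4095 with an explicit
# promiscuous-mode override. Host name and port-group name are assumptions.
param(
    [string]$VMHostName = "esxi-host.example.com",   # assumed host name
    [string]$PortGroup  = "Mirror-VLAN4095",         # assumed port-group name
    [string]$VSwitch    = "vSwitch0",
    [switch]$Fix                                     # create/repair instead of only reporting
)

Connect-VIServer -Server $VMHostName | Out-Null
$vmhost = Get-VMHost -Name $VMHostName
$vs     = Get-VirtualSwitch -VMHost $vmhost -Name $VSwitch -Standard
$pg     = Get-VirtualPortGroup -VirtualSwitch $vs -Name $PortGroup -ErrorAction SilentlyContinue

if (-not $pg) {
    if ($Fix) { $pg = New-VirtualPortGroup -VirtualSwitch $vs -Name $PortGroup -VLanId 4095 }
    else      { throw "Port group '$PortGroup' not found on $VSwitch" }
}

# VLAN 4095 is the "all VLANs" (virtual guest tagging) setting, which is what lets
# the group see every tagged VLAN carried on the vSwitch.
if ($pg.VLanId -ne 4095) {
    Write-Warning "$PortGroup is on VLAN $($pg.VLanId), expected 4095"
}

# Promiscuous mode has to be enabled on the port group itself (an override),
# otherwise the VM's sensing NICs only see their own unicast traffic.
$sec = Get-SecurityPolicy -VirtualPortGroup $pg
if (-not $sec.AllowPromiscuous) {
    Write-Warning "Promiscuous mode is not enabled on $PortGroup"
    if ($Fix) { $sec | Set-SecurityPolicy -AllowPromiscuous $true | Out-Null }
}

# Report which VM adapters sit on the mirror group; the IDS VM's four sensing
# NICs should appear here and show as connected.
Get-VM | Get-NetworkAdapter | Where-Object { $_.NetworkName -eq $PortGroup } |
    Select-Object @{n='VM';e={$_.Parent.Name}}, Name, Type, ConnectionState |
    Format-Table -AutoSize

Disconnect-VIServer -Server $VMHostName -Confirm:$false
```

Run it without -Fix first to see the current state; with -Fix it creates the port group on VLAN 4095 and enables the promiscuous-mode override if either is missing.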
2 Replies
daphnissov
Immortal

I don't know anything about that solution and this isn't an Alienvault forum. I think the most expedient thing would be for you to contact them and see what their guidance is.

cjeffcoatjr
Contributor

I know this isn't an Alienvault forum, but since the issue is solved instantly when I log into ESXi I think it is an ESXi issue.
