Setting a Static IP Monitoring Interface in Security Onion
It is HIGHLY recommended to find a way to use Security Onion as intended, with a passive port (no IP address assigned) monitoring a TAP.
Even so, sometimes a simple passive or tap port is just not going to cut it. One example is a virtual environment where a TAP cannot be placed at the edge of the network for monitoring. In that case, it might be necessary to redirect traffic to an IP address instead.
In this case you will need to reconfigure the monitoring interface of Security Onion to actually use an IP.
To do this, simply navigate to your interfaces file in /etc/network and edit it using your favorite editor: gedit, nano, pico, vim, vi, etc. I'd recommend anything with maybe the exception of ed; man, were those days painful.
Find the monitoring interface's portion of the configuration. It should be the stanza that contains the promisc settings, like the one below.
auto eth0
iface eth0 inet manual
    up ifconfig $IFACE -arp up
    up ip link set $IFACE promisc on
    down ip link set $IFACE promisc off
    down ifconfig $IFACE down
    post-up for i in rx tx sg tso ufo gso gro lro; do ethtool -K $IFACE $i off; done
Now, simply change the top few lines to the following:
auto eth0
iface eth0 inet static
    address YOURIPHERE
    netmask YOURNETMASKHERE
    up ifconfig $IFACE -arp up
    ...
After this change, just to make sure everything is clean, I would do a reboot. Once the sensor is back online you should be able to point your logs and other activity at the IP address you specified in the configuration above.
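As an added example (not from the original post), here is a small Python checker that parses an interfaces(5) stanza like the edited one above and flags a placeholder left in the address or netmask, a missing promisc setting, or an offload that is not disabled. The sample stanza, its address 10.0.0.50 and its netmask are constructed, and the function names are my own.

```python
import ipaddress
import re
# Constructed sample (assumed address and netmask) of the stanza after the edit above.
SAMPLE_INTERFACES = """\
auto eth0
iface eth0 inet static
    address 10.0.0.50
    netmask 255.255.255.0
    up ifconfig $IFACE -arp up
    up ip link set $IFACE promisc on
    post-up for i in rx tx sg tso ufo gso gro lro; do ethtool -K $IFACE $i off; done
"""
OFFLOADS = {"rx", "tx", "sg", "tso", "ufo", "gso", "gro", "lro"}

def stanza(text, iface):
    # Return (inet method, option lines) for iface, or None if the file has no stanza for it.
    method, opts = None, []
    for line in (l.strip() for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")):
        if line.split()[0] in ("iface", "auto", "allow-hotplug", "mapping", "source"):  # keyword ends a stanza
            if method is not None:
                break
            m = re.match(rf"iface\s+{re.escape(iface)}\s+inet\s+(\S+)", line)
            method = m.group(1) if m else None
        elif method is not None:
            opts.append(line)
    return None if method is None else (method, opts)

def check_monitor_stanza(text, iface):
    # Return findings for the sniffing interface; an empty list means nothing to flag.
    parsed = stanza(text, iface)
    if parsed is None:
        return [f"no iface stanza for {iface}"]
    method, opts = parsed
    findings, joined = [], "\n".join(opts)
    if method == "static":
        for opt in ("address", "netmask"):
            vals = [o.split(None, 1)[1] for o in opts if o.startswith(opt + " ")]
            try:
                ipaddress.IPv4Address(vals[0])  # rejects placeholders such as YOURIPHERE
            except (IndexError, ValueError):
                findings.append(f"{opt} missing or not a valid IPv4 value: {vals[:1]}")
        if "-arp" in joined:  # NOARP: peers cannot ARP for the address, so unicast to it never arrives
            findings.append("note: 'ifconfig -arp' leaves NOARP set; peers need static ARP entries to reach the address")
    if not re.search(r"^up\s+ip link set \$IFACE promisc on$", joined, re.M):
        findings.append("promiscuous mode is not enabled on 'up'")
    m = re.search(r"^post-up for i in ([^;]+); do ethtool -K \$IFACE \$i off", joined, re.M)
    missing = OFFLOADS - set(m.group(1).split()) if m else OFFLOADS
    if missing:
        findings.append("offloads left enabled: " + " ".join(sorted(missing)))
    return findings
```

Run it against your real /etc/network/interfaces with the name of your sniffing interface; on the sample stanza the only finding is the NOARP note, since the kept "-arp" line means other hosts on the segment cannot resolve the new address without a static ARP entry.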