Using the TrisulNSM Docker appliance
This post introduces the newly released TrisulNSM Docker Appliance, a lightweight, fast Network Traffic Analytics and Security Monitoring system that can be deployed instantly.
All in one NSM and Traffic monitoring
The Docker appliance is on Docker Hub at trisulnsm/trisul6
Here are some links to get you started.
Start here on GitHub: trisulnsm/docker, quick instructions on running the appliance.
Advantages of the Docker NSM appliance
Just run the appliance to get a complete NSM system live. All parts are included. There is no need to set up a backend database cluster with Elastic, Splunk, etc.
The performance is very close to installing directly on the host.
Secure. The Docker image is a minimal install, with only the necessary packages.
Also includes Suricata IDS with auto updates. Trisul integrates the alert-based metrics into its pipelines. Just check it out to see this powerful feature in action.
Next steps
If you need a 'point' solution, this Docker image should be good enough for most deployments. Here are some advantages of installing the packages directly on the host instead of using Docker.
Trisul packages allow a Hub+Probe architecture. The Docker image bundles them all in one ball. If you want to deploy a distributed probe network, you need to use the packages.
This image uses the --net=host option (Docker host networking). If you are uncomfortable with that, and there is no need to be, you can use the raw packages.
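Because the appliance runs with --net=host, the container shares the host's network namespace: that is what lets it see traffic on the host's interfaces, and it also means any port the container listens on is reachable on those same interfaces. The following shell script is an added example, not code from the TrisulNSM project or from this post. It parses `docker inspect` output to report which network mode a container uses, assumes a container named trisul6 for live use, and the JSON samples embedded in it are constructed to look like the relevant parts of real inspect output.

```shell
#!/bin/sh
# Added example, not TrisulNSM project code. Reports whether a container runs
# with host networking (the mode the trisul6 appliance uses via --net=host).
# Live use, assuming a container named trisul6:
#   docker inspect trisul6 | audit_inspect_output

# Pull the HostConfig.NetworkMode value out of `docker inspect` JSON passed
# as the first argument. Prints "host", "bridge", a network name, or nothing.
network_mode_of() {
  printf '%s\n' "$1" | sed -n 's/.*"NetworkMode": *"\([^"]*\)".*/\1/p' | head -n 1
}

# Succeeds (exit 0) when the container shares the host's network namespace.
uses_host_network() {
  [ "$(network_mode_of "$1")" = "host" ]
}

# Reads inspect JSON on stdin and prints a one-line verdict for the container.
audit_inspect_output() {
  json="$(cat)"
  # Container names in inspect output carry a leading slash; strip it if present.
  name="$(printf '%s\n' "$json" | sed -n 's/.*"Name": *"\/\{0,1\}\([^"]*\)".*/\1/p' | head -n 1)"
  if uses_host_network "$json"; then
    printf '%s: host networking, every port the container listens on is reachable on the host interfaces\n' "$name"
  else
    printf '%s: isolated network namespace (%s)\n' "$name" "$(network_mode_of "$json")"
  fi
}

# Constructed samples shaped like the relevant parts of `docker inspect` output.
SAMPLE_HOST='[{"Name": "/trisul6", "HostConfig": {"NetworkMode": "host"}}]'
SAMPLE_BRIDGE='[{"Name": "/web", "HostConfig": {"NetworkMode": "bridge"}}]'

# Demo on the constructed samples when run directly.
printf '%s\n' "$SAMPLE_HOST" | audit_inspect_output
printf '%s\n' "$SAMPLE_BRIDGE" | audit_inspect_output
```

Run against a live container with `docker inspect trisul6 | audit_inspect_output`; a "host networking" verdict is expected for this appliance and is the cue to firewall the Trisul web interface and any other listening ports on the host rather than relying on Docker's port mapping.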
Short answer: in most cases this Docker image will work just fine as an all-in-one NSM and Traffic Analytics system.