Elastic Stack Beta 2 #1132

dougburks opened this Issue Sep 21, 2017 · 2 comments


dougburks commented Sep 21, 2017

  • Elasticsearch
    • Elasticsearch 5.6.4
  • Kibana
    • Kibana 5.6.4
    • avoid scroll bars on metric visualizations by replacing standard metric visualizations with time series visual builder metric visualizations
    • on Stats dashboard, Logstash Error Type (Donut Chart) visualization is showing all tags, not just errors
  • Logstash
  • so-crossclustercheck
    • avoid issues with hyphenated hostnames (like elastic-virtual-machine)
    • cron job should not run until after cross cluster settings are initially applied
    • cron job should run as a limited user
    • add logrotate entry for /var/log/elasticsearch/crossclustercheck.log
    • enable/disable via /etc/nsm/securityonion.conf
  • so-elastic-start
    • break into separate scripts (so-elastic-start calls so-elastic-start-elasticsearch...)
  • /etc/init/securityonion.conf
    • check for /etc/init.d/xplico before trying to execute it
  • CapMe
    • check for IPv6 addresses
    • detect BRO_PE / BRO_X509 and pivot to BRO_FILES via FID and then to BRO_CONN via CID
    • increase $st and $et window and check for multiple results
  • sosetup-elastic
    • if configuring master-only, syslog-ng.conf never gets updated, thus logs never make it to Elastic (resolved in securityonion-elastic - 20171020-1ubuntu1securityonion13)
    • always disable Xplico
    • when re-running setup, make sure that /etc/nsm/crossclustertab gets removed
    • disable FreqServer and DomainStats when running Production Mode
  • so-status
    • elasticsearch and logstash output should be moved inside an if statement in case they are disabled
    • move elastic logic to so-elastic-status and have so-status just call service nsm status and then so-elastic-status
  • securityonion-elastic package
    • postinst should run so-elastic-configure if Elastic is enabled and should include error checking

@dougburks dougburks changed the title from Elastic Stack Release Candidate 1 to Elastic Stack Beta 2 Nov 22, 2017
dougburks commented Nov 26, 2017
@dougburks dougburks closed this Nov 30, 2017