As of Security Onion 16.04.4.1, MySQL (on the master server) should have a randomized root password set by default. You can still access MySQL; the following shows the syntax for running a command against securityonion_db (the Sguil DB):
sudo mysql --defaults-file=/etc/mysql/debian.cnf -Dsecurityonion_db -e 'select * from event limit 10';
You can install and run mysqltuner to get some initial recommendations.
Install mysqltuner if you haven't already:
sudo apt update && sudo apt install mysqltuner
Implement mysqltuner's recommendations in /etc/mysql/my.cnf or create a new file in /etc/mysql/conf.d/ with the changes. We recommend /etc/mysql/conf.d/ so that your changes don't get overwritten during MySQL package upgrades.
Changes don't take effect until MySQL is restarted, and you should ensure that Sguil and other services aren't using MySQL before shutting it down.
The first variable that you'll probably need to tune is
Here are some other common variables that will probably need to be tuned for your system:
MySQL slow to start on boot
At boot time, MySQL checks all tables, which can take a long time. If you wish to disable this check, comment out
400. You may want to increase this value if one or more of the following conditions applies to you:
- you have more than 400 MySQL
- you've increased
/etc/nsm/securityonion.conf above its default value of 30 (each day requires 5 .frm files for OSSEC and 5 .frm files for each sniffing interface)
- you're running prepared statements
table_definition cache (defaults to
mysql -uroot -e "show global variables like 'table_definition_cache'"
open_table_definitions (probably maxed out at
mysql -uroot -e "show global status like 'open_table_definitions'"
Check number of
sudo find /var/lib/mysql/ -name "*.frm" |wc -l
Increase table_definition_cache above number of .frm files by creating a file called /etc/mysql/conf.d/securityonion-table_definition_cache.cnf (please note .cnf extension NOT .conf) and adding the following (replacing 4000 with your desired setting):
[mysqld]
table_definition_cache = 4000
Reboot and then verify that open_table_definitions never gets limited by
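The check-and-size steps above, combined into one read-only report script. This is an added example, not part of the Security Onion wiki: the function names, the `--report` argument and the 25% headroom are assumptions, and the projection covers only the per-day tables described on this page.

```shell
#!/bin/sh
# Added example, not from the Security Onion wiki. Function names, the
# --report argument and the 25% headroom are assumptions for illustration.

# Count .frm table-definition files under a MySQL data directory.
count_frm_files() {
    find "$1" -name '*.frm' 2>/dev/null | wc -l | tr -d ' '
}

# Per-day tables only: each retained day needs 5 .frm files for OSSEC
# plus 5 for each sniffing interface (rule stated on this page).
projected_frm_files() {    # args: DAYS INTERFACES
    echo $(( $1 * 5 * (1 + $2) ))
}

# Larger of observed/projected plus 25% headroom, never below current.
recommend_cache() {        # args: CURRENT OBSERVED PROJECTED
    need=$2
    if [ "$3" -gt "$need" ]; then need=$3; fi
    need=$(( need + need / 4 ))
    if [ "$need" -lt "$1" ]; then need=$1; fi
    echo "$need"
}

# Content for a drop-in under /etc/mysql/conf.d/ (name must end in .cnf).
render_cnf() {
    printf '[mysqld]\ntable_definition_cache = %s\n' "$1"
}

# Ask the running server for one value, using the debian.cnf credentials.
mysql_value() {            # args: "variables"|"status" NAME
    sudo mysql --defaults-file=/etc/mysql/debian.cnf -N -B \
        -e "show global $1 like '$2'" | awk '{print $2}'
}

# Report only: nothing is written and MySQL is not restarted.
report() {                 # args: DAYS INTERFACES
    current=$(mysql_value variables table_definition_cache)
    open=$(mysql_value status open_table_definitions)
    observed=$(count_frm_files /var/lib/mysql/)
    projected=$(projected_frm_files "$1" "$2")
    echo "cache=$current open=$open frm_files=$observed projected=$projected"
    render_cnf "$(recommend_cache "$current" "$observed" "$projected")"
}

if [ "${1:-}" = "--report" ]; then report "$2" "$3"; fi
```

Run it with sudo so that find can read /var/lib/mysql/, passing the retention days and the number of sniffing interfaces after `--report`; the last two lines of output are the drop-in file content.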
For more information, please see: