Elastic

Doug Burks edited this page Nov 30, 2017 · 26 revisions
Clone this wiki locally

We are currently working on integrating the Elastic Stack (Elasticsearch, Logstash, and Kibana)!

In addition, we've added the following:

Curator
DomainStats
ElastAlert
FreqServer

Each component has its own Docker image.

You can get an idea of what this whole integration might look like at a high-level by viewing our proposed architecture diagram.

Blog Posts

Beta 2 Release:
http://blog.securityonion.net/2017/11/elastic-stack-beta-2-release-and.html

Beta Release:
http://blog.securityonion.net/2017/11/elastic-stack-beta-release-and-security.html

Alpha Release:
http://blog.securityonion.net/2017/09/elastic-stack-alpha-release-and.html

Technology Preview 3:
http://blog.securityonion.net/2017/07/towards-elastic-on-security-onion.html

Technology Preview 2:
http://blog.securityonion.net/2017/06/towards-elastic-on-security-onion.html

Technology Preview 1:
http://blog.securityonion.net/2017/03/towards-elk-on-security-onion.html

Videos

Doug Burks - State of the Onion

Hardware Requirements

Please note the following MINIMUM requirements for the Elastic stack:

  • 2 CPU cores
  • 8GB RAM

Warning

Our Elastic integration is currently in Beta and so the usual warnings and disclaimers apply:

  • Experimental Setup is BLEEDING EDGE and TOTALLY UNSUPPORTED!
  • If this breaks your system, you get to keep both pieces!
  • This is a work in progress and is in constant flux.
  • This is intended to build a quick prototype proof of concept so you can see what our ultimate Elastic configuration might look like. This configuration will change drastically over time leading up to the final release.
  • Do NOT run this on a system that you care about!
  • Do NOT run this on a system that has data that you care about!
  • This should only be run on a TEST box with TEST data!
  • Experimental Setup may result in nausea, vomiting, or a burning sensation.

Installation

The easiest way to try the new Elastic integration is using our 14.04.5.5 (or newer) ISO image: http://blog.securityonion.net/2017/11/elastic-stack-beta-2-release-and.html

Alternatively, if you have an existing TEST installation or if you want to install using an ISO image other than our 14.04.5.5 (or newer), you can install the securityonion-elastic package and then run so-elastic-download as follows:

sudo soup
sudo apt install securityonion-elastic
sudo so-elastic-download

If you've already run Setup, you can then convert the box from ELSA to Elastic using so-elastic-configure:

sudo so-elastic-configure

If this is a fresh installation where you haven't run Setup yet, then you can instead run sosetup:

sudo sosetup

If you would like to install on your own preferred flavor of Ubuntu 14.04, you can follow steps 1-11 here:

https://github.com/Security-Onion-Solutions/security-onion/wiki/InstallingOnUbuntu

Then run:

sudo apt install securityonion-elastic 
sudo so-elastic-download 
sudo sosetup