Skip to content

Elastic

doug edited this page Feb 12, 2019 · 40 revisions

Please note! We are migrating our documentation to https://securityonion.net/docs/. You can find the latest version of this page at: https://securityonion.net/docs/Elastic.

We've completed our initial integration of the Elastic Stack (Elasticsearch, Logstash, and Kibana)!

In addition, we've added the following:

Curator
DomainStats
ElastAlert
FreqServer

Each component has its own Docker image.

You can get an idea of what this whole integration might look like at a high-level by viewing our proposed architecture diagram.

Blog Posts

General Availability:
https://blog.securityonion.net/2018/04/security-onion-elastic-stack-general.html

Release Candidate 4:
https://blog.securityonion.net/2018/03/security-onion-elastic-stack-release_28.html

Release Candidate 3:
https://blog.securityonion.net/2018/03/security-onion-elastic-stack-release.html

Release Candidate 2:
https://blog.securityonion.net/2018/02/security-onion-elastic-stack-release.html

Release Candidate 1:
https://blog.securityonion.net/2018/01/security-onion-elastic-stack-release.html

Beta 3 Release:
https://blog.securityonion.net/2017/12/security-onion-elastic-stack-beta-3.html

Beta 2 Release:
https://blog.securityonion.net/2017/11/elastic-stack-beta-2-release-and.html

Beta Release:
https://blog.securityonion.net/2017/11/elastic-stack-beta-release-and-security.html

Alpha Release:
https://blog.securityonion.net/2017/09/elastic-stack-alpha-release-and.html

Technology Preview 3:
https://blog.securityonion.net/2017/07/towards-elastic-on-security-onion.html

Technology Preview 2:
https://blog.securityonion.net/2017/06/towards-elastic-on-security-onion.html

Technology Preview 1:
https://blog.securityonion.net/2017/03/towards-elk-on-security-onion.html

Videos

Doug Burks - State of the Onion

Hardware Requirements

Please note the following MINIMUM requirements for the Elastic stack:

  • 2 CPU cores
  • 8GB RAM

Installation

The easiest way to try the new Elastic integration is using our 14.04.5.11 (or newer) ISO image: https://blog.securityonion.net/2018/04/security-onion-elastic-stack-general.html

Alternatively, if you have an existing TEST installation or if you want to install using an ISO image other than our 14.04.5.11 (or newer), you can install the securityonion-elastic package and then run so-elastic-download as follows:

sudo soup
sudo apt install securityonion-elastic
sudo so-elastic-download

If this is a fresh installation where you haven't run Setup yet, then you can run sosetup:

sudo sosetup

If you would like to install on your own preferred flavor of Ubuntu 14.04, you can follow steps 1-11 here:

https://github.com/Security-Onion-Solutions/security-onion/wiki/InstallingOnUbuntu

Then run:

sudo apt install securityonion-elastic 
sudo so-elastic-download 
sudo sosetup

Upgrading from ELSA to Elastic

For best results, we recommend performing a fresh installation, but if you really need to do an in-place upgrade from ELSA to Elastic, you can try the steps on the ELSA-to-Elastic page.

Clone this wiki locally
You can’t perform that action at this time.