Known Issue: Custom Elasticsearch Indices and Security Onion 2.3.110 #7545
dougburks announced in Announcements
If you are using custom Elasticsearch indices and specifying their index settings in the pillar (/opt/so/saltstack/local/pillar/global.sls), then please be aware of this known issue with Security Onion 2.3.110. This version includes lots of changes for Elastic Common Schema (ECS) data type compliance and composable templates and these changes can cause issues with your custom Elasticsearch indices.
If you have already tried to upgrade to 2.3.110, the Elasticsearch state most likely exited with an error. The custom Elasticsearch settings will need to be removed until a fix can be applied, and this is currently scheduled for 2.3.120.
If you haven't yet tried to upgrade to 2.3.110, here are your options:
- Remove your custom Elasticsearch index settings from global.sls and proceed with the upgrade to 2.3.110. Any custom settings defined in the pillar will not be honored. If Curator action files were not created for these indices, they would have had no effect anyway.
- Hold off on upgrading until 2.3.120 is released.
Regardless of which approach you choose, you will need to update your custom templates to the new format once 2.3.120 is released. For more information, please see:
https://docs.securityonion.net/en/latest/elasticsearch.html#templates