Elastic Stack Alpha Release #1095

Comments
Not sure if it's helpful, but not too long back I put together a wiki article covering how to tune ES, focused on bro data for another project. It is intended for 2.4, and I noticed you recently upgraded to 5.4, so I'm not sure if this is still valid.

Thanks @JonZeolla!
Are there any plans for a Hadoop/big data enabled back end for SO? Thanks for your work on this, it's an excellent product, elegant, and it fits in my brain nicely. :)

Hi @ragdelaed, You can pull in Windows Event Logs today using the OSSEC agent or several other event log collectors. Right now, our main focus is integrating the Elastic stack. Once that is done, we'll look at what makes the most sense for our next project. Thanks!
@dougburks - This migration is AWESOME. I have already taken version one of your script and turned it into a fully functioning AWS AMI. As a proof of concept 1:1 ratio (management to sniffing interface), I have collected data to show my teams what type of traffic is coming into our system. I have begun to play around with ElastAlert, but am running into some index pattern issues. I have shown this off to my teams enough times that once the migration to ELK is completed, we are going to be implementing this across the entire company. All I can say is JOB WELL DONE SIR and THANK YOU! FYI - I am hoping to be at the Security Onion conference this year. Very excited!

Hi @mv003348, Thanks for the feedback! Hope to see you at the conference!
Is this transition to elastic stack something that will definitely happen? Why? I would be very interested in reading about your reasons for this decision. Don't you think ES is too much bloat?

Hi @gaganova, This is most likely going to happen. Our community and our customers have been asking for the Elastic Stack for quite some time and we try to be responsive to demand.

I am asking myself if people demand that because they have only seen nice ELK screenshots or if they have actually used that bloated Java stack in real life. Of course there is no answer to that, so hopefully this project will survive this decision. Good Luck! Anybody interested in maintaining the ELSA based version with 16.04?
Hi @gaganova, Replies inline.
I can tell you that there are many folks in our community who have already rolled their own Elastic deployment and are quite happy with it.
While ELSA certainly has low resource requirements, that results in quite a few drawbacks which limit hunting capabilities (only 12 indexed fields, no multiple groupby, just to name a few). These limitations caused the lead developer of ELSA to then migrate to Elasticsearch for what was going to be ELSA 2.0. The future of ELSA 2.0 is currently unclear, thus we are moving to the Elastic stack.
Hi @dougburks, First and foremost, love this project. I would love to add the ELK stack to my deployment, but is there a timeline of when it will officially be supported? I'd hate to implement this in our deployment and have the official project roll out ELK two weeks later. Just asking because the last blog post was all I was able to find directly referencing the script, which is now months old. Thank you!

Hi @mattraneri, We've had a few blog posts about the Elastic integration: We're not ready to commit to any timelines at this point. This is a large project and we still have a lot of work left to do. This is an important project and we want to make sure that it's done right! Thanks!

@dougburks - I have been following the updates and launching new EC2 instances every time a new TP comes out. All I can say is, :mind blown:. This stuff is AWESOME! Whenever it becomes a stable version, I am making it our Enterprise IDS tool...all I need now are boat loads of SO stickers! THANK YOU!
Hi @dougburks, Congratulations, this integration is awesome. Where are the Dockerfiles, or how do you manage the containers? How is the deployment? THANKS!!!

Sorry, I've already found the Docker images. But when I try to configure Production Mode I have problems with Docker. I would like to test the integration for an academic work,
@kxuanCeltik, Please see: http://blog.securityonion.net/2017/07/towards-elastic-on-security-onion.html This technology preview only works with Evaluation Mode currently. Instead of opening an issue, or commenting on this issue, please use our mailing list: https://github.com/Security-Onion-Solutions/security-onion/wiki/MailingLists#security-onionv Also see: https://groups.google.com/forum/#!topic/security-onion/Sr8wrJSQxo0 Thanks,

Ok, thanks.
@dougburks, just to add some notes: https://groups.google.com/forum/#!topic/security-onion/-PDV2E8Jn6k resolves the massive amount of _grokparsefailure for the NIDS. I've not seen another log like that after the correction; not sure if it's related to the TODO "check for _grokparsefailure" thing.

Hi @behkxyz, Yes, the fix in that Google Group thread was already in our dev repo and so it will automatically go into the next release. As we announce future releases, please continue to watch out for _grokparsefailures and report them on the mailing list so they can be resolved. Thanks!
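One way to do the "watch out for _grokparsefailures" check from the exchange above, as an added example that is not code from this thread or from Security Onion. It assumes Logstash is writing events one JSON object per line (for instance a file output with the json_lines codec) and that each event has a plain string type field; the five events embedded below are constructed, not captured output.

```shell
#!/usr/bin/env bash
# Added example (not Security Onion code): triage _grokparsefailure tags in
# Logstash output. Assumes one JSON event per line with a simple "type" field,
# which is enough for a sed-based extraction; use jq for anything richer.

# Constructed sample events standing in for captured Logstash output.
SAMPLE_EVENTS='{"@timestamp":"2017-08-01T12:00:00.000Z","type":"bro_conn","message":"1501588800.000000 Cr5f0z 10.0.0.5 51234 8.8.8.8 53 udp dns","tags":["bro"]}
{"@timestamp":"2017-08-01T12:00:01.000Z","type":"snort","message":"08/01-12:00:01.000000 [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**]","tags":["nids","_grokparsefailure"]}
{"@timestamp":"2017-08-01T12:00:02.000Z","type":"snort","message":"garbled alert line","tags":["nids","_grokparsefailure"]}
{"@timestamp":"2017-08-01T12:00:03.000Z","type":"bro_http","message":"malformed http record","tags":["bro","_grokparsefailure"]}
{"@timestamp":"2017-08-01T12:00:04.000Z","type":"ossec","message":"ossec: ok","tags":["ossec"]}'

# Reads events on stdin; prints how many carry the _grokparsefailure tag.
# grep -c exits 1 when the count is 0, so force success to keep "0" usable.
grokfail_count() {
  grep -c '"_grokparsefailure"' || true
}

# Reads events on stdin; prints "count type" per failing event type, most
# frequent first, so the offending parser (e.g. the NIDS grok) stands out.
grokfail_by_type() {
  grep '"_grokparsefailure"' \
    | sed -n 's/.*"type":"\([^"]*\)".*/\1/p' \
    | sort | uniq -c | sort -rn \
    | awk '{ print $1, $2 }'
}

# Reads events on stdin; returns 1 when any failures exist so the check can
# gate a release test, 0 otherwise.
grokfail_check() {
  local n
  n=$(grokfail_count)
  if [ "$n" -gt 0 ]; then
    echo "FAIL: $n event(s) tagged _grokparsefailure" >&2
    return 1
  fi
  echo "OK: no _grokparsefailure tags"
}

# Demonstration over the constructed events.
printf '%s\n' "$SAMPLE_EVENTS" | grokfail_by_type
printf '%s\n' "$SAMPLE_EVENTS" | grokfail_check || true
```

Point real output at it with something like `tail -n 100000 /path/to/logstash-json.log | grokfail_check`; a non-zero exit plus the per-type breakdown is what you would paste into a mailing-list report.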
submitted to QA group for testing:

Elasticsearch
  - --env "bootstrap_memory_lock=true"
  - --ulimit memlock=-1:-1
  - --env ES_JAVA_OPTS="-Xms$ELASTICSEARCH_HEAP -Xmx$ELASTICSEARCH_HEAP"
  - $ELASTICSEARCH_HEAP based on available RAM
  - MAX_OPEN_FILES=65536
  - elasticsearch - nofile 65536
  - elasticsearch soft/hard nproc 2048

Kibana
  - field type conflict for status_code field

Logstash
  - 0001_intput_json.conf
  - bro: tag if type is bro
  - rename from 0000_input to 1000_preprocess
  - rename message and sub_message as msg and sub_msg
  - pipeline.workers: 1

Curator

ElastAlert
  - use_count_query

Freqserver

Domainstats

so-elastic-configure

so-elastic-configure-elastalert
  - check that the elastalert_status index exists before deleting

so-elastic-start
  - --link is a deprecated legacy feature, replace with user-defined network

so-start / so-stop / so-restart

sostat

soup

ELSA

CapMe

Sguil

Squert

Setup

Experimental

OSSEC
  - Files hidden inside directory '/var/lib/docker/aufs

distributed deployments

update existing packages

build new packages where necessary

develop tests for QA
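The Elasticsearch and so-elastic-start items in the list above (heap derived from RAM, memory lock, open-file limit, and replacing --link with a user-defined network) worked through in one script, as an added example that is not so-elastic-configure or so-elastic-start itself. The heap rule (half of RAM, capped at 31g) is Elastic's standard sizing guidance rather than a value stated in the issue; the network name so-elastic-net and the image reference are placeholders; the memory-lock setting is passed under its dotted name, bootstrap.memory_lock, which is how the Elastic 5.x Docker image reads settings from the environment. The docker command is returned as a string for review rather than executed, so the script runs without Docker.

```shell
#!/usr/bin/env bash
# Added example (not Security Onion code): size the Elasticsearch heap from
# host RAM and assemble a docker run line carrying the checklist's memory-lock
# and ulimit settings on a user-defined network instead of --link.
# Placeholders: network name so-elastic-net, image reference passed by caller.

# Half of RAM, capped at 31g (Elastic guidance: at most 50% of RAM and below
# the compressed-oops threshold). Prints a value usable in -Xms/-Xmx.
es_heap_from_ram_mb() {
  local ram_mb=$1
  local heap_mb=$(( ram_mb / 2 ))
  local cap_mb=$(( 31 * 1024 ))
  if [ "$heap_mb" -gt "$cap_mb" ]; then
    heap_mb=$cap_mb
  fi
  if [ "$heap_mb" -ge 1024 ]; then
    printf '%sg\n' "$(( heap_mb / 1024 ))"
  else
    printf '%sm\n' "$heap_mb"
  fi
}

# Linux only: total RAM in MB from /proc/meminfo; prints 0 where unavailable.
detect_ram_mb() {
  if [ -r /proc/meminfo ]; then
    awk '/^MemTotal:/ { print int($2 / 1024) }' /proc/meminfo
  else
    echo 0
  fi
}

# Deprecated form the checklist flags (shown for comparison only, never run):
#   docker run --link so-elasticsearch:elasticsearch ... <logstash image>
# Replacement: one user-defined bridge network that every stack container
# joins. Docker's embedded DNS then resolves containers by name, which is the
# only thing --link was providing here.
ES_NETWORK=so-elastic-net   # placeholder network name

# Builds the docker run command for Elasticsearch and prints it.
# $1 heap (e.g. 4g), $2 network name, $3 image reference.
es_docker_cmd() {
  local heap=$1 network=$2 image=$3
  local cmd="docker run -d --name so-elasticsearch"
  cmd="$cmd --network $network"
  cmd="$cmd --env bootstrap.memory_lock=true"   # lock the JVM heap in RAM
  cmd="$cmd --ulimit memlock=-1:-1"              # memory_lock needs unlimited memlock
  cmd="$cmd --ulimit nofile=65536:65536"         # container-side equivalent of nofile 65536
  cmd="$cmd --env \"ES_JAVA_OPTS=-Xms$heap -Xmx$heap\""
  cmd="$cmd $image"
  echo "$cmd"
}

# Demonstration: real RAM when readable, otherwise a constructed 8 GB host.
RAM_MB=$(detect_ram_mb)
if [ "$RAM_MB" -le 0 ]; then
  RAM_MB=8192
fi
ELASTICSEARCH_HEAP=$(es_heap_from_ram_mb "$RAM_MB")
echo "docker network create $ES_NETWORK"
es_docker_cmd "$ELASTICSEARCH_HEAP" "$ES_NETWORK" "docker.elastic.co/elasticsearch/elasticsearch:5.4.0"
```

Logstash and Kibana containers are started with the same `--network so-elastic-net` and reach Elasticsearch as `so-elasticsearch:9200`; the `--ulimit nofile` flag is the in-container counterpart of the `elasticsearch - nofile 65536` limits.conf line, which only applies to a host-installed daemon.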