This repository has been archived by the owner on Apr 16, 2021. It is now read-only.

Elastic Stack Beta 2 #1132

Closed
33 tasks done
dougburks opened this issue Sep 21, 2017 · 2 comments

Comments


dougburks commented Sep 21, 2017

  • Elasticsearch

    • Elasticsearch 5.6.4
  • Kibana

    • Kibana 5.6.4
    • avoid scroll bars on metric visualizations by replacing standard metric visualizations with time series visual builder metric visualizations
    • on Stats dashboard, Logstash Error Type (Donut Chart) visualization is showing all tags not just errors
  • Logstash

  • so-crossclustercheck

    • avoid issues with hyphenated hostnames (like elastic-virtual-machine)
    • cron job should not run until after cross cluster settings are initially applied
    • cron job should run as a limited user
    • add logrotate entry for /var/log/elasticsearch/crossclustercheck.log
    • enable/disable via /etc/nsm/securityonion.conf
  • so-elastic-start

    • break into separate scripts (so-elastic-start calls so-elastic-start-elasticsearch...)
  • /etc/init/securityonion.conf

    • check for /etc/init.d/xplico before trying to execute it
  • CapMe

    • check for IPv6 addresses
    • detect BRO_PE / BRO_X509 and pivot to BRO_FILES via FID and then to BRO_CONN via CID
    • increase $st and $et window and check for multiple results
  • sosetup-elastic

    • if configuring master-only, syslog-ng.conf never gets updated, thus logs never make it to Elastic (resolved in securityonion-elastic - 20171020-1ubuntu1securityonion13)
    • always disable Xplico
    • when re-running setup, make sure that /etc/nsm/crossclustertab gets removed
    • disable FreqServer and DomainStats when running Production Mode
  • so-status

    • elasticsearch and logstash output should be moved inside if statement in case they are disabled
    • move elastic logic to so-elastic-status and have so-status just call service nsm status and then so-elastic-status
  • securityonion-elastic package

    • postinst should run so-elastic-configure if Elastic is enabled and should include error checking
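As an added illustration of four of the checklist items above (the so-status output moved inside an enable check, the /etc/init.d/xplico existence check, hyphenated-hostname handling for so-crossclustercheck, and the enable/disable switch in /etc/nsm/securityonion.conf), here is a POSIX sh fragment that is example code, not Security Onion's own scripts; the ELASTIC_ENABLED key name and the constant status lines are assumptions.

```shell
#!/bin/sh
# Example code, not from the securityonion-elastic package.
# Assumption: /etc/nsm/securityonion.conf holds KEY=value lines such as
# ELASTIC_ENABLED=yes (the key name is a placeholder).

# Read the last KEY=value setting from a securityonion.conf-style file.
conf_get() {                     # conf_get FILE KEY
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# so-crossclustercheck / so-status: honour the enable/disable switch.
elastic_enabled() {              # elastic_enabled FILE
    [ "$(conf_get "$1" ELASTIC_ENABLED)" = "yes" ]
}

# so-crossclustercheck: accept hyphenated hostnames such as
# elastic-virtual-machine (labels of letters/digits with interior hyphens,
# optionally dotted), while rejecting leading hyphens and whitespace.
valid_hostname() {               # valid_hostname NAME
    printf '%s\n' "$1" | grep -Eq \
      '^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$'
}

# so-status: print Elastic lines only when Elastic is enabled, so a service
# that is intentionally off is skipped rather than reported as a failure.
so_elastic_status() {            # so_elastic_status FILE
    if elastic_enabled "$1"; then
        # The real script would query the services; constants stand in here.
        printf 'elasticsearch: checked\nlogstash: checked\n'
    fi
}

# /etc/init/securityonion.conf: check for the init script before calling it.
run_if_present() {               # run_if_present SCRIPT ARGS...
    script=$1; shift
    [ -x "$script" ] || return 0   # absent: nothing to do, not an error
    "$script" "$@"
}
```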
@dougburks dougburks changed the title Elastic Stack Release Candidate 1 Elastic Stack Beta 2 Nov 22, 2017