Re‐Indexing
Please note! This wiki is no longer maintained. Our documentation has moved to https://securityonion.net/docs/. Please update your bookmarks. You can find the latest version of this page at: https://securityonion.net/docs/Re‐Indexing.
When changing mappings or index settings, we may need to re-index the existing indices to ensure there are no mapping conflicts.
One way to do this by using the following experimental example script:
https://raw.githubusercontent.com/weslambert/securityonion-elastic-misc/master/so-elastic-reindex
Pull down the script to your Security Onion box:
wget https://raw.githubusercontent.com/weslambert/securityonion-elastic-misc/master/so-elastic-reindex
Make the script executable:
sudo chmod +x so-elastic-reindex
Re-index all indices matching logstash-*, pulling the appropriate refresh_interval from the template named logstash in Elasticsearch:
sudo ./so-elastic-reindex -i "logstash-*" -t "logstash"
The script should then progress to re-index the matching indices, and inform you when it has completed.
Please note, abnormal execution of this script may result in data loss -- there are NO GUARANTEES this process will work perfectly for you.
- Introduction
- Use Cases
- Hardware Requirements
- Release Notes
- Download/Install
- Booting Issues
- After Installation
- UTC and Time Zones
- Services
- VirtualBox Walkthrough
- VMWare Walkthrough
- Videos
- Architecture
- Cheat Sheet
- Conference
- Elastic Stack
- Elastic Architecture
- Elasticsearch
- Logstash
- Kibana
- ElastAlert
- Curator
- FreqServer
- DomainStats
- Docker
- Redis
- Data Fields
- Beats
- Pre-Releases
- ELSA to Elastic
- Network Configuration
- Proxy Configuration
- Firewall/Hardening
- Email Configuration
- Integrating with other systems
- Changing IP Addresses
- NTP
- Managing Alerts
- Managing Rules
- Adding Local Rules
- Disabling Processes
- Filtering with BPF
- Adjusting PF_RING for traffic
- MySQL Tuning
- Adding a new disk
- High Performance Tuning
- Trimming PCAPs