This repository was archived by the owner on Apr 16, 2021. It is now read-only.

Elastic Stack Beta 2 #1132
Closed

Description
Elasticsearch
- Elasticsearch 5.6.4

Kibana
- Kibana 5.6.4
- avoid scroll bars on metric visualizations by replacing standard metric visualizations with time series visual builder metric visualizations
- on Stats dashboard, Logstash Error Type (Donut Chart) visualization is showing all tags, not just errors

Logstash
- Logstash 5.6.4
- update parser for pfSense 2.4.1

so-crossclustercheck
- avoid issues with hyphenated hostnames (like elastic-virtual-machine)
- cron job should not run until after cross cluster settings are initially applied
- cron job should run as a limited user
- add logrotate entry for /var/log/elasticsearch/crossclustercheck.log
- enable/disable via /etc/nsm/securityonion.conf

so-elastic-start
- break into separate scripts (so-elastic-start calls so-elastic-start-elasticsearch...)

/etc/init/securityonion.conf
- check for /etc/init.d/xplico before trying to execute it

CapMe
- check for IPv6 addresses
- detect BRO_PE / BRO_X509 and pivot to BRO_FILES via FID and then to BRO_CONN via CID
- increase $st and $et window and check for multiple results

sosetup-elastic
- if configuring master-only, syslog-ng.conf never gets updated, thus logs never make it to Elastic (resolved in securityonion-elastic - 20171020-1ubuntu1securityonion13)
- always disable Xplico
- when re-running setup, make sure that /etc/nsm/crossclustertab gets removed
- disable FreqServer and DomainStats when running Production Mode

so-status
- elasticsearch and logstash output should be moved inside the if statement in case they are disabled
- move elastic logic to so-elastic-status and have so-status just call service nsm status and then so-elastic-status

securityonion-elastic package
- postinst should run so-elastic-configure if Elastic is enabled and should include error checking
- postinst should run