securityonion-elastic: RC4

[dougburks]

• Elasticsearch

  • Elasticsearch 6.2.3
  • move to jvm.options for setting heap size
  • set dynamic mapping to false - commit

• Logstash

  • Logstash 6.2.3
  • don't automatically install redis files so we can avoid overwriting on package upgrades
  • allow users to disable individual files in /etc/logstash/conf.d/ without them being re-enabled
  • remove NIDS rule lookup to avoid performance hit
  • some outputs have template references like ./logstash-template.json (remove the dot)
  • heap size should be 25% of RAM up to 4GB
  • comment out pipeline.workers: 1 so that logstash can set workers automatically
  • use default logstash.yml and set path.config, http.host, and path.logs
  • move to jvm.options for setting heap size
  • fix kerberos client_cert_subject
  • fix RADIUS parser
  • fix OSSEC sysmon parser
  • fix pfsense parser

• Kibana

  • Kibana 6.2.3
  • so-elastic-configure-kibana-config should lower case hostname when setting seeds
  • Sysmon - Event Type Visualization should be changed to Event ID
  • ingest as many data types as possible (pfsense, beats, ossec, etc.) before exporting dashboards

• CapMe

  • display log that user is pivoting from
  • if pivoting from NIDS alert, display NIDS rule that generated alert
  • check to see if uid is an array

• ElastAlert

  • add flatline rule
  • add new_term rule
  • add change rule

• elasticdownload.conf

  • remove git settings since they're no longer used - commit

• so-*

  • finish so-COMPONENT-VERB control scripts (example: so-logstash-restart)

• so-elastic-status

  • check to see if Logstash is still initializing

• so-import-pcap

  • note that it may take 30 seconds for logs to appear in Kibana

• sosetup-elastic

  • configure remote elastic nodes with skip_unavailable: true

• so-crossclustercheck

  • reconfigure to just output _cluster/settings since we're now using skip_unavailable: true

[dougburks]

submitted for testing:
https://groups.google.com/d/topic/security-onion-testing/WU5Sj88nF6s/discussion

[dougburks]

Published:
https://blog.securityonion.net/2018/03/elastic-623-and-securityonion-elastic.html