Monday, November 30, 2020

Elastic Stack 7.9.3 now available for Security Onion 16.04!

First, please note that Security Onion 16.04 reaches EOL in less than 5 months. Instead of applying this update, most Security Onion 16.04 users should upgrade directly to Security Onion 2:

If you do decide to proceed with this update for Security Onion 16.04, please be reminded of the recent Docker Hub rate limit changes:

The following updates are now available for Security Onion 16.04!

  • Elastic 7.9.3 Docker images
  • securityonion-capme - 20121213-0ubuntu0securityonion80
  • securityonion-elastic - 20190510-1ubuntu1securityonion124
  • securityonion-setup - 20120912-0ubuntu0securityonion329
  • securityonion-sostat - 20120722-0ubuntu0securityonion146
  • securityonion-web-page - 20141015-0ubuntu0securityonion109

These updates should resolve the following issues:

  • Elastic 7.9.3 #1782
  • so-elastic-features - improve soup call #1789
  • securityonion-elastic: Migrate indices.* settings for elasticsearch.yml #1786
  • securityonion-elastic: update links to documentation #1801
  • securityonion-sostat: update links to documentation #1794
  • securityonion-web-page: update links to documentation #1799
  • Setup: do not write interfaces if we lack valid contents #1784
  • securityonion-setup: update links to documentation #1800

Known Issues

If you get errors in logstash.log like:

 "reason"=>"Failed to parse mapping [doc]: mapper [destination_geo.latitude] cannot be changed from type [long] to [half_float]", "caused_by"=>{"type"=>"illegal_argument_exception", "reason"=>"mapper [destination_geo.latitude] cannot be changed from type [long] to [half_float]"}}}}}

then you may have an old Logstash template and may need to do the following on any node that is running Logstash:

    sudo so-logstash-stop
    curl -XDELETE localhost:9200/_template/logstash
    curl -XDELETE localhost:9200/_template/logstash-*
    sudo so-logstash-start

For more information, please see: 

If that doesn't resolve the issue, you may have custom templates in /etc/logstash/custom/ that need to be updated. You’ll need to copy from source and modify as needed.
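As an added example (not part of the original post or the Security Onion project), the following shell function scans a Logstash log for the mapping-conflict error quoted above and reports the affected mapper field and the two conflicting types, so an operator can confirm the old-template cause before deleting templates. It runs against a constructed sample log written to a temp file rather than the real /var/log/logstash/logstash.log.

```shell
#!/bin/sh
# Added example, not Security Onion project code.
# detect_mapping_conflict LOGFILE
#   Prints one line per conflicting field: "<field> <old_type> <new_type>".
#   Returns 0 when at least one conflict is found, 1 otherwise.
detect_mapping_conflict() {
    logfile="$1"
    found=0
    while IFS= read -r line; do
        # Only lines carrying the Elasticsearch "cannot be changed from type" reason matter.
        case "$line" in
            *"cannot be changed from type ["*) ;;
            *) continue ;;
        esac
        # Pull out the mapper name and both types. The reason text is repeated in the
        # caused_by block of the same line, so the greedy match yields a single result.
        printf '%s\n' "$line" | sed -n \
            's/.*mapper \[\([^]]*\)\] cannot be changed from type \[\([^]]*\)\] to \[\([^]]*\)\].*/\1 \2 \3/p'
        found=1
    done < "$logfile"
    [ "$found" -eq 1 ]
}

# Constructed sample log: one harmless INFO line and the error from the post.
sample_log="$(mktemp)"
cat > "$sample_log" <<'EOF'
[2020-11-30T10:00:01,000][INFO ][logstash.agent] Pipelines running {:count=>1}
[2020-11-30T10:00:02,000][ERROR][logstash.outputs.elasticsearch] Could not index event {"reason"=>"Failed to parse mapping [doc]: mapper [destination_geo.latitude] cannot be changed from type [long] to [half_float]", "caused_by"=>{"type"=>"illegal_argument_exception", "reason"=>"mapper [destination_geo.latitude] cannot be changed from type [long] to [half_float]"}}}}}
EOF

# Constructed empty log to show the no-conflict path.
clean_log="$(mktemp)"
: > "$clean_log"

if detect_mapping_conflict "$sample_log"; then
    echo "Old Logstash template detected: stop Logstash, delete the logstash templates, restart."
fi
```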


  • Thanks to the Elastic team for Elastic 7.9.3!
  • Thanks to Pete Nelson for submitting fixes for both so-elastic-features and sosetup-network!
  • Thanks to Chris Morgret for testing and QA!


Please see the following page for full update instructions:


Need support?  Please see:


Security Onion v2 prior to 2.3.10 has an incorrect sudo configuration

Security Onion v2 prior to 2.3.10 has an incorrect sudo configuration:

Thursday, November 19, 2020

Security Onion 2.3.10 now available!

We recently released Security Onion 2.3:

Today, we are releasing Security Onion 2.3.10, which resolves a few issues:


We've started migrating our documentation to 2.3:

However, this is a work in progress and some documentation may be missing or incorrect. Please let us know if you notice any issues.

Known Issues

New Installations

If you want to do a new installation, please review the 2.3 documentation and then you can find instructions here:

Existing 2.x Installations

If you have an existing 2.3 GA installation, please see:

If you have an existing 2.x Release Candidate (RC1, RC2, or RC3) installation, please see the in-place upgrade notes here:

Security Onion 16.04 EOL

Ubuntu 16.04 reaches EOL in April 2021, and therefore Security Onion 16.04 does as well. Please make plans to replace or upgrade any existing Security Onion 16.04 deployments before then:

Upgrading from Security Onion 16.04

If you're currently running Security Onion 16.04, please see the following for upgrade options:

Questions or Problems

If you have questions or problems, please see our community support forum guidelines:

You can then find the community support forum at:


Security Onion 2.3.10 ISO Boot Menu

For a full screenshot tour, please see the Security Onion 2.3 blog post:

Monday, November 16, 2020

New Security Onion 2 Training Available: Security Onion 2 in Production!

Security Onion 2 in Production is now available! In this course, you will learn more about architecting, operating and maintaining production Security Onion 2 distributed architectures.

From course author Josh Brower:

"Having spent a number of years myself in IT Infrastructure & Operations, I know the amount of effort it takes to architect, install, configure, and maintain technology stacks - which is why I think this course is really important – I think it will make your Security Onion deployment and long term maintenance of your grid smoother and much more straightforward."

For a limited time only, use the following Coupon Code for $50 off!


For more details and to register, please see:

5 month EOL notice for Security Onion 16.04

On 10/16/2020, we released Security Onion 2 and announced a 6-month EOL notice for Security Onion 16.04:

Ubuntu 16.04 reaches EOL in April 2021, and therefore Security Onion 16.04 does as well. We will not provide any support for Security Onion 16.04 after April 16, 2021. Please plan to upgrade or replace any existing 16.04 systems before then. If you have existing installations of Security Onion 16.04, you can upgrade to Security Onion 2:
