First, please note that Security Onion 16.04 reaches EOL in less than 5 months. Instead of applying this update, most Security Onion 16.04 users should upgrade directly to Security Onion 2:
https://blog.securityonion.net/2020/11/5-month-eol-notice-for-security-onion.html
If you do decide to proceed with this update for Security Onion 16.04, please be reminded of the recent Docker Hub rate limit changes:
https://blog.securityonion.net/2020/10/docker-hub-rate-limits-effective.html
The following updates are now available for Security Onion 16.04!
- Elastic 7.9.3 Docker images
- securityonion-capme - 20121213-0ubuntu0securityonion80
- securityonion-elastic - 20190510-1ubuntu1securityonion124
- securityonion-setup - 20120912-0ubuntu0securityonion329
- securityonion-sostat - 20120722-0ubuntu0securityonion146
- securityonion-web-page - 20141015-0ubuntu0securityonion109
These updates should resolve the following issues:
Elastic 7.9.3 #1782
https://github.com/Security-Onion-Solutions/security-onion/issues/1782
so-elastic-features - improve soup call #1789
https://github.com/Security-Onion-Solutions/security-onion/issues/1789
securityonion-elastic: Migrate indices.* settings for elasticsearch.yml #1786
https://github.com/Security-Onion-Solutions/security-onion/issues/1786
securityonion-elastic: update links to documentation #1801
https://github.com/Security-Onion-Solutions/security-onion/issues/1801
securityonion-sostat: update links to documentation #1794
https://github.com/Security-Onion-Solutions/security-onion/issues/1794
securityonion-web-page: update links to documentation #1799
https://github.com/Security-Onion-Solutions/security-onion/issues/1799
Setup: do not write interfaces if we lack valid contents #1784
https://github.com/Security-Onion-Solutions/security-onion/issues/1784
securityonion-setup: update links to documentation #1800
https://github.com/Security-Onion-Solutions/security-onion/issues/1800
Known Issues
If you get errors in logstash.log like:
"reason"=>"Failed to parse mapping [doc]: mapper [destination_geo.latitude] cannot be changed from type [long] to [half_float]", "caused_by"=>{"type"=>"illegal_argument_exception", "reason"=>"mapper [destination_geo.latitude] cannot be changed from type [long] to [half_float]"}}}}}
then you may have an old Logstash template and may need to do the following on any node that is running Logstash:
sudo so-logstash-stop
curl -XDELETE localhost:9200/_template/logstash
curl -XDELETE localhost:9200/_template/logstash-*
sudo so-logstash-start
For more information, please see:
https://groups.google.com/g/security-onion/c/6p6Jkr91-kM
If that doesn't resolve the issue, you may have custom templates in /etc/logstash/custom/ that need to be updated. You’ll need to copy from source and modify as needed.
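As an added example, not from the announcement or the Security Onion project, here is a small POSIX shell helper for confirming the symptom before any template is deleted: it pulls the conflicting field and type pair out of logstash.log lines shaped like the one above and lists the legacy logstash* templates on the node. It assumes Elasticsearch listens on localhost:9200 as the commands above do; the sample log lines are constructed, and the log path in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example, not part of the Security Onion 16.04 announcement.
# Confirms the "cannot be changed from type" symptom and lists legacy
# templates before the so-logstash-stop / curl -XDELETE steps are run.

# Print each distinct "field old_type new_type" mapping conflict found in
# the given logstash.log path (or on stdin when no path is given).
mapping_conflicts() {
  cat -- "$@" | sed -n \
    's/.*mapper \[\([^]]*\)\] cannot be changed from type \[\([^]]*\)\] to \[\([^]]*\)\].*/\1 \2 \3/p' \
    | sort -u
}

# Number of distinct conflicts; 0 means the log shows no sign of an old template.
conflict_count() {
  mapping_conflicts "$@" | wc -l | tr -d ' '
}

# Names of legacy index templates starting with "logstash" on the local node.
# Assumes Elasticsearch on localhost:9200, as in the commands above.
legacy_logstash_templates() {
  curl -s 'localhost:9200/_cat/templates/logstash*?h=name'
}

# Constructed sample lines shaped like the error quoted above (not a real log).
SAMPLE_LOG='[2020-11-04T10:00:01,000][WARN ][logstash.outputs.elasticsearch] Could not index event {"reason"=>"Failed to parse mapping [doc]: mapper [destination_geo.latitude] cannot be changed from type [long] to [half_float]", "caused_by"=>{"type"=>"illegal_argument_exception", "reason"=>"mapper [destination_geo.latitude] cannot be changed from type [long] to [half_float]"}}}}}
[2020-11-04T10:00:02,000][WARN ][logstash.outputs.elasticsearch] Could not index event {"reason"=>"mapper [source_geo.longitude] cannot be changed from type [long] to [half_float]"}}
[2020-11-04T10:00:03,000][INFO ][logstash.agent] Pipelines running {:count=>1}'

# Demo on the constructed sample: prints the two conflicting fields.
printf '%s\n' "$SAMPLE_LOG" | mapping_conflicts

# On a Logstash node (placeholder path, substitute your own):
#   mapping_conflicts /path/to/logstash.log
#   legacy_logstash_templates   # a "logstash" entry means the old template is still present
```

Run the two real-node commands on every node that runs Logstash; if conflicts are reported but no logstash* template is listed, the remaining candidates are the custom templates under /etc/logstash/custom/ mentioned above.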
Thanks
- Thanks to the Elastic team for Elastic 7.9.3!
- Thanks to Pete Nelson for submitting fixes for both so-elastic-features and sosetup-network!
- Thanks to Chris Morgret for testing and QA!
Updating
Please see the following page for full update instructions:
https://docs.securityonion.net/en/16.04/upgrade.html
Support
Need support? Please see:
https://docs.securityonion.net/en/16.04/support.html
Thanks!