Monday, November 30, 2020

Elastic Stack 7.9.3 now available for Security Onion 16.04!

First, please note that Security Onion 16.04 reaches EOL in less than 5 months. Instead of applying this update, most Security Onion 16.04 users should upgrade directly to Security Onion 2:
https://blog.securityonion.net/2020/11/5-month-eol-notice-for-security-onion.html

If you do decide to proceed with this update for Security Onion 16.04, please be reminded of the recent Docker Hub rate limit changes:
https://blog.securityonion.net/2020/10/docker-hub-rate-limits-effective.html

The following updates are now available for Security Onion 16.04!

  • Elastic 7.9.3 Docker images
  • securityonion-capme - 20121213-0ubuntu0securityonion80
  • securityonion-elastic - 20190510-1ubuntu1securityonion124
  • securityonion-setup - 20120912-0ubuntu0securityonion329
  • securityonion-sostat - 20120722-0ubuntu0securityonion146
  • securityonion-web-page - 20141015-0ubuntu0securityonion109

These updates should resolve the following issues:

Elastic 7.9.3 #1782
https://github.com/Security-Onion-Solutions/security-onion/issues/1782

so-elastic-features - improve soup call #1789
https://github.com/Security-Onion-Solutions/security-onion/issues/1789

securityonion-elastic: Migrate indices.* settings for elasticsearch.yml #1786
https://github.com/Security-Onion-Solutions/security-onion/issues/1786

securityonion-elastic: update links to documentation #1801
https://github.com/Security-Onion-Solutions/security-onion/issues/1801

securityonion-sostat: update links to documentation #1794
https://github.com/Security-Onion-Solutions/security-onion/issues/1794

securityonion-web-page: update links to documentation #1799
https://github.com/Security-Onion-Solutions/security-onion/issues/1799

Setup: do not write interfaces if we lack valid contents #1784
https://github.com/Security-Onion-Solutions/security-onion/issues/1784

securityonion-setup: update links to documentation #1800
https://github.com/Security-Onion-Solutions/security-onion/issues/1800

Known Issues

If you get errors in logstash.log like:

"reason"=>"Failed to parse mapping [doc]: mapper [destination_geo.latitude] cannot be changed from type [long] to [half_float]", "caused_by"=>{"type"=>"illegal_argument_exception", "reason"=>"mapper [destination_geo.latitude] cannot be changed from type [long] to [half_float]"}}}}}

then you may have an old Logstash template and may need to do the following on any node that is running Logstash:

sudo so-logstash-stop
curl -XDELETE localhost:9200/_template/logstash
curl -XDELETE localhost:9200/_template/logstash-*
sudo so-logstash-start

For more information, please see:
https://groups.google.com/g/security-onion/c/6p6Jkr91-kM

If that doesn't resolve the issue, you may have custom templates in /etc/logstash/custom/ that need to be updated. You’ll need to copy from source and modify as needed.
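The template fix above, as an added shell helper that is not part of this announcement or of Security Onion's own code: it only stops Logstash and deletes the old templates when logstash.log actually carries the mapping-conflict signature and the node still reports the template. It assumes the log path /var/log/logstash/logstash.log and an unauthenticated Elasticsearch on localhost:9200, as the curl commands in the post imply.

```shell
#!/bin/sh
# Added example for the Known Issues fix; not Security Onion project code.
# Assumptions: Logstash log at /var/log/logstash/logstash.log, Elasticsearch
# answering without authentication on localhost:9200 (as in the post).

# Return 0 when the log contains the mapping-conflict signature quoted in the post.
logstash_mapping_conflict() {
  grep -q 'Failed to parse mapping .* cannot be changed from type' "$1"
}

# Delete a template only if the node reports it (HTTP 200); otherwise say so
# instead of issuing a blind DELETE.
delete_template_if_present() {
  code=$(curl -s -o /dev/null -w '%{http_code}' "localhost:9200/_template/$1")
  if [ "$code" = "200" ]; then
    curl -s -XDELETE "localhost:9200/_template/$1"
    echo
  else
    echo "template $1 not present (HTTP $code), skipping" >&2
  fi
}

# Apply the fix from the post, but only when the signature is present.
# Returns 1 without touching Logstash when the log shows no conflict.
fix_logstash_templates() {
  log=${1:-/var/log/logstash/logstash.log}
  if ! logstash_mapping_conflict "$log"; then
    echo "no mapping conflict found in $log; nothing to do" >&2
    return 1
  fi
  sudo so-logstash-stop
  delete_template_if_present logstash
  delete_template_if_present 'logstash-*'
  sudo so-logstash-start
}

# Constructed sample log line (not a real capture) so the detector can be tried
# offline; prints the path of a temp file containing it.
sample_log() {
  f=$(mktemp)
  printf '%s\n' '[2020-11-30T12:00:00,000][WARN ][logstash.outputs.elasticsearch] template install failed: "reason"=>"Failed to parse mapping [doc]: mapper [destination_geo.latitude] cannot be changed from type [long] to [half_float]"' > "$f"
  echo "$f"
}
```

Run `fix_logstash_templates` with no argument on a node running Logstash; pass a different log path as the first argument if your Logstash logs elsewhere.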

Thanks

  • Thanks to the Elastic team for Elastic 7.9.3!
  • Thanks to Pete Nelson for submitting fixes for both so-elastic-features and sosetup-network!
  • Thanks to Chris Morgret for testing and QA!

Updating

Please see the following page for full update instructions:
https://docs.securityonion.net/en/16.04/upgrade.html

Support

Need support? Please see:
https://docs.securityonion.net/en/16.04/support.html

Thanks!
