Last October, we released Security Onion 2.3:
https://blog.securityonion.net/2020/10/security-onion-2-has-reached-general.html
Today, we are releasing Security Onion 2.3.80, which adds new features and resolves a few issues:
https://docs.securityonion.net/en/2.3/release-notes.html#changes
New Features and Improvements
Security Onion 2.3.80 now includes RBAC (Role Based Access Control). This allows you to assign different privileges to different members of your security team:
https://docs.securityonion.net/en/2.3/rbac.html
In addition, 2.3.80 also includes a new utility called so-import-evtx which is similar to so-import-pcap but allows you to import Windows event logs:
https://docs.securityonion.net/en/2.3/so-import-evtx.html
Starting in Security Onion 2.3.80, users can completely customize their Elasticsearch configuration via Salt pillars. This allows elasticsearch.yml customizations to be retained when doing upgrades of Security Onion. Depending on your customization goal, you can specify settings in either the global pillar or the minion pillar. You can find full detail on how to do this via our documentation:
https://docs.securityonion.net/en/2.3/elasticsearch.html?highlight=elastic#pillar-files
Another significant change is that we’ve improved support for Elastic clustering. You can read more about that here:
https://docs.securityonion.net/en/2.3/elasticsearch.html#distributed-deployments
One of the things that we’ve improved for Elastic clustering is the curator configuration. In previous versions, curator ran once a minute which put stress on the cluster. Also, curator ran on each node which could cause the imbalance of data due to how the close and delete functions work. We made the following changes to curator to improve Elastic clustering:
- Curator only runs on the manager. When you upgrade to Security Onion 2.3.80, it will disable curator on all search nodes and enable it on the manager.
- Curator will only run once a day since we use daily indices. You will notice 3 new curator scripts that will get automatically populated based on what filebeat modules you have enabled via the pillar. These scripts are:
- so-curator-cluster-close
- so-curator-cluster-delete
- so-curator-cluster-warm
- You must change the delete settings for the individual indices listed in the global.sls. Here is the detailed documentation on how to do this:
https://docs.securityonion.net/en/2.3/elasticsearch.html?highlight=curator#elastic-clustering
Please note that this curator change is only required if you are using Elastic clustering. This means that no action is required if you are running a single instance or a distributed deployment in our traditional default of cross cluster search.
You can find our documentation here:
https://docs.securityonion.net/en/2.3/
We've also updated our printed book at Amazon:
https://securityonion.net/book
New Installations
If you want to perform a new installation, please review the documentation and then you can find instructions here:
https://docs.securityonion.net/en/2.3/download.html
Existing 2.3 Installations
If you have an existing Security Onion 2.3 installation, please see:
https://docs.securityonion.net/en/2.3/soup.html
AWS Marketplace
For new Security Onion 2 installations, version 2.3.80 will soon be available on AWS Marketplace via the official Security Onion 2 AMI:
https://securityonion.net/aws/?ref=_ptnr_soc_blog_210819
AMI Documentation:
https://securityonion.net/docs/cloud-ami
Existing Security Onion 2 AMI users should use the "soup" command to upgrade:
https://docs.securityonion.net/en/2.3/soup.html
Azure Marketplace
Security Onion 2.3.80 will soon be available on Azure!
https://securityonion.net/azure
Azure Documentation:
https://docs.securityonion.net/en/2.3/cloud-azure.html
Security Onion 16.04 EOL
As a reminder, Security Onion 16.04 has reached End Of Life (EOL):
https://blog.securityonion.net/2021/04/security-onion-1604-has-reached-end-of.html
If you're still running Security Onion 16.04, please see the following for upgrade options:
https://docs.securityonion.net/en/2.3/appendix.html
Questions or Problems
If you have questions or problems, please see our community support forum guidelines:
https://docs.securityonion.net/en/2.3/community-support.html
You can then find the community support forum at:
https://securityonion.net/discuss
Thanks
Lots of love went into this release!
Special thanks to all our folks working so hard to make this release happen!
- Josh Brower
- Jason Ertel
- Wes Lambert
- Josh Patterson
- Mike Reeves
- William Wernert
Training
Need training? Start with our free Security Onion Essentials training and then take a look at some of our other official Security Onion training!
https://securityonion.net/training
Hardware Appliances
We know Security Onion's hardware needs, and our appliances are the perfect match for the platform. Leave the hardware research, testing, and support to us, so you can focus on what's important for your organization. Not only will you have confidence that your Security Onion deployment is running on the best-suited hardware, you will also be supporting future development and maintenance of the Security Onion project!
https://securityonionsolutions.com/hardware
Screenshot Tour
If you want the quickest and easiest way to try out Security Onion 2, just follow the screenshots below to install an Import node and then optionally enable the Analyst Workstation. This can be done in a minimal VM with only 4GB RAM!
No comments:
Post a Comment