Friday, October 1, 2021

Security Onion 2.3.80 now available!

Last October, we released Security Onion 2.3:

Today, we are releasing Security Onion 2.3.80, which adds new features and resolves a few issues:

New Features and Improvements

Security Onion 2.3.80 now includes RBAC (Role Based Access Control). This allows you to assign different privileges to different members of your security team:

In addition, 2.3.80 also includes a new utility called so-import-evtx which is similar to so-import-pcap but allows you to import Windows event logs:

Starting in Security Onion 2.3.80, users can completely customize their Elasticsearch configuration via Salt pillars. This allows elasticsearch.yml customizations to be retained when doing upgrades of Security Onion. Depending on your customization goal, you can specify settings in either the global pillar or the minion pillar. You can find full detail on how to do this via our documentation:

Another significant change is that we’ve improved support for Elastic clustering. You can read more about that here:

One of the things that we’ve improved for Elastic clustering is the curator configuration. In previous versions, curator ran once a minute which put stress on the cluster. Also, curator ran on each node which could cause the imbalance of data due to how the close and delete functions work. We made the following changes to curator to improve Elastic clustering:

  1. Curator only runs on the manager. When you upgrade to Security Onion 2.3.80, it will disable curator on all search nodes and enable it on the manager.
  2. Curator will only run once a day since we use daily indices. You will notice 3 new curator scripts that will get automatically populated based on what filebeat modules you have enabled via the pillar. These scripts are:
    • so-curator-cluster-close
    • so-curator-cluster-delete
    • so-curator-cluster-warm
  3. You must change the delete settings for the individual indices listed in the global.sls. Here is the detailed documentation on how to do this:

Please note that this curator change is only required if you are using Elastic clustering. This means that no action is required if you are running a single instance or a distributed deployment in our traditional default of cross cluster search.


You can find our documentation here:

We've also updated our printed book at Amazon:

Documentation is always a work in progress and some documentation may be missing or incorrect. Please let us know if you notice any issues.

New Installations

If you want to perform a new installation, please review the documentation and then you can find instructions here:

Existing 2.3 Installations

If you have an existing Security Onion 2.3 installation, please see:

AWS Marketplace

For new Security Onion 2 installations, version 2.3.80 will soon be available on AWS Marketplace via the official Security Onion 2 AMI:

AMI Documentation:

Existing Security Onion 2 AMI users should use the "soup" command to upgrade:

Azure Marketplace

Security Onion 2.3.80 will soon be available on Azure!

Azure Documentation:

Security Onion 16.04 EOL

As a reminder, Security Onion 16.04 has reached End Of Life (EOL):

If you're still running Security Onion 16.04, please see the following for upgrade options:

Questions or Problems

If you have questions or problems, please see our community support forum guidelines:

You can then find the community support forum at:


Lots of love went into this release!

Special thanks to all our folks working so hard to make this release happen!

  • Josh Brower
  • Jason Ertel
  • Wes Lambert
  • Josh Patterson
  • Mike Reeves
  • William Wernert


Need training? Start with our free Security Onion Essentials training and then take a look at some of our other official Security Onion training!

Hardware Appliances

We know Security Onion's hardware needs, and our appliances are the perfect match for the platform. Leave the hardware research, testing, and support to us, so you can focus on what's important for your organization. Not only will you have confidence that your Security Onion deployment is running on the best-suited hardware, you will also be supporting future development and maintenance of the Security Onion project!

Screenshot Tour

If you want the quickest and easiest way to try out Security Onion 2, just follow the screenshots below to install an Import node and then optionally enable the Analyst Workstation. This can be done in a minimal VM with only 4GB RAM!

No comments:

Search This Blog

Featured Post

Security Onion 2.4.70 now available including our new Detections interface and much more!

Security Onion 2.4.70 is now available! It includes some new features for our fellow defenders including our new Detections interface to hel...

Popular Posts

Blog Archive