Friday, October 1, 2021

Security Onion 2.3.80 now available!

Last October, we released Security Onion 2.3:
https://blog.securityonion.net/2020/10/security-onion-2-has-reached-general.html

Today, we are releasing Security Onion 2.3.80, which adds new features and resolves a few issues:

https://docs.securityonion.net/en/2.3/release-notes.html#changes

New Features and Improvements

Security Onion 2.3.80 now includes RBAC (Role Based Access Control). This allows you to assign different privileges to different members of your security team:
https://docs.securityonion.net/en/2.3/rbac.html

In addition, 2.3.80 also includes a new utility called so-import-evtx which is similar to so-import-pcap but allows you to import Windows event logs:
https://docs.securityonion.net/en/2.3/so-import-evtx.html

Starting in Security Onion 2.3.80, users can completely customize their Elasticsearch configuration via Salt pillars. This allows elasticsearch.yml customizations to be retained when doing upgrades of Security Onion. Depending on your customization goal, you can specify settings in either the global pillar or the minion pillar. You can find full detail on how to do this via our documentation: 
https://docs.securityonion.net/en/2.3/elasticsearch.html?highlight=elastic#pillar-files

Another significant change is that we’ve improved support for Elastic clustering. You can read more about that here:
https://docs.securityonion.net/en/2.3/elasticsearch.html#distributed-deployments

One of the things that we’ve improved for Elastic clustering is the curator configuration. In previous versions, curator ran once a minute which put stress on the cluster. Also, curator ran on each node which could cause the imbalance of data due to how the close and delete functions work. We made the following changes to curator to improve Elastic clustering:

  1. Curator only runs on the manager. When you upgrade to Security Onion 2.3.80, it will disable curator on all search nodes and enable it on the manager.
  2. Curator will only run once a day since we use daily indices. You will notice 3 new curator scripts that will get automatically populated based on what filebeat modules you have enabled via the pillar. These scripts are:
    • so-curator-cluster-close
    • so-curator-cluster-delete
    • so-curator-cluster-warm
  3. You must change the delete settings for the individual indices listed in the global.sls. Here is the detailed documentation on how to do this: 
    https://docs.securityonion.net/en/2.3/elasticsearch.html?highlight=curator#elastic-clustering

Please note that this curator change is only required if you are using Elastic clustering. This means that no action is required if you are running a single instance or a distributed deployment in our traditional default of cross cluster search.

Documentation

You can find our documentation here:
https://docs.securityonion.net/en/2.3/

We've also updated our printed book at Amazon:
https://securityonion.net/book

Documentation is always a work in progress and some documentation may be missing or incorrect. Please let us know if you notice any issues.

New Installations

If you want to perform a new installation, please review the documentation and then you can find instructions here:

https://docs.securityonion.net/en/2.3/download.html

Existing 2.3 Installations

If you have an existing Security Onion 2.3 installation, please see:

https://docs.securityonion.net/en/2.3/soup.html

AWS Marketplace

For new Security Onion 2 installations, version 2.3.80 will soon be available on AWS Marketplace via the official Security Onion 2 AMI:
https://securityonion.net/aws/?ref=_ptnr_soc_blog_210819

AMI Documentation:
https://securityonion.net/docs/cloud-ami

Existing Security Onion 2 AMI users should use the "soup" command to upgrade:
https://docs.securityonion.net/en/2.3/soup.html

Azure Marketplace

Security Onion 2.3.80 will soon be available on Azure!

https://securityonion.net/azure

Azure Documentation:

https://docs.securityonion.net/en/2.3/cloud-azure.html

Security Onion 16.04 EOL

As a reminder, Security Onion 16.04 has reached End Of Life (EOL):
https://blog.securityonion.net/2021/04/security-onion-1604-has-reached-end-of.html

If you're still running Security Onion 16.04, please see the following for upgrade options:

https://docs.securityonion.net/en/2.3/appendix.html

Questions or Problems

If you have questions or problems, please see our community support forum guidelines:

https://docs.securityonion.net/en/2.3/community-support.html

You can then find the community support forum at:

https://securityonion.net/discuss

Thanks

Lots of love went into this release!

Special thanks to all our folks working so hard to make this release happen!

  • Josh Brower
  • Jason Ertel
  • Wes Lambert
  • Josh Patterson
  • Mike Reeves
  • William Wernert

Training

Need training? Start with our free Security Onion Essentials training and then take a look at some of our other official Security Onion training!

https://securityonion.net/training

Hardware Appliances

We know Security Onion's hardware needs, and our appliances are the perfect match for the platform. Leave the hardware research, testing, and support to us, so you can focus on what's important for your organization. Not only will you have confidence that your Security Onion deployment is running on the best-suited hardware, you will also be supporting future development and maintenance of the Security Onion project!

https://securityonionsolutions.com/hardware

Screenshot Tour

If you want the quickest and easiest way to try out Security Onion 2, just follow the screenshots below to install an Import node and then optionally enable the Analyst Workstation. This can be done in a minimal VM with only 4GB RAM!













































No comments:

Search This Blog

Featured Post

Security Onion 2.4.111 now available!

In October, we released version 2.4.110: https://blog.securityonion.net/2024/10/security-onion-24110-hurricane-helene.html Last week, Surica...

Popular Posts

Blog Archive