Tuesday, March 28, 2023

Security Onion 2.4 Beta 1 Release Now Available!

At Security Onion Conference 2022, we showed a sneak peek of Security Onion 2.4: https://blog.securityonion.net/2022/10/sneak-peek-at-security-onion-24.html

We have been overwhelmed by the excitement from our community and customers about Security Onion 2.4!

Today, we are excited to release the first Beta version of Security Onion 2.4. This release builds on the success of 2.3 but is easier to install, configure, and maintain. In addition, it's more powerful yet more streamlined!

New Features

Let’s start by talking about some of the many new features in Security Onion 2.4!

Configuration Interface

With the introduction of the configuration interface, we hope to reduce the overall time spent to manage and administer the grid. The goal is to make editing files at the command line a thing of the past. The configuration interface will help lower the barrier of entry for new users to the platform as well as be a nice convenience for our more seasoned users.

Enhanced Grid Status Interface

In addition to the configuration interface, we’ve also enhanced the SOC Grid page to give you more information about the status of your grid.

New Grid Members Interface

There is a new Grid Members interface used to review and accept new nodes that attempt to join the grid.

Simplified Setup

The installer has been greatly simplified and configuring new members of the grid will take place in the configuration interface. This removes the need for the soremote account and ssh access to the manager. 

Elastic Agent and Elastic Fleet

Our primary endpoint agent will be Elastic Agent. It replaces osquery, Beats, and Wazuh and is easily managed in Elastic Fleet, giving more control over upgrades. Users will also be able to deploy agents in standalone (unmanaged) mode if they choose to do so.

Security Onion Virtual Appliance based on Rocky Linux 9

When we were laying out features for Security Onion 2.4, we really wanted to shift the focus away from the OS and more into features that help our users find evil. We felt that we needed to shift to more of a virtual appliance model to allow us to continue to grow and scale to the needs of the future. We are basing this new appliance model on Rocky Linux 9. This change will allow us to deliver features faster and simplify support of the platform. Rocky Linux 9 has an EOL date of March 2032 allowing us to continue to innovate on the platform for years to come. Users will be able to install Security Onion either from our ISO image or on top of a minimal installation of Rocky Linux 9. Below we explain how this will impact Ubuntu-based deployments.

Simplified Updates

For this new virtual appliance model, all packages will be distributed from the manager similar to the current Airgap mode. You can optionally override the package source to some other source which hosts specific signed packages. In non-Airgap deployments, the manager or repo will sync daily with the upstream Security Onion repo to ensure updates are downloaded from the Internet. Airgap deployments will continue to pull their updates from the latest ISO image as they do in 2.3.

Improved Health Metric Visualizations

Security Onion 2.4 includes InfluxDB 2 and some improved health metric visualizations.

Component Changes in Security Onion 2.4

Security Onion 2.4 has some major changes, including components that have been retired or are being phased out:

  • Ubuntu support

  • Wazuh

  • FleetDM 

  • Dedicated osquery agents

  • Filebeat for SO components

Phasing Out Support for Ubuntu

Back in 2009, the first release of Security Onion was based on Ubuntu 9.04 and we have continued to support Ubuntu through Security Onion 2.3. Since Security Onion 2.4 is shifting to more of an appliance model based on Rocky Linux 9 (as described above), we are phasing out support for Ubuntu. Users running a large distributed grid of Ubuntu 20.04 nodes will be able to gradually migrate those nodes to the new appliance structure as long as the manager runs Rocky Linux 9. We will release more details on this as we finalize the process.

Endpoint Agent Changes

As mentioned above, our primary endpoint agent will be Elastic Agent:

  • Since Elastic Agent has osquery built in, it will be taking the place of the current osquery agent.
  • Security Onion 2.4 will also use the Elastic Agent to send alerts and metadata from the sensors to the back end, replacing the current Filebeat agent.
  • Users will be able to manage all of their Elastic Agents using Elastic Fleet in Kibana.
  • Since Elastic Agent covers most of the Wazuh use cases used in Security Onion, Wazuh is being removed as well.
This single agent architecture will save resources, streamline administrative processes, and ease the upgrade process in Security Onion.

Known Issues

Here are some known issues that should be resolved in later releases:

  • You cannot do an in-place upgrade from 2.3 to 2.4. We are still investigating the feasibility of migrating data.

  • You must perform a new installation of Rocky Linux 9 Minimal and have full Internet access. We hope to have a 2.4 ISO image in a future release.

  • Upgrades from this 2.4 Beta release to anything else will not be supported. Starting in RC2 we will support soup to upgrade 2.4 grids.

  • Airgap mode is not supported at this time. This is due to a 3rd party dependency but will be supported in RC1. 

  • Ubuntu 20.04 support is not available until RC1. This has to do with a 3rd party dependency. 

  • Elastic agents will connect directly to the Elasticsearch cluster. Future releases will have the Elastic agents sending their data to Logstash similar to how the data pipeline works in version 2.3.

  • ATT&CK Navigator doesn’t work correctly yet.

  • so-import-evtx imports logs but they don't get parsed correctly.

  • The following installation modes are NOT supported at this time:

    • Heavy Node

    • Receiver Node

    • Analyst Workstation

    • Dedicated Elastic Fleet Node

Transition from 2.3 to 2.4

When we release the final version of Security Onion 2.4, we will announce an End Of Life (EOL) date for Security Onion 2.3. Security Onion 2.3 will continue to receive security patches and priority bug fixes until it reaches EOL.


You can find 2.4 documentation at:


Documentation is always a work in progress. If you find documentation that needs to be updated, please let us know as described in the Feedback section below.

Warnings and Disclaimers

  • This is Beta software. It is not a finished product.

  • Beta software is not officially supported for production usage.

  • Ask your doctor if Beta software is right for you.

  • Using Beta software can cause a disruption in the space time continuum.
  • If it breaks, you get to keep both pieces!

Enough warnings and disclaimers? Let’s go!


Our Security Onion 2.4 ISO image is not quite ready yet so for now you'll need to download Rocky Linux 9 Minimal: https://download.rockylinux.org/pub/rocky/9/isos/x86_64/Rocky-9.1-x86_64-minimal.iso

Then check the checksum: https://download.rockylinux.org/pub/rocky/9/isos/x86_64/CHECKSUM

Next, install Rocky Linux 9 and start our Security Onion installation as shown here:


Once you've installed Rocky Linux 9 Minimal and started our Setup wizard, we highly recommend that you start with a simple IMPORT installation as shown here:


Once you have verified proper IMPORT installation, you can then try EVAL, STANDALONE, and DISTRIBUTED deployments as described here:


Questions, Problems, and Feedback

If you have any questions or problems relating to Security Onion 2.4, please use the new 2.4 category at our Discussions site:


We welcome your detailed feedback!

Screenshot Tour

No comments:

Search This Blog

Featured Post

Quick Malware Analysis: WORD MACRO --> SSLOAD --> COBALT STRIKE pcap from 2024-04-18

Thanks to Brad Duncan for sharing this pcap from 2024-04-18 on his malware traffic analysis site! Due to issues with Google flagging a warni...

Popular Posts

Blog Archive