Reinstall Security Onion without reinstalling Base OS


MadDog Weenis

Oct 29, 2013, 4:50:52 PM
to securit...@googlegroups.com
Is there a process for this? I installed my sensors from the ISO, but I made several pretty big mistakes, both on my sensor deployments and on my server, and I am at the point where I feel it may be less work to just blow it up and re-deploy correctly rather than try to fix it.

I have already installed the new server and updated it, but I would like to try and attach one of my sensors to test (without risking bringing it completely down).

I suspect my issues are a combination of improper configuration, and inadequate hardware but until I correct the first issue it is difficult to assess the second.

Thanks!

Matt Gregory

Oct 29, 2013, 5:26:36 PM
to securit...@googlegroups.com
You can always just re-run sosetup without reinstalling the OS; this will delete existing PCAPs, alerts, and other data. However, if you do that on a server, you may run into issues with existing sensors connecting back to it, which may entail re-running sosetup on the sensors as well.

Can you explain what you think your "big mistakes" are?

Matt



--
You received this message because you are subscribed to the Google Groups "security-onion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to security-onio...@googlegroups.com.
To post to this group, send email to securit...@googlegroups.com.
Visit this group at http://groups.google.com/group/security-onion.
For more options, visit https://groups.google.com/groups/opt_out.

MadDog Weenis

Oct 29, 2013, 8:34:40 PM
to securit...@googlegroups.com
Well, the biggest thing I see is that I didn't install ELSA on any of my sensors. I didn't learn until this weekend that it is supposed to be on all sensors as well as your master server, which could (I hope) explain my crippling performance issues.

In addition to that (not sensor related), I installed 1 SO server for my IDS sensors to report to and a second sensor which my OSSEC clients all connect to. I did this because I initially thought my performance issues were the hardware I was running (which may still be the case).

I do know that ELSA currently never returns any results to queries, and performance on my other monitoring tools is extremely slow.

I have built a new server. The first thing I would like to do is re-point my sensors (which I assume can only be done by reinstalling; however, if I can re-point the sensor and enable ELSA WITHOUT reinstalling, that's certainly preferable).

Once I have this done I begin the larger task of re-connecting my OSSEC agents, but luckily I have those packed into an MSI so it won't be horrible.

After the class this weekend I was astonished at how ineffective our usage of the Security Onion software really has been. Step 1, I want to fix it, and then re-train my junior analyst to properly review this data, because it really is amazing.

Doug Burks

Oct 30, 2013, 6:03:55 AM
to securit...@googlegroups.com
You should be able to re-point a sensor to a new server by re-running
Setup. Make sure that you have all updates applied first to ensure
that you're running the latest version of Setup.

If all else fails, you can always reinstall from ISO which should only
take 5-10 minutes.



--
Doug Burks
http://securityonion.blogspot.com