On Monday, February 5, 2018 at 4:07:53 PM UTC+3, Wes wrote:
> I think the verbiage there might old and need to be updated. You can certainly try out a distributed deployment with the current Elastic components. Does the sensor still not show up in Kibana? Have you tried checking /var/log/nsm/sosetup.log for clues?
>
>
> Thanks,
> Wes
>
>
> On Sun, Feb 4, 2018 at 9:54 AM, Mohammed <moham...@gmail.com> wrote:
> Thank you Wes, but what about this warning at the beginning of the installation? The previous version did not show the Snort sensor in Kibana!
>
> The sensor is showing in Sguil but not in Kibana. Did this get fixed in this version, or is the same problem still here?
>
> I am willing to use a master server with two sensors connected remotely to it.
>
>
>
>
>
> --
>
> Follow Security Onion on Twitter! https://twitter.com/securityonion
>
> ---
>
> You received this message because you are subscribed to the Google Groups "security-onion" group.
>
> To unsubscribe from this group and stop receiving emails from it, send an email to security-onio...@googlegroups.com.
>
> To post to this group, send email to securit...@googlegroups.com.
It's not showing up; this is the output of the log file:
# Please wait while setting OS timezone to UTC...
Current default time zone: 'Etc/UTC'
Local time is now: ح فبر 4 15:07:03 UTC 2018.
Universal Time is now: Sun Feb 4 15:07:03 UTC 2018.
ح فبر 4 15:07:03 UTC 2018
# Please wait while setting OSSEC timezone to UTC...
# Please wait while restarting OSSEC...
Deleting PID file '/var/ossec/var/run/ossec-remoted-2228.pid' not used...
Killing ossec-monitord ..
Killing ossec-logcollector ..
ossec-remoted not running ..
Killing ossec-syscheckd ..
Killing ossec-analysisd ..
ossec-maild not running ..
Killing ossec-execd ..
ossec-csyslogd not running ..
OSSEC HIDS v2.8 Stopped
Starting OSSEC HIDS v2.8 (by Trend Micro Inc.)...
Started ossec-csyslogd...
2018/02/04 15:07:03 ossec-maild: INFO: E-Mail notification disabled. Clean Exit.
Started ossec-maild...
Started ossec-execd...
Started ossec-analysisd...
Started ossec-logcollector...
Started ossec-remoted...
Started ossec-syscheckd...
Started ossec-monitord...
Completed.
# Please wait while stopping services...
=========================================================================
Stopping NSM services...
=========================================================================
start: Job is already running: mysql
mysql start/running, process 30211
Rules updated
Rules updated (v6)
Firewall is active and enabled on system startup
# Please wait while creating the Sguil server...
Creating new server: securityonion
filters table already has type field.
object_mappings table already has hash field.
# Please wait while configuring /etc/nsm/securityonion.conf...
# Please wait while configuring IDS Ruleset...
Already configured for Emerging Threats Open ruleset.
# Please wait while executing PulledPork to download rules...
update-rc.d: warning: start runlevel arguments (none) do not match apache2 Default-Start values (2 3 4 5)
update-rc.d: warning: stop runlevel arguments (none) do not match apache2 Default-Stop values (0 1 6)
Enabling system startup links for /etc/init.d/apache2 ...
Removing any system startup links for /etc/init.d/apache2 ...
/etc/rc0.d/K09apache2
/etc/rc1.d/K09apache2
/etc/rc2.d/S91apache2
/etc/rc3.d/S91apache2
/etc/rc4.d/S91apache2
/etc/rc5.d/S91apache2
/etc/rc6.d/K09apache2
Adding system startup for /etc/init.d/apache2 ...
/etc/rc0.d/K09apache2 -> ../init.d/apache2
/etc/rc1.d/K09apache2 -> ../init.d/apache2
/etc/rc6.d/K09apache2 -> ../init.d/apache2
/etc/rc2.d/S91apache2 -> ../init.d/apache2
/etc/rc3.d/S91apache2 -> ../init.d/apache2
/etc/rc4.d/S91apache2 -> ../init.d/apache2
/etc/rc5.d/S91apache2 -> ../init.d/apache2
Site securityonion already enabled
Site default-ssl already disabled
# Please wait while configuring salt...
stop: Unknown instance:
salt-master start/running, process 31693
stop: Unknown instance:
salt-minion start/running, process 31703
salt-minion hasn't checked in yet, 59 seconds remaining until timeout
salt-minion hasn't checked in yet, 58 seconds remaining until timeout
salt-minion hasn't checked in yet, 57 seconds remaining until timeout
salt-minion hasn't checked in yet, 56 seconds remaining until timeout
The following keys are going to be accepted:
Unaccepted Keys:
mohammed-virtual-machine
Key for minion mohammed-virtual-machine accepted.
sed: can't read /etc/nsm/*/barnyard2*.conf: No such file or directory
# Please wait while starting all Security Onion services...
securityonion start/running, process 32343
# Please wait while configuring Elastic...
* Restarting syslog-ng
* Stopping system logging syslog-ng
...done.
* Starting system logging syslog-ng
...done.
# Please wait while configuring Elastic...
=========================================================================
Creating Docker network for Elastic Stack
=========================================================================
so-elastic-net
=========================================================================
Setting vm.max_map_count to 262144
=========================================================================
vm.max_map_count = 262144
Done!
=========================================================================
Configuring users
=========================================================================
Creating elasticsearch group...
Creating elasticsearch user...
Creating logstash group...
Creating logstash user...
Creating kibana group...
Creating kibana user...
Creating elastalert group...
Creating elastalert user...
Creating curator group...
Creating curator user...
Creating freqserver group...
Creating freqserver user...
Creating domainstats group...
Creating domainstats user...
=========================================================================
Configuring ElasticSearch
=========================================================================
‘/opt/elastic/src/etc/elasticsearch/log4j2.properties’ -> ‘/etc/elasticsearch/log4j2.properties’
‘/opt/elastic/src//etc/elasticsearch/elasticsearch.yml’ -> ‘/etc/elasticsearch/elasticsearch.yml’
Done!
=========================================================================
Configuring Logstash
=========================================================================
‘/opt/elastic/src/configfiles/0000_input_syslogng.conf’ -> ‘/etc/logstash/conf.d/0000_input_syslogng.conf’
‘/opt/elastic/src/configfiles/0001_input_json.conf’ -> ‘/etc/logstash/conf.d/0001_input_json.conf’
‘/opt/elastic/src/configfiles/0002_input_windows_json.conf’ -> ‘/etc/logstash/conf.d/0002_input_windows_json.conf’
‘/opt/elastic/src/configfiles/0003_input_syslog.conf’ -> ‘/etc/logstash/conf.d/0003_input_syslog.conf’
‘/opt/elastic/src/configfiles/0005_input_suricata.conf’ -> ‘/etc/logstash/conf.d/0005_input_suricata.conf’
‘/opt/elastic/src/configfiles/0006_input_beats.conf’ -> ‘/etc/logstash/conf.d/0006_input_beats.conf’
‘/opt/elastic/src/configfiles/0007_input_import.conf’ -> ‘/etc/logstash/conf.d/0007_input_import.conf’
‘/opt/elastic/src/configfiles/1000_preprocess_log_elapsed.conf’ -> ‘/etc/logstash/conf.d/1000_preprocess_log_elapsed.conf’
‘/opt/elastic/src/configfiles/1001_preprocess_syslogng.conf’ -> ‘/etc/logstash/conf.d/1001_preprocess_syslogng.conf’
‘/opt/elastic/src/configfiles/1002_preprocess_json.conf’ -> ‘/etc/logstash/conf.d/1002_preprocess_json.conf’
‘/opt/elastic/src/configfiles/1003_preprocess_bro.conf’ -> ‘/etc/logstash/conf.d/1003_preprocess_bro.conf’
‘/opt/elastic/src/configfiles/1004_preprocess_syslog_types.conf’ -> ‘/etc/logstash/conf.d/1004_preprocess_syslog_types.conf’
‘/opt/elastic/src/configfiles/1026_preprocess_dhcp.conf’ -> ‘/etc/logstash/conf.d/1026_preprocess_dhcp.conf’
‘/opt/elastic/src/configfiles/1029_preprocess_esxi.conf’ -> ‘/etc/logstash/conf.d/1029_preprocess_esxi.conf’
‘/opt/elastic/src/configfiles/1030_preprocess_greensql.conf’ -> ‘/etc/logstash/conf.d/1030_preprocess_greensql.conf’
‘/opt/elastic/src/configfiles/1031_preprocess_iis.conf’ -> ‘/etc/logstash/conf.d/1031_preprocess_iis.conf’
‘/opt/elastic/src/configfiles/1032_preprocess_mcafee.conf’ -> ‘/etc/logstash/conf.d/1032_preprocess_mcafee.conf’
‘/opt/elastic/src/configfiles/1033_preprocess_snort.conf’ -> ‘/etc/logstash/conf.d/1033_preprocess_snort.conf’
‘/opt/elastic/src/configfiles/1034_preprocess_syslog.conf’ -> ‘/etc/logstash/conf.d/1034_preprocess_syslog.conf’
‘/opt/elastic/src/configfiles/1100_preprocess_bro_conn.conf’ -> ‘/etc/logstash/conf.d/1100_preprocess_bro_conn.conf’
‘/opt/elastic/src/configfiles/1101_preprocess_bro_dhcp.conf’ -> ‘/etc/logstash/conf.d/1101_preprocess_bro_dhcp.conf’
‘/opt/elastic/src/configfiles/1102_preprocess_bro_dns.conf’ -> ‘/etc/logstash/conf.d/1102_preprocess_bro_dns.conf’
‘/opt/elastic/src/configfiles/1103_preprocess_bro_dpd.conf’ -> ‘/etc/logstash/conf.d/1103_preprocess_bro_dpd.conf’
‘/opt/elastic/src/configfiles/1104_preprocess_bro_files.conf’ -> ‘/etc/logstash/conf.d/1104_preprocess_bro_files.conf’
‘/opt/elastic/src/configfiles/1105_preprocess_bro_ftp.conf’ -> ‘/etc/logstash/conf.d/1105_preprocess_bro_ftp.conf’
‘/opt/elastic/src/configfiles/1106_preprocess_bro_http.conf’ -> ‘/etc/logstash/conf.d/1106_preprocess_bro_http.conf’
‘/opt/elastic/src/configfiles/1107_preprocess_bro_irc.conf’ -> ‘/etc/logstash/conf.d/1107_preprocess_bro_irc.conf’
‘/opt/elastic/src/configfiles/1108_preprocess_bro_kerberos.conf’ -> ‘/etc/logstash/conf.d/1108_preprocess_bro_kerberos.conf’
‘/opt/elastic/src/configfiles/1109_preprocess_bro_notice.conf’ -> ‘/etc/logstash/conf.d/1109_preprocess_bro_notice.conf’
‘/opt/elastic/src/configfiles/1110_preprocess_bro_rdp.conf’ -> ‘/etc/logstash/conf.d/1110_preprocess_bro_rdp.conf’
‘/opt/elastic/src/configfiles/1111_preprocess_bro_signatures.conf’ -> ‘/etc/logstash/conf.d/1111_preprocess_bro_signatures.conf’
‘/opt/elastic/src/configfiles/1112_preprocess_bro_smtp.conf’ -> ‘/etc/logstash/conf.d/1112_preprocess_bro_smtp.conf’
‘/opt/elastic/src/configfiles/1113_preprocess_bro_snmp.conf’ -> ‘/etc/logstash/conf.d/1113_preprocess_bro_snmp.conf’
‘/opt/elastic/src/configfiles/1114_preprocess_bro_software.conf’ -> ‘/etc/logstash/conf.d/1114_preprocess_bro_software.conf’
‘/opt/elastic/src/configfiles/1115_preprocess_bro_ssh.conf’ -> ‘/etc/logstash/conf.d/1115_preprocess_bro_ssh.conf’
‘/opt/elastic/src/configfiles/1116_preprocess_bro_ssl.conf’ -> ‘/etc/logstash/conf.d/1116_preprocess_bro_ssl.conf’
‘/opt/elastic/src/configfiles/1117_preprocess_bro_syslog.conf’ -> ‘/etc/logstash/conf.d/1117_preprocess_bro_syslog.conf’
‘/opt/elastic/src/configfiles/1118_preprocess_bro_tunnel.conf’ -> ‘/etc/logstash/conf.d/1118_preprocess_bro_tunnel.conf’
‘/opt/elastic/src/configfiles/1119_preprocess_bro_weird.conf’ -> ‘/etc/logstash/conf.d/1119_preprocess_bro_weird.conf’
‘/opt/elastic/src/configfiles/1121_preprocess_bro_mysql.conf’ -> ‘/etc/logstash/conf.d/1121_preprocess_bro_mysql.conf’
‘/opt/elastic/src/configfiles/1122_preprocess_bro_socks.conf’ -> ‘/etc/logstash/conf.d/1122_preprocess_bro_socks.conf’
‘/opt/elastic/src/configfiles/1123_preprocess_bro_x509.conf’ -> ‘/etc/logstash/conf.d/1123_preprocess_bro_x509.conf’
‘/opt/elastic/src/configfiles/1124_preprocess_bro_intel.conf’ -> ‘/etc/logstash/conf.d/1124_preprocess_bro_intel.conf’
‘/opt/elastic/src/configfiles/1125_preprocess_bro_modbus.conf’ -> ‘/etc/logstash/conf.d/1125_preprocess_bro_modbus.conf’
‘/opt/elastic/src/configfiles/1126_preprocess_bro_sip.conf’ -> ‘/etc/logstash/conf.d/1126_preprocess_bro_sip.conf’
‘/opt/elastic/src/configfiles/1127_preprocess_bro_radius.conf’ -> ‘/etc/logstash/conf.d/1127_preprocess_bro_radius.conf’
‘/opt/elastic/src/configfiles/1128_preprocess_bro_pe.conf’ -> ‘/etc/logstash/conf.d/1128_preprocess_bro_pe.conf’
‘/opt/elastic/src/configfiles/1129_preprocess_bro_rfb.conf’ -> ‘/etc/logstash/conf.d/1129_preprocess_bro_rfb.conf’
‘/opt/elastic/src/configfiles/1130_preprocess_bro_dnp3.conf’ -> ‘/etc/logstash/conf.d/1130_preprocess_bro_dnp3.conf’
‘/opt/elastic/src/configfiles/1131_preprocess_bro_smb_files.conf’ -> ‘/etc/logstash/conf.d/1131_preprocess_bro_smb_files.conf’
‘/opt/elastic/src/configfiles/1132_preprocess_bro_smb_mapping.conf’ -> ‘/etc/logstash/conf.d/1132_preprocess_bro_smb_mapping.conf’
‘/opt/elastic/src/configfiles/1133_preprocess_bro_ntlm.conf’ -> ‘/etc/logstash/conf.d/1133_preprocess_bro_ntlm.conf’
‘/opt/elastic/src/configfiles/1134_preprocess_bro_dce_rpc.conf’ -> ‘/etc/logstash/conf.d/1134_preprocess_bro_dce_rpc.conf’
‘/opt/elastic/src/configfiles/1998_test_data.conf’ -> ‘/etc/logstash/conf.d/1998_test_data.conf’
‘/opt/elastic/src/configfiles/2000_network_flow.conf’ -> ‘/etc/logstash/conf.d/2000_network_flow.conf’
‘/opt/elastic/src/configfiles/6000_bro.conf’ -> ‘/etc/logstash/conf.d/6000_bro.conf’
‘/opt/elastic/src/configfiles/6001_bro_import.conf’ -> ‘/etc/logstash/conf.d/6001_bro_import.conf’
‘/opt/elastic/src/configfiles/6002_syslog.conf’ -> ‘/etc/logstash/conf.d/6002_syslog.conf’
‘/opt/elastic/src/configfiles/6101_switch_brocade.conf’ -> ‘/etc/logstash/conf.d/6101_switch_brocade.conf’
‘/opt/elastic/src/configfiles/6200_firewall_fortinet.conf’ -> ‘/etc/logstash/conf.d/6200_firewall_fortinet.conf’
‘/opt/elastic/src/configfiles/6201_firewall_pfsense.conf’ -> ‘/etc/logstash/conf.d/6201_firewall_pfsense.conf’
‘/opt/elastic/src/configfiles/6300_windows.conf’ -> ‘/etc/logstash/conf.d/6300_windows.conf’
‘/opt/elastic/src/configfiles/6301_dns_windows.conf’ -> ‘/etc/logstash/conf.d/6301_dns_windows.conf’
‘/opt/elastic/src/configfiles/6400_suricata.conf’ -> ‘/etc/logstash/conf.d/6400_suricata.conf’
‘/opt/elastic/src/configfiles/6500_ossec.conf’ -> ‘/etc/logstash/conf.d/6500_ossec.conf’
‘/opt/elastic/src/configfiles/6501_ossec_sysmon.conf’ -> ‘/etc/logstash/conf.d/6501_ossec_sysmon.conf’
‘/opt/elastic/src/configfiles/6502_ossec_autoruns.conf’ -> ‘/etc/logstash/conf.d/6502_ossec_autoruns.conf’
‘/opt/elastic/src/configfiles/8000_postprocess_bro_cleanup.conf’ -> ‘/etc/logstash/conf.d/8000_postprocess_bro_cleanup.conf’
‘/opt/elastic/src/configfiles/8001_postprocess_common_ip_augmentation.conf’ -> ‘/etc/logstash/conf.d/8001_postprocess_common_ip_augmentation.conf’
‘/opt/elastic/src/configfiles/8006_postprocess_dns.conf’ -> ‘/etc/logstash/conf.d/8006_postprocess_dns.conf’
‘/opt/elastic/src/configfiles/8007_postprocess_http.conf’ -> ‘/etc/logstash/conf.d/8007_postprocess_http.conf’
‘/opt/elastic/src/configfiles/8200_postprocess_tagging.conf’ -> ‘/etc/logstash/conf.d/8200_postprocess_tagging.conf’
‘/opt/elastic/src/configfiles/8998_postprocess_log_elapsed.conf’ -> ‘/etc/logstash/conf.d/8998_postprocess_log_elapsed.conf’
‘/opt/elastic/src/configfiles/8999_postprocess_rename_type.conf’ -> ‘/etc/logstash/conf.d/8999_postprocess_rename_type.conf’
‘/opt/elastic/src/configfiles/9000_output_bro.conf’ -> ‘/etc/logstash/conf.d/9000_output_bro.conf’
‘/opt/elastic/src/configfiles/9001_output_switch.conf’ -> ‘/etc/logstash/conf.d/9001_output_switch.conf’
‘/opt/elastic/src/configfiles/9002_output_import.conf’ -> ‘/etc/logstash/conf.d/9002_output_import.conf’
‘/opt/elastic/src/configfiles/9004_output_flow.conf’ -> ‘/etc/logstash/conf.d/9004_output_flow.conf’
‘/opt/elastic/src/configfiles/9026_output_dhcp.conf’ -> ‘/etc/logstash/conf.d/9026_output_dhcp.conf’
‘/opt/elastic/src/configfiles/9029_output_esxi.conf’ -> ‘/etc/logstash/conf.d/9029_output_esxi.conf’
‘/opt/elastic/src/configfiles/9030_output_greensql.conf’ -> ‘/etc/logstash/conf.d/9030_output_greensql.conf’
‘/opt/elastic/src/configfiles/9031_output_iis.conf’ -> ‘/etc/logstash/conf.d/9031_output_iis.conf’
‘/opt/elastic/src/configfiles/9032_output_mcafee.conf’ -> ‘/etc/logstash/conf.d/9032_output_mcafee.conf’
‘/opt/elastic/src/configfiles/9033_output_snort.conf’ -> ‘/etc/logstash/conf.d/9033_output_snort.conf’
‘/opt/elastic/src/configfiles/9034_output_syslog.conf’ -> ‘/etc/logstash/conf.d/9034_output_syslog.conf’
‘/opt/elastic/src/configfiles/9200_output_firewall.conf’ -> ‘/etc/logstash/conf.d/9200_output_firewall.conf’
‘/opt/elastic/src/configfiles/9300_output_windows.conf’ -> ‘/etc/logstash/conf.d/9300_output_windows.conf’
‘/opt/elastic/src/configfiles/9301_output_dns_windows.conf’ -> ‘/etc/logstash/conf.d/9301_output_dns_windows.conf’
‘/opt/elastic/src/configfiles/9400_output_suricata.conf’ -> ‘/etc/logstash/conf.d/9400_output_suricata.conf’
‘/opt/elastic/src/configfiles/9500_output_beats.conf’ -> ‘/etc/logstash/conf.d/9500_output_beats.conf’
‘/opt/elastic/src/configfiles/9998_output_test_data.conf’ -> ‘/etc/logstash/conf.d/9998_output_test_data.conf’
‘/opt/elastic/src/configfiles-setup_required/8007_postprocess_dns_top1m_tagging.conf’ -> ‘/etc/logstash/optional/8007_postprocess_dns_top1m_tagging.conf’
‘/opt/elastic/src/configfiles-setup_required/8008_postprocess_dns_whois_age.conf’ -> ‘/etc/logstash/optional/8008_postprocess_dns_whois_age.conf’
‘/opt/elastic/src/configfiles-setup_required/8502_postprocess_freq_analysis_bro_dns.conf’ -> ‘/etc/logstash/optional/8502_postprocess_freq_analysis_bro_dns.conf’
‘/opt/elastic/src/configfiles-setup_required/8503_postprocess_freq_analysis_bro_http.conf’ -> ‘/etc/logstash/optional/8503_postprocess_freq_analysis_bro_http.conf’
‘/opt/elastic/src/configfiles-setup_required/8504_postprocess_freq_analysis_bro_ssl.conf’ -> ‘/etc/logstash/optional/8504_postprocess_freq_analysis_bro_ssl.conf’
‘/opt/elastic/src/configfiles-setup_required/8505_postprocess_freq_analysis_bro_x509.conf’ -> ‘/etc/logstash/optional/8505_postprocess_freq_analysis_bro_x509.conf’
‘/opt/elastic/src/etc/logstash/beats-template.json’ -> ‘/etc/logstash/beats-template.json’
‘/opt/elastic/src/etc/logstash/log4j2.properties’ -> ‘/etc/logstash/log4j2.properties’
‘/opt/elastic/src/etc/logstash/logstash-template.json’ -> ‘/etc/logstash/logstash-template.json’
‘/opt/elastic/src/etc/logstash/logstash.yml’ -> ‘/etc/logstash/logstash.yml’
‘/opt/elastic/src/lib/dictionaries’ -> ‘/lib/dictionaries’
‘/opt/elastic/src/lib/dictionaries/iana_services.yaml’ -> ‘/lib/dictionaries/iana_services.yaml’
‘/opt/elastic/src/lib/dictionaries/iana_protocols.yaml’ -> ‘/lib/dictionaries/iana_protocols.yaml’
‘/opt/elastic/src/lib/dictionaries/tcp_flags.yaml’ -> ‘/lib/dictionaries/tcp_flags.yaml’
‘/opt/elastic/src/lib/dictionaries/services.yaml’ -> ‘/lib/dictionaries/services.yaml’
Done!
=========================================================================
Configuring Kibana
=========================================================================
‘/opt/elastic/src/etc/kibana/kibana.yml’ -> ‘/etc/kibana/kibana.yml’
Done!
=========================================================================
Configuring Elastalert
=========================================================================
‘/opt/elastic/src/etc/elastalert/rules/bro_conn.yaml’ -> ‘/etc/elastalert/rules/bro_conn.yaml’
‘/opt/elastic/src/etc/elastalert/rules/ids.yaml’ -> ‘/etc/elastalert/rules/ids.yaml’
Done!
=========================================================================
Configuring Curator
=========================================================================
‘/opt/elastic/src/etc/curator/config/curator.yml’ -> ‘/etc/curator/config/curator.yml’
‘/opt/elastic/src/etc/curator/action/close.yml’ -> ‘/etc/curator/action/close.yml’
‘/opt/elastic/src/etc/curator/action/delete.yml’ -> ‘/etc/curator/action/delete.yml’
Done!
=========================================================================
Configuring freq_server
=========================================================================
Done!
=========================================================================
Configuring domain_stats
=========================================================================
Done!
=========================================================================
Adding Elastic Stack options to /etc/nsm/securityonion.conf
=========================================================================
Done!
=========================================================================
Starting Elastic Stack
=========================================================================
Starting containers:
so-elasticsearch: 66a8eba927d71012bb253944b89ac47d6c08c1fcc5ee26c844f0e4e84622a988
so-logstash: f35e968bb962adede425f66b0c20024cc3a19eaca3095aba641c261e7cc9bf65
Waiting for ElasticSearch.........................................connected!
so-kibana: 3eeba24d8cede8e0e67b113e44218ba648ac98ab3f65265bf4a34bfc324b1688
Configuring Kibana, please wait...
so-elastalert: 253e1cb37082344f9ab35f08f4138b8a60830781c3b48f82752845c5d108d22b
so-curator: 9004d7a9ab00185bbbb7768a37850b88eb65d09e76624ef38bd12e93fbd37da4
Done!
=========================================================================
Configuring Elastic Stack to start on boot
=========================================================================
Done!
=========================================================================
Configuring Apache
=========================================================================
‘/opt/elastic/src/etc/apache2/sites-available/securityonion.conf’ -> ‘/etc/apache2/sites-available/securityonion.conf’
‘/opt/elastic/src/var/www/so/capme/login.php’ -> ‘/var/www/so/capme/login.php’
‘/opt/elastic/src/var/www/so/capme/index.php’ -> ‘/var/www/so/capme/index.php’
‘/opt/elastic/src/var/www/so/capme/.js/capme.js’ -> ‘/var/www/so/capme/.js/capme.js’
‘/opt/elastic/src/var/www/so/capme/.js/elastic.js’ -> ‘/var/www/so/capme/.js/elastic.js’
‘/opt/elastic/src/var/www/so/capme/.inc/callback.php’ -> ‘/var/www/so/capme/.inc/callback.php’
‘/opt/elastic/src/var/www/so/capme/.inc/callback-elastic.php’ -> ‘/var/www/so/capme/.inc/callback-elastic.php’
‘/opt/elastic/src/var/www/so/capme/.inc/functions.php’ -> ‘/var/www/so/capme/.inc/functions.php’
‘/opt/elastic/src/var/www/so/capme/elastic.php’ -> ‘/var/www/so/capme/elastic.php’
‘/opt/elastic/src/var/www/so/css’ -> ‘/var/www/so/css’
‘/opt/elastic/src/var/www/so/css/bootstrap-theme.min.css.map’ -> ‘/var/www/so/css/bootstrap-theme.min.css.map’
‘/opt/elastic/src/var/www/so/css/bootstrap-theme.min.css’ -> ‘/var/www/so/css/bootstrap-theme.min.css’
‘/opt/elastic/src/var/www/so/css/securityonion.css’ -> ‘/var/www/so/css/securityonion.css’
‘/opt/elastic/src/var/www/so/css/bootstrap-theme.css’ -> ‘/var/www/so/css/bootstrap-theme.css’
‘/opt/elastic/src/var/www/so/css/bootstrap.min.css.map’ -> ‘/var/www/so/css/bootstrap.min.css.map’
‘/opt/elastic/src/var/www/so/css/bootstrap.css.map’ -> ‘/var/www/so/css/bootstrap.css.map’
‘/opt/elastic/src/var/www/so/css/bootstrap.min.css’ -> ‘/var/www/so/css/bootstrap.min.css’
‘/opt/elastic/src/var/www/so/css/bootstrap.css’ -> ‘/var/www/so/css/bootstrap.css’
‘/opt/elastic/src/var/www/so/css/bootstrap-theme.css.map’ -> ‘/var/www/so/css/bootstrap-theme.css.map’
‘/opt/elastic/src/var/www/so/fonts’ -> ‘/var/www/so/fonts’
‘/opt/elastic/src/var/www/so/fonts/glyphicons-halflings-regular.woff’ -> ‘/var/www/so/fonts/glyphicons-halflings-regular.woff’
‘/opt/elastic/src/var/www/so/fonts/glyphicons-halflings-regular.woff2’ -> ‘/var/www/so/fonts/glyphicons-halflings-regular.woff2’
‘/opt/elastic/src/var/www/so/fonts/glyphicons-halflings-regular.ttf’ -> ‘/var/www/so/fonts/glyphicons-halflings-regular.ttf’
‘/opt/elastic/src/var/www/so/fonts/glyphicons-halflings-regular.eot’ -> ‘/var/www/so/fonts/glyphicons-halflings-regular.eot’
‘/opt/elastic/src/var/www/so/fonts/glyphicons-halflings-regular.svg’ -> ‘/var/www/so/fonts/glyphicons-halflings-regular.svg’
‘/opt/elastic/src/var/www/so/index.php’ -> ‘/var/www/so/index.php’
‘/opt/elastic/src/var/www/so/js’ -> ‘/var/www/so/js’
‘/opt/elastic/src/var/www/so/js/npm.js’ -> ‘/var/www/so/js/npm.js’
‘/opt/elastic/src/var/www/so/js/bootstrap.min.js’ -> ‘/var/www/so/js/bootstrap.min.js’
‘/opt/elastic/src/var/www/so/js/bootstrap.js’ -> ‘/var/www/so/js/bootstrap.js’
‘/opt/elastic/src/var/www/so/js/jquery.min.js’ -> ‘/var/www/so/js/jquery.min.js’
‘/opt/elastic/src/var/www/so/login.html’ -> ‘/var/www/so/login.html’
‘/opt/elastic/src/var/www/so/login-inline.html’ -> ‘/var/www/so/login-inline.html’
‘/opt/elastic/src/var/www/so/squert/login.php’ -> ‘/var/www/so/squert/login.php’
‘/opt/elastic/src/var/www/so/squert/.js/squertMain.js’ -> ‘/var/www/so/squert/.js/squertMain.js’
Considering dependency session for auth_form:
Enabling module session.
Considering dependency authn_core for auth_form:
Module authn_core already enabled
Enabling module auth_form.
To activate the new configuration, you need to run:
service apache2 restart
Enabling module request.
To activate the new configuration, you need to run:
service apache2 restart
Considering dependency session for session_cookie:
Module session already enabled
Enabling module session_cookie.
To activate the new configuration, you need to run:
service apache2 restart
Considering dependency session for session_crypto:
Module session already enabled
Enabling module session_crypto.
To activate the new configuration, you need to run:
service apache2 restart
tr: write error: Broken pipe
tr: write error
ERROR: Site elsa does not exist!
Module perl disabled.
To activate the new configuration, you need to run:
service apache2 restart
* Restarting web server apache2
...done.
Done!
=========================================================================
Disabling ELSA
=========================================================================
stop: Unknown instance:
Done!
=========================================================================
Reconfiguring syslog-ng to send logs to Elastic
=========================================================================
* Stopping system logging syslog-ng
...done.
* Starting system logging syslog-ng
...done.
Done!
=========================================================================
Updating OSSEC rules
=========================================================================
Deleting PID file '/var/ossec/var/run/ossec-remoted-30061.pid' not used...
Killing ossec-monitord ..
Killing ossec-logcollector ..
ossec-remoted not running ..
Killing ossec-syscheckd ..
Killing ossec-analysisd ..
ossec-maild not running ..
Killing ossec-execd ..
Killing ossec-csyslogd ..
OSSEC HIDS v2.8 Stopped
Starting OSSEC HIDS v2.8 (by Trend Micro Inc.)...
Started ossec-csyslogd...
2018/02/04 15:09:05 ossec-maild: INFO: E-Mail notification disabled. Clean Exit.
Started ossec-maild...
Started ossec-execd...
Started ossec-analysisd...
Started ossec-logcollector...
Started ossec-remoted...
Started ossec-syscheckd...
Started ossec-monitord...
Completed.
Done!
=========================================================================
Configuring Kibana
=========================================================================
Applying Kibana config...
{"id":"59052b20-09bd-11e8-a58a-45fddc44b7f9","type":"index-pattern","updated_at":"2018-02-04T15:09:08.178Z","version":1,"attributes":{"title":"*:logstash-*","timeFieldName":"@timestamp"}}
{"message":"[doc][config:6.1.2]: version conflict, document already exists (current version [1]): [version_conflict_engine_exception] [doc][config:6.1.2]: version conflict, document already exists (current version [1]), with { index_uuid=\"-p8Yx9xhRvC-Vc8xZLnnwg\" & shard=\"0\" & index=\".kibana\" }","statusCode":409,"error":"Conflict"}
Applying cross cluster search config...
{"acknowledged":true,"persistent":{"search":{"remote":{"mohammed-virtual-machine":{"seeds":["127.0.0.1:9300"]}}}},"transient":{}}
Applying Kibana template...
{"acknowledged":true}
Updating /etc/nsm/securityonion.conf with correct Kibana version (6.1.2)...
=========================================================================
Configuring Curator
=========================================================================
Done!
=========================================================================
Configuring ElastAlert
=========================================================================
=========================================================================
Configuring cron jobs
=========================================================================
‘/opt/elastic/src/etc/cron.d/crossclustercheck’ -> ‘/etc/cron.d/crossclustercheck’
‘/opt/elastic/src/etc/cron.d/curator-close’ -> ‘/etc/cron.d/curator-close’
‘/opt/elastic/src/etc/cron.d/curator-delete’ -> ‘/etc/cron.d/curator-delete’
Done!
All Done!
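Added example (not from this thread or from the Security Onion project): a small Python triage helper that reads a sosetup.log excerpt like the one above, lists the lines that usually mean a setup step failed, pulls the HTTP error replies and the Kibana index pattern out of the embedded JSON, and reports which sensors are registered as cross-cluster-search remotes, since the `*:logstash-*` pattern Kibana was given only reaches clusters listed under `search.remote`. `SAMPLE_LOG` is a constructed excerpt of the posted log (wrapped lines re-joined) and the sensor name `sensor1` is hypothetical.

```python
import json
import re

# Constructed excerpt of the sosetup.log posted above (a handful of its
# lines, re-joined where the mail client wrapped them); not the full log.
SAMPLE_LOG = """\
# Please wait while configuring salt...
Key for minion mohammed-virtual-machine accepted.
sed: can't read /etc/nsm/*/barnyard2*.conf: No such file or directory
# Please wait while configuring Kibana...
Applying Kibana config...
{"id":"59052b20-09bd-11e8-a58a-45fddc44b7f9","type":"index-pattern","updated_at":"2018-02-04T15:09:08.178Z","version":1,"attributes":{"title":"*:logstash-*","timeFieldName":"@timestamp"}}
{"message":"[doc][config:6.1.2]: version conflict, document already exists (current version [1])","statusCode":409,"error":"Conflict"}
Applying cross cluster search config...
{"acknowledged":true,"persistent":{"search":{"remote":{"mohammed-virtual-machine":{"seeds":["127.0.0.1:9300"]}}}},"transient":{}}
ERROR: Site elsa does not exist!
All Done!
"""

# Patterns that usually mean a setup step did not do what it intended.
SUSPECT = re.compile(
    r"^ERROR:|can't read|No such file|Unknown instance|write error|Broken pipe"
)


def json_records(log):
    """Yield every line of the log that parses as a JSON object."""
    for line in log.splitlines():
        if line.startswith("{"):
            try:
                yield json.loads(line)
            except json.JSONDecodeError:
                continue


def suspect_lines(log):
    """Plain-text lines that match a known failure pattern."""
    return [ln for ln in log.splitlines() if SUSPECT.search(ln)]


def http_errors(log):
    """(statusCode, error) pairs from JSON replies that report an HTTP error."""
    return [
        (rec["statusCode"], rec.get("error", ""))
        for rec in json_records(log)
        if isinstance(rec.get("statusCode"), int) and rec["statusCode"] >= 400
    ]


def kibana_index_patterns(log):
    """Index-pattern titles that the Kibana configuration step created."""
    return [
        rec["attributes"]["title"]
        for rec in json_records(log)
        if rec.get("type") == "index-pattern"
    ]


def remote_clusters(log):
    """Cross-cluster-search remotes (name -> seed list) that the master accepted."""
    remotes = {}
    for rec in json_records(log):
        search = rec.get("persistent", {}).get("search", {})
        for name, cfg in search.get("remote", {}).items():
            remotes[name] = list(cfg.get("seeds", []))
    return remotes


def missing_remotes(log, expected_sensors):
    """Sensors you expect Kibana to query that are absent from search.remote.

    Kibana's '*:logstash-*' pattern queries only the remote clusters registered
    here, so a sensor missing from this list will not show up in Kibana even
    though Sguil (which does not go through Elasticsearch) still sees it.
    """
    present = remote_clusters(log)
    return [name for name in expected_sensors if name not in present]


if __name__ == "__main__":
    print("suspect lines:", *suspect_lines(SAMPLE_LOG), sep="\n  ")
    print("http errors:", http_errors(SAMPLE_LOG))
    print("index patterns:", kibana_index_patterns(SAMPLE_LOG))
    print("remotes:", remote_clusters(SAMPLE_LOG))
    # 'sensor1' is a hypothetical second sensor, not a host from the thread.
    print("missing:", missing_remotes(SAMPLE_LOG, ["mohammed-virtual-machine", "sensor1"]))
```

Point it at the real file with `open("/var/log/nsm/sosetup.log").read()` in place of `SAMPLE_LOG`; the 409 "document already exists" reply is what a re-run of setup produces and is not by itself a failure.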