Security Onion 2.4
How to install and do a basic configuration of Security Onion 2.4
Last updated
Security Onion 2.4 is the newest version of the Security Onion (SO) open-source suite of tools. It builds on the Elastic Stack (consisting of Elasticsearch, Logstash, Kibana, Beats, and more) and is one of the primary SIEMs DCO uses. Here, we will go over a basic installation of SO and its deployment types. The official documentation linked below goes into more detail on how to use the tools.
Installation can be done in one of two ways:
Install from the SO 2.4 ISO
Install from a Rocky Linux machine
The preferred way is via the SO 2.4 ISO: mount the ISO, boot the machine, follow the prompts, and finalize the installation.
If you want to install Security Onion on Rocky Linux 9 Minimal or Ubuntu 22.04 (not using our Security Onion ISO image), follow the steps below. Please note that Ubuntu is not supported for manager nodes and will be phased out in the future.
Download the ISO image for your preferred flavor of 64-bit Rocky Linux 9 Minimal or Ubuntu 22.04. Verify the ISO image and then boot from it.
Reboot into your new installation.
Login using the username and password you specified during installation.
Install prerequisites. If you’re using Rocky Linux 9 Minimal:
If you’re using Ubuntu 22.04:
Download our repo and start the Setup process:
There are three primary ways that DCO deploys Security Onion.
Standalone
Distributed
Three nodes - Forward, Manager, Search
Two nodes - Manager-Search, Forward
This type of deployment is typically used for testing, labs, POCs, or very low-throughput environments. It’s not as scalable as a distributed deployment.
A standard distributed deployment includes a manager node, one or more forward nodes running the network sensor components, and one or more search nodes running the Elasticsearch components. This architecture may cost more upfront, but it provides greater scalability and performance, as you can simply add more nodes to handle more traffic or log sources.
A manager-search node is both a manager node and a search node at the same time. Since it is parsing, indexing, and searching data, it has higher hardware requirements than a normal manager node.
Combine the manager-search with one or more forwarders.
Review the and sections.
Follow the prompts in the installer. If you're building a production deployment, you'll probably want to use LVM and dedicate most of your disk space to /nsm, as discussed in the section.
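As an added pre-flight check (not part of this page or of the Security Onion project), the script below reads `lsblk` output and reports whether /nsm is its own LVM logical volume and what share of the physical disk capacity it holds; the 70% threshold and the two sample layouts are this example's own assumptions.

```shell
#!/usr/bin/env bash
# Added example: pre-flight check for the "/nsm on LVM" guidance.
# Reads device lines in the form  NAME TYPE SIZE_BYTES MOUNTPOINT
# (the output of:  lsblk -rnb -o NAME,TYPE,SIZE,MOUNTPOINT)
# and prints "<lvm|non-lvm|missing> <percent-of-disk>" for /nsm.
nsm_layout() {
  awk '
    $2 == "disk" { total += $3 }            # sum raw capacity of physical disks
    $4 == "/nsm" { nsm = $3; kind = $2 }    # device backing the /nsm mount
    END {
      if (nsm == 0 || total == 0) { print "missing 0"; exit }
      printf "%s %d\n", (kind == "lvm" ? "lvm" : "non-lvm"), (nsm * 100) / total
    }'
}

# Verdict wrapper: OK only when /nsm is an LVM volume holding at least
# NSM_MIN_PCT of total disk capacity (70 is an assumed threshold, not an SO value).
NSM_MIN_PCT=70
nsm_verdict() {
  local out kind pct
  out=$(printf '%s\n' "$1" | nsm_layout)
  kind=${out%% *}
  pct=${out##* }
  if [ "$kind" = "lvm" ] && [ "$pct" -ge "$NSM_MIN_PCT" ]; then
    echo "OK: /nsm on LVM, ${pct}% of disk"
    return 0
  fi
  echo "WARN: /nsm layout=${kind}, ${pct}% of disk (want LVM, >=${NSM_MIN_PCT}%)"
  return 1
}

# Constructed sample: 1 TB disk, Rocky-style LVM layout with a large /nsm volume.
SAMPLE_LVM='sda disk 1000000000000
sda1 part 1073741824 /boot
sda2 part 998926258176
rl-root lvm 107374182400 /
rl-nsm lvm 858993459200 /nsm'

# Constructed sample: /nsm was never separated out, so it shares the root filesystem.
SAMPLE_NO_NSM='sda disk 1000000000000
sda1 part 1073741824 /boot
sda2 part 998926258176 /'

# Demo on the constructed samples; on a real box run:
#   nsm_verdict "$(lsblk -rnb -o NAME,TYPE,SIZE,MOUNTPOINT)"
nsm_verdict "$SAMPLE_LVM"
nsm_verdict "$SAMPLE_NO_NSM" || true
```

Run it before `so-setup` on a freshly installed Rocky host; a WARN result means the installer's /nsm data will end up competing with the OS for root filesystem space.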
Proceed to the section.
Standalone is similar to Evaluation in that all components run on one box. However, instead of sending logs directly to , it sends them to , which sends them to for queuing. A second Logstash pipeline pulls the logs out of and sends them to , where they are parsed and indexed.