dougburks
commented
5 years ago securityonion-setup - 20120912-0ubuntu0securityonion314 is now available at ppa:securityonion/test. Please test and verify as follows:
-
create a VM using the latest 16.04.6.2 ISO image, but do not install any updates yet
-
run through normal Setup (not
sosetup-minimal) and choose Evaluation Mode -
verify that everything works correctly on this first run of Setup
-
re-run Setup as described previously
-
/etc/logstash/conf.d/*output*files should be missing and so logs never make it to Elasticsearch -
add the test PPA:
sudo add-apt-repository -y ppa:securityonion/test -
install all updates:
sudo soup -
run through Setup choosing Evaluation Mode again
-
/etc/logstash/conf.d/*output*files should now exist and logs should be sending properly to Elasticsearch -
re-run Setup and choose
Evaluation Modeagain -
verify that
/etc/logstash/conf.d/*output*files were not deleted and that logs are flowing to Elasticsearch -
enable Elastic Auth:
sudo so-elastic-auth -
verify that
/etc/logstash/conf.d/*output*files have been rewritten with auth credentials -
re-run Setup and choose
Evaluation Modeagain -
verify that
/etc/logstash/conf.d/*output*files were deleted and re-created as symlinks and that logs are flowing to Elasticsearch -
anything else we missed?
Thanks in advance for your time and effort!
weslambert
In https://github.com/Security-Onion-Solutions/security-onion/issues/1570 we updated Setup to remove Logstash output files since they might contain auth information. However, the Logstash output files are not getting re-created because README.txt still exists. So let's delete that as well.
Also add an
ifstatement so files are only removed if Elastic auth was actually enabled.