sosetup: new production deployments should default to LOGSTASH_MINIMAL

[dougburks]

We are going to start defaulting new production deployments to LOGSTASH_MINIMAL, so that Logstash will no longer parse logs itself and only transport them to Elasticsearch where they are parsed using ingest node. This should result in Logstash initializing faster and better overall performance.

It should be noted that we will only be setting LOGSTASH_MINIMAL and NOT changing the default heap size (unlike sosetup-minimal which sets LOGSTASH_MINIMAL and also decreases heap size).

[dougburks]

The following package is now available at ppa:securityonion/test:

securityonion-setup - 20120912-0ubuntu0securityonion326

Please test/verify as follows:

• start with a 16.04 box with all stable updates applied

• add the test PPA:

  sudo add-apt-repository -y ppa:securityonion/test

• install all updates:

  sudo soup -y

• snapshot the VM if possible

• choose Production Mode, New Deployment, and Store Logs Locally to build a standalone box and then verify that LOGSTASH_MINIMAL is set in /etc/nsm/securityonion.conf and that Logstash initializes quickly

• revert to VM snapshot

• choose Production Mode, New Deployment, and Add Storage Node to enable Redis and then verify that LOGSTASH_MINIMAL is set in /etc/nsm/securityonion.conf

• create another VM with the updated Setup package, run Setup, join to your Master from the previous step as a Storage Node, and verify that LOGSTASH_MINIMAL is set locally and that Logstash initializes quickly

• create another VM with the updated Setup package, run Setup, join to your Master from above as a Heavy Node, and verify that LOGSTASH_MINIMAL is set locally and that Logstash initializes quickly

• go back to your Master and remove LOGSTASH_MINIMAL from /etc/nsm/securityonion.conf, then join a new node and verify that it does NOT inherit the LOGSTASH_MINIMAL setting and that Logstash initializes slowly

• choose Evaluation Mode and verify that it works as it always has with traditional Logstash config and freqserver and domainstats fully functional

• verify no other regressions

• anything else we misseed?

Thanks in advance for your time and testing!

[dougburks]

Published: https://blog.securityonion.net/2020/03/security-onion-160465-iso-image-now.html