Elastic 6.8.10 - Githubissues

dougburks commented 4 years ago

https://discuss.elastic.co/t/elastic-stack-7-7-1-and-6-8-10-security-update/235573

https://www.elastic.co/guide/en/elasticsearch/reference/6.8/release-notes-6.8.10.html

https://www.elastic.co/guide/en/logstash/6.8/logstash-6-8-10.html

https://www.elastic.co/guide/en/kibana/6.8/release-notes-6.8.10.html

dougburks commented 4 years ago

https://github.com/Security-Onion-Solutions/securityonion-docker/commit/7db1fda1f34c6f78e151ec74cdae335a5bfd644d

dougburks commented 4 years ago

https://github.com/Security-Onion-Solutions/securityonion-docker/commit/7951821ac145c20e3bee60855470a293891f2614

dougburks commented 4 years ago

List of packages to be tested:

securityonion-elastic - 20190510-1ubuntu1securityonion94

List of Docker images to be tested:

Elasticsearch 6.8.10 (both OSS and Elastic Features versions)
Logstash 6.8.10 (both OSS and Elastic Features versions)
Kibana 6.8.10 (both OSS and Elastic Features versions)
Freqserver
Domainstats
ElastAlert
Curator

An overview of the testing process can be found in the comments below.

Please record all testing results via comments on this issue.

Thanks in advance for your time and effort!

dougburks commented 4 years ago

How To Start Testing

install the current 16.04 ISO image
snapshot the VM if possible

add the test PPA:

sudo add-apt-repository -y ppa:securityonion/test

change DOCKERHUB from "securityonionsolutions" to "securityonionsolutionstest" (OSS license):

sudo sed -i 's|DOCKERHUB="securityonionsolutions"|DOCKERHUB="securityonionsolutionstest"|g' /etc/nsm/elasticdownload.conf

update:
```
sudo soup
```

dougburks commented 4 years ago

How To Verify Proper Elastic Operation

Please test in as many different combinations as possible:

verify that traditional Logstash parsing correctly parses Zeek logs in JSON or TSV format and Sysmon logs via Winlogbeat and Wazuh
verify that Elasticsearch Ingest parsing correctly parses Zeek logs in JSON format and Sysmon logs via Winlogbeat and Wazuh
verify Kibana dashboards visualize those parsed logs correctly
check elasticsearch, logstash, and kibana logs in /var/log/ for anything out of the ordinary
so-import-pcap vs sosetup-minimal vs traditional Setup
Setup GUI vs CLI
Evaluation Mode vs Production Mode
standalone vs distributed deployments
new installation vs upgrade
Elastic OSS vs Elastic Features license (use so-elastic-features to switch from OSS to Features)
SSO vs Elastic native auth (use so-elastic-auth to switch to Elastic native auth)

bryant-treacle commented 4 years ago

verify that traditional Logstash parsing correctly parses Zeek logs in JSON or TSV format and Sysmon logs via Winlogbeat and Wazuh Tested Good - No Issues
verify that Elasticsearch Ingest parsing correctly parses Zeek logs in JSON format and Sysmon logs via Winlogbeat and Wazuh Tested Good - No Issues
verify Kibana dashboards visualize those parsed logs correctly Tested Good - No Issues
so-import-pcap vs sosetup-minimal vs traditional Setup so-import-pcap - No Issues sosetup-minimal - No Issues
Evaluation Mode vs Production Mode Evaluation Mode - No Issues Production Standalone - No Issues
Distributed Deployment Production Master, Storage, & Forward (Ubuntu install) - No Issues Production Master, Heavy, & Forward (Ubuntu install) - No Issues
Elastic OSS vs Elastic Features license (use so-elastic-features to switch from OSS to Features) so-elastic-auth - No Issues so-elastic-features - No Issues
SSO vs Elastic native auth (use so-elastic-auth to switch to Elastic native auth) Tested Good - No Issues

j-bernal commented 4 years ago

Evaluation/Production Standalone

verify that traditional Logstash parsing correctly parses Zeek logs in JSON or TSV format JSON - Tested Good - No issues (Eval) TSV - Tested Good - No issues (Eval) JSON - Tested Good - No issues (Prod) TSV - Tested Good - No issues (Prod) **Documents page does not account for logstash minimal. Should be a command for changing securityonion.conf:

sudo sed -i 's|LOGSTASH_MINIMAL="yes"|LOGSTASH_MINIMAL="no"|g' /etc/nsm/securityonion.conf

Then restart logstash:

sudo so-logstash-restart

verify that Elasticsearch Ingest parsing correctly parses Zeek logs in JSON format Tested Good - No issues

verify Kibana dashboards visualize those parsed logs correctly Tested Good - No issues

Evaluation Mode vs Production Mode Evaluation Mode - No issues Production Mode - No issues

Elastic OSS vs Elastic Features license so-elastic-auth - No issues so-elastic-features - No issues

SSO vs Elastic native auth Tested Good - No issues

cm-ops commented 4 years ago

verify that Elasticsearch Ingest parsing correctly parses Zeek logs in JSON format JSON – no issues TSV – no issues

verify Kibana dashboards visualize those parsed logs correctly no issues

check elasticsearch, logstash, and kibana logs in /var/log/ for anything out of the ordinary no issues

so-import-pcap vs sosetup-minimal vs traditional Setup so-import-pcap – no issues sosetup-minimal – no issues

Setup GUI vs CLI No issues

Evaluation Mode vs Production Mode Evaluation mode – no issues Production mode – no issues

standalone vs distributed deployments Standalone – no issues Distributed – no issues

Elastic OSS vs Elastic Features license (use so-elastic-features to switch from OSS to Features) so-elastic-features – no issues so-elastic-auth – no issues

SSO vs Elastic native auth (use so-elastic-auth to switch to Elastic native auth) No issues

dougburks commented 4 years ago

Thanks @bryant-treacle @j-bernal @cm-ops !

Published: https://blog.securityonion.net/2020/06/elastic-6810-now-available-for-security.html

Security-Onion-Solutions / security-onion

Elastic 6.8.10 #1765