This repository has been archived by the owner on Apr 16, 2021. It is now read-only.

Elastic Stack Beta Release #1130

Closed
59 tasks done
dougburks opened this issue Sep 6, 2017 · 1 comment

dougburks commented Sep 6, 2017

  • Elasticsearch

    • change cluster name from docker-cluster to machine's hostname
    • docker image - change default user
    • [WARN ][org.elasticsearch.deprecation.rest.RestController] Content type detection for rest requests is deprecated. Specify the content type using the [Content-Type] header.
      Add -H'Content-Type: application/json' to cURL requests that have a body
      https://www.elastic.co/blog/strict-content-type-checking-for-elasticsearch-rest-requests
    • Elasticsearch 5.6.3
    • create a script called so-crossclustercheck that checks cross cluster nodes and updates elasticsearch settings
  • Kibana

    • update ElastAlert visualizations for distributed deployments
    • update ElastAlert index-pattern for distributed deployments
    • docker image - change default user
    • on HTTP dashboard, fix sizing of "HTTP - Virtual Host Frequency Analysis" visualization
    • on DNS dashboard, hyperlink remaining domain names to Indicator dashboard (ex. highest_registered_domain)
    • create a new Markdown visualization called README to serve as an intro to new users and include a link to our wiki for further information
    • create a new dashboard called README and add the README visualization to it
    • add a link to README dashboard to the navigation panel
    • change README to Help
    • add a metric to the Overview dashboard to show the total number of sensors
    • add source port to Connections dashboard
    • Kibana 5.6.3
    • Kibana appears to be searching all days even when time range is set to "Last 24 hours" (resolved in 5.6)
    • fix x-axis label on "Connections - Top 10 - Total Bytes by Source Port" visualization
    • related to last fix, when hovering over a bar, the popup shows source port and destination port value as the same. I think this is due to the visualization still showing "Destination Port" under Split Series - Custom Label
    • on Home (Overview) Dashboard, add "Devices - Count"
    • on Home (Overview) Dashboard, change "Sensors - Log Count by Sensor" to "Devices - Log Count by Device"
  • Logstash

    • docker image - change default user
    • Logstash 5.6.3
    • check if IP address is local before doing geoip
    • modify 1108_preprocess_bro_kerberos.conf with correct fields (client_cert_fuid, from)
    • modify 1113_preprocess_bro_snmp.conf (set_responses to set_requests)
  • Curator

    • docker image - change default user
    • if migrating from ELSA, migrate log_size_limit to curator equivalent
    • if new installation, configure to delete similar to ELSA log_size_limit
  • ElastAlert

    • docker image - change default user
  • Freqserver

    • docker image - change default user
  • Domainstats

    • docker image - change default user
    • disable if no Internet access
  • so-elastic-configure

    • check to see if d_logstash already exists in syslog-ng.conf before trying to add it
    • check to see if elastic user accounts already exist before trying to create them
  • so-elastic-start

    • fix publish parameters to only bind ports to 127.0.0.1
    • Kibana should wait on ElasticSearch up to 240 seconds
  • so-elastic-reset

    • delete elastalert_status
  • CapMe

    • change elk references to elastic
    • connect to $ELASTICSEARCH_HOST:$ELASTICSEARCH_PORT based on securityonion.conf
  • sosetup-elastic

    • when re-running Setup, delete existing ES data and stop all Elastic processes before configuring
    • enforce minimum requirements of 2 CPU cores and 8GB RAM
    • when configuring sensor only, stop and disable mysql
    • when re-running Setup, delete logstash persistent queue
  • Setup

    • update sosetup.conf and verify Setup works from command line
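Several of the script items above (so-elastic-start binding published ports to 127.0.0.1 only and waiting up to 240 seconds for Elasticsearch, the strict Content-Type header on cURL requests with a body, and so-elastic-configure checking for an existing d_logstash destination before touching syslog-ng.conf) are the same few shell idioms. The block below is an added illustration of those idioms, not Security Onion's own so-elastic-start or so-elastic-configure code. The function names (publish_args, wait_for_elasticsearch, es_request, ensure_syslogng_destination), the CURL override variable, and the syslog-ng destination body and port are assumptions made for the example; ELASTICSEARCH_HOST and ELASTICSEARCH_PORT are the securityonion.conf variables named in the checklist, with loopback defaults.

```shell
#!/bin/sh
# Added example; not part of Security Onion. Function names and the CURL
# override variable are assumptions made for illustration.

# Build docker "-p" flags that bind only the loopback interface, so the
# Elasticsearch/Logstash/Kibana ports are reachable only from the local host
# and not on every interface (the so-elastic-start fix in the checklist).
# Example: publish_args 9200 5601 -> "-p 127.0.0.1:9200:9200 -p 127.0.0.1:5601:5601"
publish_args() {
    out=""
    for port in "$@"; do
        out="$out -p 127.0.0.1:$port:$port"
    done
    printf '%s' "${out# }"
}

# Poll a readiness probe (a shell command string) until it succeeds or the
# timeout in seconds elapses. Returns 0 when ready, 1 on timeout. For the
# Kibana case the probe would be a curl against the cluster health endpoint
# on 127.0.0.1:9200 and the timeout 240.
wait_for_elasticsearch() {
    probe="$1"; timeout="${2:-240}"; interval="${3:-1}"
    elapsed=0
    until sh -c "$probe" >/dev/null 2>&1; do
        [ "$elapsed" -ge "$timeout" ] && return 1
        sleep "$interval"
        elapsed=$((elapsed + interval))
    done
    return 0
}

# Issue a request with a JSON body and an explicit Content-Type header, which
# Elasticsearch 5.x warns about and 6.x requires. Host and port come from the
# securityonion.conf variables, defaulting to loopback. CURL may be overridden
# (e.g. CURL=echo) to inspect the argument list without a live cluster.
es_request() {
    method="$1"; path="$2"; body="$3"
    host="${ELASTICSEARCH_HOST:-127.0.0.1}"; port="${ELASTICSEARCH_PORT:-9200}"
    "${CURL:-curl}" -s -X "$method" -H 'Content-Type: application/json' \
        "http://$host:$port$path" -d "$body"
}

# Append a syslog-ng destination block only if no destination of that name is
# already defined, so re-running configure does not create duplicate
# definitions. $1 is the config file, $2 the destination name, the rest is the
# body of the block (driver syntax is an assumption for the example).
ensure_syslogng_destination() {
    conf="$1"; name="$2"; shift 2
    if grep -Eq "^[[:space:]]*destination[[:space:]]+$name[[:space:]]*\{" "$conf"; then
        return 0
    fi
    printf 'destination %s {\n    %s\n};\n' "$name" "$*" >> "$conf"
}

# Demo when run directly: show the loopback-only publish flags.
if [ "$#" -gt 0 ] && [ "$1" = "--demo" ]; then
    echo "docker run $(publish_args 9200 9300 5601) ..."
fi
```

The grep in ensure_syslogng_destination anchors on the `destination <name> {` line rather than on the name alone, so a comment mentioning d_logstash does not count as an existing definition.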