Elastic Stack Beta 3

[dougburks]

• Elasticsearch

  • Elasticsearch 5.6.5

• Kibana

  • Kibana 5.6.5
  • load settings via new API
  • load dashboards via new API
  • update new Home - Sensors - Count TSVB viz to search cross cluster (*:logstash-* instead of logstash-*) and check other TSVB viz as well
  • move FreqServer visualizations to a separate dashboard to avoid leaving blank space on dashboards when FreqServer is disabled
  • move DomainStats visualizations to a separate dashboard to avoid leaving blank space on dashboards when DomainStats is disabled
  • on Software and Syslog dashboards, search panel at bottom should not display _id by default since pivoting to CapMe won't work
  • Bro - SNMP Duration field needs to be set to Duration - Seconds - Seconds - 6 Decimal Places
  • improve Help page, add more Getting Started information
  • add basic dashboard for Beats

• Logstash

  • Logstash 5.6.5
  • stop using _all
  • move to a single mapping type:
    dougburks/securityonion-elastic@4a1ae52
  • allow user to expose logstash ports to network to send logs from external sources
  • support for beats input port 5044:
    dougburks/securityonion-elastic@4a1ae52
    dougburks/securityonion-elastic@cb84aaf
    configure output/index creation for Elastic Beats dougburks/securityonion-elastic#144
  • support for beats output
  • grok parser error for Microsoft-Windows-Sysmon/Operational Logstash - grok parser error #1182

• so-elastic-download

  • check to see if components are installed before trying to install
  • upon successul installation of all components, write INSTALLED="yes" into /etc/nsm/elasticdownload.conf
  • at start of script, if INSTALLED="yes", then exit immediately

• CapMe

  • search event_type

• Docker

  • allow user to configure docker0 interface via /etc/nsm/securityonion.conf
  • documentation for proxying multiple Docker clients

• ElastAlert

  • update elastalert rules to event_type and doc_type logs

• Setup

  • improve HIGHEST_REVERSE_PORT detection for sensors joining master:
    https://groups.google.com/d/topic/security-onion/EsbeYoh4ymU/discussion
    dougburks/securityonion-elastic@f04be5d
    dougburks/securityonion-elastic@d4ed5c6
  • fix verbiage for Elasticsearch disk usage

• so-allow-elastic

  • allow user to open logstash ports in firewall

[dougburks]

submitted for testing:
https://groups.google.com/d/topic/security-onion-testing/XymwE7T_qF4/discussion

[dougburks]

Published:
http://blog.securityonion.net/2017/12/security-onion-elastic-stack-beta-3.html