Skip to content
This repository has been archived by the owner on Apr 16, 2021. It is now read-only.

Elastic Architecture

Jump to bottom
weslambert edited this page Aug 7, 2017 · 23 revisions

Below is the current proposed architecture of Security Onion on the Elastic Stack:

elastic_stack_latest

PLEASE NOTE: This is subject to change, and may not reflect the final version of Security Onion on the Elastic Stack.

Since migrating to the Elastic Stack, Security Onion has maintained a consistent approach to adding new components. These new components consist of Docker images based on CentOS 7:

Core Components

Logstash - Parse and format logs.
Elasticsearch - Ingest and index logs.
Kibana - Visualize ingested log data.

Auxilliary Components

Curator - Manage indices through scheduled maintenance.
Elastalert - Query Elasticsearch and alert on user-defined anomalous behavior or other interesting bits of information.
FreqServer -Detect DGAs and find random file names, script names, process names, service names, workstation names, TLS certificate subjects and issuer subjects, etc.
DomainStats - Get additional info about a domain by providing additional context, such as creation time, age, reputation, etc.

Getting Started

Update/Upgrade

Analyst Tools

Network Visibility

Host Visibility

Elastic Stack

Customizing for your network

Tuning

Tricks and Tips

Help

Issues

Other

Scripts

Clone this wiki locally