Elastic Stack Release Candidate 1 #1179
Great looking road map Doug.
Exposing the docker so-elastic-net and making it easily configurable would allow for accommodating cluster scale out needs. ;)
For your perusal: https://thoughts.t37.net/designing-the-perfect-elasticsearch-cluster-the-almost-definitive-guide-e614eabc1a87
To add: for consideration: Kibana: Home page::
To address your questions:
Are you sure you have the latest updates? If you click to edit the visualization and check the panel options, you should get the correct results with the index set as
This is the host from which the syslog was delivered. This visualization gets the count value by determining the number of unique values for the Another option would be to update
so that the hostname will be written out as the machine's hostname, instead of "localhost". Please make sure to pose any other questions or feedback to the mailing list: Thanks,
I have your "pass-thru-cache" enabled for the docker registry and updated all an hour ago. (I see in the Viz editor that the counter reads correct, though not on the home screen.) A: Found it. The builder index pattern did not match the counter visualization index pattern. Thx Wes!
With Elastic 6.x the mapping type will no longer work, all the reference to type will need to be adjusted if you intend to upgrade to Elastic 6. The use of type:bro_conn and type:bro_dns within the same index will not work. Multiple mapping types are not supported in indices created in 6.0.
submitted for testing:
Great work guys! Have you thought about scaling this out when you have say 10 SO sensors and say 20K docs per second between all the sensors? I've had to move to a dedicated ES cluster with dedicated logstash servers. Do you think the ssh tunnel to the server will be able to handle it?
Thanks @r32rtb ! Please see: If you have further questions or comments, please use the mailing list for discussion: Thanks!
Elasticsearch
- max number of threads [2048] for user [elasticsearch] is too low, increase to at least [4096]

Kibana
- Signature_Info to signature_info

Logstash
- if [sid] and if [gid] before doing comparisons in 1033_preprocess_snort.conf
- /etc/logstash/*-template.json causing Elasticsearch to report "Deprecated field [template] used, replaced by [index_patterns]"
- /etc/logstash/logstash-template.json causing Elasticsearch to report "[_all] is deprecated in 6.0+ and will be removed in 7.0. As a replacement, you can use [copy_to] on mapping fields to create your own catch all field."
- /etc/logstash/*-template.json causing Elasticsearch to report "[_default_] mapping is deprecated since it is not useful anymore now that indexes cannot have more than one type"
- Signature_Info to signature_info

ElastAlert

so-elastic-configure

so-elastic-download
- Updating existing packages section

so-allow-view
- ufw status and also custom iptables rules in DOCKER-USER (use the iptbl_stats function in so-allow-elastic, maybe move it to a utility script to be used by both so-allow and so-allow-view)

Apache
- /shorten and /goto Locations into /etc/apache2/sites-available/securityonion.conf
- and reverse proxy to Kibana - commit

Sguil

Squert

sosetup-elastic

sostat
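The three Elasticsearch deprecation warnings listed under Logstash above (and the single-mapping-type point raised in the comments) can be turned into a pre-upgrade check. This is an added example, not Security Onion's own code: it flags the legacy keys in a Logstash index template and rewrites a constructed 5.x-style template for 6.x; the type name `doc` and the catch-all field name `all_text` are assumptions.

```python
import copy

# Constructed sample of a 5.x-style Logstash index template (not the project's file).
LEGACY_TEMPLATE = {
    "template": "logstash-*",
    "settings": {"index.refresh_interval": "5s"},
    "mappings": {
        "_default_": {
            "_all": {"enabled": True, "norms": False},
            "properties": {
                "@timestamp": {"type": "date"},
                "message": {"type": "text"},
                "host": {"type": "keyword"},
            },
        }
    },
}


def deprecated_keys(tpl):
    """Report the legacy keys Elasticsearch 6.x warns about, for a pre-upgrade check."""
    found = ["template"] if "template" in tpl else []
    for name, mapping in tpl.get("mappings", {}).items():
        found += ["_default_"] if name == "_default_" else []
        found += ["_all"] if "_all" in mapping else []
    return found


def migrate_template(tpl, type_name="doc", catch_all="all_text"):
    """Return a 6.x-compatible copy: index_patterns, one named type, copy_to catch-all."""
    out = copy.deepcopy(tpl)
    pattern = out.pop("template", None)          # "template" -> "index_patterns"
    if pattern is not None:
        out.setdefault("index_patterns", [pattern])
    mappings = out.get("mappings", {})
    if "_default_" in mappings:                    # "_default_" -> a single named type
        if len(mappings) > 1:
            raise ValueError("6.x indices allow only one mapping type")
        mappings[type_name] = mappings.pop("_default_")
    for mapping in mappings.values():              # "_all" -> copy_to on string fields
        all_cfg = mapping.pop("_all", None)
        if all_cfg and all_cfg.get("enabled", True):
            props = mapping.setdefault("properties", {})
            for name, field in props.items():
                if field.get("type") in ("text", "keyword") and name != catch_all:
                    field["copy_to"] = catch_all
            props.setdefault(catch_all, {"type": "text"})
    return out
```

Run `deprecated_keys` over each file in /etc/logstash/*-template.json before the upgrade; an empty list means none of the three warnings above will be triggered by that template.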