Version: 2.4.3
Installation Method: Security Onion ISO image
Description: configuration
Installation Type: Distributed
Location: on-prem with Internet access
Hardware Specs: Meets minimum requirements
CPU: 4
RAM: 12GB
Storage for /: 200GB
Storage for /nsm: 5TB
Network Traffic Collection: span port
Network Traffic Speeds: Less than 1Gbps
Status: Yes, all services on all nodes are running OK
Salt Status: No, there are no failures
Logs: No, there are no additional clues

Detail:
We are trying to save snapshots directly to an Azure repository following the documentation below:
https://www.elastic.co/guide/en/elasticsearch/reference/8.10/repository-azure.html

We updated the keystore and set up custom bind mounts to point to a local copy on each node's host OS. What we are having trouble with is trying to update azure.client.default.endpoint_suffix in the elasticsearch.yml for each node. I have added this on the manager node under elasticsearch:config in /opt/so/saltstack/default/salt/elasticsearch/defaults.yaml, but the elasticsearch container fails to restart after adding this on the manager and search nodes.

Does anyone have suggestions on how this should be configured? I'm not able to find the log for elasticsearch and am not sure where else I should look. There isn't more documentation on where to nest the setting in the yml file to ensure it's in the right place.
Replies: 1 comment
I figured the issue out myself. I had reverted to a previous snapshot where the bind mount wasn't set up, and so the failure of the container to start up was because the account property was not set in the keystore. If anyone is curious how to set this up, here is what we did.

In SOC under Grid Configuration we updated:
docker > containers > so-elasticsearch > custom_bind_mounts
and set it to:
/home/onionadmin/elasticsearch.keystore:/usr/share/elasticsearch/config/elasticsearch.keystore:ro

This binds the keystore we added the account and key to on the node with the keystore within the container.

Once this is set, if you need to adjust any of the account settings you can update the following on the manager node. This is used to feed the elasticsearch.yml within each node's elasticsearch container:
/opt/so/saltstack/default/salt/elasticsearch/defaults.yaml

Lastly, if you are having issues with elasticsearch, the logs can be found at the following location for each node:
/opt/so/log/elasticsearch/securityonion.log
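The two failure modes discussed in this thread (a keystore mounted without the account entry, and a regular setting such as endpoint_suffix put in the wrong place) can be caught before restarting so-elasticsearch. The following preflight script is an added example, not Security Onion's or Elastic's code. It assumes the container keystore path from the post above, that the entry names it receives are the ones printed by `elasticsearch-keystore list` inside the container, and the Elastic repository-azure rule that an Azure client needs `azure.client.<name>.account` plus either `.key` or `.sas_token` as secure (keystore) settings, while `endpoint_suffix`, `timeout` and `max_retries` are plain elasticsearch.yml settings. The keystore listings are constructed samples.

```python
"""Preflight checks for the Security Onion + Azure snapshot repository setup.

Added example (not Security Onion's or Elastic's own code). Assumptions:
  - the keystore inside so-elasticsearch lives at CONTAINER_KEYSTORE (the
    container path used in the custom_bind_mounts value above),
  - `keystore_entries` are the names printed by `elasticsearch-keystore list`,
  - secure vs. regular setting split follows the Elastic repository-azure docs.
"""
from typing import Dict, Iterable, List

CONTAINER_KEYSTORE = "/usr/share/elasticsearch/config/elasticsearch.keystore"

# Secure settings an Azure client must have in the keystore.
SECURE_REQUIRED = ("account",)
SECURE_CREDENTIAL = ("key", "sas_token")  # at least one of these
# Regular settings that belong in elasticsearch.yml (defaults.yaml on the
# manager), not in the keystore.
YML_ONLY = ("endpoint_suffix", "timeout", "max_retries")


def parse_bind_mount(spec: str) -> Dict[str, str]:
    """Split a docker-style 'host:container[:mode]' bind-mount spec."""
    parts = spec.split(":")
    if len(parts) not in (2, 3):
        raise ValueError(f"bad bind mount spec: {spec!r}")
    mode = parts[2] if len(parts) == 3 else "rw"
    return {"host": parts[0], "container": parts[1], "mode": mode}


def check_keystore_mount(spec: str) -> List[str]:
    """Problems with the custom_bind_mounts entry that injects the keystore."""
    problems: List[str] = []
    mount = parse_bind_mount(spec)
    if not mount["host"].startswith("/"):
        problems.append("host path must be absolute")
    if mount["container"] != CONTAINER_KEYSTORE:
        problems.append(
            f"container path should be {CONTAINER_KEYSTORE}, got {mount['container']}")
    if mount["mode"] != "ro":
        problems.append("keystore should be mounted read-only (':ro')")
    return problems


def check_azure_client(keystore_entries: Iterable[str], client: str = "default") -> List[str]:
    """Problems with the secure settings present for one Azure client."""
    prefix = f"azure.client.{client}."
    have = {e[len(prefix):] for e in keystore_entries if e.startswith(prefix)}
    problems: List[str] = []
    for name in SECURE_REQUIRED:
        if name not in have:
            problems.append(f"keystore is missing {prefix}{name}")
    if not any(name in have for name in SECURE_CREDENTIAL):
        problems.append(f"keystore needs {prefix}key or {prefix}sas_token")
    for name in YML_ONLY:
        if name in have:
            problems.append(f"{prefix}{name} belongs in elasticsearch.yml, not the keystore")
    return problems


def preflight(mount_spec: str, keystore_entries: Iterable[str], client: str = "default") -> List[str]:
    """All problems found; an empty list means the node is safe to restart."""
    return check_keystore_mount(mount_spec) + check_azure_client(keystore_entries, client)


# Constructed samples: the bind mount from the post, a complete keystore, and
# the broken one (account missing, endpoint_suffix wrongly stored as secure).
SAMPLE_MOUNT = ("/home/onionadmin/elasticsearch.keystore:"
                "/usr/share/elasticsearch/config/elasticsearch.keystore:ro")
KEYSTORE_OK = ["keystore.seed", "azure.client.default.account", "azure.client.default.key"]
KEYSTORE_BROKEN = ["keystore.seed", "azure.client.default.key",
                   "azure.client.default.endpoint_suffix"]

if __name__ == "__main__":
    for label, entries in (("ok", KEYSTORE_OK), ("broken", KEYSTORE_BROKEN)):
        issues = preflight(SAMPLE_MOUNT, entries)
        print(f"{label}: {'clean' if not issues else '; '.join(issues)}")
```

Run it on the manager with the real listing piped in (for example by replacing the constructed lists with the output of `docker exec so-elasticsearch bin/elasticsearch-keystore list`) before restarting the container; an empty result means both the mount and the secure settings match what the repository plugin expects.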