Export ingest data to a new installation

[Larockus]

Version

2.4.60

Installation Method

Security Onion ISO image

Description

configuration

Installation Type

Standalone

Location

on-prem with Internet access

Hardware Specs

Exceeds minimum requirements

CPU

20

RAM

50G

Storage for /

222G

Storage for /nsm

1 TB

Network Traffic Collection

span port

Network Traffic Speeds

1Gbps to 10Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

No, there are no failures

Logs

No, there are no additional clues

Detail

Basically the title says it all. My existing 2.4 installation got borked somehow during an upgrade to 2.4.5, I can still access the SOC dashboard, and see data, but Kibana keeps giving me a 404 error when trying to open it up.

I've decided to scrap this VM and start over. However I would like to port my already ingested data/logs that I've collected into the new installation of security onion 2.6, but I haven't really found anything concrete on which directories I would need to migrate or a method for exporting and importing the data. Also, If there's a method of bringing over my settings and extensions I'd be incredibly grateful for any advise on that.

Guidelines

• I have read the discussion guidelines at Read before posting! #1720 and assert that I have followed the guidelines.

[cm-ops]

Which data, just Elasticsearch?

Did you ever see any issues in the /opt/so/log/kibana/kibana.log?

[Larockus]

The Kibana logs for today and yesterday are completely empty, but looking at the log from the 19th I see a bunch of the following.

{"tags":["siem.eqlRule","6a4f8f40-c764-11ee-a6b4-599081a7cc49","rule-run-failed"],"error":{"stack_trace":"Error: Rule type siem.eqlRule is disabled because your trial license has expired.\n at validateRule (/usr/share/kibana/node_modules/@kbn/alerting-plugin/server/task_runner/rule_loader.js:50:11)\n

{"service":{"node":{"roles":["background_tasks","ui"]}},"ecs":{"version":"8.6.1"},"@timestamp":"2024-03-19T21:38:13.851+00:00","message":"[.kibana] WAIT_FOR_YELLOW_SOURCE -> FATAL. took: 64090ms.","log":{"level":"INFO","logger":"savedobjects-service"},"process":{"pid":7},"trace":{"id":"fb86a108a483819971408d6be386e80f"},"transaction":{"id":"19a2c8802785fc3a"}}

Any existing ingested data from my sensors. I'd like to not lose my existing metrics if I have to move to another server.

[cm-ops]

What does this show? so-elasticsearch-query _license

[Larockus]

Nothing is returned, see below

[cm-ops]

Is Elasticsearch running? sudo so-status

[Larockus]

Correction

Yes, elasticsearch shows green & running when I check so-status, however so-elastalert, so-playbook, so-strelka-filestream, so-strelka-frontend and so-strelka-manager, all show as missing.

[cm-ops]

If that command returns nothing, I suspect the container is running, but the service is not. Check the log /opt/so/log/elasticsearch/securityonion.log .

This is the command to start a basic license - sudo so-elasticsearch-query _license/start_basic?acknowledge=true -XPOST