Setting Up Kibana Snapshots

[jimhranicky]

Version

2.4.100

Installation Method

Security Onion ISO image

Description

configuration

Installation Type

Distributed

Location

on-prem with Internet access

Hardware Specs

Meets minimum requirements

CPU

8

RAM

64g

Storage for /

80g

Storage for /nsm

2T

Network Traffic Collection

tap

Network Traffic Speeds

more than 10Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

No, there are no failures

Logs

Yes, there are additional clues in /opt/so/log/ (please provide detail below)

Detail

I'm trying to set up kibana snapshots for SO 2.4.100. The docs say:

""This option requires that you configure elasticsearch with a path.repo setting where it can store the snapshots. Once elasticsearch has the path.repo setting, you should be able to log into kibana and configure snapshots as shown in the link above. Those snapshots will then be accessible in /nsm/elasticsearch/repo/"

However, I'm unsure if I should be adding this value in the 2.4 gui? Should I copy

/opt/so/saltstack/default/salt/elasticsearch/defaults.yaml

to the local dir and add the path next to path.logs?

Guidelines

• I have read the discussion guidelines at Read before posting! #1720 and assert that I have followed the guidelines.

[cm-ops]

You will want to add the path.repo in Configuration, under elasticsearch --> config --> advanced (You'll need to enable advanced settings under the Options dropdown at the top of the screen to see this)

In advanced add (change /backup to whatever your repo location is):

elasticsearch:
  config:
    path:
      repo:
        - /backups

Then restart Elasticsearch

[jimhranicky]

Yes, I registered one in kibana - data is getting written to the repo on the manager node but path.repo is empty on the data nodes.

[TOoSmOotH]

All nodes have to be able to mount the same network storage. You will have to add that path to the docker container under the docker config for all elastic nodes. Then register the path.repo. This is assuming you are using network storage.

[jimhranicky]

Would this be done under docker > containers > so-elasticsearch > custom_bind_mounts ?

-  "Type": "bind",
   "Source": "/my/nfs-mount",
   "Destination": "/usr/share/elasticsearch/data/repo",
   "Mode": "rw",
   "RW": true,
   "Propagation": "rprivate"

Something like that?

[jimhranicky]

I dug into the jinja file a bit and found this:

 {% if ELASTICSEARCHMERGED.config.path.get('repo', False) %}
    {% for repo in ELASTICSEARCHMERGED.config.path.repo %}
  - {{ repo }}:{{ repo }}:rw
    {% endfor %}
  {% endif %}

So the path in the host os and the path in the docker container are expected to be the same. I created

/repo

on the host os and it's been mounted in the docker container, and I have snapshots running. I think this answers the question.

[jimhranicky]

One final thing - setting the repo to be the root of the NFS filesystem seemed to cause problems for some reason, so I configured the repo to be in a subdirectory ( /repo/data ). Snapshots appear to be working properly now.