Rebuilding Security Onion 2.4.120, without losing Manager settings #14377

skorpal · 2025-03-11T20:40:07Z

skorpal
Mar 11, 2025

Version

2.4.120

Installation Method

Security Onion ISO image

Description

other (please provide detail below)

Installation Type

Distributed

Location

on-prem with Internet access

Hardware Specs

Exceeds minimum requirements

CPU

16

RAM

192gb

Storage for /

100 - 300gb

Storage for /nsm

300 - 2.4tb

Network Traffic Collection

span port

Network Traffic Speeds

1Gbps to 10Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

No, there are no failures

Logs

No, there are no additional clues

Detail

I am looking to rebuild Security Onion with a complete revamp of Searchnodes and Receiver nodes. I do not mind losing data, I am just looking to not have to rebuild every grid member from scratch again along with resetting up all the elastic agents to the new Fleet grid member. I came across faster storage and want to just cut the search and receiver nodes over as quickly as possible as I will also need to reclaim storage that they are currently running on. Last time I did something similar during testing, I could not add any new searchnodes or receiver nodes to the grid for some reason. I didnt check logs and just rebuilt from scratch since it was not fully setup. Is there a better way to just reinstall the searchnodes and receiver nodes when the previous grid members are lost due to storage reclaim and redeployed to new setup? The Grid members that will not be impacted will be Manager, Fleet, Sensors.

Guidelines

I have read the discussion guidelines at Read before posting! #1720 and assert that I have followed the guidelines.

Answered by dougburks

Mar 13, 2025

You should be able to remove search nodes and receiver nodes as shown in the Removing a Node section of the documentation:
https://docs.securityonion.net/en/2.4/removing-a-node.html

You should be able to add search nodes and receiver nodes as shown in the Configuration section of the documentation:
https://docs.securityonion.net/en/2.4/configuration.html#production-server-distributed-deployment

View full answer

dougburks · 2025-03-13T17:02:42Z

dougburks
Mar 13, 2025
Maintainer

You should be able to remove search nodes and receiver nodes as shown in the Removing a Node section of the documentation:
https://docs.securityonion.net/en/2.4/removing-a-node.html

You should be able to add search nodes and receiver nodes as shown in the Configuration section of the documentation:
https://docs.securityonion.net/en/2.4/configuration.html#production-server-distributed-deployment

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Rebuilding Security Onion 2.4.120, without losing Manager settings #14377

Uh oh!

{{title}}

Uh oh!

Replies: 1 comment

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

Rebuilding Security Onion 2.4.120, without losing Manager settings #14377

Uh oh!

skorpal Mar 11, 2025

Version

Installation Method

Description

Installation Type

Location

Hardware Specs

CPU

RAM

Storage for /

Storage for /nsm

Network Traffic Collection

Network Traffic Speeds

Status

Salt Status

Logs

Detail

Guidelines

Replies: 1 comment

Uh oh!

dougburks Mar 13, 2025 Maintainer

skorpal
Mar 11, 2025

dougburks
Mar 13, 2025
Maintainer