So, moving from 16.04 to 2.3: I am used to seeing Uncategorized events in 16.04 and Suricata, and wanted to see if that still exists in 2.3. Does any of that exist outside of the SOC? (Looking at options for remote sites to send data highlights back that are easy.) I like sostat because it was a quick command they can run and email out. Thanks
In Security Onion 2.3, the equivalent of Uncategorized Events is shown on the Alerts page. The default view shows events that have not been acknowledged or escalated:
https://docs.securityonion.net/en/2.3/alerts.html

Alerts are now stored in Elasticsearch rather than MySQL, so you might be able to put together a command line query using so-elasticsearch-query:
https://docs.securityonion.net/en/2.3/so-elasticsearch-query.html
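One way to turn that hint into a sostat-style, e-mailable summary, as an added example that is not part of the reply above or of Security Onion's own tooling. It assumes that `so-elasticsearch-query` is invoked as `so-elasticsearch-query '<index>/_search' -d '<json body>'` and prints the raw Elasticsearch response (the 2.3 docs describe it as a curl wrapper that handles authentication, so the exact argument shape may differ on your build), that alerts carry the ECS-style fields `rule.name`, `event.severity_label` and `@timestamp`, and that acknowledging or escalating an alert in SOC sets boolean `event.acknowledged` / `event.escalated` fields on the document. The `SAMPLE_RESPONSE` is constructed so the parsing can be exercised off the manager; the index pattern `*:so-*` is also an assumption and should be narrowed on large clusters.

```python
#!/usr/bin/env python3
"""Added example, not Security Onion's own code: summarise alerts that have
not been acknowledged or escalated, straight from Elasticsearch on a 2.3
manager, in a form that can be pasted into an e-mail (sostat-style).

Assumed (see lead-in): so-elasticsearch-query '<index>/_search' -d '<json>',
ECS fields rule.name / event.severity_label / @timestamp, and boolean
event.acknowledged / event.escalated set by SOC on ack / escalate.
"""
import json
import subprocess
import sys
from typing import Dict, List, Tuple

INDEX = "*:so-*/_search"   # assumed index pattern; narrow it on large clusters

# Constructed sample of what the aggregation response looks like, so the
# parsing below can be tried without a Security Onion manager (--sample).
SAMPLE_RESPONSE = {
    "aggregations": {"by_rule": {"buckets": [
        {"key": "ET SCAN Nmap", "doc_count": 3,
         "by_severity": {"buckets": [{"key": "low", "doc_count": 3}]}},
        {"key": "ET MALWARE Example C2", "doc_count": 7,
         "by_severity": {"buckets": [{"key": "high", "doc_count": 5},
                                     {"key": "medium", "doc_count": 2}]}},
    ]}}
}


def build_query(hours: int = 24, top_n: int = 20) -> Dict:
    """Elasticsearch body: alerts from the last `hours` hours that are
    neither acknowledged nor escalated, bucketed by rule, then severity."""
    return {
        "size": 0,  # only the aggregation buckets, no individual hits
        "query": {
            "bool": {
                "filter": [
                    {"exists": {"field": "rule.name"}},
                    {"range": {"@timestamp": {"gte": f"now-{hours}h"}}},
                ],
                # assumed field names for the SOC ack / escalate state
                "must_not": [
                    {"term": {"event.acknowledged": True}},
                    {"term": {"event.escalated": True}},
                ],
            }
        },
        "aggs": {
            "by_rule": {
                "terms": {"field": "rule.name", "size": top_n},
                "aggs": {"by_severity": {
                    "terms": {"field": "event.severity_label", "size": 5}}},
            }
        },
    }


def summarize(response: Dict) -> List[Tuple[str, int, Dict[str, int]]]:
    """Flatten the aggregation response into (rule, total, {severity: n})
    rows, largest first. A payload without aggregations (for example an
    error document) yields an empty list rather than a traceback."""
    buckets = response.get("aggregations", {}).get("by_rule", {}).get("buckets", [])
    rows = []
    for b in buckets:
        sev = {s["key"]: s["doc_count"] for s in b["by_severity"]["buckets"]}
        rows.append((b["key"], b["doc_count"], sev))
    rows.sort(key=lambda r: r[1], reverse=True)
    return rows


def format_report(rows, hours: int) -> str:
    """Plain-text table suitable for an e-mail body."""
    lines = [f"Unacknowledged alerts, last {hours}h: {sum(r[1] for r in rows)} total"]
    for rule, total, sev in rows:
        sev_txt = ", ".join(f"{k}={v}" for k, v in sorted(sev.items()))
        lines.append(f"{total:>7}  {rule}  [{sev_txt}]")
    return "\n".join(lines)


def fetch(hours: int = 24) -> Dict:
    """Run the query through the wrapper; must run on the manager node."""
    body = json.dumps(build_query(hours))
    out = subprocess.run(
        ["so-elasticsearch-query", INDEX,
         "-H", "Content-Type: application/json", "-d", body],
        check=True, capture_output=True, text=True,
    ).stdout
    return json.loads(out)


if __name__ == "__main__":
    resp = SAMPLE_RESPONSE if "--sample" in sys.argv else fetch(24)
    print(format_report(summarize(resp), 24))
```

Run it with `--sample` anywhere to see the report shape; without the flag it shells out to `so-elasticsearch-query`, so it only works on the manager (and a remote site could cron it and mail the output, which is the sostat workflow the question describes).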