From 90a59186436e31455b53e26c333d34fa92b97a2d Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Tue, 15 Oct 2024 10:59:22 -0400 Subject: [PATCH 1/4] update download --- download.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/download.rst b/download.rst index ce8be5f6..5e98ce81 100644 --- a/download.rst +++ b/download.rst @@ -13,7 +13,7 @@ Download and verify our ISO image as shown at https://github.com/Security-Onion- .. warning:: - If you download our ISO image and then scan it with antivirus software, it is possible that one or more of the files included in the ISO image may generate false positives. If you look at the antivirus scan details, it will most likely tell you that it alerted on a file in ``SecurityOnion\agrules\``. + Antivirus software may alert on the ISO image but any alerts are most likely false positives. If you look at the antivirus scan details, it will most likely tell you that it alerted on a file in ``SecurityOnion\agrules\``. These are rules that look for malicious activity but the rules themselves are not actually malicious. .. note:: From 7ec9a49c7c9dd8ec8a3350997cd7ea53263c4375 Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Tue, 15 Oct 2024 15:41:21 -0400 Subject: [PATCH 2/4] update first-time-users --- first-time-users.rst | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/first-time-users.rst b/first-time-users.rst index 61557655..a8bcccb5 100644 --- a/first-time-users.rst +++ b/first-time-users.rst @@ -3,7 +3,7 @@ First Time Users ================ -Welcome first time users! You're going to be peeling back the layers of your network in just a few minutes! +Welcome, first time users! You're going to be peeling back the layers of your network in just a few minutes! First, download our ISO image as shown in the :ref:`download` section. 
@@ -225,3 +225,5 @@ All this in a minimal VM with only 4GB RAM! .. image:: images/39_grid.png :target: _images/39_grid.png + +If you made it to the end of this First Time Users section, congratulations! If you have any questions or problems, please see the :ref:`help` section. If you like Security Onion, please consider sharing on social media about Security Onion to help spread the word. Thanks! From e0c20bf3792a5f3895c252648d28c9fd4b774f80 Mon Sep 17 00:00:00 2001 From: weslambert Date: Thu, 17 Oct 2024 09:00:24 -0400 Subject: [PATCH 3/4] Update release-notes.rst --- release-notes.rst | 18 ++++++++++++------ 1 file changed, 12 insertions(+), 6 deletions(-) diff --git a/release-notes.rst b/release-notes.rst index 71e5203f..891a780a 100644 --- a/release-notes.rst +++ b/release-notes.rst 
@@ -6,7 +6,13 @@ Release Notes Known Issues ~~~~~~~~~~~~ -If you had previously updated to version 2.4.100 and had indices with incorrect data like source IP address, then you may need to delete the incorrect indices via the command line as follows. +If you had previously updated to version 2.4.100 and had indices with conflicting data types for fields like source IP address, then you may need to delete affected indices. Field conflicts typically occur when a field is indexed using a different set of mappings than other indices. This can occur if a component template or index template changes and a data stream rolls over to create a new backing index, causing issues with field value aggregation and data tables not being rendered as expected. + +Field conflicts can be identified by navigating to ``Kibana -> Management -> Data Views -> logs-*``. They are typically noted via a yellow banner on the data view page, or they can be found by filtering by a field type of ``conflict``. For each affected field, clicking the yellow ``Conflict`` icon in the ``Type`` column will display the conflicting field types and indices. + +For example, you may have a conflict for ``source.ip``, where it was previously correctly mapped as field type of ``ip``, but the index mappings were inadvertently changed and ``source.ip`` is now mapped as a field type of ``keyword`` in the ``logs-system.security`` and ``logs-system.syslog`` data streams. The mappings have been fixed, but the data streams need to be rolled over to pick up the correct mappings, and the affected index containing ``source.ip`` mapped as a field type of ``keyword`` needs to be deleted to resolve the conflict. + +You can issue the following commands from the CLI to resolve the conflict. First, become root: 
@@ -14,23 +20,23 @@ First, become root: sudo -i -Next, roll over each of the affected data streams (replacing ``YOUR-DATASTREAM`` as necessary): +Next, roll over each of the affected data streams: :: - for i in YOUR-DATASTREAM-1 YOUR-DATASTREAM-2; do + for i in logs-system.security logs-system.syslog; do so-elasticsearch-query $i/_rollover -XPOST done -Then, delete the previous index for each of the affected data streams (replacing ``YOUR-DATASTREAM`` as necessary): +Then, delete the previous index for each of the affected data streams: :: - for i in YOUR-DATASTREAM-1 YOUR-DATASTREAM-2; do + for i in logs-system.security logs-system.syslog; do INDEX_TO_DELETE=$(so-elasticsearch-query $i | jq -r 'keys[]' | tail -2 | head -1); so-elasticsearch-query $INDEX_TO_DELETE -XDELETE done -Finally, check to see that the fields now display as expected. +Finally, check the `logs-*` data view to see if the field conflict is now resloved. 2.4.110 Hotfix [20241010] Changes --------------------------------- From e501abf3b6a7990d9b7c273d623a21ad27c01672 Mon Sep 17 00:00:00 2001 From: weslambert Date: Thu, 17 Oct 2024 09:02:28 -0400 Subject: [PATCH 4/4] Change formatting --- release-notes.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/release-notes.rst b/release-notes.rst index 891a780a..03d3ca65 100644 --- a/release-notes.rst +++ b/release-notes.rst @@ -36,7 +36,7 @@ Then, delete the previous index for each of the affected data streams: INDEX_TO_DELETE=$(so-elasticsearch-query $i | jq -r 'keys[]' | tail -2 | head -1); so-elasticsearch-query $INDEX_TO_DELETE -XDELETE done -Finally, check the `logs-*` data view to see if the field conflict is now resloved. +Finally, check the ``logs-*`` data view to see if the field conflict is now resloved. 2.4.110 Hotfix [20241010] Changes ---------------------------------
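Review bot: In the download.rst hunk, the rewritten warning ("Antivirus software may alert on the ISO image but any alerts are most likely false positives") teaches readers to dismiss antivirus alerts in general, which undercuts the verification instruction in the hunk's own context line ("Download and verify our ISO image as shown at ..."). Suggest conditioning the reassurance on a completed verification, for example "Once you have verified the ISO image as described above, antivirus alerts on files under ``SecurityOnion\agrules\`` are expected false positives", and keeping the old sentence's scope (files included in the ISO) rather than the ISO image itself, so that an alert on an unverified or altered download is not waved away.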
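Review bot: In the second first-time-users.rst hunk, the added closing paragraph's "please consider sharing on social media about Security Onion" reads awkwardly and repeats the product name within the same sentence; suggest "please consider sharing it on social media to help spread the word". The rest of the addition is fine and the :ref:`help` pointer matches the existing :ref:`download` usage earlier in the file.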
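Review bot: In the first release-notes.rst hunk, the new paragraphs instruct the reader to delete the affected backing index but never say that this discards every event stored in that index (all data written to the stream since its previous rollover), nor do they say in which release "The mappings have been fixed", so a reader on an older version cannot tell whether the procedure applies yet. Suggest adding, after "needs to be deleted to resolve the conflict", a sentence that states the data loss explicitly and mentions reindexing into a correctly mapped index as the alternative where those logs must be retained, and naming the fixed version. The first added paragraph also runs symptom, cause and consequence into one sentence; breaking "This can occur if a component template or index template changes..." into its own sentence would read more cleanly.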
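Review bot: In the second release-notes.rst hunk, the deletion loop selects its target purely by position, `INDEX_TO_DELETE=$(so-elasticsearch-query $i | jq -r 'keys[]' | tail -2 | head -1)`, and runs the `-XDELETE` without confirming that the preceding `_rollover` succeeded or showing the operator which index is about to be removed. If the rollover in the first loop failed for one stream, the second loop still executes and deletes what is then the second-newest backing index, which may never have carried the bad `keyword` mapping; and if a stream has more than one pre-rollover backing index with the conflicting mapping, only one is removed and the conflict persists. Suggest echoing `$INDEX_TO_DELETE` before the DELETE so the reader can abort on an unexpected name, checking the rollover response for `"rolled_over": true` before proceeding, and stating in the prose that the selection assumes exactly one affected backing index per stream. The new closing sentence also carries a typo, "resloved" for "resolved".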
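Review bot: The patch 4 hunk changes only the backticks around ``logs-*`` and leaves the typo "resloved" in the very line it touches; since the line is being edited anyway, correct it to "resolved" here rather than in a follow-up. "check ... to see if the field conflict is now resolved" would also be clearer as "confirm that the field conflict is resolved", since the reader is verifying an expected outcome rather than investigating an open question.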