List: security-onion
Subject: Re: [security-onion] Re: Towards ELK on Security Onion: A Technology Preview
From: Justin Henderson <jhenderson () tekrefresh ! com>
Date: 2017-04-25 13:39:54
Message-ID: CAO816Vm52BJW-TrW2zxE5VVDM_ZQL6AbzCpo89jMTco9Spq0_g () mail ! gmail ! com
I'm glad you found the issue (although sorry you have packet loss). No
worries on the side track.
The community grows as the community supports one another.
On Apr 24, 2017 1:45 PM, "Marcus Liberto" <marcusliberto@gmail.com> wrote:
> Disregard...looks like packet loss outside of the NIC. Doesn't seem to be
> a problem with a separate low volume environment I just set up (~10MBit/s
> average, 8GB ram, 12 cores). Sorry to throw the thread off track.
>
> =========================================================================
> Packets received during last monitoring interval (600 seconds)
> =========================================================================
>
> eth4: 62769737
>
> =========================================================================
> Packet Loss Stats
> =========================================================================
>
> NIC:
>
> eth4:
>
> RX packets:959934397 dropped:0 TX packets:1 dropped:0
>
> -------------------------------------------------------------------------
>
> pf_ring:
>
> Appl. Name : <unknown>
> Tot Packets : 953419620
> Tot Pkt Lost : 194339404
>
>
> Appl. Name : snort-cluster-55-socket-0
> Tot Packets : 948385790
> Tot Pkt Lost : 671103640
>
> -------------------------------------------------------------------------
>
> IDS Engine (snort) packet drops:
>
> /nsm/sensor_data/SO-server-eth4/snort-1.stats last reported
> pkt_drop_percent as 68.985
> -------------------------------------------------------------------------
>
> Bro:
>
> Average packet loss as percent across all Bro workers: 25.604242
>
> bro: 1493054874.259560 recvd=759053106 dropped=194349793
> link=759053106
>
> Capture Loss:
>
> bro 100.0
>
> If you are seeing capture loss without dropped packets, this
> may indicate that an upstream device is dropping packets (tap or SPAN
> port).
>
> -------------------------------------------------------------------------
>
> Netsniff-NG:
> File: /var/log/nsm/SO-server-eth4/netsniff-ng.log
> Processed: +234012 Lost: -1503
> File: /var/log/nsm/SO-server-eth4/netsniff-ng.log
> Processed: +342673 Lost: -32804
> File: /var/log/nsm/SO-server-eth4/netsniff-ng.log
> Processed: +285747 Lost: -1192
> File: /var/log/nsm/SO-server-eth4/netsniff-ng.log
> Processed: +251171 Lost: -1
> File: /var/log/nsm/SO-server-eth4/netsniff-ng.log
> Processed: +416690 Lost: -247132
> File: /var/log/nsm/SO-server-eth4/netsniff-ng.log
> Processed: +358628 Lost: -3
> File: /var/log/nsm/SO-server-eth4/netsniff-ng.log
> Processed: +348527 Lost: -2104
> File: /var/log/nsm/SO-server-eth4/netsniff-ng.log
> Processed: +290883 Lost: -4
> File: /var/log/nsm/SO-server-eth4/netsniff-ng.log
> Processed: +481973 Lost: -5200
> File: /var/log/nsm/SO-server-eth4/netsniff-ng.log
> Processed: +293023 Lost: -5097
> File: /var/log/nsm/SO-server-eth4/netsniff-ng.log
> Processed: +424731 Lost: -11533
> File: /var/log/nsm/SO-server-eth4/netsniff-ng.log
> Processed: +365627 Lost: -12
> File: /var/log/nsm/SO-server-eth4/netsniff-ng.log
> Processed: +287252 Lost: -5916
> File: /var/log/nsm/SO-server-eth4/netsniff-ng.log
> Processed: +276616 Lost: -13
> File: /var/log/nsm/SO-server-eth4/netsniff-ng.log
> Processed: +285411 Lost: -2649
> File: /var/log/nsm/SO-server-eth4/netsniff-ng.log
> Processed: +344345 Lost: -8592
> File: /var/log/nsm/SO-server-eth4/netsniff-ng.log
> Processed: +327307 Lost: -3
> File: /var/log/nsm/SO-server-eth4/netsniff-ng.log
> Processed: +314197 Lost: -4473
> File: /var/log/nsm/SO-server-eth4/netsniff-ng.log
> Processed: +398740 Lost: -12206
> File: /var/log/nsm/SO-server-eth4/netsniff-ng.log
> Processed: +339085 Lost: -12
> File: /var/log/nsm/SO-server-eth4/netsniff-ng.log
> Processed: +330692 Lost: -16609
> File: /var/log/nsm/SO-server-eth4/netsniff-ng.log
> Processed: +270147 Lost: -3
> File: /var/log/nsm/SO-server-eth4/netsniff-ng.log
> Processed: +275869 Lost: -29673
> File: /var/log/nsm/SO-server-eth4/netsniff-ng.log
> Processed: +242993 Lost: -7
> File: /var/log/nsm/SO-server-eth4/netsniff-ng.log
> Processed: +312980 Lost: -16361
>
> =========================================================================
> PF_RING
> =========================================================================
> PF_RING Version : 6.4.1 (unknown)
> Total rings : 2
>
> Standard (non ZC) Options
> Ring slots : 4096
> Slot version : 16
> Capture TX : Yes [RX+TX]
> IP Defragment : No
> Socket Mode : Standard
> Total plugins : 0
> Cluster Fragment Queue : 2808
> Cluster Fragment Discard : 0
>
> =========================================================================
> Log Archive
> =========================================================================
> /nsm/sensor_data/SO-server-eth0/dailylogs/ - 0 days
> 4.0K .
>
> /nsm/sensor_data/SO-server-eth1/dailylogs/ - 0 days
> 4.0K .
>
> /nsm/sensor_data/SO-server-eth2/dailylogs/ - 0 days
> 4.0K .
>
> /nsm/sensor_data/SO-server-eth3/dailylogs/ - 0 days
> 4.0K .
>
> /nsm/sensor_data/SO-server-eth4/dailylogs/ - 1 days
> 508G .
> 508G ./2017-04-24
>
> /nsm/bro/logs/ - 1 days
> 1.1G .
> 1.1G ./2017-04-24
> 60K ./stats
>
>
>
> On Monday, April 24, 2017 at 11:17:17 AM UTC-4, Marcus Liberto wrote:
> > No luck. Fresh install without soup updates. Attached screenshots for
> > reference.
> >
> > On Friday, April 21, 2017 at 5:29:30 PM UTC-4, Justin Henderson wrote:
> > > You are welcome.
> > >
> > > If for some reason it doesn't work after a reinstall let me know. I'll
> > > spin off my own and then we can try to pinpoint what's going on.
> > >
> > > On 4/21/17, Marcus Liberto <marcusliberto@gmail.com> wrote:
> > > > Yep fresh install of the 14.04.5.2 iso, ran soup updates, ran the .sh file,
> > > > edited ES_HEAP_SIZE as mentioned earlier. I'm throwing about 100Mbit/s,
> > > > negligible packet loss, CPU usage is moderately low, memory is high but not
> > > > hitting swap significantly (HP DL390G7 12 cores, 128GB ram). I'll attempt a
> > > > reinstall without doing soup updates next week and report back to the
> > > > thread. Thanks for the quick reply Justin!
> > > >
> > > > On Friday, April 21, 2017 at 4:12:32 PM UTC-4, Justin Henderson wrote:
> > > > > > Marcus, did you start with a fresh install when setting up this technology
> > > > > > preview? This feature is one of the technology preview components and
> > > > > > should be working.
> > > > > >
> > > > > > Also, it is possible that if updates were installed after running the
> > > > > > technology preview bash script that it may have broken something.
> > > > > >
> > > > > > This is one of the core features I am hoping to see moving forward.
> > > > > >
> > > > > Sincerely,
> > > > >
> > > > >
> > > > > Justin Henderson
> > > > > (312) 857-5755
> > > > > Systems and Security Architect
> > > > > GSE # 108, Cyber Guardian Red / Blue
> > > > > http://www.linkedin.com/in/justinhenderson2014/
> > > > >
> > > > >
> > > > >
> > > > >
> > > > >
> > > > > On Fri, Apr 21, 2017 at 3:08 PM, Marcus Liberto <
> marcus...@gmail.com>
> > > > > wrote:
> > > > >
> > > > > When clicking on the pcaps that pivot me over to capme...every pcap
> says
> > > > > "No Data Sent" and when I download sample pcaps and open in
> wireshark
> > > > > there is no data. Is this a future feature?
> > > > > -Marcus
> > > > >
> > > > >
> > > > > On Fri, Apr 14, 2017 at 8:27 AM, Justin Henderson
> > > > > <jhend...@tekrefresh.com> wrote:
> > > > >
> > > > > I think you may be right. The setting is already in the file. It
> just
> > > > > needs uncommented.
> > > > >
> > > > >
> > > > >
> > > > >
> > > > > On Apr 14, 2017 6:24 AM, "Doug Burks" <doug....@gmail.com> wrote:
> > > > > On Thu, Apr 13, 2017 at 11:47 PM, Justin Henderson
> > > > >
> > > > > <jhend...@tekrefresh.com> wrote:
> > > > >
> > > > > > Thanks all to the feedback on performance and stability. For this
> > > > > > preview we
> > > > >
> > > > > > intentionally have not put these settings in. However, we will
> try to
> > > > >
> > > > > > anticipate and design around this assuming we move forward with
> the new
> > > > >
> > > > > > additions.
> > > > >
> > > > > >
> > > > >
> > > > > > Also note, if you are trying to tune Elasticsearch you can also
> get a
> > > > > > boost
> > > > >
> > > > > > by enabling the bootstrap.mlockall: true setting in
> > > > >
> > > > > > /etc/elasticsearch/elasticsearch.yml
> > > > >
> > > > >
> > > > >
> > > > > Hi Justin,
> > > > >
> > > > >
> > > > >
> > > > > To clarify, I think this setting is now called
> bootstrap.memory_lock,
> > > > >
> > > > > right? From /etc/elasticsearch/elasticsearch.yml:
> > > > >
> > > > >
> > > > >
> > > > > # ----------------------------------- Memory
> > > > > -----------------------------------
> > > > >
> > > > > #
> > > > >
> > > > > # Lock the memory on startup:
> > > > >
> > > > > #
> > > > >
> > > > > # bootstrap.memory_lock: true
> > > > >
> > > > >
> > > > >
> > > > >
> > > > >
> > > > >
> > > > >
> > > > >
> > > > >
> > > > >
> > > > >
> > > > > --
> > > > >
> > > > > Doug Burks
> > > > >
> > > > >
> > > > >
> > > > > --
> > > > >
> > > > > Follow Security Onion on Twitter!
> > > > >
> > > > > https://twitter.com/securityonion
> > > > >
> > > > > ---
> > > > >
> > > > > You received this message because you are subscribed to a topic in
> the
> > > > > Google Groups "security-onion" group.
> > > > >
> > > > > To unsubscribe from this topic, visit
> > > > > https://groups.google.com/d/topic/security-onion/
> ReAPgPn746M/unsubscribe.
> > > > >
> > > > > To unsubscribe from this group and all its topics, send an email to
> > > > > security-onio...@googlegroups.com.
> > > > >
> > > > > To post to this group, send email to securit...@googlegroups.com.
> > > > >
> > > > > Visit this group at https://groups.google.com/group/security-onion.
> > > > >
> > > > > For more options, visit https://groups.google.com/d/optout.
> > > > >
> > > > >
> > > > >
> > > > >
> > > > >
> > > > >
> > > > > --
> > > > >
> > > > > Follow Security Onion on Twitter!
> > > > >
> > > > > https://twitter.com/securityonion
> > > > >
> > > > > ---
> > > > >
> > > > > You received this message because you are subscribed to a topic in
> the
> > > > > Google Groups "security-onion" group.
> > > > >
> > > > > To unsubscribe from this topic, visit
> > > > > https://groups.google.com/d/topic/security-onion/
> ReAPgPn746M/unsubscribe.
> > > > >
> > > > > To unsubscribe from this group and all its topics, send an email to
> > > > > security-onio...@googlegroups.com.
> > > > >
> > > > > To post to this group, send email to securit...@googlegroups.com.
> > > > >
> > > > > Visit this group at https://groups.google.com/group/security-onion.
> > > > >
> > > > > For more options, visit https://groups.google.com/d/optout.
> > > > >
> > > > >
> > > > >
> > > > >
> > > > >
> > > > >
> > > > >
> > > > > --
> > > > >
> > > > > Follow Security Onion on Twitter!
> > > > >
> > > > > https://twitter.com/securityonion
> > > > >
> > > > > ---
> > > > >
> > > > > You received this message because you are subscribed to a topic in
> the
> > > > > Google Groups "security-onion" group.
> > > > >
> > > > > To unsubscribe from this topic, visit
> > > > > https://groups.google.com/d/topic/security-onion/
> ReAPgPn746M/unsubscribe.
> > > > >
> > > > > To unsubscribe from this group and all its topics, send an email to
> > > > > security-onio...@googlegroups.com.
> > > > >
> > > > > To post to this group, send email to securit...@googlegroups.com.
> > > > >
> > > > > Visit this group at https://groups.google.com/group/security-onion.
> > > > >
> > > > > For more options, visit https://groups.google.com/d/optout.
> > > >
> > > >
> > >
> > >
> > > --
> > >
> > >
> > > Sincerely,
> > >
> > > Justin Henderson
> > > (312) 857-5755
> > > Systems and Security Architect
> > > GSE # 108, Cyber Guardian Red / Blue
> > > http://www.linkedin.com/in/justinhenderson2014/
>
>
--
Follow Security Onion on Twitter!
https://twitter.com/securityonion
---
You received this message because you are subscribed to the Google Groups
"security-onion" group. To unsubscribe from this group and stop receiving emails from
it, send an email to security-onion+unsubscribe@googlegroups.com. To post to this
group, send email to security-onion@googlegroups.com. Visit this group at
https://groups.google.com/group/security-onion. For more options, visit
https://groups.google.com/d/optout.
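
An added example, not part of the original thread and not Security Onion's own sostat code: a small Python parser for the packet-loss sections of the sostat output quoted above, computing loss per capture layer and applying sostat's hint about upstream (tap or SPAN) loss. Treating lost/seen as the loss percentage for pf_ring and netsniff-ng, the 1% threshold and all function names are assumptions; for Bro the same ratio reproduces the 25.604242 figure shown in the output.

```python
import re

# Excerpt of the sostat output quoted in the message above, with the quote
# markers stripped and the netsniff-ng list trimmed to two entries.
SAMPLE = """\
NIC:
eth4:
RX packets:959934397 dropped:0 TX packets:1 dropped:0
pf_ring:
Appl. Name : <unknown>
Tot Packets : 953419620
Tot Pkt Lost : 194339404
Appl. Name : snort-cluster-55-socket-0
Tot Packets : 948385790
Tot Pkt Lost : 671103640
Bro:
bro: 1493054874.259560 recvd=759053106 dropped=194349793
link=759053106
Capture Loss:
bro 100.0
Netsniff-NG:
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log
Processed: +234012 Lost: -1503
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log
Processed: +342673 Lost: -32804
"""

RING_RE = re.compile(
    r"Appl\. Name\s*:\s*(\S+)\s+Tot Packets\s*:\s*(\d+)\s+Tot Pkt Lost\s*:\s*(\d+)"
)


def parse_counters(text):
    """Return {layer: (seen, lost)} for every capture layer found in text."""
    counters = {}
    m = re.search(r"RX packets:(\d+)\s+dropped:(\d+)", text)
    if m:
        counters["nic"] = (int(m.group(1)), int(m.group(2)))
    for name, seen, lost in RING_RE.findall(text):
        counters["pf_ring:" + name] = (int(seen), int(lost))
    m = re.search(r"recvd=(\d+)\s+dropped=(\d+)", text)
    if m:
        counters["bro"] = (int(m.group(1)), int(m.group(2)))
    # netsniff-ng reports one Processed/Lost pair per log entry; sum them.
    sniff = re.findall(r"Processed:\s*\+(\d+)\s+Lost:\s*-(\d+)", text)
    if sniff:
        counters["netsniff-ng"] = (
            sum(int(p) for p, _ in sniff),
            sum(int(lost) for _, lost in sniff),
        )
    return counters


def loss_percent(counters):
    """Lost packets as a percentage of packets seen (assumed ratio), per layer."""
    return {
        layer: (100.0 * lost / seen if seen else 0.0)
        for layer, (seen, lost) in counters.items()
    }


def capture_loss(text):
    """Bro capture-loss percentage from the 'Capture Loss:' section, or None."""
    m = re.search(r"Capture Loss:\s+bro\s+([\d.]+)", text)
    return float(m.group(1)) if m else None


def triage(text, threshold=1.0):
    """Flag layers losing more than `threshold` percent of their packets."""
    pct = loss_percent(parse_counters(text))
    lossy = sorted(layer for layer, p in pct.items() if p > threshold)
    cl = capture_loss(text)
    # sostat's hint: capture loss without dropped packets may mean an upstream
    # device (tap or SPAN port) is dropping. "Without dropped packets" is read
    # here as "no host layer above the threshold" (an assumption).
    upstream = cl is not None and cl > threshold and not lossy
    return {"percent": pct, "lossy": lossy, "upstream_suspected": upstream}


if __name__ == "__main__":
    result = triage(SAMPLE)
    for layer, p in sorted(result["percent"].items()):
        print(f"{layer:40s} {p:8.3f}%")
    print("lossy layers:", result["lossy"])
    print("upstream suspected:", result["upstream_suspected"])
```
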