Questions Regarding Log Storage and Node Management in Security Onion

[SankaGamage]

Hello everyone,

I recently installed Security Onion on a server and accessed it via VPN through the web interface. I have a few questions regarding log storage and node management that I would like to clarify:

1. How long are logs typically stored in Security Onion by default?
2. Is it possible to change the log retention period? If so, how can this be configured?
3. Where are logs normally stored in Security Onion?
4. If logs are overwritten, how many days of logs are retained before they are overwritten?
5. Is it possible to store logs from different branches or data sources separately?
6. If I want to add additional nodes to my Security Onion setup, what are the steps to do so, and what challenges might I face during the process?

Any help or insights you can provide would be greatly appreciated. Thank you!

[dougburks]

How long are logs typically stored in Security Onion by default?

This depends on how much disk space you have:
https://docs.securityonion.net/en/2.4/elasticsearch.html#index-management

Is it possible to change the log retention period? If so, how can this be configured?

Yes:
https://docs.securityonion.net/en/2.4/elasticsearch.html#index-management

Where are logs normally stored in Security Onion?

/nsm:
https://docs.securityonion.net/en/2.4/directory.html

If logs are overwritten, how many days of logs are retained before they are overwritten?

This depends on how much disk space you have:
https://docs.securityonion.net/en/2.4/elasticsearch.html#index-management

Is it possible to store logs from different branches or data sources separately?

You probably want some kind of distributed deployment:
https://docs.securityonion.net/en/2.4/architecture.html#distributed

If I want to add additional nodes to my Security Onion setup, what are the steps to do so, and what challenges might I face during the process?

Read through the Enterprise Deployment options at the end of the Use Cases page:
https://docs.securityonion.net/en/2.4/use-cases.html

[SankaGamage]

How long are logs typically stored in Security Onion by default?

This depends on how much disk space you have: https://docs.securityonion.net/en/2.4/elasticsearch.html#index-management

Is it possible to change the log retention period? If so, how can this be configured?

Yes: https://docs.securityonion.net/en/2.4/elasticsearch.html#index-management

Where are logs normally stored in Security Onion?

/nsm: https://docs.securityonion.net/en/2.4/directory.html

If logs are overwritten, how many days of logs are retained before they are overwritten?

This depends on how much disk space you have: https://docs.securityonion.net/en/2.4/elasticsearch.html#index-management

Is it possible to store logs from different branches or data sources separately?

You probably want some kind of distributed deployment: https://docs.securityonion.net/en/2.4/architecture.html#distributed

If I want to add additional nodes to my Security Onion setup, what are the steps to do so, and what challenges might I face during the process?

Read through the Enterprise Deployment options at the end of the Use Cases page: https://docs.securityonion.net/en/2.4/use-cases.html

Thank you for your response and for the link to the distributed deployment documentation. I understand most of the details provided, and I appreciate your guidance. However, I still have a problem regarding storing logs from different branches or data sources separately.

I’ve already set up a distributed node, but I’m unclear on how to configure this specific requirement. Could you please explain how to achieve it in simple terms?

Additionally, I encountered an issue while installing the agent. My setup involves a server machine, which I can access via a web interface on my laptop using OpenVPN. However, when I downloaded and installed the agent, I received the following error messages:

"
timestamp=2024-12-30T17:03:56.1946561+05:30 level=info message="Version Information" ElasticAgentVersion=8.7.0 WrapperVersion=2.4.2
timestamp=2024-12-30T17:03:56.195776+05:30 level=info message="Runtime Data" EnrollmentToken="MFJ2NF9aTUJ6c3hKZE05VEZ1Qlk6Rkdsc2FTQjdTYUtjRVIwRGtHUjBEQQ==" FleetURL/s=https://192.168.1.***:8220,https://seconion:8220
timestamp=2024-12-30T17:03:56.195776+05:30 level=info message="Installation Progress" Status="Starting Installation Precheck"
timestamp=2024-12-30T17:03:59.2032907+05:30 level=warn message="Installation Progress" FleetHostConnectivityCheck=Failed FleetHostURL=https://192.168.1.***:8220
timestamp=2024-12-30T17:04:01.8916712+05:30 level=warn message="Installation Progress" FleetHostConnectivityCheck=Failed FleetHostURL=https://seconion:8220
timestamp=2024-12-30T17:04:01.8928422+05:30 level=info message="Installation Progress" Status="No Fleet Hosts are accessible - Check connectivity to Fleet Host."
timestamp=2024-12-30T17:04:01.8928422+05:30 level=info message="Installation Progress" Status="Exiting Installer..."
"

[dougburks]

I’ve already set up a distributed node, but I’m unclear on how to configure this specific requirement. Could you please explain how to achieve it in simple terms?

One option would be to use a Heavy Node:
https://docs.securityonion.net/en/2.4/architecture.html#heavy-node

However, please note the WARNING:

Additionally, I encountered an issue while installing the agent. My setup involves a server machine, which I can access via a web interface on my laptop using OpenVPN.

This is unrelated to the topic of this discussion. If you have additional questions or problems, please start a new discussion with appropriate title.