Production Deployment

If you’re going to be deploying Security Onion in production, please use the following steps.

Hardware Requirements

First, check the Hardware Requirements section.

Download and Verify

download and verify the ISO image for your preferred flavor of Ubuntu 16.04 64-bit.

Distributed Deployments

If deploying a distributed environment, you’ll need to perform the remaining steps on the server, as well as all forward and storage nodes, but make sure you install and configure the master server first. For best performance, the master server should be dedicated to just being a server for the other nodes (the master server should have no sniffing interfaces of its own). Please note that forward and heavy nodes need to connect to the master server on ports 22 and 7736. If you choose to enable salt for node management, nodes will need to be able to connect to the master server on ports 4505 and 4506.


  1. Using the downloaded ISO, install the operating system. If the boot menu has a Boot and Install with the HWE kernel option, select this option. If prompted with an encrypt home folder option, DO NOT enable this feature. If asked about automatic updates, DO NOT enable automatic updates. If prompted to install any additional packages, leave standard system utilities selected and also select OpenSSH Server (openssh-server). Do NOT choose MySQL at this point. All other required dependencies will be installed automatically.
  2. When asked about partitioning, there are a few things to keep in mind:
    • If you have more than 2TB of disk space, you will probably want to create a dedicated /boot partition at the beginning of the disk to ensure that you don’t have any Grub booting issues. Choosing the LVM option should do this automatically.
    • Check to see if the installer allocates a large amount of space to /home. If this is the case, you may want to shrink /home to give more space to /.
    • The Sguil database on the server (doesn’t exist on other node types) can grow fairly large (100GB or more for decent-size networks). It’s stored at /var/lib/mysql/, so you may want to put /var on a dedicated partition or disk and assign a good amount of disk space to it. Also see the DAYSTOKEEP instructions on the Post-Installation page.
    • Forward, Heavy, and Standalone nodes store full packet captures at /nsm/sensor_data/, so you may want to put /nsm on a dedicated partition/disk and assign as much disk space as possible (1TB or more). For larger volumes you might also consider using XFS for the /nsm partition.
    • For Heavy, Standalone, and Storage Nodes, it is highly recommended to place /nsm/elasticsearch and /nsm/logstash on SSD or fast spinning disk in a RAID 10 configuration. See Hardware Requirements for more details.
  3. When installation completes, reboot into your new installation and login with the credentials you specified during installation.
  4. If you’re running a VM, now would be a good time to snapshot it so you can revert later if you need to.


  1. If this box is going to be a node (forward, heavy, or storage), make sure that your master server and all other nodes in your deployment are fully updated with sudo soup before adding a new node.

  2. Verify that you have Internet connectivity. If necessary, configure your proxy settings.

  3. If you installed from the Security Onion 16.04 ISO image, run sudo soup and reboot if prompted, then skip to the Setup section below (if you get any errors relating to MySQL, please see the MySQL-Upgrade-Errors section). Otherwise, if you’re installing on Ubuntu, continue to the next step.

  4. Install all Ubuntu updates and reboot:

    sudo apt update && sudo apt dist-upgrade && sudo reboot
  5. Log back in and configure MySQL not to prompt for root password (Setup will generate a random password later):

    echo "debconf debconf/frontend select noninteractive" | sudo debconf-set-selections
  6. Install software-properties-common if it’s not already installed:

    sudo apt -y install software-properties-common
  7. Add the Security Onion stable repository:

    sudo add-apt-repository -y ppa:securityonion/stable
  8. Update:

    sudo apt update
  9. Install the securityonion-all metapackage (or one of the more focused metapackages). This could take 15 minutes or more depending on the speed of your CPU and Internet connection.

    sudo apt -y install securityonion-all syslog-ng-core
  10. If you want to use Salt to manage your deployment, also install securityonion-onionsalt. You can do this before or after Setup, but it’s much easier if you do it before Setup.

    sudo apt -y install securityonion-onionsalt
  11. Update all packages:

    sudo soup


  1. Run the Setup wizard. If you are locally on the box, you can run the GUI by double-clicking the Desktop shortcut or running the following from a terminal:

    sudo sosetup

    Alternatively, you can run sosetup-minimal if you prefer the minimal configuration or you can automate Setup using sosetup.conf. For more information, please see /usr/share/securityonion/sosetup.conf.

  2. The Setup wizard will walk you through configuring /etc/network/interfaces and will then reboot.

  3. When prompted whether you would like to configure /etc/network/interfaces now, choose Yes, configure /etc/network/interfaces!.

  4. If you have more than one network interface, you’ll be asked to specify which one should be the management interface.

  5. You’ll then be asked to choose DHCP or static addressing for the management interface. It is highly recommended you choose static.

  6. Choosing static, you’ll be prompted to enter a static IP address for your management interface, the network’s subnet mask, gateway IP address, DNS server IP addresses (separated by spaces), and your local domain.

  7. You’ll then be prompted to select any additional interfaces that will be used for sniffing/monitoring network traffic.

  8. When prompted, choose Yes, make changes!.

  9. If you need to adjust any network settings manually (e.g. MTU), you may edit /etc/network/interfaces before rebooting.

  10. When ready to reboot, click Yes, reboot!.

  11. After rebooting, log back in and start the Setup wizard again the same as you did before. It will detect that you have already configured /etc/network/interfaces and will walk you through the rest of the configuration.

  12. Select Production Mode.

  13. Select New or Existing (New if this is a master or standalone, and Existing for forward, heavy, and storage nodes).

  • New (Master Server or Standalone)

    1. Provide a username and password for the analyst user.
    2. Select Best Practices.
    3. Choose your IDS ruleset.
    4. Choose your IDS engine (Snort or Suricata).
    5. Choose whether or not to enable sensor services. If this is going to be a standalone box with no other nodes connected, you can enable sensor services. Otherwise, if this going to be a distributed deployment with multiple nodes connected, we recommend disabling sensor services on this master server.
    6. Choose whether or not to use storage nodes for log storage. Please note that, if you choose to use storage nodes, then until a storage node is configured and Logstash has intialized on the storage node, you will not be able to review log data for configured forward nodes.
    7. Select Yes to proceed with your changes.
  • Existing (Forward Node, Heavy Node, or Storage Node)

    1. Provide the hostname or IP address of the master server (some folks may want to specify the IP/hostname of the master server in /etc/hosts and use the specified hostname during setup – this may help in the event the master server IP changes.)

    2. Provide a username to SSH to the master for the node (should have already been created on the master and added to the sudo group). Please make sure that your server has been set up and you have network connectivity and no firewall rules that would block this traffic. Additionally, consider creating a separate SSH account on the master server for each node so that if a node is ever compromised, its individual account can be disabled without affecting the other nodes. If you need to create a user account on the Master, you can do something like the following (where $nodeuser is your specified user): sudo adduser $nodeuser && sudo adduser $nodeuser sudo The new account must have a full home directory. If you do not create it when you create the account, copy /etc/skel to /home/$nodeuser and do chown -R $nodeuser:$nodeuser /home/$nodeuser. This is needed so the .ssh directory may be created to manage the connection. NOTE: This user should be removed from the sudo group on the master server after setup.

    3. Select Node Type:

      • Forward Node
        • Select Best Practices.
        • Keep the default for PF-RING min_num_slots, unless you would like to change it.
        • Modify the selected sniffing interfaces if necessary – otherwise, continue.
        • Modify HOME_NET as desired.
        • Select Yes to proceed with your changes.
        • Please note: If you chose to use one or more storage nodes with your master server, you will be able to receive IDS alerts and pull PCAPs from the forward node once setup completes, however, you will not be able to review other logs (i.e. Zeek logs in Kibana) from the node until a storage node has been configured for the master server and Logstash on the storage node has initialized.
      • Heavy Node
        • Select Best Practices.
        • Keep the default for PF-RING min_num_slots, unless you would like to change it.
        • Modify the selected sniffing interfaces if necessary – otherwise, continue.
        • Modify HOME_NET as desired.
        • Provide amount of disk space to be used for Elasticsearch to store logs (default is half of available disk space).
        • Select Yes to proceed with your changes.
      • Storage Node
        • Provide amount of disk space to be used for Elasticsearch to store logs (default is half of available disk space).
        • Select Yes to proceed with your changes.
    4. Remove $nodeuser from the sudo group on the master server:

      sudo deluser $nodeuser sudo

Proceed to PostInstallation.