Machine Learning

We have recently added a new tool (currently in beta) called logscan which utilizes machine learning models to detect anomalies in logs generated by Security Onion components.


Current and future ML components have dependencies that require special consideration to be made in regards to hardware or VM configurations prior to installation. Namely, a CPU/vCPU with AVX support is required, with AVX2 support recommended for better performance.

Listing components

To list all available ML components:

sudo so-learn list


Currently logscan is the only ML component available. (Initially unavailable on air gapped installations. See warning below for more info.)

Enabling components

To enable an ML component:

sudo so-learn enable <component> # --apply to immediately apply your changes

Disabling components

To disable an ML component:

sudo so-learn disable <component> # --apply to immediately apply your changes



Logscan will initially be unavailable on air gapped installations, therefore a networked installation is required to make use of the tool during this beta stage.

Logscan is log agnostic, but in its current implementation only scans logs from the built-in auth provider Kratos.

Important Files and Directories

  • App log: /opt/so/log/logscan/app.log

  • Alerts log: /opt/so/log/logscan/alerts.log

  • Data: /nsm/logscan/data


Logscan uses the following models to detect anomalous login activity on Security Onion Console:

  • K1: Searches for high numbers of login attempts from single IPs in a 1 minute window

  • K5: Searches for high ratios of login failures from single IPs in a 5 minute window

  • K60: Searches for abnormal patterns of login failures from all IPs seen within a 1 hour window