After Installation

SSH Key Change

Depending on what kind of installation you did, you may have seen a warning at the end of Setup about SSH key changes.


For more information, see the SSH section.

Adjust firewall rules using so-allow

Depending on what kind of installation you did, the Setup wizard may have already walked you through adding firewall rules to allow your analyst IP address(es). If you need to allow other IP addresses, you can manually run so-allow.


  • Verify services are running with the so-status command:
sudo so-status

Data Retention

  • Review the Curator and Elasticsearch sections to see if you need to change any of the default index retention settings.


  • Full-time analysts may want to connect using a dedicated Analyst VM.
  • Any IDS/NSM system needs to be tuned for the network it’s monitoring. Please see the Tuning section.
  • Configure the OS to use your preferred NTP server.