Starting in Security Onion 2.3.60, we support Elastic authentication. This means that you will authenticate to Elasticsearch and Kibana using the same username and password that you use for Security Onion Console (SOC).

Please note that if Elastic auth is enabled and you add a new user directly in Kibana via the Kibana Users page, then that new user will only have access to Kibana and no other apps. If you want the user to have access to all apps, make sure you add the user as shown in the Adding Accounts section.

New Installations

New installations of Security Onion 2.3.60 and later will automatically enable Elastic auth. If for some reason you want to disable Elastic auth, you can do so as shown in the Disabling section below.

Existing Installations

If you have an older installation that you’ve upgraded to Security Onion 2.3.60 or later and would like to enable Elastic auth, you can do so as shown in the Enabling section below. After manually enabling Elastic auth, each user will need to reset their password inside of Security Onion Console (SOC) as shown in the Passwords section and this will update their username and password in Elastic.


so-elastic-auth <true|false>


To enable Elastic auth, run so-elastic-auth with the true option:

sudo so-elastic-auth true


To disable Elastic auth, run so-elastic-auth with the false option:

sudo so-elastic-auth false