Security Onion performs a daily backup of some critical files so that you can recover your grid from a catastophic failure of the manager. Daily backups create a tar file located in the /nsm/backup/ directory located on the manager. You may want to replicate this backup directory to a location outside of your manager in case the manager ever needs to be rebuilt.

Here is what gets backed up automatically:

  • /etc/pki/ - All of the certs including the CA are backed up. Restoring this would allow you to communicate with your salt minions again.

  • /opt/so/saltstack/local/ - This includes all customizations done via Administration –> Configuration.

You can configure backups by going to Administration –> Configuration –> backup.



Elasticsearch data is not automatically backed up. This includes things that may be important to you like Kibana customizations and Cases data. Kibana customizations are located in the .kibana indices and Cases data is stored in the so-case and so-casehistory indices. If you have a distributed deployment with Elasticsearch clustering, then you can enable replicas to have redundancy in case of a single node failure. Of course, please keep in mind that enabling replicas doubles your storage needs.

Another option is to use Elasticsearch’s built-in support for snapshots:

This option requires that you configure Elasticsearch with a path.repo setting where it can store the snapshots. Once Elasticsearch has the path.repo setting, you should be able to log into Kibana and configure snapshots as shown in the link above. Those snapshots will then be accessible in /nsm/elasticsearch/repo/.