Getting Started

If you’re ready to get started with Security Onion, you may have questions like:

What are the recommended best practices?

See the Best Practices section.

How many machines do I need?

Depending on what you’re trying to do, you may need anywhere from one machine to thousands of machines. The Architecture section will help you decide.

What kind of hardware does each of those machines need?

This could be anything from a small virtual machine to a large rack mount server with lots of CPU cores, lots of RAM, and lots of storage. The Hardware Requirements section provides further details.

Which ISO image should I download?

We recommend our Security Onion ISO image for most use cases, but you should review the Operating System, Partitioning, Release Notes, and Download sections for more information.

If I just want to try Security Onion in a virtual machine, how do I create a virtual machine?

See the VMware, VirtualBox, and Proxmox sections.

How do I deploy Security Onion in the cloud?

See the Amazon Cloud Image, Azure Cloud Image, and Google Cloud Image sections.

What if I have trouble booting the ISO image?

Check out the Booting Issues section.

What if I’m on an airgap network?

Review the Airgap section.

Once I’ve booted the ISO image, how do I install it?

The Installation section has steps for our Security Onion ISO image and for other ISO images.

After installation, how do I configure Security Onion?

The Configuration section covers many different use cases.

Is there anything I need to do after configuration?

See the After Installation section.

• Best Practices
  • Installation
  • Configuration
  • Avoid Third Party Software and Modifications
  • Stay Up To Date
• Architecture
  • Import
  • Evaluation
  • Standalone
  • Distributed
  • Node Types
• Hardware Requirements
  • CPU Architecture
  • Minimum Specs
  • Production Deployments
  • Storage
  • NIC
  • UPS
  • Elastic Stack
  • Standalone Deployments
  • Manager node with local log storage and search
  • Manager node with separate search nodes
  • Search Node
  • Forward Node (Sensor)
  • Heavy Node (Sensor with Elasticsearch components)
  • Receiver Node
  • Intrusion Detection Honeypot (IDH) Node
  • Sensor Hardware Considerations
• Operating System
  • Support
• Partitioning
  • Minimum Storage
  • ISO
  • LVM
  • /boot
  • /nsm
  • /
  • Docker
  • Other
  • Example
• Download
• VMware
  • Overview
  • Workstation Pro
  • Fusion
  • ESXi
  • VMware Tools
• VirtualBox
  • Creating VM
  • Guest Additions
• Proxmox
  • CPU
  • Display
  • NIC
• Booting Issues
• Airgap
  • Rule Updates
• Installation
  • Installation using Security Onion ISO Image
  • Manual Installation via other ISO image
• Amazon Cloud Image
  • Requirements
  • Create Monitoring Interface
  • Create Security Onion Instances
  • Manager Setup
  • Search Node Setup
  • AWS Sensor Setup
  • Remote Sensor Setup
  • AWS Traffic Mirroring
• Azure Cloud Image
  • Requirements
  • Create Monitoring Interface
  • Create Security Onion Instances
  • Manager Setup
  • Search Node Setup
  • Remote Sensor Setup
  • Azure Sensor Setup
• Google Cloud Image
  • Requirements
  • Setup Traffic Mirroring
  • Create Security Onion Instances
  • Manager Setup
  • Search Node Setup
  • GCP Sensor Setup
  • Remote Sensor Setup
  • Verifying Traffic Mirroring
• Configuration
  • Import
  • Evaluation
  • Production Server - Standalone
  • Production Server - Distributed Deployment
• After Installation
  • Services
  • Adjust firewall rules
  • SSH
  • Data Retention
  • Other