After Installation


You can check the Grid page to see if all services are running correctly.



Please note that new nodes start off showing a red Fault and may take a few minutes to fully initialize before they show a green OK.

You can also verify services are running from the command line with the so-status command:

sudo so-status

Adjust firewall rules

Depending on what kind of installation you did, the Setup wizard may have already walked you through adding firewall rules to allow your analyst IP address(es). If you need to make other adjustments to firewall rules, you can do so by going to Administration -> Configuration -> firewall -> hostgroups.



You should be able to do most administration from Security Onion Console (SOC), but if you need access to the command line, we recommend using SSH rather than the Console.

Data Retention

  • Review the Curator and Elasticsearch sections to see if you need to change any of the default index retention settings.


  • Full-time analysts may want to connect using a dedicated Security Onion Desktop.
  • Any IDS/NSM system needs to be tuned for the network it’s monitoring. Please see the Tuning section.
  • Configure the OS to use your preferred NTP server.