After Installation


You can check the Grid page to see if all services are running correctly.



Please note that new nodes start off showing a red Fault and may take a few minutes to fully initialize before they show a green OK.

You can also verify services are running from the command line with the so-status command:

sudo so-status

Adjust firewall rules

Depending on what kind of installation you did, the Setup wizard may have already walked you through adding firewall rules to allow your analyst IP address(es). If you need to make other adjustments to firewall rules, you can do so by going to Administration –> Configuration –> firewall –> hostgroups.



You should be able to do most administration from Security Onion Console (SOC) but if you need access to the command line then we recommend using SSH rather than the Console.


  • Review the Elasticsearch section to see if you need to change any of the default settings.

  • Review the Stenographer and Suricata sections to see if you need to change the PCAP retention settings.


  • Go to Administration and then click Configuration to see some of the options that you may want to configure. For example, you may want to enable reverse DNS lookups when viewing IP addresses in Security Onion Console (SOC). For more information, please see the SOC Customization section.

  • While on the Administration page, you may want to set your preferred NTP server.

  • Full-time analysts may want to connect using a dedicated Security Onion Desktop.

  • Any IDS/NSM system needs to be tuned for the network it’s monitoring. Please see the Detections and Rules sections.