Per sensor to ELSA

  1. Activate ELSA in SO configuration (the easy way as root, or edit the file with sudo vi /etc/nsm/securityonion.conf)
  2. Configure node for ELSA logging; the initial Sphinx indexing may take a little while, so run this in screen/tmux
  3. Make sure SphinxSearch and MySQL are up and listening
  4. Restart autossh, wait one minute, check tunnels
  5. Check tunnels from the server; look for two per log node (including the web node)
  6. Register node on server
  7. Reload apache on server to reload ELSA web
  8. Verification:

Sphinx conf bug

You may need this to get sphinxsearch service to start:

Seems like the "binlog_path" config param is actually required; I kept getting the error

until I added "binlog_path =" (empty string) into the searchd section of the sphinx.conf file.

From a thread on the SO support list here: !topic/security-onion/3Wzf7baqb0s
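The workaround above applied idempotently, as an added example that is not from the support thread, ELSA or Security Onion: a POSIX shell function that inserts "binlog_path =" into the searchd section of a sphinx.conf only when that section does not already set it (the config path passed on the command line and the four-space indent are assumptions).

```shell
#!/bin/sh
# Added example, not from the original post: make sure the searchd section of
# a sphinx.conf carries "binlog_path =" so searchd starts without the binlog error.

# ensure_binlog_path FILE
# Prints "present" if searchd already sets binlog_path, "added" after inserting it.
ensure_binlog_path() {
    conf="$1"
    # Pass 1: scan only inside "searchd { ... }" (brace on the same or next line)
    # for an uncommented binlog_path key; commented-out copies do not count.
    if awk '
        $1 == "searchd" || index($1, "searchd{") == 1 { hdr = 1 }
        hdr && index($0, "{")                          { in_s = 1; hdr = 0; next }
        in_s && $1 == "}"                              { in_s = 0 }
        in_s && ($1 == "binlog_path" || index($1, "binlog_path=") == 1) { found = 1 }
        END { exit found ? 0 : 1 }
    ' "$conf"; then
        echo present
        return 0
    fi
    # Pass 2: copy the file, emitting the empty-string setting directly after the
    # opening brace of the searchd section, then replace the original atomically.
    tmp="$conf.tmp.$$"   # assumed writable location next to the config
    awk '
        { print }
        $1 == "searchd" || index($1, "searchd{") == 1 { hdr = 1 }
        hdr && index($0, "{") && !done { print "    binlog_path ="; done = 1; hdr = 0 }
    ' "$conf" > "$tmp" && mv "$tmp" "$conf"
    echo added
}

# Usage: ensure_binlog_path.sh /path/to/sphinx.conf (path is an assumption)
if [ $# -eq 1 ]; then
    ensure_binlog_path "$1"
fi
```

Re-run the function after editing; a second invocation reports "present" and leaves the file untouched.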