Skip to content
This repository has been archived by the owner on Apr 16, 2021. It is now read-only.

RemovingASensor

Jump to bottom
doug edited this page Aug 27, 2019 · 17 revisions

Please note! This wiki is no longer maintained. Our documentation has moved to https://securityonion.net/docs/. Please update your bookmarks. You can find the latest version of this page at: https://securityonion.net/docs/RemovingASensor.

There may come a time when you need to disable a sensor interface, delete a sensor's configuration, or get rid of an entire sensor and its data altogether. The steps below outline what is required to accomplish each objective.

Disable sensor interface

To disable a sensor interface:

  • stop all sensor processes:
    sudo so-sensor-stop
  • edit /etc/nsm/sensortab and comment out the sensor interface line
  • edit /opt/bro/etc/node.cfg and comment out the sensor interface stanza
  • start all sensor processes:
    sudo so-sensor-start

Delete sensor configuration

  • To delete the configuration for a sensor, run /usr/sbin/nsm_sensor_del on the sensor box for which you wish to delete the configuration.

Wipe sensor configuration and data

  • To completely wipe sensor configuration and data, run sudo sosetup on the sensor box for which you wish to wipe the data and configuration.

Remove sensor reference from master server

  • PLEASE NOTE: This step is only required if you are still running ELSA. ELSA is set for EOL on October 9, 2018. On the master server, edit /etc/elsa_web.conf, remove the sensor from the peers section, then restart Apache (sudo service apache2 restart).

  • In MySQL database securityonion_db, edit sensor table (you can simply set active='N'), then restart sguild.

    • Stop sguild
      sudo nsm_server_ps-stop
    • Show sensor entries
      sudo mysql --defaults-file=/etc/mysql/debian.cnf -Dsecurityonion_db -e 'select * from sensor';
    • Set sensor as inactive
      sudo mysql --defaults-file=/etc/mysql/debian.cnf -Dsecurityonion_db -e "update sensor set active='N' where sid in (<SID1>,<SID2>)";
    • Start sguild
      sudo nsm_server_ps-start

  • If running salt:

    • Remove the sensor from /opt/onionsalt/salt/top.sls.
    • Delete the key from salt: sudo salt-key -d sensor_key_name

Remove storage node reference from Master server Elasticsearch _cluster/settings

From Kibana, navigate to Dev Tools and paste the following text into the window (modifying nodename to match the name of your node):

PUT _cluster/settings
{
  "persistent": {
    "search": {
      "remote": {
        "nodename": {
          "skip_unavailable": null,
          "seeds":null
        }
      }
    }
  }  
}

Click the play button to send the request to Elasticsearch.

Getting Started

Update/Upgrade

Analyst Tools

Network Visibility

Host Visibility

Elastic Stack

Customizing for your network

Tuning

Tricks and Tips

Help

Issues

Other

Scripts

Clone this wiki locally