Security Onion needs a lot of storage and SSDs are expensive, so the best arrangement is to run Security Onion itself on an SSD and keep its data on a traditional hard drive.
Here's how to do that
Let's pretend my second hard drive will be called "SoData" and mounted at "/mnt/SoData".
1. First we have to format the new drive and mount it (make sure to run it with sudo).
terminal:
sudo gnome-disks
-- format the disk and name it "SoData"; once completed, edit the mount options, disable automatic mounting and set "Identify As" to the label "SoData"
-- restart
2. Change the permissions of "SoData" (mounted at /mnt/SoData) to 755.
terminal:
sudo chmod -R 755 /mnt/SoData
3. Make an "nsm" folder in /mnt/SoData and change its permissions.
sudo mkdir /mnt/SoData/nsm
sudo chmod -R 755 /mnt/SoData/nsm
4. Run the sguil setup; after it completes, run in terminal:
sudo ufw allow 443
5. Then we have to move the nsm files to the new location; run in terminal (/mnt/SoData/nsm, shown in bold in the original post, is your new HDD location, so substitute your own path):
sudo so-stop
sudo cp -av /nsm/* /mnt/SoData/nsm
sudo mv /nsm /nsm-backup
sudo ln -s /mnt/SoData/nsm /nsm
cd /etc/apparmor.d/local/
sudo gedit usr.sbin.mysqld
-- add this line to the file:
/mnt/SoData/nsm/server_data/** r,
sudo gedit usr.sbin.tcpdump
-- add this line to the file:
/mnt/SoData/nsm/sensor_data/** r,
sudo service apparmor restart
sudo so-start
6. Update the securityonion.conf file with the new size of your hard drive.
terminal:
sudo gedit /etc/nsm/securityonion.conf
-- change the "300" (GB) in the following lines to your new size:
# Log size limit (GB) for Elasticsearch logs
LOG_SIZE_LIMIT=300
Done!
source:
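Once the steps above are done, it is worth confirming that /nsm really points at the new disk, that both AppArmor overrides carry the new paths, and that LOG_SIZE_LIMIT is smaller than the disk it now lives on. The script below is an added example, not part of the original post or of Security Onion; its function names are my own, every path is a parameter, and the defaults match the paths used in the post.

```shell
# Added example (not from the original post): sanity checks for the relocated /nsm tree.
# Every path is a parameter so the checks can also run against a scratch copy of the layout.

# nsm_is_symlink_to LINK TARGET -> 0 when LINK is a symlink that resolves to TARGET
nsm_is_symlink_to() {
    [ -L "$1" ] && [ "$(readlink -f "$1")" = "$(readlink -f "$2")" ]
}
# apparmor_has_rule FILE RULE -> 0 when FILE holds RULE as a whole line (leading spaces ignored)
apparmor_has_rule() {
    [ -r "$1" ] && sed 's/^[[:space:]]*//' "$1" | grep -qxF "$2"
}
# log_limit_gb CONF -> prints the LOG_SIZE_LIMIT value from securityonion.conf
log_limit_gb() {
    sed -n 's/^LOG_SIZE_LIMIT=\([0-9][0-9]*\).*/\1/p' "$1" | head -n 1
}
# fs_size_gb DIR -> prints the capacity (whole GB) of the filesystem holding DIR (POSIX df -P)
fs_size_gb() {
    df -kP "$1" | awk 'NR == 2 { printf "%d\n", $2 / 1048576 }'
}
# limit_fits CONF DIR -> 0 when LOG_SIZE_LIMIT is smaller than the filesystem holding DIR
limit_fits() {
    limit=$(log_limit_gb "$1"); size=$(fs_size_gb "$2")
    [ -n "$limit" ] && [ -n "$size" ] && [ "$limit" -lt "$size" ]
}
# check_layout LINK DATA_DIR APPARMOR_LOCAL -> 0 when the symlink and both overrides are in place
check_layout() {
    rc=0
    nsm_is_symlink_to "$1" "$2" || { echo "FAIL: $1 is not a symlink to $2"; rc=1; }
    apparmor_has_rule "$3/usr.sbin.mysqld" "$2/server_data/** r," \
        || { echo "FAIL: mysqld override lacks $2/server_data/** r,"; rc=1; }
    apparmor_has_rule "$3/usr.sbin.tcpdump" "$2/sensor_data/** r," \
        || { echo "FAIL: tcpdump override lacks $2/sensor_data/** r,"; rc=1; }
    return $rc
}
# check_relocation LINK DATA_DIR APPARMOR_LOCAL CONF -> 0 when layout and size limit both pass
check_relocation() {
    status=0
    check_layout "$1" "$2" "$3" || status=1
    limit_fits "$4" "$2" || { echo "FAIL: LOG_SIZE_LIMIT in $4 exceeds the disk holding $2"; status=1; }
    return $status
}

# Invoke with --run to check the live system; the defaults are the paths used in the post.
case "${1:-}" in --run) check_relocation "${2:-/nsm}" "${3:-/mnt/SoData/nsm}" \
    "${4:-/etc/apparmor.d/local}" "${5:-/etc/nsm/securityonion.conf}" ;; esac
```

Run it as `sh check_nsm.sh --run` after so-start; any FAIL line points at the step that still needs attention.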