Shell scripts for Security Onion manager node

0

For some reason a rebooted Security Onion manager node is perceived as a combined manager-search node (this is my hypothesis), filling up the /nsm filesystem with unnecessary, large amounts of data. Here are four shell scripts I find useful.

See discussion #11062 over at GitHub.

As soon as I can login on the rebooted manager, I run this shell script:

#!/bin/sh

sudo so-elasticsearch-query _cluster/settings -d '{ "transient" : { "cluster.routing.allocation.exclude._ip" : "10.10.10.10" } }' -XPUT
echo

# EOF

Remember to change the IPv4 address to that of the manager node.

At some point, I might need to make this permanent:

#!/bin/sh

sudo so-elasticsearch-query _cluster/settings -d '{ "persistent" : { "cluster.routing.allocation.exclude._ip" : "10.10.10.10" } }' -XPUT
echo

# EOF

Use this shell script to detect any replicas:

#!/bin/sh

#sudo so-elasticsearch-query _cat/shards | awk '/UN/{print $1}'
sudo so-elasticsearch-shards-list | awk '/UN/{print $1}'

# EOF

Use this shell script to remove any replicas:

#!/bin/sh

#for index in `sudo so-elasticsearch-query _cat/shards | awk '/UN/{print $1}'`; do
for index in `sudo so-elasticsearch-shards-list | awk '/UN/{print $1}'`; do
  echo "${index}:";
  sudo so-elasticsearch-query $index/_settings -d '{"number_of_replicas":0}' -XPUT
  echo; echo
done

# EOF

If necessary, restart the elastalert container on the manager:

sudo so-elastalert-restart

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes:

<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>