There may come a time when you need to disable a sensor interface, delete a sensor's configuration, or get rid of an entire sensor and its data altogether. The steps below outline what is required to accomplish each objective.
To disable a sensor interface:
- stop all sensor processes:
sudo so-sensor-stop
- edit
/etc/nsm/sensortaband comment out the sensor interface line - edit
/opt/bro/etc/node.cfgand comment out the sensor interface stanza - start all sensor processes:
sudo so-sensor-start
- To delete the configuration for a sensor, run
/usr/sbin/nsm_sensor_delon the sensor box for which you wish to delete the configuration.
- To completely wipe sensor configuration and data, run
sudo sosetupon the sensor box for which you wish to wipe the data and configuration.
- In MySQL database
securityonion_db, editsensortable (you can simply set active='N'), then restart sguild. - Stop sguild
sudo so-sensor-stop - Show sensor entries:
sudo mysql --defaults-file=/etc/mysql/debian.cnf -Dsecurityonion_db -e 'select * from sensor';
- Set sensor as inactive:
sudo mysql --defaults-file=/etc/mysql/debian.cnf -Dsecurityonion_db -e "update sensor set active='N' where sid in (<SID1>,<SID2>)";
- Start sguild:
sudo so-sensor-start
- If running salt, remove the sensor from
/opt/onionsalt/salt/top.slsand then delete the key from salt:
sudo salt-key -d sensor_key_name
- PLEASE NOTE: This step is only required if you are still running ELSA. ELSA reached EOL on October 9, 2018. On the master server, edit
/etc/elsa_web.conf, remove the sensor from thepeerssection, then restart Apache (sudo service apache2 restart).
From Kibana, navigate to Dev Tools and paste the following text into
the window (modifying nodename to match the name of your node):
PUT _cluster/settings
{
"persistent": {
"search": {
"remote": {
"nodename": {
"skip_unavailable": null,
"seeds":null
}
}
}
}
}
Click the play button to send the request to Elasticsearch.