The 2.4 series of Security Onion retires its three former endpoint agents — Wazuh, Elastic’s Beats and osquery — and replaces them with a single Elastic Agent, managed centrally through Fleet. The Network Security Monitoring (NSM) distribution that Doug Burks started in 2008 reached 2.4 general availability with 2.4.10, on 23 August 2023; 2.4.20, the latest of the series for now, is from 6 October 2023.

Context

Security Onion puts the reference Open Source tools for network analysis, log management and incident response into a single installer: Suricata and Zeek for network visibility, Stenographer for full-packet capture, Strelka for file analysis, the Elastic stack for indexing and search. Through the 2.3 series, host data came from separate agents: Wazuh for host-based detection, Beats (Filebeat above all) for log transport, osquery for point-in-time queries against endpoint state. Three agents, three configuration cycles, three transport channels, three management models.

Architecture

The deployment model still rests on three profiles — Evaluation (everything on one node, for the lab), Standalone (manager and sensor on the same host), Distributed (a grid with separated roles). In the distributed profile the roles are: the manager (web console, Kibana, Elasticsearch cluster management, Redis queues, Logstash); the search nodes, which pull from the Redis queue and index into Elasticsearch; the sensors, where Suricata and Zeek generate events and forward them; the heavy nodes, a self-contained Elasticsearch cluster with sensor capability on board; the receiver nodes, with Logstash and Redis to take load off the manager and split it active-active; and the Intrusion Detection Honeypot (IDH) nodes, which emulate common services and flag any interaction.

The 2.4 series also reworks the underlying system. The base moves from CentOS 7 to Oracle Linux 9, and behind the choice is CentOS 7 reaching end of support, set for 30 June 2024. Grafana drops out of the health dashboard: status metrics now go into InfluxDB, which the web console queries directly.

Orchestration goes through Salt: so-setup assigns roles to nodes, and Salt distributes states and configuration. Services run in Docker containers, so updating a component means promoting a new image under the control of Salt states, not recompiling packages on every single host.

The change that counts

Putting a single Fleet-governed Elastic Agent in place of the three agents is the change you feel most in day-to-day use. Elastic Agent is a single binary that absorbs what Beats and osquery did before, and with the Elastic Defend integration it adds endpoint event collection and live queries, again through Fleet. Anyone keeping a distributed grid running notices it straight away: one agent identity per host, one centrally managed policy, one channel to the manager. You no longer configure agent by agent; you assign policies from Fleet.

The price of consolidation is a tie to a single agent vendor. Wazuh brought along its own host-based detection rules and File Integrity Monitoring, with its own alert format and a rule base built up over years. Moving that data onto Elastic Agent and the Elastic integrations means realigning the rules to the Elastic Common Schema (ECS) data model and to Fleet’s integration packages. Detection content written for Wazuh does not carry over to the new agent on its own: either you port it by hand, or you keep it separate.

Licensing

The 2.4 series tightens the dependency on Elastic components, and the licence of those components is not OSI-approved. Since 7.11 (February 2021) Elasticsearch and Kibana no longer sit under Apache 2.0: they ship dual-licensed under the Elastic License 2.0 and the Server Side Public License (SSPL), and the Open Source Initiative recognises neither as Open Source. Elastic Agent and Elastic Defend fall within the same frame. The Elastic License 2.0 in particular forbids offering the software as a managed service to third parties and circumventing its licence keys.

For almost all internal uses — a SOC, a CERT, a university lab — the restriction does not bite: the stack runs for your own monitoring and nothing more. It becomes a problem for anyone who wants to resell Security Onion or run it as a service on behalf of third parties, and there the Elastic License 2.0 clause needs reading carefully. The rest of the distribution holds together a mosaic of licences: Suricata and Zeek under permissive and GPL terms, Strelka under Apache 2.0, Security Onion’s own scripts under Apache 2.0 or related licences, while TheHive and Cortex — when you hook them into the case-management flow — sit under AGPLv3.

Limits

The 2.4 series raises the bar on requirements: Oracle Linux 9 and a containerised Elastic 8 stack want more RAM and more disk than 2.3 needed, and for anyone standing up an Evaluation install on a modest lab machine that is a concrete detail. There is no painless in-place upgrade from 2.3 to 2.4 that holds for every configuration: with the agent consolidation and the change of base operating system, in many cases it is better to reinstall from scratch and bring the endpoints back under Fleet than to migrate in place. A note on the version numbers cited here: they capture the situation as of 6 October 2023, and the 2.4 series goes on across later point releases, with network-component updates and fixes that change the details above.


Cover image: Security Onion desktop showing the distribution’s logo centred on a dark blue background, with Home and Trash icons and an… — logo by Skarz, CC BY-SA 4.0 — https://commons.wikimedia.org/wiki/File:Security_Onion_Desktop.png