I ran a Security Onion 2.3 setup on CentOS 7.9 until I started having problems with it related to my hardware. I want to set up SO 2.4 on the same, but beefed up, hardware. The boxes refuse to boot from a flash disk and the standard ISO won’t fit on a DVD. There is a network install option which ran on a fresh install of 7.9 for version 2.3. Version 2.4 was slated to use Rocky 9 as its OS until they switched to Oracle Linux. I get failures trying to install Oracle Linux 9 on my hardware now. SO says that Rocky will run SO but there was no testing and of course no support. So I am wondering if installing SO 2.4 on a fresh Rocky 9 install is worth a try. I use a Dell Poweredge R710 for a sensor node, a Poweredge T110 II for a search node, and a 2012 mac mini for the manager node by the way.
What failures? Due to lack of x86_64-v2 CPU support or something else? Rocky 9 will also have the same problems if it’s due to that.
That’s only really a decision you can make, since you’ll be the one having to support it yourself if SecurityOnion will not help. If you require help/assistance from them, then you’ll need to use the versions that they support.
The install fails due to a missing RPM, using the boot ISO like Rocky has. No idea why when it has worked previously. The R710 has Nehalem chips so it meets the v2 requirement, barely. The mini has a 3rd gen i7.
It would be interesting to know which rpm it’s failing on. But if you downloaded the Security Onion ISO where they have it all ready to install along with their package that would potentially suggest something is wrong with their image. Maybe check the md5sum, shasum for the downloaded Security Onion ISO to make sure it matches whatever they have on their site in case it’s a corrupt download. But using their embedded ISO with everything you could get support from them not only for when using it, but also for installing it.
I’ve got an old DL360 or DL380 which is compliant with x86_64-v2, and I’ll see if it will install as a VM, since I use the server for KVM virtual machines. As the CPU is passed through that shouldn’t be an issue, but it could also confirm whether I can install it OK, or whether their ISO is the problem.
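Two of the checks raised above (does the CPU meet the x86_64-v2 baseline, and does the downloaded ISO match the published checksum) can be scripted before burning anything. This is an added example written for this thread, not code from any post or from the Security Onion project; it assumes the feature names as Linux spells them in /proc/cpuinfo, and the ISO path and reference hash are placeholders you fill in from the vendor's checksum file.

```shell
#!/bin/sh
# Pre-flight checks for an EL9 / Security Onion 2.4 install on older hardware.
# Added example for this thread (assumptions noted inline).

# x86_64-v2 (the psABI level-2 baseline) requires CMPXCHG16B, LAHF/SAHF,
# POPCNT, SSE3, SSSE3, SSE4.1 and SSE4.2. /proc/cpuinfo spells those as:
V2_FLAGS="cx16 lahf_lm popcnt pni ssse3 sse4_1 sse4_2"

# missing_v2_flags FLAGLINE -> prints the level-2 features absent from FLAGLINE
# (empty output means the CPU satisfies the v2 baseline).
missing_v2_flags() {
    missing=""
    for f in $V2_FLAGS; do
        case " $1 " in
            *" $f "*) ;;                       # present
            *) missing="$missing $f" ;;        # absent
        esac
    done
    printf '%s' "${missing# }"
}

# host_flags -> the "flags" line of the first CPU on this machine
host_flags() {
    grep -m1 '^flags' /proc/cpuinfo | cut -d: -f2
}

# verify_iso ISO EXPECTED_SHA256 -> 0 if the file hashes to EXPECTED_SHA256
# Compare against the checksum the vendor publishes next to the ISO, not one
# you computed yourself, or a corrupt download passes trivially.
verify_iso() {
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# Usage (placeholders; /path/to/image.iso and the hash are not from this thread):
#   miss=$(missing_v2_flags "$(host_flags)")
#   [ -z "$miss" ] && echo "CPU is x86_64-v2 capable" || echo "missing: $miss"
#   verify_iso /path/to/image.iso 0000...0000 && echo "ISO checksum OK"
```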
I tried again and got the error:
The following error occurred while installing the payload. This is a fatal error and installation will be aborted.
Failed to download the following packages:libtdb-1.4.12-1.el9.x86_64:
Cannot download, all mirrors were already tried without success
This is using a DVD copy of the Oracle Linux 9.5 boot ISO.
You could do with explaining what you are actually installing and how. Because from what I see here: Installation — Security Onion Documentation 2.4 documentation you boot from their ISO to install Security Onion. And from what I see that ISO image is Debian-based.
I don’t see any mention in their documentation about installation from Oracle Linux or anything like that. Up until now, I was under the impression their ISO was based on Oracle Linux, but since you are using a boot ISO, that would suggest you are doing something entirely different to the instructions that I have linked.
The boot iso needs access to mirrors on the internet, perhaps use minimal ISO instead for installing things like Rocky Linux. Maybe Oracle also has a minimal ISO you can use. But we don’t offer support for Oracle here on these forums.
As I mentioned, there is an install option from the network onto EL9:
–Excerpt–
–
It seems that Oracle Linux 9.6 came out while I have been futzing around this morning. I just burned the boot ISO and will try it with fingers crossed that all libraries are online for an install with it.
OK, so I would say using Rocky 9 isn’t a problem. They just say it’s not fully tested. Since pretty much any EL9 version is the same, then it shouldn’t matter if it’s Oracle, RHEL, Rocky, Alma, etc. You don’t really need to do a network installation. I would just do a minimal installation, and then follow the remainder of their instructions. Obviously with a minimal installation, once it’s running, you can do:
dnf update
and then do the remainder of their documentation to get Security Onion installed.
Also note, none of the network installations are supported, not even Oracle Linux.
and also this:
seems they prefer their ISO image to be used for installation.
As discussed in my original post, my hardware simply does not allow any other type of install. The boxes will not boot from flash disks, and the ISO will not fit on a DVD. I ran SO 2.3 on CentOS 7.9 for a long time on this same hardware using this same install method, but 2.3 as well as EL7 are all end of life.
I have now tried Oracle Linux 9.2, 9.5, and 9.6 and all fail because they can’t find something in online mirrors, different things for each version. I believe the next thing to try is an install of Rocky then going through the network install process.
When SO 2.4 was in development, their announcements stated that Rocky was their original choice for the underlying OS, but the Red Hat you-don’t-get-source-anymore announcement spooked them into choosing Oracle apparently. I guess I get to be the one to try it out. The original intent of the thread was to see if anyone else had tried, but it seems I will get to go first.
Forgot about the ISO/USB thing. Just one more thing: do these servers have the equivalent of iLO on HP servers? I have an HP server (already mentioned), and I just use the iLO for connecting ISO images to boot from, and it works across the network. I never have to connect CDs, DVDs or USB sticks to the server physically. Maybe that’s an option, unless you don’t have anything like this?
Anyway, good luck, I’m sure the Rocky boot will install easier than the Oracle one.
The R710 has Dell’s DRAC hardware installed, the same as HP’s iLO. It supports virtual DVDs or some such, but I have never tried that.
I am about to try a Rocky 9.5 boot DVD and then attempt the network install, will let everyone know.