
SELKS 5.0 Beta1

Peter Manev edited this page Nov 6, 2018 · 19 revisions


Short admin and config intro

You can download SELKS 5 from here -

Our blog about the release -

Virtual machine import note - the recommended initial setup for SELKS 5.0 is 2 vCPUs and 5-6 GB RAM.

Credentials and log in

Usage and logon credentials (OS/ssh and web management user):

  • user: selks-user
  • password: selks-user

(password in Live mode is live)

The default root password is StamusNetworks

First time setup

NOTE: Internet access is needed to complete the first time setup.



On Desktop versions of SELKS:

Double click "FirstTimeSetup" icon on the desktop

NOTE: The first time setup script can take about 2-5 min to finish. Logs from the first time setup process and its tasks are located in /opt/selks/log/

Follow the instructions: type in the desired sniffing interface(s) and choose whether or not to enable Full Packet Capture (FPC).

After the script has finished you can access the web management interface, which provides a landing page for:

  • Scirius - ruleset management and Suricata administration
  • Kibana dashboards - providing links/connections to rules, alert and event drill-down, correlation and Full Packet Capture
  • EveBox - alert, event and correlation management
  • Moloch viewer - pcap export and packet capture drill-down
  • Scirius Hunt interface - once logged in, click in the upper right corner and choose Hunt.


To see the status of the critical services:

systemctl status suricata elasticsearch logstash kibana evebox molochviewer-selks molochpcapread-selks
supervisorctl status scirius


All configs for Elasticsearch, Kibana, Logstash and Scirius are in their default locations, for example /etc/{service_name_here}/

For Moloch:


For Suricata:


selks5-addin.yaml contains the SELKS 5 and Suricata specific setup. selks5-interfaces-config.yaml contains the interface configuration for the chosen sniffing interfaces, auto-generated by the First Time Setup script.


The first time setup script can be run from the command line:


or from the desktop shortcut (if using the desktop version of SELKS) by double-clicking the FirstTimeSetup icon.

Data, Logs and Full Packet Capture












Full Packet Capture (FPC)

Full Packet Capture on SELKS 5 is done by Suricata. During the first time setup you will be asked to choose one of:

1) FPC - Full Packet Capture. Suricata will rotate and delete the captured pcap files.
2) FPC_Retain - Full Packet Capture with Moloch's pcap retention/rotation. Keeps the pcaps as long as there is space available.
3) None - disable packet capture

How it all comes together

The default settings for SELKS 5 are located in /etc/suricata/selks5-addin.yaml and in terms of FPC are:

- pcap-log:
    enabled: yes
    filename: log.%n.%t.pcap
    #filename: log.pcap

    # File size limit.  Can be specified in kb, mb, gb.  Just a number
    # is parsed as bytes.
    limit: 10mb

    # If set to a value will enable ring buffer mode. Will keep Maximum of "max-files" of size "limit"
    max-files: 20

    mode: multi # normal, multi or sguil.

    # Directory to place pcap files. If not provided the default log
    # directory will be used. Required for "sguil" mode.
    dir: /data/nsm/

This means that Suricata writes one pcap file per packet-processing thread (by default there are as many threads as CPUs available). When a thread's pcap reaches 10 MB in size it is closed and a new one is started.

NOTE: Only when Suricata closes a pcap for writing is it picked up by the Moloch reader and digested into Elasticsearch. This explains why in certain cases you can see an alert while the FPC is not yet available in the Moloch viewer.

The pcaps are rotated on a per-thread basis once a thread has written 20 pcaps. So with the default configuration you could theoretically have a maximum of:

20 * #number_of_threads * 10MB

For a 4 CPU machine with the default settings this would be:

20 * 4 * 10MB = 800MB of data max.

After that the files are rotated and usage never goes over 800MB.

If you adjust those default settings you need to restart the service for the changes to take effect:

systemctl restart suricata
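The sizing rule above (max-files * limit per thread * number of capture threads) is easy to get wrong once the defaults are changed, so here is an added example, not part of the SELKS project, that reads the pcap-log keys from a file in the selks5-addin.yaml format and prints the worst-case disk usage of the ring buffer. The sample config it writes is the block quoted above; the thread count is assumed to equal the number of CPUs, as the page states for the default setup.

```shell
#!/bin/sh
# Added example (not SELKS project code): estimate the worst-case disk use of
# Suricata's pcap-log ring buffer from the settings in selks5-addin.yaml.
# Worst case = max-files * limit per capture thread * number of threads.

# Convert a Suricata size string to bytes. Suricata accepts kb, mb, gb
# suffixes (1024-based) and treats a bare number as bytes.
to_bytes() {
    v=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    case "$v" in
        *kb) echo $(( ${v%kb} * 1024 )) ;;
        *mb) echo $(( ${v%mb} * 1024 * 1024 )) ;;
        *gb) echo $(( ${v%gb} * 1024 * 1024 * 1024 )) ;;
        *)   echo $(( v )) ;;
    esac
}

# yaml_value <file> <key>: value of "key:" in the file. First match wins,
# commented-out lines ("#filename: ...") are skipped and trailing "# ..."
# comments are dropped.
yaml_value() {
    sed -n "s/^[[:space:]]*$2:[[:space:]]*\([^#[:space:]]*\).*/\1/p" "$1" | head -n 1
}

# pcap_ring_max_bytes <yaml> <threads>: upper bound on bytes under "dir".
pcap_ring_max_bytes() {
    limit=$(to_bytes "$(yaml_value "$1" limit)")
    files=$(yaml_value "$1" max-files)
    echo $(( limit * files * $2 ))
}

# Write the pcap-log block shipped with SELKS 5 (copied from the page) into
# a file so the example runs without touching /etc/suricata.
write_sample_config() {
    cat > "$1" <<'EOF'
- pcap-log:
    enabled: yes
    filename: log.%n.%t.pcap
    #filename: log.pcap
    limit: 10mb
    max-files: 20
    mode: multi # normal, multi or sguil.
    dir: /data/nsm/
EOF
}

# Demo: 4 capture threads (one per CPU) with the default settings.
sample=$(mktemp)
write_sample_config "$sample"
threads=4
max=$(pcap_ring_max_bytes "$sample" "$threads")
echo "pcap ring buffer can reach $max bytes ($(( max / 1024 / 1024 )) MiB) in $(yaml_value "$sample" dir)"
rm -f "$sample"
```

On a real box replace the sample file with /etc/suricata/selks5-addin.yaml and the thread count with the number of CPUs (nproc); the result is the figure to compare against the free space on the partition holding /data/nsm/.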

Option 1

Pcaps get stored in:


If you choose Option 1 the pcaps will be rotated by Suricata.

Keeping the pcap files smaller means they are closed, and therefore digested, more often. The right size needs to be tried and tested for each particular deployment, depending on the volume of sniffed traffic.

Moloch's config.ini settings are explained here -

Option 2

Pcaps get stored in:


The pcap storage is handled by Moloch. In that case Suricata still writes the FPC pcaps to /data/nsm/, but when it is done writing a file (for example because the file is closed on reaching the default 10MB limit) the file is digested and then immediately deleted from /data/nsm/, while being kept in /data/moloch/raw/. The rotation policy of Moloch is described here - The settings, if needed, can be adjusted on SELKS in /data/moloch/etc/config.ini. You need to restart the service for the changes to take effect: systemctl restart molochpcapread-selks

Moloch's config.ini settings are explained here -

Moloch's storage handling is explained here -

Option 3

In this option there is no pcap capture and digestion into the Elasticsearch DB by Moloch; Suricata would still do FPC, however. If you would like to disable that as well, switch it off completely in the Suricata config - /etc/suricata/selks5-addin.yaml:

- pcap-log:
    enabled: no
    filename: log.%n.%t.pcap
    #filename: log.pcap

FPC data deletion/rotation

The Moloch and Elasticsearch clean-up procedure is located in:


With respect to pcap storage, depending on whether you chose Option 1 or Option 2, pcap rotation and deletion is handled either by Suricata or by Moloch, as explained in the sections above.

To clean up and delete all logs and pcaps and flush the Elasticsearch DB (wipe everything out) you could use:


The PCAP storage rotation policy of Moloch (if it is chosen) is described here -

To see the size of the indices in Elasticsearch:

curl -X GET "localhost:9200/_cat/indices?v&s=store.size"

To check specifically the indices created from Suricata's logs in Elasticsearch:

curl -X GET "localhost:9200/_cat/indices?v&s=store.size" | grep logstash
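The _cat/indices output is sorted by store.size but the sizes are human-readable strings, so totalling what Suricata's logstash-* indices occupy takes a little parsing. The following is an added example, not part of the SELKS project: a shell function that reads _cat/indices output on stdin, converts the store.size column to bytes and reports the count, total and largest index for a given prefix, plus a budget check. The _cat output and its uuid column are constructed sample data.

```shell
#!/bin/sh
# Added example (not SELKS project code): summarise how much Elasticsearch
# storage the Suricata (logstash-*) indices take, from the output of
#   curl -s "localhost:9200/_cat/indices?v&s=store.size"
# Sizes in _cat output are human readable (b, kb, mb, gb, tb), so they are
# converted to bytes before being summed.

# logstash_index_usage <prefix>: reads _cat/indices output on stdin and prints
# "<n_indices> <total_bytes> <largest_index> <largest_bytes>".
logstash_index_usage() {
    awk -v prefix="$1" '
        function to_bytes(s,   n, u) {
            n = s + 0                      # numeric part, e.g. 1.2
            u = s; sub(/^[0-9.]+/, "", u)  # unit part, e.g. gb
            if (u == "kb") return n * 1024
            if (u == "mb") return n * 1024 * 1024
            if (u == "gb") return n * 1024 * 1024 * 1024
            if (u == "tb") return n * 1024 * 1024 * 1024 * 1024
            return n                       # "b" or no suffix
        }
        NR == 1 {                          # header line: find columns by name
            for (i = 1; i <= NF; i++) {
                if ($i == "index") idx = i
                if ($i == "store.size") sz = i
            }
            next
        }
        index($idx, prefix) == 1 {         # only indices starting with the prefix
            b = to_bytes($sz); count++; total += b
            if (b > biggest) { biggest = b; name = $idx }
        }
        END { printf "%d %.0f %s %.0f\n", count, total, name, biggest }
    '
}

# index_budget_ok <prefix> <budget_bytes>: returns 0 when the prefix total
# (read from _cat output on stdin) is within the budget, 1 otherwise.
index_budget_ok() {
    total=$(logstash_index_usage "$1" | cut -d' ' -f2)
    [ "$total" -le "$2" ]
}

# Constructed sample of _cat/indices?v output (uuids are placeholders).
sample_cat_indices() {
    cat <<'EOF'
health status index               uuid                   pri rep docs.count docs.deleted store.size pri.store.size
green  open   .kibana_1           aaaaaaaaaaaaaaaaaaaaaa   1   0         40            2     50.1kb         50.1kb
yellow open   logstash-2018.11.05 bbbbbbbbbbbbbbbbbbbbbb   5   1      10000            0      2.5mb          2.5mb
yellow open   logstash-2018.11.06 cccccccccccccccccccccc   5   1      80000            0      1.2gb          1.2gb
EOF
}

# Demo on the sample; on a live SELKS box feed the curl output instead.
sample_cat_indices | logstash_index_usage logstash- | {
    read n total name big
    echo "$n logstash indices use $total bytes ($(( total / 1024 / 1024 )) MiB); largest: $name ($big bytes)"
}
```

Run as `curl -s "localhost:9200/_cat/indices?v&s=store.size" | logstash_index_usage logstash-` on the SELKS host; `index_budget_ok logstash- <bytes>` gives a non-zero exit status suitable for a cron job that warns before the Elasticsearch data disk fills up.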


Handy scripts -

Clean all logs and flush DBs:


First time setup. Can be run multiple times, as many as needed/wanted:


Set up and configure Moloch (already included in execution sequence):


Set up sniffing interface for Suricata(already included in execution sequence):


SELKS Upgrade:


Data storage considerations

For speed, the OS and /data/nsm/ can reside on SSDs. Depending on your FPC needs you can consider mounting /data/moloch/raw/ on separate partitions/disks; those can be slower.

Kibana dashboards

To reload/reset the dashboards from the command line/shell:

cd /usr/share/python/scirius/ && . bin/activate && python bin/ kibana_reset && deactivate

To reload/reset the dashboards from Scirius -

Go to System settings (from the Stamus logo drop down menu in the left upper corner) -> Kibana -> choose the desired action.

Source location:


Performance optimizations and docs



A quick first attempt at performance optimization is to look at /etc/elasticsearch/jvm.options and increase the heap:

## JVM configuration

## IMPORTANT: JVM heap size
## You should always set the min and max JVM heap
## size to the same value. For example, to set
## the heap to 4 GB, set:
## -Xms4g
## -Xmx4g
## See
## for more information

# Xms represents the initial size of total heap space
# Xmx represents the maximum size of total heap space


A more thorough guide for Elasticsearch performance tuning



For a quick attempt at performance optimization you could try increasing the heap in /etc/logstash/jvm.options:

# Xms represents the initial size of total heap space
# Xmx represents the maximum size of total heap space


Also in /etc/logstash/logstash.yml:

# This defaults to the number of the host's CPU cores.
# pipeline.workers: 2
# How many events to retrieve from inputs before sending to filters+workers
# pipeline.batch.size: 125
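Both jvm.options files above (Elasticsearch and Logstash) use the same -Xms/-Xmx syntax, and the comment in the Elasticsearch file insists the two values be equal. The following is an added example, not part of the SELKS project: a shell checker that reads the active heap options from a jvm.options file, verifies -Xms equals -Xmx and that the heap does not exceed half of the host's RAM. The 50% ceiling is the guidance from the Elasticsearch documentation (it leaves memory for the filesystem cache); applying it to the Logstash file as well is an assumption of this example, as is the rule that the last occurrence of an option wins when it is repeated. The sample files are constructed.

```shell
#!/bin/sh
# Added example (not SELKS project code): sanity-check the heap lines in a
# jvm.options file (/etc/elasticsearch/jvm.options or /etc/logstash/jvm.options).
# Checks: -Xms and -Xmx are both set and equal (as the file's own comment
# requires), and the heap stays at or below half of the host's RAM (the
# ceiling recommended by the Elasticsearch documentation).

# JVM sizes use k/m/g suffixes (1024-based); a bare number is bytes.
jvm_to_bytes() {
    v=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    case "$v" in
        *k) echo $(( ${v%k} * 1024 )) ;;
        *m) echo $(( ${v%m} * 1024 * 1024 )) ;;
        *g) echo $(( ${v%g} * 1024 * 1024 * 1024 )) ;;
        *)  echo $(( v )) ;;
    esac
}

# heap_option <file> <Xms|Xmx>: value of the active (uncommented) option.
# Assumed: the last occurrence wins, as the JVM treats repeated options.
heap_option() {
    sed -n "s/^[[:space:]]*-$2\([0-9][0-9a-zA-Z]*\)[[:space:]]*\$/\1/p" "$1" | tail -n 1
}

# check_heap <file> <ram_bytes>: prints a verdict line; returns 0 when the
# configuration passes both checks, 1 otherwise.
check_heap() {
    xms=$(heap_option "$1" Xms)
    xmx=$(heap_option "$1" Xmx)
    if [ -z "$xms" ] || [ -z "$xmx" ]; then
        echo "FAIL: $1 must set both -Xms and -Xmx"; return 1
    fi
    if [ "$(jvm_to_bytes "$xms")" -ne "$(jvm_to_bytes "$xmx")" ]; then
        echo "FAIL: $1 sets -Xms$xms but -Xmx$xmx; make them equal"; return 1
    fi
    if [ "$(jvm_to_bytes "$xmx")" -gt $(( $2 / 2 )) ]; then
        echo "FAIL: $1 heap $xmx exceeds half of RAM ($(( $2 / 1024 / 1024 )) MiB)"; return 1
    fi
    echo "OK: $1 heap $xmx"
}

# Total physical memory in bytes, from /proc/meminfo (Linux only).
host_ram_bytes() {
    awk '/^MemTotal:/ { printf "%d\n", $2 * 1024 }' /proc/meminfo
}

# write_sample <file> <xms> <xmx>: constructed jvm.options for the demo;
# the "## -Xms4g" lines mirror the commented hints in the real file and
# must be ignored by the parser.
write_sample() {
    cat > "$1" <<EOF
## JVM configuration
## -Xms4g
## -Xmx4g
-Xms$2
-Xmx$3
-XX:+UseConcMarkSweepGC
EOF
}

# Demo: one sane file and one with mismatched values, on an assumed 8 GiB host.
good=$(mktemp); write_sample "$good" 2g 2g
bad=$(mktemp);  write_sample "$bad" 1g 4g
check_heap "$good" $(( 8 * 1024 * 1024 * 1024 )) || true
check_heap "$bad"  $(( 8 * 1024 * 1024 * 1024 )) || true
rm -f "$good" "$bad"
```

On a SELKS host run `check_heap /etc/elasticsearch/jvm.options "$(host_ram_bytes)"` and the same for /etc/logstash/jvm.options; remember that both JVMs, Suricata and Moloch share the same RAM, so the two heaps together should leave the 5-6 GB minimum from the top of this page some headroom.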

A more thorough guide for Performance tuning and troubleshooting



Performance tuning:



Performance tuning (for advanced users):
