false positive

ensure docker cp command follows container symlinks
deprecated kibana config
2026-01-16 05:01:31 +01:00 · 2026-01-15 15:25:28 -06:00 · 2026-01-15 15:18:18 -06:00 · 2026-01-15 15:17:22 -06:00 · 2026-01-15 14:43:57 -06:00 · 2026-01-15 15:11:00 -05:00
8 changed files with 88 additions and 34 deletions
--- a/.github/DISCUSSION_TEMPLATE/2-4.yml
+++ b/.github/DISCUSSION_TEMPLATE/2-4.yml
@@ -33,6 +33,7 @@ body:
        - 2.4.180
        - 2.4.190
        - 2.4.200
+        - 2.4.201
        - 2.4.210
        - Other (please provide detail below)
    validations:
--- a/DOWNLOAD_AND_VERIFY_ISO.md
+++ b/DOWNLOAD_AND_VERIFY_ISO.md
@@ -1,17 +1,17 @@
-### 2.4.200-20251216 ISO image released on 2025/12/16
+### 2.4.201-20260114 ISO image released on 2026/1/15


 ### Download and Verify

-2.4.200-20251216 ISO image:  
-https://download.securityonion.net/file/securityonion/securityonion-2.4.200-20251216.iso
+2.4.201-20260114 ISO image:  
+https://download.securityonion.net/file/securityonion/securityonion-2.4.201-20260114.iso
 
-MD5: 07B38499952D1F2FD7B5AF10096D0043  
-SHA1: 7F3A26839CA3CAEC2D90BB73D229D55E04C7D370  
-SHA256: 8D3AC735873A2EA8527E16A6A08C34BD5018CBC0925AC4096E15A0C99F591D5F  
+MD5: 20E926E433203798512EF46E590C89B9  
+SHA1: 779E4084A3E1A209B494493B8F5658508B6014FA  
+SHA256: 3D10E7C885AEC5C5D4F4E50F9644FF9728E8C0A2E36EBB8C96B32569685A7C40  

 Signature for ISO image:  
-https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.200-20251216.iso.sig
+https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.201-20260114.iso.sig

 Signing key:  
 https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/2.4/main/KEYS  
@@ -25,22 +25,22 @@ wget https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/2.

 Download the signature file for the ISO:  
 ```
-wget https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.200-20251216.iso.sig
+wget https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.201-20260114.iso.sig
 ```

 Download the ISO image:  
 ```
-wget https://download.securityonion.net/file/securityonion/securityonion-2.4.200-20251216.iso
+wget https://download.securityonion.net/file/securityonion/securityonion-2.4.201-20260114.iso
 ```

 Verify the downloaded ISO image using the signature file:  
 ```
-gpg --verify securityonion-2.4.200-20251216.iso.sig securityonion-2.4.200-20251216.iso
+gpg --verify securityonion-2.4.201-20260114.iso.sig securityonion-2.4.201-20260114.iso
 ```

 The output should show "Good signature" and the Primary key fingerprint should match what's shown below:
 ```
-gpg: Signature made Mon 15 Dec 2025 05:24:11 PM EST using RSA key ID FE507013
+gpg: Signature made Wed 14 Jan 2026 05:23:39 PM EST using RSA key ID FE507013
 gpg: Good signature from "Security Onion Solutions, LLC <info@securityonionsolutions.com>"
 gpg: WARNING: This key is not certified with a trusted signature!
 gpg:          There is no indication that the signature belongs to the owner.
--- a/salt/common/tools/sbin/so-log-check
+++ b/salt/common/tools/sbin/so-log-check
@@ -130,6 +130,7 @@ if [[ $EXCLUDE_STARTUP_ERRORS == 'Y' ]]; then
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|process_cluster_event_timeout_exception" # logstash waiting for elasticsearch to start
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|not configured for GeoIP"     # SO does not bundle the maxminddb with Zeek
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|HTTP 404: Not Found"          # Salt loops until Kratos returns 200, during startup Kratos may not be ready
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|Cancelling deferred write event maybeFenceReplicas because the event queue is now closed" # Kafka controller log during shutdown/restart
 fi

 if [[ $EXCLUDE_FALSE_POSITIVE_ERRORS == 'Y' ]]; then
@@ -160,6 +161,7 @@ if [[ $EXCLUDE_FALSE_POSITIVE_ERRORS == 'Y' ]]; then
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|adding ingest pipeline"       # false positive (elasticsearch ingest pipeline names contain 'error') 
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|updating index template"      # false positive (elasticsearch index or template names contain 'error') 
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|updating component template"  # false positive (elasticsearch index or template names contain 'error') 
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|upgrading component template"  # false positive (elasticsearch index or template names contain 'error')
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|upgrading composable template" # false positive (elasticsearch composable template names contain 'error')
 fi

--- a/salt/elasticsearch/tools/sbin_jinja/so-catrust
+++ b/salt/elasticsearch/tools/sbin_jinja/so-catrust
@@ -14,8 +14,9 @@ set -e
 # Check to see if we have extracted the ca cert.
 if [ ! -f /opt/so/saltstack/local/salt/elasticsearch/cacerts ]; then
    docker run -v /etc/pki/ca.crt:/etc/ssl/ca.crt --name so-elasticsearchca --user root --entrypoint jdk/bin/keytool {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-elasticsearch:$ELASTIC_AGENT_TARBALL_VERSION -keystore /usr/share/elasticsearch/jdk/lib/security/cacerts -alias SOSCA -import -file /etc/ssl/ca.crt -storepass changeit -noprompt
-    docker cp so-elasticsearchca:/usr/share/elasticsearch/jdk/lib/security/cacerts /opt/so/saltstack/local/salt/elasticsearch/cacerts
-    docker cp so-elasticsearchca:/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem /opt/so/saltstack/local/salt/elasticsearch/tls-ca-bundle.pem
+    # Make sure symbolic links are followed when copying from container
+    docker cp -L so-elasticsearchca:/usr/share/elasticsearch/jdk/lib/security/cacerts /opt/so/saltstack/local/salt/elasticsearch/cacerts
+    docker cp -L so-elasticsearchca:/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem /opt/so/saltstack/local/salt/elasticsearch/tls-ca-bundle.pem
    docker rm so-elasticsearchca
    echo "" >> /opt/so/saltstack/local/salt/elasticsearch/tls-ca-bundle.pem
    echo "sosca" >> /opt/so/saltstack/local/salt/elasticsearch/tls-ca-bundle.pem
--- a/salt/kibana/defaults.yaml
+++ b/salt/kibana/defaults.yaml
@@ -25,11 +25,10 @@ kibana:
      discardCorruptObjects: "8.18.8"
    telemetry:
      enabled: False
-    security:
-      showInsecureClusterWarning: False
    xpack:
      security:
        secureCookies: true
+        showInsecureClusterWarning: false
      reporting:
        kibanaServer:
          hostname: localhost
--- a/salt/manager/tools/sbin/soup
+++ b/salt/manager/tools/sbin/soup
@@ -433,7 +433,8 @@ preupgrade_changes() {
    [[ "$INSTALLEDVERSION" == 2.4.170 ]] && up_to_2.4.180
    [[ "$INSTALLEDVERSION" == 2.4.180 ]] && up_to_2.4.190
    [[ "$INSTALLEDVERSION" == 2.4.190 ]] && up_to_2.4.200
-    [[ "$INSTALLEDVERSION" == 2.4.200 ]] && up_to_2.4.210
+    [[ "$INSTALLEDVERSION" == 2.4.200 ]] && up_to_2.4.201
+    [[ "$INSTALLEDVERSION" == 2.4.201 ]] && up_to_2.4.210
    true
 }

@@ -448,25 +449,26 @@ postupgrade_changes() {
    [[ "$POSTVERSION" == 2.4.10 ]] && post_to_2.4.20
    [[ "$POSTVERSION" == 2.4.20 ]] && post_to_2.4.30
    [[ "$POSTVERSION" == 2.4.30 ]] && post_to_2.4.40
-    [[ "$POSTVERSION"  == 2.4.40 ]] && post_to_2.4.50
-    [[ "$POSTVERSION"  == 2.4.50 ]] && post_to_2.4.60
-    [[ "$POSTVERSION"  == 2.4.60 ]] && post_to_2.4.70
-    [[ "$POSTVERSION"  == 2.4.70 ]] && post_to_2.4.80
-    [[ "$POSTVERSION"  == 2.4.80 ]] && post_to_2.4.90
-    [[ "$POSTVERSION"  == 2.4.90 ]] && post_to_2.4.100
-    [[ "$POSTVERSION"  == 2.4.100 ]] && post_to_2.4.110
+    [[ "$POSTVERSION" == 2.4.40 ]] && post_to_2.4.50
+    [[ "$POSTVERSION" == 2.4.50 ]] && post_to_2.4.60
+    [[ "$POSTVERSION" == 2.4.60 ]] && post_to_2.4.70
+    [[ "$POSTVERSION" == 2.4.70 ]] && post_to_2.4.80
+    [[ "$POSTVERSION" == 2.4.80 ]] && post_to_2.4.90
+    [[ "$POSTVERSION" == 2.4.90 ]] && post_to_2.4.100
+    [[ "$POSTVERSION" == 2.4.100 ]] && post_to_2.4.110
    [[ "$POSTVERSION" == 2.4.110 ]] && post_to_2.4.111
-    [[ "$POSTVERSION"  == 2.4.111 ]] && post_to_2.4.120
-    [[ "$POSTVERSION"  == 2.4.120 ]] && post_to_2.4.130
-    [[ "$POSTVERSION"  == 2.4.130 ]] && post_to_2.4.140
-    [[ "$POSTVERSION"  == 2.4.140 ]] && post_to_2.4.141
-    [[ "$POSTVERSION"  == 2.4.141 ]] && post_to_2.4.150
-    [[ "$POSTVERSION"  == 2.4.150 ]] && post_to_2.4.160
-    [[ "$POSTVERSION"  == 2.4.160 ]] && post_to_2.4.170
-    [[ "$POSTVERSION"  == 2.4.170 ]] && post_to_2.4.180
-    [[ "$POSTVERSION"  == 2.4.180 ]] && post_to_2.4.190
-    [[ "$POSTVERSION"  == 2.4.190 ]] && post_to_2.4.200
-    [[ "$POSTVERSION"  == 2.4.200 ]] && post_to_2.4.210
+    [[ "$POSTVERSION" == 2.4.111 ]] && post_to_2.4.120
+    [[ "$POSTVERSION" == 2.4.120 ]] && post_to_2.4.130
+    [[ "$POSTVERSION" == 2.4.130 ]] && post_to_2.4.140
+    [[ "$POSTVERSION" == 2.4.140 ]] && post_to_2.4.141
+    [[ "$POSTVERSION" == 2.4.141 ]] && post_to_2.4.150
+    [[ "$POSTVERSION" == 2.4.150 ]] && post_to_2.4.160
+    [[ "$POSTVERSION" == 2.4.160 ]] && post_to_2.4.170
+    [[ "$POSTVERSION" == 2.4.170 ]] && post_to_2.4.180
+    [[ "$POSTVERSION" == 2.4.180 ]] && post_to_2.4.190
+    [[ "$POSTVERSION" == 2.4.190 ]] && post_to_2.4.200
+    [[ "$POSTVERSION" == 2.4.200 ]] && post_to_2.4.201
+    [[ "$POSTVERSION" == 2.4.201 ]] && post_to_2.4.210
    true
 }

@@ -650,6 +652,11 @@ post_to_2.4.200() {
  POSTVERSION=2.4.200
 }

+post_to_2.4.201() {
+  echo "Nothing to apply"
+  POSTVERSION=2.4.201
+}
+
 post_to_2.4.210() {
  echo "Rolling over Kratos index to apply new index template"

@@ -935,6 +942,12 @@ up_to_2.4.200() {
  INSTALLEDVERSION=2.4.200
 }

+up_to_2.4.201() {
+  echo "Nothing to do for 2.4.201"
+
+  INSTALLEDVERSION=2.4.201
+}
+
 up_to_2.4.210() {
  # Elastic Update for this release, so download Elastic Agent files
  determine_elastic_agent_upgrade
--- a/salt/sensoroni/files/templates/reports/standard/case_report.md
+++ b/salt/sensoroni/files/templates/reports/standard/case_report.md
@@ -130,4 +130,42 @@ Security Onion Case Report
 | ---- | ---- | ------ | --------- |
 {{ range sortHistory "CreateTime" "asc" .History -}}
 | {{formatDateTime "Mon Jan 02 15:04:05 -0700 2006" .CreateTime}} | {{getUserDetail "email" .UserId}} | {{.Kind}} | {{.Operation}} |
+{{end}}
+
+## Attached Onion AI Sessions
+
+{{ range $idx, $session := sortAssistantSessionDetails "CreateTime" "desc" .AssistantSessions }}
+
+#### Session {{ add $idx 1 }}
+
+**Session ID:** {{$session.Session.SessionId}}
+
+**Title:** {{$session.Session.Title}}
+
+**User ID:** {{getUserDetail "email" $session.Session.UserId}}
+
+**Created:** {{formatDateTime "Mon Jan 02 15:04:05 -0700 2006" $session.Session.CreateTime}}
+
+**Updated:** {{formatDateTime "Mon Jan 02 15:04:05 -0700 2006" $session.Session.UpdateTime}}
+
+{{ if $session.Session.DeleteTime }}
+**Deleted:** {{ formatDateTime "Mon Jan 02 15:04:05 -0700 2006" $session.Session.DeleteTime}}
+{{ end }}
+
+#### Messages
+
+{{ range $index, $msg := sortAssistantMessages "CreateTime" "asc" $session.History }}
+{{ range $i, $block := $msg.Message.ContentBlocks }}
+
+{{ if eq $block.Type "text" }}
+
+**Role:** {{$msg.Message.Role}}
+
+{{ stripEmoji $block.Text }}
+
+---
+
+{{ end }}{{ end }}
+
+{{end}}
 {{end}}
--- a/sigs/securityonion-2.4.201-20260114.iso.sig
+++ b/sigs/securityonion-2.4.201-20260114.iso.sig
Author	SHA1	Message	Date
reyesj2	d430ed6727	false positive	2026-01-15 15:25:28 -06:00
reyesj2	596bc178df	ensure docker cp command follows container symlinks	2026-01-15 15:18:18 -06:00
reyesj2	0cd3d7b5a8	deprecated kibana config	2026-01-15 15:17:22 -06:00
reyesj2	349d77ffdf	exclude kafka restart error	2026-01-15 14:43:57 -06:00
Josh Patterson	c3283b04e5	Merge pull request #15390 from Security-Onion-Solutions/fixmerge201210 Fixmerge201210	2026-01-15 15:11:00 -05:00
Josh Patterson	0da0788e6b	move function to be with the rest of its friends	2026-01-15 14:56:36 -05:00
Jason Ertel	6f7e249aa2	Merge pull request #15389 from Security-Onion-Solutions/jertel/wip Add version 2.4.201 to discussion template	2026-01-15 14:56:25 -05:00
Josh Patterson	dfaeed54b6	Merge remote-tracking branch 'origin/2.4/main' into fixmerge201210	2026-01-15 14:44:33 -05:00
Jason Ertel	4f59e46235	Add version 2.4.201 to discussion template	2026-01-15 14:38:40 -05:00
Mike Reeves	bf4cc7befb	Merge pull request #15386 from Security-Onion-Solutions/patch/2.4.201 2.4.201	2026-01-15 14:21:38 -05:00
Mike Reeves	c63c6dc68b	Merge pull request #15385 from Security-Onion-Solutions/2.4.201 2.4.201	2026-01-15 10:45:05 -05:00
Mike Reeves	e4225d6e9b	2.4.201	2026-01-15 10:40:21 -05:00
Mike Reeves	3fb153c43e	Add support for version 2.4.201 upgrades	2026-01-13 16:41:39 -05:00
Mike Reeves	6de20c63d4	Update VERSION	2026-01-13 16:20:57 -05:00
Matthew Wright	c99dd4e44f	Merge pull request #15367 from Security-Onion-Solutions/mwright/assistant-case-reports	2026-01-08 15:33:53 -05:00
Jorge Reyes	541b8b288d	Merge pull request #15363 from Security-Onion-Solutions/reyesj2/elastic9-autosoup ES 9.0.8	2026-01-08 14:19:19 -06:00
Matthew Wright	db168a0452	update case report for attached ai sessions	2026-01-08 13:59:51 -05:00
Mike Reeves	8ff0c6828b	Merge pull request #15319 from Security-Onion-Solutions/2.4/dev 2.4.200	2025-12-16 11:10:30 -05:00
Jason Ertel	33ada95bbc	Merge pull request #15167 from Security-Onion-Solutions/2.4/dev 2.4.190	2025-10-24 16:01:05 -04:00