For best performance, we recommend starting with Ubuntu Server (no GUI) and adding our Security Onion packages as described in our ProductionDeployment guide.
If you're unable to start with Ubuntu Server (no GUI) as recommended above, you can disable the GUI after the system is installed.
When you run Setup, make sure you choose Best Practices.
Disable any other unnecessary services. For example, to disable bluetooth:
sudo systemctl stop bluetooth.service sudo systemctl disable bluetooth.service
For best performance, CPU intensive processes like Zeek, Suricata, and Snort should be pinned to specific CPUs. In most cases, you'll want to pin sniffing processes to the same CPU that your sniffing NIC is bound to.
If you have plenty of RAM, disable swap altogether.
hdparm to gather drive statistics and alter settings, as described here:vm.dirty_ratio is the maximum amount of system memory that can be filled with dirty pages before everything must get committed to disk.
vm.dirty_background_ratio is the percentage of system memory that can be filled with “dirty” pages, or memory pages that still need to be written to disk -- before the pdflush/flush/kdmflush background processes kick in to write it to disk.
You will want to make sure that each part of the pipeline is operating at maximum efficiency. Depending on your configuration, this may include syslog-ng, Logstash, Redis, and Elasticsearch. For really high volume logs, you may want to consider the LOGSTASH_MINIMAL option.