
Releases: cisagov/LME

LME v2.2.0

08 Dec 18:14
9c58ad6

[2.2.0] - Timberrrrr! - 2025-12-08

Summary

LME v2.2.0 expands deployment flexibility and accessibility by introducing support for Red Hat Enterprise Linux (RHEL) 9 and enabling air-gapped installation. We also updated the Elastic stack version from 8.18.3 to 8.18.8 and adjusted our default index template settings to be optimized for single-node clusters.

What's Changed

Added support for RHEL 9

  • Added RHEL 9 support, including Dockerfile, ansible roles, and installer updates.
  • Enhanced SELinux compatibility with container-wide policies, modular policy setup, and context fixes.
  • Updated disk expansion script to double root and home partition sizes.
  • Introduced firewall configuration scripts and connectivity tests for RHEL 9.
  • Improved workflows and documentation for RHEL 9 installation and testing.
  • Added CodeReady Builder and EPEL repository support for RHEL 9.
  • Cleaned up and optimized SELinux setup, firewall scripts, and related configurations.

Added support for air-gapped deployments

  • Added support for offline installation on Ubuntu 24.04 and RHEL 9+.
  • Introduced prepare_offline.sh script to download and package all required resources (container images, system packages, agent installers, CVE database) into a compressed archive for offline use.
  • Enhanced disk space requirements and allocation for offline preparation and installation (50GB+ recommended for both preparation and installation machines).
  • Improved offline installation process to:
    • Install required system packages.
    • Configure container runtime and load container images.
    • Set up CVE database and air-gapped operation.
  • Simplified agent deployment for air-gapped environments using a local HTTP server.
  • Fixed issues with package installation, SELinux policies, and container loading for offline mode.
  • New Air-Gapped Installation documentation.
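The steps above (package resources on a connected machine, carry the archive across, load it on the air-gapped host) are where a tampered or truncated bundle would enter a deployment unnoticed. The block below is an added example of the integrity check a practitioner would wrap around that transfer; it is not LME's prepare_offline.sh or installer code. It assumes a hypothetical staging directory with images/, packages/ and agents/ subdirectories, and it stops at verification: the podman load and package install steps that would follow are mentioned in comments only.

```bash
#!/usr/bin/env bash
# Air-gapped bundle packaging with an integrity manifest.
# Added example, not LME's prepare_offline.sh. Assumes a staging directory
# (hypothetical layout) such as:
#   images/   container image tarballs (e.g. from "podman save")
#   packages/ .deb/.rpm files for the target OS
#   agents/   agent installers served later from a local HTTP server
set -euo pipefail

# pack_bundle <staging_dir> <out.tar.gz>
# Writes SHA256SUMS inside the staging dir, tars the directory up, and prints
# the archive's own SHA-256 so it can be carried out of band (written down,
# read over the phone) and compared on the air-gapped host.
pack_bundle() {
  local staging="$1" out="$2"
  ( cd "$staging" && find . -type f ! -name SHA256SUMS -print0 | sort -z | xargs -0 sha256sum > SHA256SUMS )
  tar -C "$staging" -czf "$out" .
  sha256sum "$out" | cut -d' ' -f1
}

# verify_bundle <archive> <expected_sha256> <extract_dir>
# Returns 0 only if the archive hash matches the out-of-band value AND every
# file inside matches SHA256SUMS. Nothing should be loaded or installed
# otherwise: a modified bundle is the supply-chain path an air gap invites.
verify_bundle() {
  local archive="$1" expected="$2" dest="$3"
  local actual
  actual=$(sha256sum "$archive" | cut -d' ' -f1)
  if [ "$actual" != "$expected" ]; then
    echo "archive hash mismatch: expected $expected got $actual" >&2
    return 1
  fi
  mkdir -p "$dest"
  tar -C "$dest" -xzf "$archive"
  ( cd "$dest" && sha256sum --quiet -c SHA256SUMS ) || { echo "manifest check failed" >&2; return 1; }
  return 0
}

# Only after verify_bundle returns 0 would an offline install continue with
# steps like "podman load -i $dest/images/<image>.tar" and installing from
# "$dest/packages"; those steps are assumed here and not executed.
```

The archive hash is deliberately carried separately from the archive: a SHA256SUMS file inside the tarball only detects corruption, since whoever can alter the archive can regenerate the manifest. The out-of-band hash is what ties the bundle on the isolated host to the one that was built.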

Updated index template settings

  • Updated index template settings to set the replica shard count to 0 (a single-node cluster can never allocate a replica, so the Elastic default of 1 leaves every index yellow) and removed the templates for data streams. A template only applies to indices created after it is installed; indices that already exist keep their previous replica count until their settings are updated.
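As an added example (not LME's own template or scripts), the block below shows what that setting looks like as a composable index template, the companion settings update for indices that already exist, and a check for the symptom it fixes: replica shards stuck UNASSIGNED on a one-node cluster. The ES_URL, ES_USER, ES_PASS and ES_CACERT variables, the template name lme-single-node, its priority, and the logs-* pattern are assumptions standing in for the deployment's real values; the priority must be higher than any other template matching the same pattern, or that template wins.

```bash
#!/usr/bin/env bash
# Single-node replica settings for Elasticsearch.
# Added example, not LME's template. Connection details (ES_URL, ES_USER,
# ES_PASS, ES_CACERT) and the "logs-*" pattern are hypothetical placeholders.
set -euo pipefail

# JSON body for a composable index template that creates new indices with no
# replica shards. The flattened "index.number_of_replicas" key form is accepted
# by Elasticsearch alongside the nested form.
single_node_template() {
  cat <<'EOF'
{
  "index_patterns": ["logs-*"],
  "priority": 500,
  "template": {
    "settings": {
      "index.number_of_replicas": 0
    }
  }
}
EOF
}

# Settings body for indices that already exist; number_of_replicas is a
# dynamic setting, so it can be changed on a live index.
single_node_existing_settings() {
  printf '{"index": {"number_of_replicas": 0}}\n'
}

# count_unassigned_replicas  (reads _cat/shards?h=index,shard,prirep,state on stdin)
# Counts replica shards ("r") in state UNASSIGNED; non-zero on a one-node
# cluster means some index still carries number_of_replicas >= 1.
count_unassigned_replicas() {
  awk '$3 == "r" && $4 == "UNASSIGNED" { n++ } END { print n+0 }'
}

# Installs the template, retrofits existing indices, then prints how many
# replica shards are still unassigned (expected: 0 once the change has applied).
apply_single_node_replicas() {
  local es="${ES_URL:?set ES_URL, e.g. https://localhost:9200}"
  local auth="${ES_USER:?}:${ES_PASS:?}"
  local ca="${ES_CACERT:?path to the cluster CA certificate}"
  single_node_template | curl -sS --cacert "$ca" -u "$auth" -H 'Content-Type: application/json' \
    -X PUT "$es/_index_template/lme-single-node" --data-binary @-
  single_node_existing_settings | curl -sS --cacert "$ca" -u "$auth" -H 'Content-Type: application/json' \
    -X PUT "$es/logs-*/_settings" --data-binary @-
  curl -sS --cacert "$ca" -u "$auth" "$es/_cat/shards?h=index,shard,prirep,state" | count_unassigned_replicas
}

# Only contacts a cluster when ES_URL is set; the bodies and the shard check
# above can be inspected without one.
if [ -n "${ES_URL:-}" ]; then apply_single_node_replicas; fi
```

Keep the CA pinned with --cacert rather than passing -k: the credentials in this call are the superuser's, and a self-signed cluster certificate is exactly the case where skipping verification hands them to whoever sits on the path.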

Upgrade Elastic to v8.18.8

  • Updated Elastic stack version from 8.18.3 to 8.18.8 across all configurations, scripts, and workflows.

--

Full Changelog: v2.1.1...v2.2.0

LME v2.1.1

19 Aug 18:27
b4899e6

[2.1.1] - Timberrrrr! - 2025-08-19

Summary

Fixes LME installs breaking on Ubuntu 22.04 and Debian 12 by switching Nix installation from apt to the official Nix installer.

What's Changed

  • Adds a fix to not install nix from apt by @cbaxley in #703
    • Install Nix via the official script (--daemon) instead of apt; enable nix-daemon, create nix-users, and add install_user.
    • Add the nixpkgs-unstable channel, update channels, and install the required tools (podman, docker-compose) with nix-env.
    • Debian 12: add curl to the base packages to support the installer.
    • The Ansible role now prefers version-specific task files (e.g. ubuntu-22.04.yml) via with_first_found.
    • Minor: update a test Dockerfile base image (burndown chart).

Full Changelog: v2.1.0...v2.1.1

LME v2.1.0

13 Jun 18:30
9a7c3f5

[2.1.0] - Timberrrrr! - 2025-06-13

What's Changed

Elasticsearch Upgrade Support

LME now provides robust support for upgrading Elasticsearch in line with new versions of Elastic.

  • Includes tested procedures for upgrade, rollback, and backup.
  • Ensures continued compatibility with Elastic features while maintaining data integrity.

Updates to Install Automations

The Ansible playbooks utilized for installing LME have been modularized, enabling a streamlined, one-click installation process across various Linux distributions. Supported distributions include:

  • Ubuntu 22.04
  • Ubuntu 24.04
  • Debian 12.10

This modular approach simplifies the deployment process, offering users greater flexibility and efficiency across different environments.

Documentation Repository Split

To improve organization and contributor workflows, LME's documentation is now maintained in a separate GitHub repository.

  • Code and documentation are versioned and managed separately, ensuring clarity and ease of access.
  • The new documentation repository is linked from the LME repository README.

SBOM Generation

LME now includes scripts for generating a Software Bill of Materials (SBOM) specific to each deployment.

  • Output formats include SPDX (machine-readable) and syft-table (human-readable).

Sigma Rule Integration

LME now supports Sigma rules for detection use cases.

  • Sigma rules are integrated into the native Kibana alert index.
  • ElastAlert2 monitors the Kibana alert index and generates alerts based on Sigma rule matches.

Password Changer Enhancements

  • Improvements have been made to the password changer script, ensuring it accurately updates credentials within containers.
  • Supports more secure post-installation configuration and credential rotation.

Full Changelog: v2.0.2...v2.1.0

CISA's LME Webinar Recording (June 16, 2025)

18 Jun 16:52
9a7c3f5

This webinar is geared towards small- to medium-sized organizations with limited resources and is ideal for IT administrators, cybersecurity defenders, and decision-makers seeking to optimize their logging processes and enhance their organization's security posture. Learn how LME can save time, improve incident response, and help your team focus on critical security tasks, keeping your organization ahead of cyber threats.

Webinar Highlights:

  • Discover what LME is and how it operates
  • Explore LME’s key features and capabilities
  • Learn how LME is deployed
  • Demonstration of how to configure ElastAlert2
  • Integrate Sigma rules into LME
  • Learn about LME’s new documentation repository

LME v2.0.2

30 Jan 18:50
e11d045

[2.0.2] - Timberrrrr! - 2025-01-30

What's Changed

  • Add fixes for improving installation of containers and Ansible post install script by @mreeve-snl and @cbaxley in #555

Full Changelog: v2.0.1...v2.0.2

LME v2.0.1

14 Jan 17:20
688e7a6

[2.0.1] - Timberrrrr! - 2025-01-14

What's Changed

New Contributors

Full Changelog: v2.0.0...v2.0.1

LME v2.0.0

08 Nov 22:25
ff0466c

[2.0.0] - Timberrrrr! - 2024-11-08

What's Changed

  • Install v2 pipeline by @cbaxley in #392
  • Create Readme and scripts to upgrade from v1.x to v2.0 by @cbaxley in #428
  • Update API and Selenium tests to validate Raw Access Read panel on User Security Dashboard by @rishagg01 in #426
  • Install pipeline and tests by @cbaxley in #429
  • Upgrade API tests by @rishagg01 in #465
  • Add vault user password encryption by @cbaxley in #458
  • Add new post install scripts and documentation by @mreeve-snl in #477
  • Add Sysmon Install Powershell Script by @rgbrow1949 in #480
  • Add elastalert2 and small container updates by @mreeve-snl in #483
  • Make the pipeline use the post install Ansible playbook script by @cbaxley in #481
  • Refactor v2.0 dashboards by @ddiabe in #486
  • Harden the pipeline steps by @cbaxley in #493
  • LME v2.0 dashboard updates and bug fixes by @aarz-snl in #501
  • Update selenium tests by @rishagg01 in #499
  • Update API & Selenium tests for Powershell Network Connections panel on User Security Dashboard by @rishagg01 in #415
  • Update API & Selenium tests for Create Remote Threads panel by @rishagg01 in #408
  • Update API & Selenium tests for suspicious powershell panel by @rishagg01 in #405

Documentation

Bugs Fixed

Full Changelog: v1.4.0...v2.0.0

LME v1.4.0

04 Sep 15:58
657b844

[1.4.0] - Timberrrrr! - 2024-09-04

What's Changed

Notes

  • Adds more security visibility on the network through Windows event logs and dashboards that curate the new information
  • Four new dashboards that use the new AD ID logs captured through the new audit policies in the Chapter 1 Group Policy Objects
  • Changed the lme_wec_config.xml file to forward the new logs

LME v1.3.3

12 Feb 18:53
27aae85

[1.3.3] - Timberrrrr! - 2024-02-12

What's Changed

Notes

  • This is a hotfix for a data retention failure in the deploy.sh script during a fresh LME install. We recommend you upgrade to the latest version if you require disk sizes of 1TB or greater.
  • If you already have LME installed then no further action is necessary.

Full Changelog: v1.3.2...v1.3.3

LME v1.3.2

24 Jan 21:03
1608db7

[1.3.2] - Timberrrrr! - 2024-01-24

What's Fixed

  • Fixes dashboard_update.sh script not importing dashboards on a fresh install by @cbaxley in #167

Notes

  • This is a hotfix to address dashboards which failed to load on a fresh install of v1.3.1. If you are currently running v1.3.0, you do not need to upgrade at this time. If you are running versions before 1.3.0 or are running v1.3.1, we recommend you upgrade to the latest version.
  • Please refer to Upgrading to latest version to apply the hotfix.

Full Changelog: v1.3.1...v1.3.2