502 error in the SOC console(alerts, hunt and cases)

[krshnn]

Hi,

I'm getting 502 error for the SOC console pages and it seems like no logs are being generated too. discover page is empty. And grafana has some issues with reporting the metrics (EPS is 0, redis queue is at last reported metrics ) . I could see monitor traffic widget is working properly.

all containers are running. I got some logs from sensoroni and nginx, can anyone advise where to look or any ways that I could do a reinstall without running the ISO again?

192.168.1.10 - - [13/Jun/2006:11:33:51 +0000] "GET /grafana/api/live/ws HTTP/1.1" 502 19 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36" "-"

192.168.1.10 - - [13/Jun/2006:11:35:11 +0000] "GET /api/events/?query=(_id:uLyXRYgBNvIbYIW6Tst5)+AND+NOT+_index:%22*:so-case*%22&range=2023%2F06%2F12+11:35:00+AM+-+2023%2F06%2F13+11:35:00+AM&format=2006%2F01%2F02+3:04:05+PM&zone=Asia%2FRiyadh&metricLimit=10&eventLimit=100 HTTP/2.0" 502 19 "https://192.168.1.35/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36" "-"

2023/06/13 07:47:56 [error] 29#29: *28 auth request unexpected status: 502 while sending to client, client: 172.18.40.10, server: 192.168.1.35, request: "GET /grafana/api/datasources/proxy/1/query?db=telegraf&q=SELECT%20last(%22used_percent%22)%20FROM%20%22swap%22%20WHERE%20(%22host%22%20%3D%20%27securityonion%27)%20AND%20time%20%3E%3D%20now()%20-%205m%20and%20time%20%3C%3D%20now()%20GROUP%20BY%20time(30s)%20fill(null)&epoch=ms HTTP/2.0", host: "192.168.1.35", referrer: "https://192.168.1.35/grafana/d/CYuI3CwVk/standalone?orgId=1&refresh=5m&from=now-5m&to=now"

[InfosecGoon]

Sounds like you might be having some issues with Elasticsearch and possibly the pipeline feeding it.

A few questions for context:

• What version are you running?
• Is this a standalone or distributed installation?
• Is the system date and time correct? (I'm seeing timestamps from 2006 in those logs for some reason)
• Did it work previously and then stop displaying data in SOC, or is this a fresh install that was broken right away?

[krshnn]

Hi, it seems like it was a mistake from my side. I accidentally deleted some files from /NSM.