Forward Node not sending Suricata data

[jrmsq]

Good morning all, I am not sure what happened one of my forward nodes stop sending Suricata data to the manager.

Currently have 2x forward nodes, one search node and a manager. Node 2 has a monitoring port. When I do tcpdump -i eth0 I can see all traffic but when I got to the manager Kibana or No alerts in SOC I can see the node is communicating because I see zeek data but not Suricata.

Can someone please help me. I am on using Version: 2.3.250 I can't really tell if it started after I upgraded but. Any help?

When I check the suricata.log and docker log I am not seeing any errors.

[InfosecGoon]

A few spots to check:

• Are there Suricata logs being written to /nsm/suricata on the Forward Node?
• Is Filebeat on the Forward Node configured to read Suricata logs? Check /opt/so/conf/filebeat/etc/filebeat.yml to confirm.
• Are there any errors in the logstash logs on the Manager? /opt/so/log/logstash/logstash.log
• Are there any errors in the Elasticsearch logs on the Manager? /opt/so/log/elasticsearch/*log

[jrmsq]

Thank you @InfosecGoon for the recommdations:

1. I checked the /nsm/suricata on the forward and I noticed that it stopped writing to the log folder as of a couple of days ago. When I try to see the log that is in the file it was empty.
2. I checked the Filebeat and yes it still has all the same config to read logs from Suricata. - type: filestream
   id: import-suricata
   paths:
   • /nsm/import//suricata/eve.json
     fields:
     module: suricata
     dataset: common
     category: network
     imported: true
     processors:

• add_tags:
  tags: ["import"]
• dissect:
  tokenizer: "/nsm/import/%{import.id}/suricata/%{import.file}"
  field: "log.file.path"
  target_prefix: ""
• drop_fields:
  fields: ["source", "prospector", "input", "offset", "beat"]

3. N errors point that I can see related to the forward node or log connection.
4. Only some certificate error message.

I don't know if this might be related but lately my SOC alerts or dashboard show shows up empty and then try again a different time it shows data.

[jrmsq]

I found a solution to the Suricata issue with the Tap port on the Forward node. Please follow these steps:

Set the monitoring port (ens224) to promiscuous mode and disable NOARP:

1. Run: ifconfig ens224 promisc NOARP
   Bring down the ens224 interface:

2. Run: ifdown ens224
   Configure the ens224 interface:

3. Run: sudo ip link set ens224 up arp on promisc
   Set ens224 to promiscuous mode on the bond0 interface:

4. Run: sudo ip link set ens224 up promisc on bond0
   Assign ens224 as the master interface of bond0:

5. Run: sudo ip link set ens224 master bond0

6. Restart the network service:
   Run: sudo systemctl restart network

These steps should fix the problem. Make sure to adjust the interface names according to your setup.