so-strelka-backend ------------ [ PENDING ]

[vanh20]

I'm using a standalone deployment with enough disk and memory (32GB) to work on. Not short of CPU cores either (4 cores/8 threads). This was never a problem before. This happened after the upgrade, first of the OS (CentOS7), then through sudo soup. A new SOUP version was installed. Then it went on to do updates. Finally I was asked to agree on Elastic 8 license with a warning of breaking things. I did. Then it gave me problems like ElastAlert and ElasticSearch, both [MISSING]. So, I tried doing a ./so-setup-network. There was error, but when I checked sudo less /root/errors.log, it's empty.

Security Onion is not working at this time. SOC on my webbrowser doesn't display a complete page. Hangs up. Operating system wise, everything looks fine, except I noticed my sniffing NIC isn't installed. Did the driver install quickly and it was ok. So I realized I needed to revamp the whole installaton. Downloaded 2.3.260 iso, mounted it, changed directory to ./SecurityOnion/setup and did "sudo ./so-setup iso". Everything went well. Rebooted and all is fine and dandy. Then I installed Sysmon for Linux and configured my manager.

So, again, everything went well. Alerts are being generated and the Hunt interface records zeek and sysmon traffic. Did a sudo so-status then I noticed so-strelka-backend --------------------- [ PENDING ] when all the others are [OK]. I did a sudo soup update, sudo so-strelka-restart,sudo salt \* state.highstate, to no avail. To get further information I did "sudo docker logs 69afd42cb2-cut". The logs of the previous commands (strelka-restart/salt..) are without failures and are quite lengthy. Will post when requested. The docker logs output is below:

$ sudo docker logs 69afd42cb2-cut 
2023-08-01 11:34:17 - [DEBUG] root [strelka.__init__]: coordinator up
2023-08-01 11:34:17 - [INFO] root [strelka.work]: starting up
2023-08-01 11:34:17 - [INFO] root [strelka.check_scanners]: checking scanners
Traceback (most recent call last):
  File "/usr/local/bin/strelka-backend", line 4, in <module>
    __import__('pkg_resources').run_script('strelka==0.0.0', 'strelka-backend')
  File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py", line 656, in run_script
    self.require(requires)[0].run_script(script_name, ns)
  File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py", line 1453, in run_script
    exec(code, namespace, namespace)
  File "/usr/local/lib/python3.10/dist-packages/strelka-0.0.0-py3.10.egg/EGG-INFO/scripts/strelka-backend", line 42, in <module>
    main()
  File "/usr/local/lib/python3.10/dist-packages/strelka-0.0.0-py3.10.egg/EGG-INFO/scripts/strelka-backend", line 36, in main
    backend.work()
  File "/usr/local/lib/python3.10/dist-packages/strelka-0.0.0-py3.10.egg/strelka/strelka.py", line 266, in work
    self.check_scanners()
  File "/usr/local/lib/python3.10/dist-packages/strelka-0.0.0-py3.10.egg/strelka/strelka.py", line 253, in check_scanners
    importlib.import_module(scanner_import)
  File "/usr/lib/python3.10/importlib/__init__.py", line 126, in import_module
    return _bootstrap._gcd_import(name[level:], package, level)
  File "<frozen importlib._bootstrap>", line 1050, in _gcd_import
  File "<frozen importlib._bootstrap>", line 1027, in _find_and_load
  File "<frozen importlib._bootstrap>", line 1004, in _find_and_load_unlocked
ModuleNotFoundError: No module named 'strelka.scanners.scan_ruby``

For some reason, that message above was repeated 27 times. Any help or direction is greatly appreciated. Many thanks.

[dougburks]

We recently released Security Onion 2.4:
https://blog.securityonion.net/2023/08/security-onion-24-has-reached-general.html

You might want to try a fresh installation using our 2.4 ISO image and see if that helps.