Security Onion version as seen in the lower left corner of SOC and in /etc/soversion.
2.3.260
Is this a cloud deployment or on-prem? If on-prem, do you have Internet access or this an airgap installation?
On premise, internet access
Did you install from our Security Onion ISO image or did you perform a network installation?
Network install
If network installation, what distro and version did you install on?
Ubuntu 20.04
How many nodes do you have?
5
What are the hardware specs of each of those nodes?
Managersearch: 12c, 128gb RAM, 512gb + 4tb drives with /nsm on the 4tb
Forward/Sensor: 4c, 32gb RAM, 2tb
IDH: 4c, 8gb RAM, 256gb
How are each of those nodes configured? (ex. manager with 2 search nodes and 3 forward nodes)
Managersearch with 2 forward/sensor nodes
2 IDH nodes
Are you experiencing issues monitoring network traffic? If so, are you sniffing from a tap or span port and what is the traffic volume?
Unrelated to issue, but no problems with monitoring network traffic via SPAN switch, around 1Gbps max but really only 20Mbps.
Does so-status show all services running?
Yes
Do you get any failures when you run sudo salt-call state.highstate?
Yes* I have Wes Lambert's velociraptor running on the Managersearch. I have had to edit several of the files to reflect 2.3.260's files while allowing Velociraptor to run. Perhaps there is a file I've missed here, but I have added agents since this, and just today it stopped at 93 agents.
Does the SOC Grid page show any failures?
No
Explain your issue. For example: Installation fails when I select this series of options...
Provide applicable logs. If you are having problems right after setup, provide /root/sosetup.log. If you are having problems during soup, provide /root/soup.log. If you are having problems with a specific component, provide that component's logs from /opt/so/log/.
I examined today's log from /opt/so/log/fleet/status.log. There are quite a few entries for particular scheduled packs failing to grab particular data, or 'manifest.json' unable to be read from a path going to their Edge browser.
I currently have 88 Windows agents and 5 Linux agents visible from FleetDM. I can query those agents and return results. However, I have added several more today, and those are not appearing. I see the service running on the endpoint, and can use 'Test-NetConnection' to verify that those endpoints are able to reach :8090 over TCP, so the host-based firewall on the endpoint and SO's firewall aren't blocking the connections. I have restarted the Fleet docker container via "sudo so-fleet-restart", and re-run the salt states for everything and for fleet specifically via "sudo salt-call state.highstate" and "sudo salt-call state.apply fleet", to no avail.
Is there anywhere I can look to see why these new agents can't connect? Any other commands to try?
Thank you for any help you provide!
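Added example, not part of the original post or of Security Onion/Fleet: a small triage script for the status.log the poster is reading. It assumes the file holds osquery status events as Fleet's filesystem logger writes them (one JSON object per line with hostIdentifier, unixTime, severity and message fields; that field layout is an assumption). The sample lines, host names and the "expected hosts" list are constructed for the demo. The idea is to separate two different failure modes: enrolled hosts whose scheduled queries error (the manifest.json noise), versus hosts that never produce a single status line, which points at enrollment rather than at the queries.

```python
"""Triage a FleetDM/osquery status.log: who is checking in, who is missing, who is noisy."""
import json
import re

# Constructed sample in the osquery JSON status-log shape (assumed field names).
# The last line is deliberately truncated, as happens at log rotation.
SAMPLE_STATUS_LOG = r"""
{"hostIdentifier":"WS-01","calendarTime":"Mon Jan  8 10:00:01 2024 UTC","unixTime":"1704708001","severity":"0","filename":"scheduler.cpp","line":"100","message":"Executing scheduled query pack/windows-hardening/listening_ports"}
{"hostIdentifier":"WS-01","calendarTime":"Mon Jan  8 10:00:02 2024 UTC","unixTime":"1704708002","severity":"1","filename":"scheduler.cpp","line":"120","message":"Error executing scheduled query pack/browser-ext/edge_extensions: Could not read manifest.json at C:\\Users\\alice\\AppData\\Local\\Microsoft\\Edge\\User Data\\Default\\Extensions\\abcdef\\manifest.json"}
{"hostIdentifier":"WS-02","calendarTime":"Mon Jan  8 10:00:10 2024 UTC","unixTime":"1704708010","severity":"0","filename":"scheduler.cpp","line":"100","message":"Executing scheduled query pack/windows-hardening/listening_ports"}
{"hostIdentifier":"LX-01","calendarTime":"Mon Jan  8 10:00:50 2024 UTC","unixTime":"1704708050","severity":"0","filename":"main.cpp","line":"50","message":"osquery initialized [version=5.x]"}
{"hostIdentifier":"WS-02","calendarTime":"Mon Jan  8 10:01:30 2024 UTC","unixTime":"1704708090","severity":"1","filename":"scheduler.cpp","line":"120","message":"Error executing scheduled query pack/windows-hardening/services: no such table: services_x"}
{"hostIdentifier":"WS-02","calendarT
"""

QUERY_RE = re.compile(r"scheduled query (\S+?):")


def parse_status_log(text):
    """Parse JSON lines; skip malformed/truncated lines instead of aborting the run."""
    events = []
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        try:
            events.append(json.loads(raw))
        except json.JSONDecodeError:
            continue
    return events


def summarize_hosts(events):
    """Per host: last check-in (unix time), non-INFO message count, failing queries, manifest.json errors."""
    summary = {}
    for ev in events:
        host = ev.get("hostIdentifier", "<unknown>")
        entry = summary.setdefault(
            host, {"last_seen": 0, "errors": 0, "failing_queries": set(), "manifest_errors": 0}
        )
        entry["last_seen"] = max(entry["last_seen"], int(ev.get("unixTime", 0)))
        # osquery severity: "0" INFO, "1" WARNING, "2" ERROR; anything non-zero is worth counting.
        if ev.get("severity", "0") == "0":
            continue
        msg = ev.get("message", "")
        entry["errors"] += 1
        if "manifest.json" in msg:
            entry["manifest_errors"] += 1
        match = QUERY_RE.search(msg)
        if match:
            entry["failing_queries"].add(match.group(1))
    return summary


def missing_hosts(summary, expected):
    """Hosts you expect to be enrolled that never wrote a status line: likely never enrolled."""
    return sorted(set(expected) - set(summary))


def stale_hosts(summary, now, max_age):
    """Hosts that did enroll at some point but have not logged anything within max_age seconds."""
    return sorted(h for h, e in summary.items() if now - e["last_seen"] > max_age)


if __name__ == "__main__":
    # Hypothetical list of hosts the operator expects to see (e.g. the ones added today).
    expected = ["WS-01", "WS-02", "LX-01", "WS-NEW-07"]
    summary = summarize_hosts(parse_status_log(SAMPLE_STATUS_LOG))
    for host, e in sorted(summary.items()):
        print(f"{host}: last_seen={e['last_seen']} errors={e['errors']} "
              f"manifest_errors={e['manifest_errors']} failing={sorted(e['failing_queries'])}")
    print("never checked in:", missing_hosts(summary, expected))
    print("stale (>60s):", stale_hosts(summary, now=1704708100, max_age=60))
```

Run it against the real file by replacing SAMPLE_STATUS_LOG with the contents of /opt/so/log/fleet/status.log and the expected list with the host names of the newly installed agents. A new agent that reaches port 8090 but never shows up in this output has not completed enrollment, which narrows the search to the enroll secret and TLS trust on the endpoint rather than to the scheduled packs.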