Suricata not generating alerts

[Maji-Shan]

Hello, I am having issues on my distributed SO 2.3.190 build. Currently on one of them, Suricata alerts are no longer populating within the /nsm/suricata/* on the sensor. TCPDUMP on the sensor returns data flow for bond0. Redis queue shows change for manager. I am still getting Zeek alerts also. All services look good for the entire stack to, and so does the suricata log via 'docker logs so-suricata'. The Suricata.yaml also has the interface for bond0 within it.

What do you think could possibly be the problem here? I know alot of the time the best solution if data retention isn't a huge need is to redeploy, however I feel like this is a simple fix in some file. If you need anymore information, please let me know. Thank you.

[dougburks]

Hello, I am having issues on my distributed SO 2.3.190 build.

First, please note that 2.3.190 is from December of last year:
https://blog.securityonion.net/2022/12/security-onion-23190-now-available.html

We recommend updating to a more recent version of 2.3:
https://blog.securityonion.net/2023/06/security-onion-23260-now-available.html

or the new 2.4:
https://blog.securityonion.net/2023/08/security-onion-24-has-reached-general.html

Currently on one of them, Suricata alerts are no longer populating within the /nsm/suricata/* on the sensor.

Have you gone through all of the troubleshooting steps in the documentation?
https://docs.securityonion.net/en/2.3/suricata.html#troubleshooting-alerts