security onion install error. when execute /usr/sbin/so-elastic-fleet-es-url-update.

[wan-xiang]

Version

2.4.20

Installation Method

Security Onion ISO image

Description

installation

Installation Type

Eval

Location

on-prem with Internet access

Hardware Specs

Meets minimum requirements

CPU

4

RAM

12

Storage for /

200

Storage for /nsm

default

Network Traffic Collection

span port

Network Traffic Speeds

Less than 1Gbps

Status

No, one or more services are failed (please provide detail below)

Salt Status

No, there are no failures

Logs

Yes, there are additional clues in /opt/so/log/ (please provide detail below)

Detail

when I install fail security onion.there is a error in /root/errors.log.
[ERROR ] Command '/usr/sbin/so-elastic-fleet-es-url-update' failed with return code: 1
[ERROR ] stdout: Failed to query for current Fleet Server Elasticsearch URLs...

Then I check the scripts and err logs.
when I run /usr/sbin/so-elastic-fleet-es-url-update,the kibana logs notice Failed to decrypt "ssl" attribute: Unsupported state or unable to authenticate data
full log:
{"service":{"node":{"roles":["background_tasks","ui"]}},"ecs":{"version":"8.6.1"},"@timestamp":"2023-11-02T12:28:40.709+00:00","message":"Failed to decrypt "ssl" attribute: Unsupported state or unable to authenticate data","log":{"level":"ERROR","logger":"plugins.encryptedSavedObjects"},"process":{"pid":7},"trace":{"id":"7badb0e32f911bb6ec9d22529e4d7d1a"},"transaction":{"id":"c70c1cc97d3e7465"}}
{"service":{"node":{"roles":["background_tasks","ui"]}},"ecs":{"version":"8.6.1"},"@timestamp":"2023-11-02T12:28:40.710+00:00","message":"Unable to decrypt attribute "ssl"","error":{"message":"Unable to decrypt attribute "ssl"","type":"Error","stack_trace":"Error: Unable to decrypt attribute "ssl"\n at OutputService.get (/usr/share/kibana/node_modules/@kbn/fleet-plugin/server/services/output.js:377:13)\n at getOneOuputHandler (/usr/share/kibana/node_modules/@kbn/fleet-plugin/server/routes/output/handler.js:42:20)\n at Router.handle (/usr/share/kibana/node_modules/@kbn/core-http-router-server-internal/src/router.js:149:30)\n at handler (/usr/share/kibana/node_modules/@kbn/core-http-router-server-internal/src/router.js:115:50)\n at exports.Manager.execute (/usr/share/kibana/node_modules/@hapi/hapi/lib/toolkit.js:60:28)\n at Object.internals.handler (/usr/share/kibana/node_modules/@hapi/hapi/lib/handler.js:46:20)\n at exports.execute (/usr/share/kibana/node_modules/@hapi/hapi/lib/handler.js:31:20)\n at Request._lifecycle (/usr/share/kibana/node_modules/@hapi/hapi/lib/request.js:371:32)\n at Request._execute (/usr/share/kibana/node_modules/@hapi/hapi/lib/request.js:281:9)"},"log":{"level":"ERROR","logger":"plugins.fleet"},"process":{"pid":7},"trace":{"id":"7badb0e32f911bb6ec9d22529e4d7d1a"},"transaction":{"id":"c70c1cc97d3e7465"}}

when i run curl -K /opt/so/conf/elasticsearch/curl.config 'http://localhost:5601/api/fleet/outputs/so-manager_elasticsearch'
notice {"statusCode":500,"error":"Internal Server Error","message":"Unable to decrypt attribute "ssl""}
I chek the error on the internet,all them not help.this is my first time install security onion.
https://discuss.elastic.co/t/kibana-fleet-management-failed-to-decrypt-attribute-ssl/324881
elastic/kibana#147350
and install security onion can access internet,not airgap.

Guidelines

• I have read the above statement and can confirm my post is relevant to Security Onion 2.4.

[wan-xiang]

Hi,I found the web console can access,only the fleet service is not avliable.
Container Status is all running, tools fleet server is not health:

Thank you, looking forward to your reply.

[dougburks]

Did you verify the ISO image as shown at https://github.com/Security-Onion-Solutions/securityonion/blob/2.4/main/DOWNLOAD_AND_VERIFY_ISO.md?

12GB RAM is the absolute bare minimum for Eval mode:
https://docs.securityonion.net/en/2.4/hardware.html#minimum-specs

Do you have swap enabled?

Could you try a fresh installation with swap enabled and/or more RAM?

[wan-xiang]

Thank you for the reply ,I have verify the ISO image with windows tools certutil -hashfile .\securityonion-2.4.20-20231012.iso SHA256.
It's same to the web page SHA256: 5D511D50F11666C69AE12435A47B9A2D30CB3CC88F8D38DC58A5BC0ECADF1BF5
The mem is enough ,I have upgraded the memory to 16GB,and reboot the vm.

Fleet server still not healthy

And I reran the script /usr/sbin/so-elastic-fleet-es-url-update.The logs in kibana docker still have the same wrong.

[dougburks]

What are the other specs of the VM? How many CPU cores? Is the underlying disk SSD, NVME, or rotational media?

Now that you have 16GB RAM, have you tried a fresh installation?