stand alone install Monitor adapter disconnected

[ehinkle27]

Version

2.4.2

Installation Method

Security Onion ISO image

Description

installation

Installation Type

Standalone

Location

on-prem with Internet access

Hardware Specs

Exceeds minimum requirements

CPU

8

RAM

32

Storage for /

78G

Storage for /nsm

1TB

Network Traffic Collection

other (please provide detail below)

Network Traffic Speeds

Less than 1Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

No, there are no failures

Logs

No, there are no additional clues

Detail

I have just done a clean install of SO via iso on hardware and everything seems to appear to work but I do not see it is picking up any network traffic. I have a separate adapter from the management interface that is configured on a span port but seems like zeek is not picking up the data. I can run a tcpdump on that interface and I am seeing traffic. I ran nmcli and it shows the adapter disconnected.

`bond0: connected to bond0
"bond0"
bond, 00:0E:C6:4A:55:8E, sw, mtu 9000

enp0s20f0u4: disconnected
"ASIX AX88179"
2 connections available
ethernet (ax88179_178a), 00:0E:C6:4A:55:8E, hw, mtu 1500

veth18c4228: unmanaged
"veth18c4228"
ethernet (veth), 3A:86:AF:B3:4F:7C, sw, mtu 1500

veth3b6cfd0: unmanaged
"veth3b6cfd0"
ethernet (veth), 3A:AE:E9:84:26:C4, sw, mtu 1500

veth41778c8: unmanaged
"veth41778c8"
ethernet (veth), 9A:E4:D9:C1:3C:7A, sw, mtu 1500`

running ifconfig it shows this for the adapter

`enp0s20f0u4: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
ether 00:0e:c6:4a:55:8e txqueuelen 1000 (Ethernet)
RX packets 2131816 bytes 135857225 (129.5 MiB)
RX errors 0 dropped 227496 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

`
What do I need to do to get the adapter connected, not sure if that is what the problem is ?

Guidelines

• I have read the above statement and can confirm my post is relevant to Security Onion 2.4.

[ehinkle27]

I do see the following in the zeek error logs, this seems to be the only entry in the current logs.

/opt/zeek/share/zeekctl/scripts/run-zeek: line 61: ulimit: core file size: cannot modify limit: Operation not permitted

this shows in the stdout

[root@securityonion log]# cat /nsm/zeek/logs/current/stdout.log
max memory size (kbytes, -m) unlimited
data seg size (kbytes, -d) unlimited
virtual memory (kbytes, -v) unlimited
core file size (blocks, -c) 0

[dougburks]

Did you verify the ISO image?

Do you have 2 NICs, one for management and one for sniffing?

Does your management NIC work correctly?

What brand and model of NICs are you using?

Have you tried rebooting?

Have you tried a fresh installation?