Can't add a replacement forward sensor #11812

sam-mfb · 2023-11-17T11:34:27Z

sam-mfb
Nov 17, 2023

Version

2.4.20

Installation Method

Security Onion ISO image

Description

installation

Installation Type

Distributed

Location

on-prem with Internet access

Hardware Specs

Exceeds minimum requirements

CPU

14

RAM

64GB

Storage for /

500GB

Storage for /nsm

500GB

Network Traffic Collection

span port

Network Traffic Speeds

1Gbps to 10Gbps

Status

No, one or more services are failed (please provide detail below)

Salt Status

No, there are no failures

Logs

No, there are no additional clues

Detail

I have a distributed installation of SO 2.4.20 that has been working well, consisting of manager, search, and forward nodes. Recently, I had a hardware failure on the VM host that is hosting the forward sensor and, when everything was restored, the forward node was not working properly. Specifically, so-steno was showing as a missing service. I played with trying to fix that for a while but couldn't, and so, on the theory that "it's just a sensor," I went a head and reinstalled SO on the forward node.

The problem I'm having is that the install goes fine, the forward node connects to the manager, and I approve the addition tot he grid on the manager, but then the forward node never shows up in the Grid.

This seemed a little like this user's issue but I've tried all the steps in that, including, most recently, assigning the forward sensor host an entirely different IP and DNS name. Still no luck.

As noted in the comments to the issue above, I have looked in the sensoroni logs, but don't see anything obviously interesting there. I've restarted SOC and I've restarted both the manager node and the forward node, but no luck.

Any ideas of further troubleshooting to try?

Guidelines

I have read the above statement and can confirm my post is relevant to Security Onion 2.4.

Answered by jasondad36

Nov 17, 2023

Its a bug on 2.4.20. It is fixed on 2.4.30.
FIX: Global BPF prevents new sensor from applying highstate #11610

View full answer

jasondad36 · 2023-11-17T16:46:29Z

jasondad36
Nov 17, 2023

Its a bug on 2.4.20. It is fixed on 2.4.30.
FIX: Global BPF prevents new sensor from applying highstate #11610

1 reply

sam-mfb Nov 18, 2023
Author

this fixed it. marking as answered. thank you!!

sam-mfb · 2023-11-17T16:48:16Z

sam-mfb
Nov 17, 2023
Author

Got it. Updating to 2.4.30 now--will report if/when that fixes it. Thanks!

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Can't add a replacement forward sensor #11812

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Replies: 2 comments 1 reply

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

Can't add a replacement forward sensor #11812

Uh oh!

Uh oh!

sam-mfb Nov 17, 2023

Version

Installation Method

Description

Installation Type

Location

Hardware Specs

CPU

RAM

Storage for /

Storage for /nsm

Network Traffic Collection

Network Traffic Speeds

Status

Salt Status

Logs

Detail

Guidelines

Replies: 2 comments · 1 reply

Uh oh!

jasondad36 Nov 17, 2023

Uh oh!

sam-mfb Nov 18, 2023 Author

Uh oh!

sam-mfb Nov 17, 2023 Author

sam-mfb
Nov 17, 2023

Replies: 2 comments 1 reply

jasondad36
Nov 17, 2023

sam-mfb Nov 18, 2023
Author

sam-mfb
Nov 17, 2023
Author