No Alerts on fresh install on NUC (tried multiple versions)

[s0meguy1]

Version

2.4.30

Installation Method

Security Onion ISO image

Description

installation

Installation Type

Eval

Location

on-prem with Internet access

Hardware Specs

Exceeds minimum requirements

CPU

8

RAM

32

Storage for /

1TB

Storage for /nsm

627G

Network Traffic Collection

span port

Network Traffic Speeds

Less than 1Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

No, there are no failures

Logs

Yes, there are additional clues in /opt/so/log/ (please provide detail below)

Detail

Hello,

I am not receiving any kind of alerts on a default setup. bond0 is seeing traffic, I have the default alert rules setup, and when I replay test data in the grid area, it fails to produce alerts. I have seen other complaints of this in the discussion area, however they are referred to the setup guide. I have followed it exactly with no luck. I've also tried installing the older versions of SO via ISO (2.4.20, 2.4.10) on bare metal, along with installing proxmox on the bare metal NUC and installing the ISO, installing Debian/Ubuntu on bare metal and installing SO - also with no luck. 2.3 worked great on this device and I wanted to upgrade to 2.4 because of the feature set, but I just cannot get it working. I don't know where to begin looking for an issue like this. I would appreciate some guidance. Here are almost all logs from /opt/so/log/:
https://drive.google.com/drive/folders/1jPV6VuN1abFbcFzHFvnl3BdLKI31uLD5

I've also attached some screenshots of when I replay test data in grid, along with an influxdb screenshot to show that it is seeing network traffic

Guidelines

• I have read the above statement and can confirm my post is relevant to Security Onion 2.4.

[dougburks]

Have you tried following the Troubleshooting Alerts section in the documentation?
https://docs.securityonion.net/en/2.4/suricata.html#troubleshooting-alerts

[s0meguy1]

Heads up, I did get an error during install. I am not sure if I got the same error during the last install of 2.4.30. I've attached the error.log and sosetup.log, I'll leave it at that since I don't want to "contaminate" this clean install test. Standard Eval setup, I had the NUC management interface connected to internet during install, but nothing was connected to listening interface.

errors.log
sosetup.log

[dougburks]

That's definitely a problem. Looks like the Elastic Agent installation timed out and didn't install correctly. If Elastic Agent is not running correctly, then alerts will never be picked up.

The most likely culprit is disk I/O. Does this NUC have NVME, SSD, or rotational storage? If rotational, please try SSD or NVME and then perform a fresh installation to see if that helps.

If you already have NVME or SSD, then are you still running Security Onion as a VM under Proxmox and do you have other VMs running? If so, then make sure that there are no other guests running and then perform a fresh installation to see if that helps. Also try a fresh installation of our latest ISO on bare metal (no Proxmox) to see if that helps.

[s0meguy1]

This is a bare metal (no VM) install on an NVME. You think this could be a bad drive? I will smack myself its its a bad drive...

[dougburks]

Interesting. It's possible that it's a bad drive, but can you share /opt/so/SO-Elastic-Agent_Installer.log so that we can see if there any other reasons why it may have timed out?

[s0meguy1]

Sure, I've attached.
SO-Elastic-Agent_Installer.log

[defensivedepth]

@s0meguy1

Let's double-check to confirm that the Elastic Agent was not installed:

sudo elastic-agent status

If that comes back with an error about elastic-agent not found, you can try manually installing the Elastic Agent:

sudo salt-call state.apply elasticfleet.install_agent_grid

[s0meguy1]

sudo elastic-agent status failed as in not found, so I raned the salt-call command and got an error:

[ERROR   ] {'pid': 58546, 'retcode': 1, 'stdout': '\nInstallation initiated, view install log for further details.', 'stderr': '\n\nInstalling in non-interactive mode.: signal: killed'}
[INFO    ] Completed state [salt://elasticfleet/files/so_agent-installers/so-elastic-agent_linux_amd64] at time 13:39:48.840923 (duration_in_ms=185371.619)
local:
----------
          ID: run_installer
    Function: cmd.script
        Name: salt://elasticfleet/files/so_agent-installers/so-elastic-agent_linux_amd64
      Result: False
     Comment: Attempt 1: Returned a result of "False", with the following comment: "Command 'salt://elasticfleet/files/so_agent-installers/so-elastic-agent_linux_amd64' run"
              Command 'salt://elasticfleet/files/so_agent-installers/so-elastic-agent_linux_amd64' run
     Started: 13:36:03.219803
    Duration: 225596.244 ms
     Changes:
              ----------
              pid:
                  58546
              retcode:
                  1
              stderr:


                  Installing in non-interactive mode.: signal: killed
              stdout:

                  Installation initiated, view install log for further details.

Summary for local
------------
Succeeded: 0 (changed=1)
Failed:    1

I ran again and got the same error. Sorry that its cut off, I was running it in a screen session (bash from another machine, not screen in SO) because I was leaving my place and wanted to allow it to run. But it failed fairly quickly so I posted here

[s0meguy1]

Hi - I nabbed an SSD on black Friday, installed it and installed SO on it. Install went through with zero issues. SO is working as expected. I can't believe it was a bad drive. In any case, closing this