No traffic between Forward & Manager node

[YvesEutelsat]

Version

2.4.30

Installation Method

Security Onion ISO image

Description

installation

Installation Type

Distributed

Location

airgap

Hardware Specs

Meets minimum requirements

CPU

8

RAM

32

Storage for /

82G

Storage for /nsm

159G

Network Traffic Collection

tap

Network Traffic Speeds

1Gbps to 10Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

No, there are no failures

Logs

No, there are no additional clues

Detail

Good day,

Manager (Qty: 1), Search (Qty: 1), and Forward (Qty: 1) nodes have been installed. They are all able to communicate together. Every nodes have been added to "Grid Members". The issue is there is no data/logs from Forward to Manager. When I verify the Dashboard or Alerts section, there is nothing showing up. On the Forward node monitor interface, I did a "tcpdump -i interface". There are traffic on that interface.

It seems there is a setting that I have to turn on or off in order for the data to go to Manager. Is there a line I need to add into a file either on Manager or Forward node?

Any assistance or guidance would be much appreciated.

Thanks

Guidelines

• I have read the above statement and can confirm my post is relevant to Security Onion 2.4.

[dougburks]

The forward node should automatically send alerts and metadata to the manager. Is there a firewall or other network device between the forward node and manager that may be interfering with the traffic? Have you run tcpdump on the manager's management interface to see if the forward node's traffic is reaching the manager?

[YvesEutelsat]

There is no firewall nor other network device between those nodes. All connected to the same switch. When looking at the Manager node logstash log, I get the error message "Failed to send backlog of events to Redis" From Influxdb i see Redis queue is over 4 millions. Every ports have been configured by default from the installation. I think it might be something within the Manager node or the Search node.

I have ran tcpdump on each interface of every node. I can see that each node are talking to each other. I feel that i just missing a small details either in the Grid configuration or on a node.

[TOoSmOotH]

There is no traffic between them because Logstash is telling the agents to back off. You need to look at why Elastic is not ingesting the redis queue. Check the elastic logs on the manager and the search node.