Ran into an issue where receiver nodes were not ingesting events from forward nodes. For SO v2.4.30, Elastic Fleet is only adding the receiver node to the Logstash outputs via hostname and is not updating /etc/hosts accordingly across the fleet. In deployments where SO node hostnames are not backed by DNS, this is breaking receiver functionality.
Manually adding the receiver IP via the Fleet UI worked, at least temporarily until the next Salt refresh. The workaround (other than manually updating /etc/hosts) was to modify so-elastic-fleet-outputs-update to also add the IP. Hope this helps!
# Query for receiver nodes and add both their hostnames and their IPs to the output list
if grep -q "receiver" <<< "$LOGSTASHNODES"; then
  # Node names are the keys of the .receiver object; each entry carries an .ip field
  readarray -t RECEIVERNODES < <(jq -r '.receiver | keys_unsorted[]' <<< "$LOGSTASHNODES")
  readarray -t RECEIVERIPS < <(jq -r '.receiver | .[].ip' <<< "$LOGSTASHNODES")
  # Hostname entries (what the stock script already adds)
  for NODE in "${RECEIVERNODES[@]}"
  do
    NEW_LIST+=("$NODE:5055")
  done
  # IP entries, so agents that cannot resolve the hostname still reach the receiver
  for IP in "${RECEIVERIPS[@]}"
  do
    NEW_LIST+=("$IP:5055")
  done
fi
Version: 2.4.30
Installation Method: Security Onion ISO image
Description: configuration
Installation Type: Distributed
Location: on-prem with Internet access
Hardware Specs: Exceeds minimum requirements
CPU: 8
RAM: 32
Storage for /: 256
Storage for /nsm: 256
Network Traffic Collection: tap
Network Traffic Speeds: 1Gbps to 10Gbps
Status: Yes, all services on all nodes are running OK
Salt Status: No, there are no failures
Logs: No, there are no additional clues
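The post's workaround appends receiver IPs to the Logstash output list inside the bash script with jq. The following is an added example, not the Security Onion so-elastic-fleet-outputs-update script, that renders the same logic stand-alone in Python and adds the check an operator would want first: for each receiver hostname, whether the host running the check can resolve it at all. The node-map shape ({"receiver": {<hostname>: {"ip": ...}}}) and port 5055 are taken from the posted snippet; the sample node map and the injectable resolver hook are constructed for illustration.

```python
"""Build Elastic Fleet's Logstash output host list from an SO-style node map.

Added example, not the Security Onion so-elastic-fleet-outputs-update script.
Assumed from the posted jq filters: the node map is JSON whose "receiver" key
holds {hostname: {"ip": "..."}} and receivers listen on port 5055.
"""
import json
import socket

LOGSTASH_PORT = 5055

# Constructed sample node map (not real data) in the shape the post implies.
SAMPLE_NODES = {
    "manager": {"so-manager": {"ip": "10.10.1.10"}},
    "receiver": {
        "so-receiver01": {"ip": "10.10.1.21"},
        "so-receiver02": {"ip": "10.10.1.22"},
    },
}


def system_resolves(hostname):
    """True if this host's resolver (/etc/hosts or DNS) knows hostname."""
    try:
        socket.getaddrinfo(hostname, None)
        return True
    except socket.gaierror:
        return False


def receiver_outputs(nodes, port=LOGSTASH_PORT, resolves=system_resolves):
    """Return (hosts, unresolved) for the receiver nodes in `nodes`.

    `nodes` is the node map as a dict or JSON string.  `hosts` lists
    hostname:port entries first (what the stock script emits) followed by
    ip:port entries, de-duplicated and in node-map order, so an agent whose
    resolver lacks the hostname still has a reachable target.  `unresolved`
    lists receiver hostnames that `resolves` could not resolve; a non-empty
    list on an agent reproduces the failure described in the post.
    """
    if isinstance(nodes, str):
        nodes = json.loads(nodes)
    receivers = nodes.get("receiver", {})
    hosts = []
    for hostname in receivers:
        host_entry = f"{hostname}:{port}"
        if host_entry not in hosts:
            hosts.append(host_entry)
    for attrs in receivers.values():
        ip_entry = f"{attrs['ip']}:{port}"
        if ip_entry not in hosts:
            hosts.append(ip_entry)
    unresolved = [h for h in receivers if not resolves(h)]
    return hosts, unresolved


if __name__ == "__main__":
    hosts, unresolved = receiver_outputs(SAMPLE_NODES)
    print("hosts:", json.dumps(hosts))
    for hostname in unresolved:
        print(f"warning: {hostname} does not resolve here; only its IP entry will work")
```

Run it on a forward node (where the Elastic Agent actually connects) rather than on the manager: the manager usually has every node in its own /etc/hosts, so the unresolved list is only meaningful from the agent's point of view. Hostname entries are kept ahead of the IP entries so the list is a superset of what Fleet generates today.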