Failed to query for current Logstash Outputs | Failed to query for current Fleet Server Elasticsearch URLs

[bigdaddyschaefer]

Version
2.4.30

Installation Method
Security Onion ISO image

Installation Type
Standalone

Location
On-Prem with Internet access

Hardware Specs
Exceeds minimum requirements

CPU
24

RAM
32GB on install, now changed to 64GB

Storage for /
150GB

Storage for /nsm
20TB

Status

Salt Status
Yes, there are salt failures (please provide detail below)

Logs
From sosetup.log (same errors are seen when soup is ran)

From /opt/so/log/logstash/logstash.log

From /opt/so/log/elasticsearch/securityonion.log

Detail
Good Afternoon,

I am encountering a few different errors during the installation script using the SO ISO image (see first screenshot under Logs). I have tried installing from the ISO image three different times and the same errors appeared every time. When I run soup, they appear as well.

After the third installation, I let it run all the way through and started looking at the logstash and elasticsearch logs (second and third images under Logs). What I found interesting was the 'bad_certificate' errors between docker containers and the host in the logstash log. The IP/Hostname of Security Onion has not changed since installation. I also did not run setup with proxy settings.

For giggles, I installed ElasticAgent on one of our machines and I see its' IP in the errors of the logstash log as well now.

My dashboards are also empty and it looks like I'm having the same salt issues as in this thread (I uninstalled the Elastic Agent and reinstalled it as mentioned): #11611

----------
          ID: so-elastic-fleet-auto-configure-logstash-outputs
    Function: cmd.run
        Name: /usr/sbin/so-elastic-fleet-outputs-update
      Result: False
     Comment: Attempt 1: Returned a result of "False", with the following comment: "Command "/usr/sbin/so-elastic-fleet-outputs-update" run"
              Command "/usr/sbin/so-elastic-fleet-outputs-update" run
     Started: 23:24:38.852112
    Duration: 30121.624 ms
     Changes:
              ----------
              pid:
                  1324496
              retcode:
                  1
              stderr:
                    % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                                   Dload  Upload   Total   Spent    Left  Speed

                    0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
                  100    98  100    98    0     0   4666      0 --:--:-- --:--:-- --:--:--  4666
              stdout:
                  Failed to query for current Logstash Outputs...

and

          ID: so-elastic-fleet-auto-configure-elasticsearch-urls
    Function: cmd.run
        Name: /usr/sbin/so-elastic-fleet-es-url-update
      Result: False
     Comment: Attempt 1: Returned a result of "False", with the following comment: "Command "/usr/sbin/so-elastic-fleet-es-url-update" run"
              Command "/usr/sbin/so-elastic-fleet-es-url-update" run
     Started: 23:25:12.164461
    Duration: 30121.529 ms
     Changes:
              ----------
              pid:
                  1325989
              retcode:
                  1
              stderr:
                    % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                                   Dload  Upload   Total   Spent    Left  Speed

                    0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
                  100    98  100    98    0     0   4666      0 --:--:-- --:--:-- --:--:--  4666
              stdout:
                  Failed to query for current Fleet Server Elasticsearch URLs...

I am unsure where to go from here, any ideas?

[dougburks]

Is it possible that your network is already using the 172.17.x.x range? If so, have you tried adjusting the Docker network range as shown at https://docs.securityonion.net/en/2.4/docker.html#networking-and-bridging?

[bigdaddyschaefer]

Not to my knowledge, but we do use the 172.16.0.0/16 range. Let me adjust the Docker range and get back to you! Thanks.

[bigdaddyschaefer]

Looks like that did the trick. I completely redid the install and specified the Docker IP range to be 172.24.1.0/24 instead of 172.17.1.0 and I have not gotten any error and SOC is reporting data. Still unsure why this worked since we do not use the 172.17.0.0/24 network but I'll take it!

Thanks @dougburks