Security Onion 2.4.10 Virtual Machine Import PCAP Failure #12031

Keith-2nd · 2023-12-15T19:28:50Z

Keith-2nd
Dec 15, 2023

Version

2.4.10

Installation Method

Security Onion ISO image

Description

other (please provide detail below)

Installation Type

Import

Location

airgap

Hardware Specs

Meets minimum requirements

CPU

4

RAM

16GB

Storage for /

200GB

Storage for /nsm

I am unsure

Network Traffic Collection

other (please provide detail below)

Network Traffic Speeds

Less than 1Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

Yes, there are salt failures (please provide detail below)

Logs

Yes, there are additional clues in /opt/so/log/ (please provide detail below)

Detail

[ERROR ] Command '/usr/sbin/so-elastic-fleet-es-url-update' failed with return code: 1
[ERROR ] stdout: Failed to query for current Fleet Server URLs...
/usr/sbin/so-elastic-agent-grid-upgrade failed to run. I am assuming because there is no connection to the internet.

This is a part of an isolated student lab set up with a Security Onion 2 VM and Ubuntu 22.04 VM within VMware Workstation with the intent to move it onto an ESXi environment. The Ubuntu VM can access the SO VM with no issues. Neither VM has internet access. My goal is to be able to import PCAPs from the Ubuntu 22 VM and use the SOC for analysis. When using Grid or so-import-pcap no alerts show on the Dashboard. I have tried running the url-update script from the error log, that did not work. In Grid, it states Kibana is running and healthy; however, when I try to access Kibana it states the server is not ready. This is the same for Elastic Fleet and Osquery Manager.

Guidelines

I have read the above statement and can confirm my post is relevant to Security Onion 2.4.

Answered by defensivedepth

Dec 15, 2023

Have you tried the latest version, 2.4.30? There have been alot of stability fixes from .10 to .30

View full answer

defensivedepth · 2023-12-15T19:32:21Z

defensivedepth
Dec 15, 2023
Maintainer

Have you tried the latest version, 2.4.30? There have been alot of stability fixes from .10 to .30

3 replies

Keith-2nd Dec 21, 2023
Author

No I have not. Would upgrading be the best solution for this situation?

defensivedepth Dec 21, 2023
Maintainer

With it being just an import node, I would suggest a fresh install of the latest version.

Keith-2nd Dec 21, 2023
Author

Thank you. These logs are tough to track with everything in Elastic failing.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Security Onion 2.4.10 Virtual Machine Import PCAP Failure #12031

Uh oh!

{{title}}

Uh oh!

Replies: 1 comment 3 replies

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

Security Onion 2.4.10 Virtual Machine Import PCAP Failure #12031

Uh oh!

Keith-2nd Dec 15, 2023

Version

Installation Method

Description

Installation Type

Location

Hardware Specs

CPU

RAM

Storage for /

Storage for /nsm

Network Traffic Collection

Network Traffic Speeds

Status

Salt Status

Logs

Detail

Guidelines

Replies: 1 comment · 3 replies

Uh oh!

Uh oh!

defensivedepth Dec 15, 2023 Maintainer

Uh oh!

Keith-2nd Dec 21, 2023 Author

Uh oh!

defensivedepth Dec 21, 2023 Maintainer

Uh oh!

Keith-2nd Dec 21, 2023 Author

Keith-2nd
Dec 15, 2023

Replies: 1 comment 3 replies

defensivedepth
Dec 15, 2023
Maintainer

Keith-2nd Dec 21, 2023
Author

defensivedepth Dec 21, 2023
Maintainer

Keith-2nd Dec 21, 2023
Author