Elastic showing 0 count for heavy nodes

[stondino00]

Version

2.4.30

Installation Method

Security Onion ISO image

Description

other (please provide detail below)

Installation Type

Distributed

Location

on-prem with Internet access

Hardware Specs

Exceeds minimum requirements

CPU

8

RAM

32

Storage for /

1TB

Storage for /nsm

1TB

Network Traffic Collection

span port

Network Traffic Speeds

1Gbps to 10Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

No, there are no failures

Logs

No, there are no additional clues

Detail

All heavy nodes show services running fine. Kibana is showing 0 count for logs. Nothing is showing.

Guidelines

• I have read the above statement and can confirm my post is relevant to Security Onion 2.4.

[its-a-me-mario-the-og]

I would make sure that you have the managed switch setup correctly, do a ip a find which ethernet port is being used as the tap port then do a tcpdump -i on that ethernet port to check what is coming in or not coming in.

If you don't see anything besides ssh traffic then check the switch and make sure you have the port configuration setup may it be a span port or mirror port setup. Could possibly be a bad ethernet cable, its slim but it is possible.

If you already tried these, check the logs and see whats going on there, might be a kibana problem or logstash problem.

Hope this helps you get everything figured out!

[stondino00]

No still no solution for this. Does something need done with elasticsearch or logstash?

[cm-ops]

What is your cluster settings on your manager - sudo so-elasticsearch-query _cluster/settings?pretty do you see your heavy nodes as remote? If so, what is your cluster health on your heavy nodes - sudo so-elasticsearch-query _cluster/health?pretty?

[stondino00]

Ok I see. Yeah I was questioning that when I did the reinstall of the manager. I think in the past I did make the manager a search node as well. I'll do another reinstall and see if that fixes the issue. Thanks so much for your help on this.

[stondino00]

So that reinstall seems to have fixed the elastic not showing anything, but I'm still not seeing those heavy nodes in the lower RIGHT.

[cm-ops]

Do the logs coming in show observer.name.keyword field? That is what will populate that panel. But looking at what you have there, it appears to be logs from your managersearch.

[stondino00]

Yes there only appears to be logs from the managersearch. Just super strange that this doesn't work on a brand new install on all nodes.

[cm-ops]

Check _cluster/settings again, the managersearch would need the remote heavynodes and allowances to query them to return data in SOC. Do you see any issues in the SOC log? /opt/so/log/soc/sensoroni-server.log