so-monitor-add : NetworkManager is not running

[ricamz]

Hi.

I am running SO in a standalone version, in 2.3.270.

I had the system running for some months and now I want to add a network interface for traffic monitoring (suricata).

When I perform the so-monitor-add eth1 command (for the second interface) it issues the error:

Error: NetworkManager is not running.
Error: NetworkManager is not running.

Do you know what could be the problem?

Regards

Ricardo

[cm-ops]

#1720 Can you give some more information about your server?

[ricamz]

The server is a VMWare virtual machine. The network traffic is collected using one Great Scott Gadgets Throwing Star LAN Tap Pro
that is connected to a hub to have both traffic directions. Then a virtual switch is added with the collection physical interface a virtual interface is created on the virtual machine in that vswitch.

The server has 4 core and 16GB RAM.

Regards

RS

[dougburks]

@ricamz I think cm-ops was asking for more information about how you installed Security Onion. Did you use our Security Onion ISO image or did you do a network installation on some other Linux distribution?

Please note that 2.3 reaches End Of Life in less than 4 months:
https://blog.securityonion.net/2023/12/4-month-end-of-life-eol-reminder-for.html

So this might be a good opportunity to move to 2.4 anyway.

The network traffic is collected using one Great Scott Gadgets Throwing Star LAN Tap Pro
that is connected to a hub to have both traffic directions.

Depending on how much traffic you're monitoring, this could result in packet loss. So you may want to consider replacing with an actual tap:
https://docs.securityonion.net/en/2.4/hardware.html#packets

[ricamz]

Hi Doug.

I installed via the Security Onion ISO. I believe it is based on a Cent OS 7.

I haven't upgraded because of another issue I have opened regarding having the same kind of alerts that Wazuh provides with the Elastic agent.

My main input is based on Wazuh agents and the Elastic didn't provide any alerts. I undertood that playbooks have to be configured, but it's too many for a Linux machine, so I was asking if there is anyway simpler to enable similar alerts with the elastic agent.

Regards

RS

[dougburks]

I am running SO in a standalone version, in 2.3.270.
I had the system running for some months and now I want to add a network interface for traffic monitoring (suricata).
When I perform the so-monitor-add eth1 command (for the second interface) it issues the error:

Looking back at your original description, you say standalone which would imply that you already had a sniffing interface. But when you say so-monitor-add eth1 command (for the second interface) it seems like you didn't already have a sniffing interface and so maybe instead of standalone you configured as manager or managersearch? You can check with the following command:

sudo grep role /etc/salt/grains

If it's so-manager or so-managersearch, then you have 2 options:

1. Wipe and perform a fresh installation choosing standalone (has higher hardware requirements)
   OR
2. Join a second node to the first and configure it as a forward node

In either case, we'd still recommend that you go ahead and move to 2.4 because you're going to have to at some point anyway and the advantages outweigh the differences between Wazuh and Elastic Agent.

[ricamz]

Hi Doug.

It gave me the following:

[admin@siem ~]$ sudo grep role /etc/salt/grains
[sudo] password for admin:
role: so-standalone
[admin@siem ~]$

Just to give a little background, at the time of installation there was no sniffing interface and the sniffing interface was added now.

Regards

RS

[ricamz]

Hi Doug.

I have installed a standalone version but didn't add a sniffing interface.

I am not able to access the server now, as I am on holidays.

But will confirm once I am there.

Thank you for your help.

For me the big issue with the Elastic agent is that I don't have the same level of alerts as in Wazuh (or at least it gives a little work to achieve the same level of alerts): file changes, logs, users activity, http errors (and other applications). I produce a weekly report that is based on those alerts and I still don't have the sniffing interface 100% operational.

I know that I will have to change to the 2.4 version, but for now the 2.3 is giving me the right level of alerts.

Regards

RS

[ricamz]

Hi all.

Still have this error:

When I perform the so-monitor-add eth1 command it issues the error:

Error: NetworkManager is not running.
Error: NetworkManager is not running.

Can anyone help on this?

RS