Request failed with status code 502 (Alerts, Dashboard, Hunt, Cases)

[ponte19]

Version

2.4.10

Installation Method

Security Onion ISO image

Description

installation

Installation Type

Standalone

Location

airgap

Hardware Specs

Exceeds minimum requirements

CPU

48

RAM

256GB

Storage for /

293GB

Storage for /nsm

1.9TB

Network Traffic Collection

tap

Network Traffic Speeds

1Gbps to 10Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

No, there are no failures

Logs

No, there are no additional clues

Detail

My security onion instance is active since October and I did not change settings except the certificate for nginx.

Since two weeks I cannot open Alerts, Dashboard, Hunt and Cases anymore. There is a red window like in discussion #11500.

When I check the disk usage:
/dev/mapper/system-nsm 1.9T 1.7T 216G 89% /nsm

exactly like in discussion #11500, 89% full.

All services are running fine and Administration interface is working as well. How can I solve that problem? What can I delete? What script can I start to delete old captured packages?

Guidelines

• I have read the above statement and can confirm my post is relevant to Security Onion 2.4.

[ponte19]

so-nsm-clear and so-elastic-clear did not help.
According to this https://github.com/Security-Onion-Solutions/securityonion/blob/master/salt/common/tools/sbin/so-nsm-clear pcap should be deleted after it but it is not.

[ponte19]

I deleted /nsm/pcap/ manually and finally dashboard, hunt etc. started to work again after a reboot and highstate.

Atm I did not know if there are problems associated with manually deleting pcap but it seems to work fine.
Although this process of deleting pcaps should be handled by Security Onion.

[dougburks]

You specify above the you're running version 2.4.10. There was a fix in 2.4.20 that should help avoid this issue:
https://docs.securityonion.net/en/2.4/release-notes.html#id32
#11305

Please update to the latest version. As of today, that is 2.4.30 and you can read more about that here:
https://blog.securityonion.net/2023/11/security-onion-2430-now-available.html

[ponte19]

Thank you, today I upgraded to 2.4.30-20231219
Upgrade went well without errors.