No Alert showing on Web Interface

[YvesEutelsat]

Version

2.4.30

Installation Method

Security Onion ISO image

Description

installation

Installation Type

Distributed

Location

airgap

Hardware Specs

Exceeds minimum requirements

CPU

8

RAM

64

Storage for /

300G

Storage for /nsm

1T

Network Traffic Collection

tap

Network Traffic Speeds

1Gbps to 10Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

No, there are no failures

Logs

No, there are no additional clues

Detail

Good day,

Under this distributed deployment (version 2.4.30-20231219), when I logged into the Web Interface, there is no Alerts showing. Under "Dashboards, and Hunt" there are event that populate daily. Looking in /nsm/pcap folder on the Sensor node, PCAP are generated daily.

I do have a Standalone configuration which is getting the same traffic as the Distributed Deployment. Post Standalone installation, Alerts started to populate with no extra configuration from me.

Not sure which setting I have to turn ON in other to get Alerts on the Manager node. I looked at the Troubleshooting Guidelines in the Security Onion documentation, I verified everything that it is mention in the guidelines.

Any assistance would be much appreciated

Thanks

Guidelines

• I have read the above statement and can confirm my post is relevant to Security Onion 2.4.

[cm-ops]

On your distributed grid, what does sudo elastic-agent status return?

[YvesEutelsat]

I performed the command line on each nodes

Search & Manager node return : Fleet & Elastic Agent : Healthy status - Running

Forward nodes return below message :
fleet
│ └─ status: (FAILED) fail to checkin to fleet-server: all hosts failed: 2 errors occurred:
│ * requester 0/2 to host https://x.x.x.x: xxxx/ errored: Post "https://x.x.x.x: xxxx/api/fleet/agents/eaefaa0a-659b-4aaa-9589-9afee1adaf8f/checkin?": dial tcp x.x.x.x: xxxx: connect: connection timed out
│ * requester 1/2 to host https://so-managersearch:8220/ errored: Post "https://so-managersearch:8220/api/fleet/agents/eaefaa0a-659b-4aaa-9589-9afee1adaf8f/checkin?": lookup so-managersearch on x.x.x.x: xxxx: server misbehaving

elastic-agent
└─ status: (HEALTHY) Running

Looking in the Dashboard & Hunt, it seems Suricata does not forward any data.

Thanks again for your assistance

[cm-ops]

Looks like there is a problem connecting with your Fleet server:

fleet
│ └─ status: (FAILED) fail to checkin to fleet-server: all hosts failed: 2 errors occurred:
│ * requester 0/2 to host https://x.x.x.x: xxxx/ errored: Post "https://x.x.x.x: xxxx/api/fleet/agents/eaefaa0a-659b-4aaa-9589-9afee1adaf8f/checkin?": dial tcp x.x.x.x: xxxx: connect: connection timed out
│ * requester 1/2 to host https://so-managersearch:8220/ errored: Post "https://so-managersearch:8220/api/fleet/agents/eaefaa0a-659b-4aaa-9589-9afee1adaf8f/checkin?": lookup so-managersearch on x.x.x.x: xxxx: server misbehaving

Have you tried to restart the elastic agent on the sensors? sudo elastic-agent restart

[YvesEutelsat]

I restarted "elastic-agent" and still coming up with same error.

I went in the Playbook to activate some plays and still no alerts.

[YvesEutelsat]

Looking into Kibana - Fleet - Agents, the sensor/forward node is not display on the list. Should the sensor be display? If yes, how can I add it to the list?

I tried to upload a print screen below.

Thanks

[cm-ops]

Try unitstalling the agent on the sensor, elastic-agent unistall and then running a highstate.

[YvesEutelsat]

I uninstalled elastic-agent from the sensor. Now I have Alerts coming to the Manager. The sensor appeared under the Fleet server.

As I'm new with Security Onion, does the elastic-agent important to be install on the sensor?

Thanks for your support

[cm-ops]

Glad it is working for you, here is a link to the docs about EA https://docs.securityonion.net/en/2.4/elastic-agent.html