Can not open port for pfsense integration #12210

sleepingbel · 2024-01-19T10:19:26Z

sleepingbel
Jan 19, 2024

Version

2.4.40

Installation Method

Security Onion ISO image

Description

configuration

Installation Type

Standalone

Location

on-prem with Internet access

Hardware Specs

Exceeds minimum requirements

CPU

32C/64T

RAM

124 GB

Storage for /

314 GB

Storage for /nsm

1271 GB

Network Traffic Collection

span port

Network Traffic Speeds

1Gbps to 10Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

No, there are no failures

Logs

No, there are no additional clues

Detail

Hello all

I have followed the documentation for the Elastic Integration for pfSense for a opnsense firewall/router.

The opnsense is configured for udp forwarding on port 9001 and states in his log that the connection is established and then broken.

If I do a nmap scan the port is not marked as open.

with the so-firewall command you can not check all the open ports.

I did a iptables grep and this is the result
230 55285 ACCEPT udp -- * * x.x.x.x 0.0.0.0/0 udp dpt:9001
But the kibana dashboards for this integration stays empty.

What could be cause of this?

For being complete currently we receive the log over syslog (port 514).

regards
Bart

Guidelines

I have read the above statement and can confirm my post is relevant to Security Onion 2.4.

Answered by TotieBash

Jan 24, 2024

I figured out my issue, check #12055

I was incorrect on my assumption that so-logstash should be listening on port 9001. Apparently there is "elastic-agent" that is managed by fleeet installed on the standalone host itself so it is not a docker container. You can verify this when you issue "systemctl status elastic-agent"

View full answer

TotieBash · 2024-01-19T18:15:47Z

TotieBash
Jan 19, 2024

For what its worth I also has similar issue #12055. When you issue cmd "docker ps" one of those docker container should show that it is listening on port 9001. I think it should be so-logstash. Also when you issue cmd "ss -tulpn" you should see the system listening on port 9001. However I don't know the missing step to get to that. I have done it on SO2.3 Filebeat method but this SO2.4 method is new to me.

0 replies

TotieBash · 2024-01-24T03:15:08Z

TotieBash
Jan 24, 2024

I figured out my issue, check #12055

I was incorrect on my assumption that so-logstash should be listening on port 9001. Apparently there is "elastic-agent" that is managed by fleeet installed on the standalone host itself so it is not a docker container. You can verify this when you issue "systemctl status elastic-agent"

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Can not open port for pfsense integration #12210

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Replies: 2 comments

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Select a reply

Uh oh!

Can not open port for pfsense integration #12210

Uh oh!

Uh oh!

sleepingbel Jan 19, 2024

Version

Installation Method

Description

Installation Type

Location

Hardware Specs

CPU

RAM

Storage for /

Storage for /nsm

Network Traffic Collection

Network Traffic Speeds

Status

Salt Status

Logs

Detail

Guidelines

Replies: 2 comments

Uh oh!

TotieBash Jan 19, 2024

Uh oh!

Uh oh!

TotieBash Jan 24, 2024

sleepingbel
Jan 19, 2024

TotieBash
Jan 19, 2024

TotieBash
Jan 24, 2024