2.4.40 Integrations Index Templates not showing in Kibana.

[BiggTuna]

Version

2.4.40

Installation Method

Security Onion ISO image

Description

other (please provide detail below)

Installation Type

Distributed

Location

on-prem with Internet access

Hardware Specs

Exceeds minimum requirements

CPU

16

RAM

64 GB

Storage for /

315 GB

Storage for /nsm

8.5 TB

Network Traffic Collection

span port

Network Traffic Speeds

1Gbps to 10Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

No, there are no failures

Logs

No, there are no additional clues

Detail

After updating to 2.4.40, we are not seeing the index templates for the newest integrations show in Kibana, or the integration showing under the "installed" section from Kibana.

From previous releases, we usually see newly added integrations under the "installed" section, and all of the integration index templates/component templates are present. After the upgrade to 2.4.40, the templates for the newly supported integrations, cisco_ftd, cisco_ios, iis, etc, are not present when looking in stack management from Kibana, nor are they "installed" when looking at integrations from Kibana.

We do see the all index settings for these new integrations in the SOC console under Administration > Configuration > index_settings > $index (eg., so-logs-cisco_ftd_x_log).

Will this cause a problem if we start trying to use the 2.4.40 newly supported integrations without the index/component templates being present in stack management?

Guidelines

• I have read the above statement and can confirm my post is relevant to Security Onion 2.4.

[weslambert]

Do you see eaintegrations.txt present if you look in /opt/so/state on the manager?

If so, try the following:

sudo rm -f /opt/so/state/eaintegrations.txt
sudo salt-call state.apply elasticfleet

[BiggTuna]

That did the trick. We are now seeing the newly supported integrations as "installed" and the corresponding index/component templates in stack management. Thanks a ton!