No Alerts in Dashboard

[anitatata]

Version

2.4.40

Installation Method

Security Onion ISO image

Description

other (please provide detail below)

Installation Type

Standalone

Location

cloud

Hardware Specs

Meets minimum requirements

CPU

8

RAM

20

Storage for /

100

Storage for /nsm

200

Network Traffic Collection

tap

Network Traffic Speeds

Less than 1Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

No, there are no failures

Logs

No, there are no additional clues

Detail

Hello,
Previously I installed version 2.4.30 but there is no Alerts in Alerts tab, so I try to installed Security Onion 2.4.40 but Alerts tab still did not showing anything.

Below elastic-agent status

Do we need to configure anything to make Alerts tab have data?

Guidelines

• I have read the discussion guidelines at Read before posting! #1720 and assert that I have followed the guidelines.

[0nc3B1tt3n]

You can run a watch 'so-redis-count' to see if there is a backlog of logs. If there is a backlog of logs run a so-logstash-restart. Then run the first command again to see if logs begin ingesting.

[anitatata]

Thanks for replying,

Below the capture of so-redis-count

Thanks

[sandraimmaculate]

Even I'm also facing same issues when i installed security onion 2.3 the alerts been displayed in dashboard soon after the installation but in 2.4 its not happening IDK why my alert dashboard is empty. Is this because we add another NIC card for monitoring if this is a reason how to make it work
even I'm also getting same output for the command so-redis-count the output is 0
help us to solve this issues

[sandraimmaculate]

yea! now i got the alerts in dashboard u can perform the command so-test and then check in alert dashboard your getting alert are not. if still not enable suricata and zeek in administration > configuration.

and execute the command:
(nids testing)

1. curl testmynids.org/uid/index.html for
2. curl -sSL https://raw.githubusercontent.com/0xtf/testmynids.org/master/tmNIDS -o /tmp/tmNIDS && chmod +x /tmp/tmNIDS && /tmp/tmNIDS

[anitatata]

Thanks for your suggestion.

I try the command so-test

And also make sure suricata and zeek enabled

But still the alerts tab did not show anything.
Is there other configuration that I missed?

Thanks

[sandraimmaculate]

did you do NIDS test is that showing output.
and did you enabled idstools which is in administration > configuration

[anitatata]

Yes, I can curl to the NIDS test

1. curl testmynids.org/uid/index.html

2. curl -sSL https://raw.githubusercontent.com/0xtf/testmynids.org/master/tmNIDS -o /tmp/tmNIDS && chmod +x /tmp/tmNIDS && /tmp/tmNIDS (but I not using /tmp but my home directory)

and also already enabled idstools

[anitatata]

Do you use suricata or zeek in your mdengine?
currently i'm using zeek, should I change to suricata? and follow this link?
https://docs.securityonion.net/en/2.4/suricata.html

[reyesj2]

Are you deploying via one of our cloud images?

[anitatata]

Yes I'm deploying via this link
https://download.securityonion.net/file/securityonion/securityonion-2.4.40-20240116.iso

[anitatata]

Any suggestion guys? My security onion still has no alerts
Please Help

[anitatata]

Below is the capture

[cm-ops]

Those eve logs look empty.

[anitatata]

Yes the log is empty, is there anything I can do to make the alerts tab showing?

[cm-ops]

Do you see a Suricata index if you run sudo so-elasticsearch-indices-list?

[anitatata]

Below is the output when I run

[zazman49]

solved , by moving the endpoints from Elastic fleet policies into so-grid and it worked

[anitatata]

Hello can you tell more about how to do it?

[zazman49]

first step click on elastic fleet --> choose agents endpoint ---> select the three dots on the right --> move them to so-grid policy or the policy you chosse