Replies: 5 comments 5 replies
-
After rerunning the command so-checkin (as root user and not like sudo so-checkin), it returned fully healthy.
-
Maybe the problem could be this?
-
I am also having this issue. Similar specs (SO iso and status, but this is a distributed setup), all docker containers appear healthy. I believe this error is also preventing my elastic agents from working correctly. On fleet, all dashboards and elastic point to healthy status. The same error: "failed in Fleet agent final_pipeline: field [created] not present as part of path [event.created]" is observed on all of my sensor nodes. Please let me know if you figure anything out.
-
I am seeing the same issue. I wish I had more to add. I am also on 2.4.60 distributed setup.
-
Even if I had copied it, I have the same problem as I described to our friend. Can anyone from the community help us?
-
Version
2.4.40
Installation Method
Security Onion ISO image
Description
configuration
Installation Type
Standalone
Location
on-prem with Internet access
Hardware Specs
Exceeds minimum requirements
CPU
4
RAM
96
Storage for /
200
Storage for /nsm
200
Network Traffic Collection
tap
Network Traffic Speeds
Less than 1Gbps
Status
Yes, all services on all nodes are running OK
Salt Status
Yes, there are salt failures (please provide detail below)
Logs
No, there are no additional clues
Detail
I have installed Security Onion 2.4.40 and I don't get any syslog logs.
My test setup is built with a server that runs ESXi 8. On that server there are 3 virtual machines: 1 Security Onion, 2 Windows desktop, 3 Debian webserver.
I noticed that in my dashboard a lot of syslogs, elastic_Agent.filebeat and other elastic logs from the Security Onion are missing. I did configure the syslog firewall to allow all traffic on my network (allow 192.168.159.0/27).
How can I get the syslog data in my Security Onion dashboards?
I tried to install the agent again on the Onion but I got the message that it is already installed, so I assume that it is working.
Below are some screenshots that hopefully help!
FYI: salt status returns that it is running as PID and was started at [Timestamp], but it wasn't able to compile the data.