Distributed Install - Storage and Forward Node Issues

[raphaeleid]

Version

2.4.40

Installation Method

Security Onion ISO image

Description

configuration

Installation Type

Distributed

Location

cloud

Hardware Specs

Exceeds minimum requirements

CPU

8

RAM

32

Storage for /

500

Storage for /nsm

500

Network Traffic Collection

tap

Network Traffic Speeds

Less than 1Gbps

Status

No, one or more services are failed (please provide detail below)

Salt Status

No, there are no failures

Logs

No, there are no additional clues

Detail

I am trying to deploy SO, distributed. with 3 Nodes:

1- Manager Node (ManagerSearch), working well, I am able to access the dashboard and everything is working well.

2- Storage/Log Node (SearchNode), it was working well after install, out of nowhere after rebooting the machine, ls and cd and other commands arent working, and /SecurityOnion directory couldnt be found.

And after trying to connect SSH to this node it is closing the connection directly.

3- Forward Node (Sensor), is failing after the first install, then after re-installing it is working; two members are appearing under Administration -> Grid Members one Pending Member with different fingerprint than the one given after install, and the other under Denied Members with the right fingerprint, but I couldn't accept it at all.

why out of nowhere the Storage/Log Node is closing connection directly, and when trying to reach it I cant execute commands like cd ls it is saying bash: command not found (something close)

and why the forward node is showing two members with 2 different fingerprints?

Guidelines

• I have read the discussion guidelines at Read before posting! #1720 and assert that I have followed the guidelines.

[cm-ops]

Starting with #3 when you reinstalled there was a pending salt key or accepted salt key, The salt master rejected the key. Try launching setup again, but when you reach the continue screen, delete both salt keys and run through setup again.

For the second one, are you able to run salt commands from the manager to the search node? Something like salt \*searchnode test.ping or salt \*searchnode cmd.run "df -h"?

[raphaeleid]

Thank you for your response.

Regarding #3, where can I find the salt master key? or at least delete it? is there any steps in the documentation? Because when I reach the continue screen, it is not showing any salt key so I could delete it. I click continue and join it to the manager node.

And now when I deleted the pending grid in SOC, and re-ran the install on the Sensor node, it failed for the first time, I think it will succeed the second time I try.

I tried the second time and the install succeeded, with two different nodes, again, 1 node in the Pending Members with a different fingerprint, and other node on the Denied Members with the right fingerprint for the sensor node.

Regarding #2, I am not able to run both commands provided.
Error:

Minion did not return. [no response]
The minions may not have all finished running and any remaining minions will return upon completion. To look up the return data for this job later, run the following command:

salt-run jobs.lookup_jid <id>

After running salt-run jobs.lookup_jid <id> I am receiving [INFO] Runner Complete: <id>

[cm-ops]

You can see the salt keys in SOC > Administration > Grid Members or if you are in the CLI on the manager, sudo salt-key -L to list and sudo salt-key -d $minion to delete the minion key, replace $minion with your minion's name from the list. If there are two keys for the same minion one will be denied.