Not getting any logs after configuring Custom Log integration #12466

THExCAPN · 2024-02-29T16:57:46Z

THExCAPN
Feb 29, 2024

Version

2.4.50

Installation Method

Security Onion ISO image

Description

configuration

Installation Type

Distributed

Location

on-prem with Internet access

Hardware Specs

Exceeds minimum requirements

CPU

32

RAM

800GB

Storage for /

256GB

Storage for /nsm

16TB

Network Traffic Collection

other (please provide detail below)

Network Traffic Speeds

Less than 1Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

No, there are no failures

Logs

Yes, there are additional clues in /opt/so/log/ (please provide detail below)

Detail

I was messing around with configuring a custom log integration through the Elastic Agent, and after I had I had configured it and got it to work all was fine until I started to notice that I was not getting any other logs.

During the configuration process I had had discovered that the custom logs were being indexed by the index template "so-logs" instead of the custom template I created so I increased the priority of my custom one to be above so-logs.

After discovering the issue I reverted all the changes I had made but am still not seeing any logs. I even spun up a fresh SO install on a test server and compared all the index templates side by side and everything matched what I have on my main server.

The only error I see in the logs is the following but google doesn't return anything useful

[WARN ][rest.suppressed          ] path: /.ds-logs-*/_eql/search, params: {ignore_unavailable=true, index=.ds-logs-*}
org.elasticsearch.action.search.SearchPhaseExecutionException: Partial shards failure

Any help at all would be appreciated.

Guidelines

I have read the discussion guidelines at Read before posting! #1720 and assert that I have followed the guidelines.

cm-ops · 2024-03-01T17:59:53Z

cm-ops
Mar 1, 2024
Maintainer

Are you able to run sudo so-elasticsearch-query _cat/shards? Do you see shards that are failed?

7 replies

free-viruzdotorg Apr 3, 2024

oh man... dont i feel dumb.... PEBCAK error

looks like i have 3 duplicate indexes specifically here:

.items-default-000001	0	p	STARTED	0	248b	192.168.80.50	aaa004
.items-default-000001	0	r	UNASSIGNED				
.ds-.logs-endpoint.diagnostic.collection-default-2024.03.23-000010	0	p	STARTED	0	248b	192.168.80.50	aaa004
.ds-.logs-endpoint.diagnostic.collection-default-2024.03.23-000010	0	r	UNASSIGNED				
.lists-default-000001	0	p	STARTED	0	248b	192.168.80.50	aaa004
.lists-default-000001	0	r	UNASSIGNED

here is the output

.ds-.fleet-actions-results-2024.03.12-000002                       0 p STARTED           20   121kb 192.168.80.50 aaa004
.ds-logs-kratos-so-2024.01.13-000001                               0 p STARTED        64583 108.7mb 192.168.80.50 aaa004
.apm-custom-link                                                   0 p STARTED            0    248b 192.168.80.50 aaa004
.ds-logs-elastic_agent.osquerybeat-default-2024.01.13-000002       0 p STARTED        61022  82.1mb 192.168.80.50 aaa004
.ds-logs-windows.powershell-default-2024.02.11-000001              0 p STARTED           99 349.3kb 192.168.80.50 aaa004
.ds-logs-elastic_agent.osquerybeat-default-2024.02.04-000003       0 p STARTED            8    72kb 192.168.80.50 aaa004
.ds-logs-endpoint.events.api-default-2024.03.13-000002             0 p STARTED            0    248b 192.168.80.50 aaa004
elastalert_error                                                   0 p STARTED     16712877  13.3gb 192.168.80.50 aaa004
.internal.alerts-observability.apm.alerts-default-000001           0 p STARTED            0    248b 192.168.80.50 aaa004
.ds-logs-system.auth-default-2024.03.13-000003                     0 p STARTED         3977   6.1mb 192.168.80.50 aaa004
.ds-logs-osquery_manager.result-default-2024.03.12-000002          0 p STARTED         2400 620.5kb 192.168.80.50 aaa004
.ds-metrics-endpoint.metadata-default-2024.02.11-000001            0 p STARTED          123 852.7kb 192.168.80.50 aaa004
.ds-logs-elastic_agent.fleet_server-default-2024.01.13-000003      0 p STARTED         9016  19.9mb 192.168.80.50 aaa004
.ds-logs-elastic_agent-default-2024.02.04-000004                   0 p STARTED            1  18.7kb 192.168.80.50 aaa004
.kibana_alerting_cases_8.10.4_001                                  0 p STARTED          967     8mb 192.168.80.50 aaa004
.ds-logs-endpoint.events.network-default-2024.02.11-000001         0 p STARTED       851774 232.5mb 192.168.80.50 aaa004
.ds-logs-elastic_agent.filebeat-default-2024.01.13-000001          0 p STARTED          302 340.4kb 192.168.80.50 aaa004
.ds-logs-elastic_agent.filebeat-default-2024.02.04-000003          0 p STARTED           36 315.4kb 192.168.80.50 aaa004
.apm-agent-configuration                                           0 p STARTED            0    248b 192.168.80.50 aaa004
.ds-logs-suricata-so-2024.02.13-000002                             0 p STARTED         1814   1.9mb 192.168.80.50 aaa004
.ds-logs-elastic_agent.filebeat-default-2024.01.13-000002          0 p STARTED       254476  72.1mb 192.168.80.50 aaa004
.ds-ilm-history-5-2024.01.13-000001                                0 p STARTED          257   139kb 192.168.80.50 aaa004
.ds-logs-elastic_agent.osquerybeat-default-2024.01.13-000001       0 p STARTED           69 480.6kb 192.168.80.50 aaa004
.ds-.fleet-fileds-fromhost-meta-agent-2024.03.12-000002            0 p STARTED            0    248b 192.168.80.50 aaa004
.ds-logs-system.syslog-default-2024.01.13-000001                   0 p STARTED     12777878   1.8gb 192.168.80.50 aaa004
.ds-logs-elastic_agent.fleet_server-default-2024.03.05-000006      0 p STARTED        39087  45.9mb 192.168.80.50 aaa004
elastalert_silence                                                 0 p STARTED            0    248b 192.168.80.50 aaa004
.internal.alerts-security.alerts-default-000001                    0 p STARTED            2  76.7kb 192.168.80.50 aaa004
.ds-logs-system.system-default-2024.03.12-000002                   0 p STARTED            0    248b 192.168.80.50 aaa004
.ds-logs-elastic_agent-default-2024.01.13-000002                   0 p STARTED          101 286.8kb 192.168.80.50 aaa004
.ds-logs-windows.powershell-default-2024.03.12-000002              0 p STARTED            0    248b 192.168.80.50 aaa004
.security-7                                                        0 p STARTED         1062 759.1kb 192.168.80.50 aaa004
logs-ti_anomali_latest.threatstream-2                              0 p STARTED            0    248b 192.168.80.50 aaa004
.ds-logs-system.security-default-2024.03.12-000002                 0 p STARTED            0    248b 192.168.80.50 aaa004
.ds-logs-elastic_agent.filebeat-default-2024.02.04-000004          0 p STARTED       498591   149mb 192.168.80.50 aaa004
.ds-logs-suricata-so-2024.01.14-000001                             0 p STARTED          125 557.5kb 192.168.80.50 aaa004
.ds-logs-endpoint.events.api-default-2024.02.12-000001             0 p STARTED           12 139.7kb 192.168.80.50 aaa004
.fleet-policies-7                                                  0 p STARTED          197   2.5mb 192.168.80.50 aaa004
.kibana_security_session_1                                         0 p STARTED            3  19.7kb 192.168.80.50 aaa004
.ds-logs-system.syslog-default-2024.03.12-000005                   0 p STARTED    200401461    15gb 192.168.80.50 aaa004
.internal.alerts-observability.uptime.alerts-default-000001        0 p STARTED            0    248b 192.168.80.50 aaa004
.fleet-artifacts-7                                                 0 p STARTED           15  14.8kb 192.168.80.50 aaa004
.fleet-enrollment-api-keys-7                                       0 p STARTED            8  52.6kb 192.168.80.50 aaa004
.ds-logs-endpoint.events.library-default-2024.02.11-000001         0 p STARTED         3071   2.4mb 192.168.80.50 aaa004
.ds-logs-playbook.alerts-so-2024.02.11-000001                      0 p STARTED     12304781   4.8gb 192.168.80.50 aaa004
.logs-osquery_manager.action.responses-default                     0 p STARTED          131 303.2kb 192.168.80.50 aaa004
.ds-logs-suricata-so-2024.03.14-000003                             0 p STARTED            0    248b 192.168.80.50 aaa004
.logs-osquery_manager.actions-default                              0 p STARTED            5  85.3kb 192.168.80.50 aaa004
.fleet-agents-7                                                    0 p STARTED            7 285.2kb 192.168.80.50 aaa004
.ds-logs-elastic_agent.metricbeat-default-2024.02.11-000001        0 p STARTED           42 126.9kb 192.168.80.50 aaa004
.kibana_8.10.4_001                                                 0 p STARTED         1793 203.5kb 192.168.80.50 aaa004
.slo-observability.sli-v2                                          0 p STARTED            0    248b 192.168.80.50 aaa004
.kibana-observability-ai-assistant-conversations-000001            0 p STARTED            0    248b 192.168.80.50 aaa004
.ds-logs-elastic_agent.fleet_server-default-2024.02.04-000004      0 p STARTED            8 145.3kb 192.168.80.50 aaa004
.geoip_databases                                                   0 p STARTED           37  37.2mb 192.168.80.50 aaa004
.ds-logs-system.auth-default-2024.02.12-000002                     0 p STARTED         4315   7.8mb 192.168.80.50 aaa004
.ds-.logs-endpoint.diagnostic.collection-default-2024.03.23-000010 0 p STARTED            0    248b 192.168.80.50 aaa004
.ds-.logs-endpoint.diagnostic.collection-default-2024.03.23-000010 0 r UNASSIGNED                                 
.ds-logs-soc-so-2024.03.13-000003                                  0 p STARTED      3606301     1gb 192.168.80.50 aaa004
.lists-default-000001                                              0 p STARTED            0    248b 192.168.80.50 aaa004
.lists-default-000001                                              0 r UNASSIGNED                                 
.ds-metrics-endpoint.metrics-default-2024.02.11-000001             0 p STARTED          123   1.3mb 192.168.80.50 aaa004
.ds-logs-elastic_agent.fleet_server-default-2024.01.13-000001      0 p STARTED          100 130.6kb 192.168.80.50 aaa004
.ds-logs-soc-so-2024.01.13-000001                                  0 p STARTED      5195774   1.5gb 192.168.80.50 aaa004
.ds-logs-system.syslog-default-2024.03.13-000006                   0 p STARTED    200824043  14.8gb 192.168.80.50 aaa004
.ds-logs-syslog-so-2024.03.19-000002                               0 p STARTED     19879901   7.6gb 192.168.80.50 aaa004
.transform-internal-007                                            0 p STARTED          177 157.8kb 192.168.80.50 aaa004
elastalert                                                         0 p STARTED      1230261 904.5mb 192.168.80.50 aaa004
.kibana_analytics_8.10.4_001                                       0 p STARTED         8857   7.3mb 192.168.80.50 aaa004
.ds-logs-osquery_manager.result-default-2024.02.11-000001          0 p STARTED         5674     2mb 192.168.80.50 aaa004
.ds-logs-elastic_agent-default-2024.03.05-000006                   0 p STARTED        10295   8.9mb 192.168.80.50 aaa004
.ds-logs-system.system-default-2024.02.11-000001                   0 p STARTED         6630   2.6mb 192.168.80.50 aaa004
.ds-.fleet-fileds-fromhost-meta-agent-2024.02.11-000001            0 p STARTED            1   7.2kb 192.168.80.50 aaa004
.ds-logs-system.application-default-2024.02.11-000001              0 p STARTED         1863   1.6mb 192.168.80.50 aaa004
.ds-behavioral_analytics-events-caresecall-2024.03.29-000001       0 p STARTED            0    248b 192.168.80.50 aaa004
.ds-logs-endpoint.events.security-default-2024.03.12-000002        0 p STARTED            0    248b 192.168.80.50 aaa004
.ds-metrics-endpoint.policy-default-2024.02.11-000001              0 p STARTED          108 638.7kb 192.168.80.50 aaa004
.ds-logs-kratos-so-2024.02.12-000002                               0 p STARTED        74358 115.4mb 192.168.80.50 aaa004
.ds-logs-elastic_agent.metricbeat-default-2024.03.12-000002        0 p STARTED           42  80.4kb 192.168.80.50 aaa004
.ds-ilm-history-5-2024.02.12-000002                                0 p STARTED          466 408.2kb 192.168.80.50 aaa004
.ds-logs-system.application-default-2024.03.12-000002              0 p STARTED            0    248b 192.168.80.50 aaa004
.ds-logs-elasticsearch.server-default-2024.03.13-000003            0 p STARTED      8329078     1gb 192.168.80.50 aaa004
so-case                                                            0 p STARTED           13 161.6kb 192.168.80.50 aaa004
.internal.alerts-observability.logs.alerts-default-000001          0 p STARTED            0    248b 192.168.80.50 aaa004
.ds-logs-zeek-so-2024.03.13-000003                                 0 p STARTED         8994   7.3mb 192.168.80.50 aaa004
.ds-logs-zeek-so-2024.03.13-000003                                 1 p STARTED         8934   7.2mb 192.168.80.50 aaa004
.ds-.fleet-fileds-fromhost-data-agent-2024.02.18-000002            0 p STARTED            0    248b 192.168.80.50 aaa004
.metrics-endpoint.metadata_united_default                          0 p STARTED            7 354.2kb 192.168.80.50 aaa004
.ds-logs-system.syslog-default-2024.03.16-000008                   0 p STARTED     49255140   4.5gb 192.168.80.50 aaa004
so-casehistory                                                     0 p STARTED           25 311.1kb 192.168.80.50 aaa004
.tasks                                                             0 p STARTED          320 252.1kb 192.168.80.50 aaa004
.ds-logs-zeek-so-2024.01.13-000001                                 0 p STARTED        77617  54.8mb 192.168.80.50 aaa004
.ds-logs-zeek-so-2024.01.13-000001                                 1 p STARTED        77962  53.4mb 192.168.80.50 aaa004
elastalert_status                                                  0 p STARTED     32905045   4.9gb 192.168.80.50 aaa004
.kibana_ingest_8.10.4_001                                          0 p STARTED         8297  85.3mb 192.168.80.50 aaa004
.ds-logs-endpoint.events.registry-default-2024.03.12-000002        0 p STARTED            0    248b 192.168.80.50 aaa004
.ds-logs-syslog-so-2024.02.18-000001                               0 p STARTED     25664836   9.8gb 192.168.80.50 aaa004
.items-default-000001                                              0 p STARTED            0    248b 192.168.80.50 aaa004
.items-default-000001                                              0 r UNASSIGNED                                 
.ds-logs-kratos-so-2024.03.13-000003                               0 p STARTED        78022 159.3mb 192.168.80.50 aaa004
.ds-metrics-endpoint.metrics-default-2024.03.28-000002             0 p STARTED           13 393.7kb 192.168.80.50 aaa004
.ds-logs-elastic_agent-default-2024.02.04-000005                   0 p STARTED         8525   7.2mb 192.168.80.50 aaa004
.slo-observability.summary-v2.temp                                 0 p STARTED            0    248b 192.168.80.50 aaa004
.security-profile-8                                                0 p STARTED            1   9.1kb 192.168.80.50 aaa004
.ds-logs-endpoint.events.process-default-2024.03.12-000002         0 p STARTED      1333472     1gb 192.168.80.50 aaa004
.ds-logs-playbook.alerts-so-2024.03.12-000002                      0 p STARTED       295629 145.1mb 192.168.80.50 aaa004
.ds-logs-elastic_agent.endpoint_security-default-2024.02.11-000001 0 p STARTED       196236 166.6mb 192.168.80.50 aaa004
.ds-metrics-endpoint.policy-default-2024.03.28-000002              0 p STARTED           12 309.4kb 192.168.80.50 aaa004
.ds-logs-system.security-default-2024.02.11-000001                 0 p STARTED       103738  69.2mb 192.168.80.50 aaa004
.transform-notifications-000002                                    0 p STARTED          757 244.8kb 192.168.80.50 aaa004
.slo-observability.summary-v2                                      0 p STARTED            0    248b 192.168.80.50 aaa004
.ds-logs-zeek-so-2024.02.12-000002                                 0 p STARTED       294575 290.1mb 192.168.80.50 aaa004
.ds-logs-zeek-so-2024.02.12-000002                                 1 p STARTED       293385 191.7mb 192.168.80.50 aaa004
.ds-logs-elastic_agent.filebeat-default-2024.03.05-000005          0 p STARTED       567872 196.2mb 192.168.80.50 aaa004
.internal.alerts-observability.slo.alerts-default-000001           0 p STARTED            0    248b 192.168.80.50 aaa004
.ds-logs-system.auth-default-2024.01.13-000001                     0 p STARTED         1928   2.5mb 192.168.80.50 aaa004
.internal.alerts-security.alerts-default-000002                    0 p STARTED          555   3.9mb 192.168.80.50 aaa004
.kibana_task_manager_8.10.4_001                                    0 p STARTED          923 452.2kb 192.168.80.50 aaa004
.ds-logs-system.syslog-default-2024.02.12-000002                   0 p STARTED    200462635  15.9gb 192.168.80.50 aaa004
.ds-logs-import-so-2024.03.24-000001                               0 p STARTED           45 349.3kb 192.168.80.50 aaa004
.kibana_security_solution_8.10.4_001                               0 p STARTED         2779   3.8mb 192.168.80.50 aaa004
.ds-.fleet-actions-results-2024.02.11-000001                       0 p STARTED          116 231.1kb 192.168.80.50 aaa004
.internal.alerts-stack.alerts-default-000001                       0 p STARTED            0    248b 192.168.80.50 aaa004
.ds-.kibana-event-log-8.10.4-2024.01.13-000001                     0 p STARTED            4  24.4kb 192.168.80.50 aaa004
elastalert_past                                                    0 p STARTED            0    248b 192.168.80.50 aaa004
.ds-logs-elastic_agent-default-2024.01.13-000001                   0 p STARTED           64   174kb 192.168.80.50 aaa004
.ds-logs-endpoint.events.registry-default-2024.02.11-000001        0 p STARTED        22968   9.7mb 192.168.80.50 aaa004
.ds-logs-system.syslog-default-2024.03.10-000004                   0 p STARTED    200228944  14.6gb 192.168.80.50 aaa004
.ds-logs-endpoint.events.library-default-2024.03.12-000002         0 p STARTED            0    248b 192.168.80.50 aaa004
.ds-logs-elastic_agent-default-2024.01.13-000003                   0 p STARTED          762 855.7kb 192.168.80.50 aaa004
.async-search                                                      0 p STARTED            0    257b 192.168.80.50 aaa004
.ds-logs-system.syslog-default-2024.03.15-000007                   0 p STARTED    200348464  14.8gb 192.168.80.50 aaa004
.ds-logs-elasticsearch.server-default-2024.01.13-000001            0 p STARTED        67729  27.5mb 192.168.80.50 aaa004
.ds-logs-elastic_agent.endpoint_security-default-2024.03.12-000002 0 p STARTED       137979 105.3mb 192.168.80.50 aaa004
.ds-.kibana-event-log-8.10.4-2024.02.12-000002                     0 p STARTED            4  24.4kb 192.168.80.50 aaa004
.ds-logs-endpoint.events.file-default-2024.02.11-000001            0 p STARTED     14012927   2.9gb 192.168.80.50 aaa004
.fleet-actions-7                                                   0 p STARTED           19    17kb 192.168.80.50 aaa004
.apm-source-map                                                    0 p STARTED            0    248b 192.168.80.50 aaa004
.ds-ilm-history-5-2024.03.13-000003                                0 p STARTED          236 203.2kb 192.168.80.50 aaa004
logs-ti_recordedfuture_latest.threat-1                             0 p STARTED            0    248b 192.168.80.50 aaa004
.ds-logs-endpoint.events.file-default-2024.03.12-000002            0 p STARTED      9149250     2gb 192.168.80.50 aaa004
.ds-logs-endpoint.events.network-default-2024.03.12-000002         0 p STARTED       206231 229.6mb 192.168.80.50 aaa004
.ds-metrics-endpoint.metadata-default-2024.03.28-000002            0 p STARTED           13 302.9kb 192.168.80.50 aaa004
.fleet-policies-leader-7                                           0 p STARTED            8  33.9kb 192.168.80.50 aaa004
.internal.alerts-observability.metrics.alerts-default-000001       0 p STARTED            0    248b 192.168.80.50 aaa004
.ds-logs-elastic_agent.fleet_server-default-2024.01.13-000002      0 p STARTED           27 243.2kb 192.168.80.50 aaa004
.ds-.kibana-event-log-8.10.4-2024.03.13-000003                     0 p STARTED      1053216 193.7mb 192.168.80.50 aaa004
.ds-logs-soc-so-2024.02.12-000002                                  0 p STARTED      5176581   1.5gb 192.168.80.50 aaa004
.ds-logs-elastic_agent.osquerybeat-default-2024.02.04-000004       0 p STARTED       207462 240.3mb 192.168.80.50 aaa004
.ds-logs-endpoint.events.security-default-2024.02.11-000001        0 p STARTED        35300  24.4mb 192.168.80.50 aaa004
metrics-endpoint.metadata_current_default                          0 p STARTED            3  68.8kb 192.168.80.50 aaa004
.ds-logs-elastic_agent.osquerybeat-default-2024.03.05-000005       0 p STARTED       221822 262.4mb 192.168.80.50 aaa004
.ds-logs-system.syslog-default-2024.03.09-000003                   0 p STARTED    200670549  14.7gb 192.168.80.50 aaa004
.ds-logs-endpoint.events.process-default-2024.02.11-000001         0 p STARTED       955196 708.3mb 192.168.80.50 aaa004
.ds-logs-elasticsearch.server-default-2024.02.12-000002            0 p STARTED      5970647 809.8mb 192.168.80.50 aaa004
logs-ti_otx_latest.dest_pulses_subscribed-1                        0 p STARTED            0    248b 192.168.80.50 aaa004
.ds-logs-elastic_agent.fleet_server-default-2024.02.04-000005      0 p STARTED        27275  40.3mb 192.168.80.50 aaa004
.fleet-servers-7                                                   0 p STARTED            3  44.2kb 192.168.80.50 aaa004

cm-ops Apr 4, 2024
Maintainer

Check why they are unassigned - sudo so-elasticsearch-query _cluster/allocation/explain?pretty -d' { "index": ".items-default-000001", "shard": 0, "primary": false }' you can use the same command and check the other index as well.

free-viruzdotorg Apr 5, 2024

Just a note, ive had a lot of issues and am basically rebuilding this entire machine from the beginning as nothing literally was working out of the box. I have no clue why, but it's working as I go throughout the github. This is probably the biggest issue that is the last thing I have currently. I am extremely new to the whole ELK stack overall and trying to figure things out at this time. But here is the info you requested. version 2.3 didnt have these issues on 2.4. this is a personal project of mine.

input -

sudo so-elasticsearch-query _cluster/allocation/explain?pretty -d' { "index": ".ds-.logs-endpoint.diagnostic.collection-default-2024.03.23-000010", "shard": 0, "primary": false }'

Output below:

{
  "index" : ".ds-.logs-endpoint.diagnostic.collection-default-2024.03.23-000010",
  "shard" : 0,
  "primary" : false,
  "current_state" : "unassigned",
  "unassigned_info" : {
    "reason" : "CLUSTER_RECOVERED",
    "at" : "2024-04-04T12:58:21.451Z",
    "last_allocation_status" : "no_attempt"
  },
  "can_allocate" : "no",
  "allocate_explanation" : "Elasticsearch isn't allowed to allocate this shard to any of the nodes in the cluster. Choose a node to which you expect this shard to be allocated, find this node in the node-by-node explanation, and address the reasons which prevent Elasticsearch from allocating this shard there.",
  "node_allocation_decisions" : [
    {
      "node_id" : "Ac0z223IQd-UAZ8Ia896pw",
      "node_name" : "aaa004",
      "transport_address" : "192.168.80.50:9300",
      "node_attributes" : {
        "xpack.installed" : "true",
        "transform.config_version" : "10.0.0"
      },
      "node_decision" : "no",
      "deciders" : [
        {
          "decider" : "same_shard",
          "decision" : "NO",
          "explanation" : "a copy of this shard is already allocated to this node [[.ds-.logs-endpoint.diagnostic.collection-default-2024.03.23-000010][0], node[Ac0z223IQd-UAZ8Ia896pw], [P], s[STARTED], a[id=vag3r4t4REimJgsbYvILkA], failed_attempts[0]]"
        }
      ]
    }
  ]
}

Correct me if im wrong.. this is a standard installation for a management node and no other nodes are in my environment. This isn't mission critical but im learning throughout this entire process and just found out that shard replication errors is happening because of me having only 1 node on the network. BUT if i had (i think..) a sensor on my network on a separate i would assume this would not be an issue , correct? Im probably wrong.
I fixed the other 2 at this time by going into the salt master and changing the replicas from 1 to 0 and currently this is the only indice error im getting which isnt in the yaml file as far as i can see unless I completely messed something up (i think i did to be honest)

cm-ops Apr 8, 2024
Maintainer

Does this work on the replica shards? https://docs.securityonion.net/en/2.4/release-notes.html#known-issues

free-viruzdotorg Apr 9, 2024

(sorry if i explain this wrong)

Just an update here
I did what you said and it worked.
What was done:

Did the configuration of the data nodes for the replica shards as you linked
Restarted the elasticsearch container
Waited 20-25 minutes
verified the cluster health is allocated properly
verified the security onion console is healthy
all the indices are presented properly

Hopefully the original poster has the similar issue and can try that as well which sounded like it

Not getting any logs after configuring Custom Log integration #12466

Uh oh!

THExCAPN Feb 29, 2024

Version

Installation Method

Description

Installation Type

Location

Hardware Specs

CPU

RAM

Storage for /

Storage for /nsm

Network Traffic Collection

Network Traffic Speeds

Status

Salt Status

Logs

Detail

Guidelines

Replies: 1 comment · 7 replies

Uh oh!

Uh oh!

cm-ops Mar 1, 2024 Maintainer

Uh oh!

Uh oh!

free-viruzdotorg Apr 3, 2024

Uh oh!

cm-ops Apr 4, 2024 Maintainer

Uh oh!

Uh oh!

free-viruzdotorg Apr 5, 2024

Uh oh!

cm-ops Apr 8, 2024 Maintainer

Uh oh!

free-viruzdotorg Apr 9, 2024

THExCAPN
Feb 29, 2024

Replies: 1 comment 7 replies

cm-ops
Mar 1, 2024
Maintainer

cm-ops Apr 4, 2024
Maintainer

cm-ops Apr 8, 2024
Maintainer