Elastalert error "Name or service not known"

[Chris-GNS]

Version

2.4.50

Installation Method

Security Onion ISO image

Description

other (please provide detail below)

Installation Type

Standalone

Location

on-prem with Internet access

Hardware Specs

Exceeds minimum requirements

CPU

8

RAM

384GB

Storage for /

2.5TB

Storage for /nsm

1.5TB

Network Traffic Collection

span port

Network Traffic Speeds

Less than 1Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

No, there are no failures

Logs

No, there are no additional clues

Detail

After a fresh bare metal install of 2.4.50 I receive an error when I run so-elastalert-test. The test is successful but fails to connect to the elastalert docker. It looks like a DNS issue but I don't know.

Error running your filter:
ConnectionError('N/A', "HTTPSConnectionPool(host='security-onion', port=9200): Max retries exceeded with url: /%3Aso-ids-/_search?ignore_unavailable=true&size=1 (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x7f0d4b611c90>: Failed to establish a new connection: [Errno -2] Name or service not known'))", ConnectionError(MaxRetryError("HTTPSConnectionPool(host='security-onion', port=9200): Max retries exceeded with url: /%3Aso-ids-/_search?ignore_unavailable=true&size=1 (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x7f0d4b611c90>: Failed to establish a new connection: [Errno -2] Name or service not known'))")))

Any help is appreciated the elastalert rule worked before a fresh install.

TIA,
Chris

Guidelines

• I have read the discussion guidelines at Read before posting! #1720 and assert that I have followed the guidelines.

[reyesj2]

sudo so-status shows all services running?

From SOC go to grid then click the drop down icon next to your standalone node and look at the 'Elasticsearch Status:' Does it also show as 'OK'?
https://docs.securityonion.net/en/2.4/grid.html#grid

[Chris-GNS]

Yes, all services or dockers are running and green.

                    Security Onion Status                        
                     Container ¦ Status  ¦               Details 

-----------------------------------+---------+-----------------------
so-dockerregistry ¦ running ¦ Up 23 hours
so-elastalert ¦ running ¦ Up 23 hours
so-elastic-fleet ¦ running ¦ Up 23 hours
so-elastic-fleet-package-registry ¦ running ¦ Up 23 hours (healthy)
so-elasticsearch ¦ running ¦ Up 23 hours
so-idstools ¦ running ¦ Up 15 hours
so-influxdb ¦ running ¦ Up 23 hours (healthy)
so-kibana ¦ running ¦ Up 23 hours
so-kratos ¦ running ¦ Up 23 hours
so-logstash ¦ running ¦ Up 23 hours
so-mysql ¦ running ¦ Up 23 hours (healthy)
so-nginx ¦ running ¦ Up 23 hours (healthy)
so-playbook ¦ running ¦ Up 23 hours
so-redis ¦ running ¦ Up 23 hours
so-sensoroni ¦ running ¦ Up 23 hours
so-soc ¦ running ¦ Up 23 hours
so-soctopus ¦ running ¦ Up 23 hours
so-steno ¦ running ¦ Up 23 hours
so-strelka-backend ¦ running ¦ Up 23 hours
so-strelka-coordinator ¦ running ¦ Up 23 hours
so-strelka-filestream ¦ running ¦ Up 23 hours
so-strelka-frontend ¦ running ¦ Up 23 hours
so-strelka-gatekeeper ¦ running ¦ Up 23 hours
so-strelka-manager ¦ running ¦ Up 23 hours
so-suricata ¦ running ¦ Up 15 hours
so-telegraf ¦ running ¦ Up 23 hours
so-zeek ¦ running ¦ Up 23 hours (healthy)

? This onion is ready to make your adversaries cry!

[Chris-GNS]

I resolved this by putting the elasticsearch docker ip address in the rule.

Thanks,
Chris