Forward node not sending data to Manager Search #12620

its-a-me-mario-the-og · 2024-03-20T15:57:11Z

its-a-me-mario-the-og
Mar 20, 2024

Version

2.4.50

Installation Method

Network installation on Debian

Description

other (please provide detail below)

Installation Type

Distributed

Location

on-prem with Internet access

Hardware Specs

Exceeds minimum requirements

CPU

6

RAM

20

Storage for /

2 TB

Storage for /nsm

2 TB

Network Traffic Collection

tap

Network Traffic Speeds

1Gbps to 10Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

No, there are no failures

Logs

No, there are no additional clues

Detail

I have a distributed setup with two forward nodes, one forward node is at one office by itself. The other forward node is at an office with the manager search node. The one at the other office by itself is sending data from what it is seeing to the manager and it is showing up in the web interface. The forward node that is at the same office as the manager is seeing traffic as well, but it is not forwarding data to the manager and it is not showing up in the web interface.

I looked into the logs on the manager to get an idea of what it might be, looked at log-stash, Redis, and then Elasticsearch and nothing unusual there. Got into the forward node in question and looked at the logs there and the Telegraf log showed a problem with one of the scripts, the suriloss.sh was the problem script. I believe this might be pointing towards InfluxDB, I've tested the port connections to the firewall and it was all successful. I've been looking around but don't have a good idea of where else to look, any help is appreciated!

Guidelines

I have read the discussion guidelines at Read before posting! #1720 and assert that I have followed the guidelines.

Answered by its-a-me-mario-the-og

Mar 21, 2024

That looks to be the fix, it finally got added to Elastic Fleet I know can see the data from the office that I couldn't see to begin with. Thank you @cm-ops for pointing me in the right direction!

View full answer

cm-ops · 2024-03-21T13:13:06Z

cm-ops
Mar 21, 2024
Maintainer

On the sensor that is not sending logs, chech the Elastic Agent, elastic-agent status make sure that is showing healthy. If it is showing healthy, check connectivity to the manager (Logstash) port 5055.

2 replies

its-a-me-mario-the-og Mar 21, 2024
Author

I found something interesting, I checked the forward node and I couldn't find elastic agent anywhere, I went and checked Elastic Fleet. The sensor that is sending data is showing in Elastic Fleet, but the one that isn't sending data is not in Elastic Fleet. I'm doing the Elastic Agent script to add it to the fleet and see if that is the problem.

its-a-me-mario-the-og Mar 21, 2024
Author

That looks to be the fix, it finally got added to Elastic Fleet I know can see the data from the office that I couldn't see to begin with. Thank you @cm-ops for pointing me in the right direction!

Answer selected by its-a-me-mario-the-og

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Forward node not sending data to Manager Search #12620

Uh oh!

{{title}}

Uh oh!

Replies: 1 comment 2 replies

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

Forward node not sending data to Manager Search #12620

Uh oh!

its-a-me-mario-the-og Mar 20, 2024

Version

Installation Method

Description

Installation Type

Location

Hardware Specs

CPU

RAM

Storage for /

Storage for /nsm

Network Traffic Collection

Network Traffic Speeds

Status

Salt Status

Logs

Detail

Guidelines

Replies: 1 comment · 2 replies

Uh oh!

cm-ops Mar 21, 2024 Maintainer

Uh oh!

its-a-me-mario-the-og Mar 21, 2024 Author

Uh oh!

its-a-me-mario-the-og Mar 21, 2024 Author

its-a-me-mario-the-og
Mar 20, 2024

Replies: 1 comment 2 replies

cm-ops
Mar 21, 2024
Maintainer

its-a-me-mario-the-og Mar 21, 2024
Author

its-a-me-mario-the-og Mar 21, 2024
Author