sensor node salt-call state.highstate failed

[witekenea]

Version

2.4.30

Installation Method

Security Onion ISO image

Description

configuration

Installation Type

Distributed

Location

cloud

Hardware Specs

Meets minimum requirements

CPU

8

RAM

64

Storage for /

200

Storage for /nsm

300

Network Traffic Collection

tap

Network Traffic Speeds

Less than 1Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

Yes, there are salt failures (please provide detail below)

Logs

No, there are no additional clues

Detail

I have installed security onion distributed and have a manager node, search node and sensor node. The installation of both manager node and search node went smooth and works fine.when we come to sensor node its installed and is shown in the grid members list but not in the grid. when running sudo so-status on the sensor node it says "not yet available "and sudo salt-call state.highstate on the sensor node says " Data failed to compile: Rendering SLS 'base:ssl' failed: Jinja variable list object has no element 0; line 48" how can i fix this?

Guidelines

• I have read the discussion guidelines at Read before posting! #1720 and assert that I have followed the guidelines.

[reyesj2]

Does removing it from the grid members and re-running so-setup on the sensor get rid of the error?

[witekenea]

hello, thank you for the reply. Yes that fixed the error and now it is seen in the grid list. But for some reason if the manager node and sensor node is up the search node will be down ..it is like one of them has to be down for the other two to work. i try salt-call state.highstate on all of them and no error on the sensor and search node but the manager node will shutdown immediately. How can i fix this?

[reyesj2]

What hardware is this running on? Could you be hitting some resource limitation? I don't think I have ever ran into a scenario like you've described

[witekenea]

This installation is on proxmox and all vms (manager node, sensor node and search node) are under the same node(on the same server). what is the minimum requirement of cpu and ram for each node to function properly?

[witekenea]

Hello there, i have been able to fix the issues, it was a resource limitation problem and got it fixed. now that every node is up and so-status on all nodes are running i wanted to test it using so-test in the sensor node, but am getting "the search query encountered a failure with the elasticsearch cluster", even if elasticsearch is running and healthy on each node. I tried restarting elasticsearch but no luck. How can i fix this? below is the output of so-elasticsearch-query _cat/shards on the search node

[root@search elasticsearch]# so-elasticsearch-query _cat/shards
metrics-endpoint.metadata_current_default 0 p STARTED 0 249b 10.123.15.112 manager
metrics-endpoint.metadata_current_default 0 r STARTED 0 249b 10.123.15.116 search
.ds-logs-elasticsearch.server-default-2024.03.29-000001 0 p UNASSIGNED
.internal.alerts-observability.logs.alerts-default-000001 0 p STARTED 0 249b 10.123.15.112 manager
.internal.alerts-observability.logs.alerts-default-000001 0 r STARTED 0 249b 10.123.15.116 search
.ds-.kibana-event-log-8.10.4-2024.03.28-000001 0 p STARTED 45 95.2kb 10.123.15.112 manager
.ds-.kibana-event-log-8.10.4-2024.03.28-000001 0 r STARTED 45 95.2kb 10.123.15.116 search
.apm-source-map 0 p STARTED 0 249b 10.123.15.112 manager
.apm-source-map 0 r STARTED 0 249b 10.123.15.116 search
.ds-logs-syslog-so-2024.03.30-000001 0 p UNASSIGNED
.fleet-policies-leader-7 0 p STARTED 4 18.9kb 10.123.15.112 manager
.fleet-policies-leader-7 0 r STARTED 4 24.2kb 10.123.15.116 search
.internal.alerts-observability.uptime.alerts-default-000001 0 p STARTED 0 249b 10.123.15.112 manager
.internal.alerts-observability.uptime.alerts-default-000001 0 r STARTED 0 249b 10.123.15.116 search
elastalert_error 0 p UNASSIGNED
.apm-agent-configuration 0 p STARTED 0 249b 10.123.15.112 manager
.apm-agent-configuration 0 r STARTED 0 249b 10.123.15.116 search
elastalert_past 0 p STARTED 0 249b 10.123.15.112 manager
.logs-osquery_manager.action.responses-default 0 p UNASSIGNED
.kibana_task_manager_8.10.4_001 0 p STARTED 25 138.4kb 10.123.15.112 manager
.kibana_task_manager_8.10.4_001 0 r STARTED 25 111.4kb 10.123.15.116 search
.ds-logs-elastic_agent.osquerybeat-default-2024.03.29-000001 0 p STARTED 10492 3mb 10.123.15.112 manager
.transform-internal-007 0 p STARTED 120 253.1kb 10.123.15.112 manager
.transform-internal-007 0 r STARTED 120 275.3kb 10.123.15.116 search
.internal.alerts-observability.slo.alerts-default-000001 0 p STARTED 0 249b 10.123.15.112 manager
.internal.alerts-observability.slo.alerts-default-000001 0 r STARTED 0 249b 10.123.15.116 search
elastalert 0 p UNASSIGNED
.fleet-servers-7 0 p STARTED 3 44.2kb 10.123.15.112 manager
.fleet-servers-7 0 r STARTED 3 62kb 10.123.15.116 search
.ds-logs-kratos-so-2024.03.29-000001 0 p UNASSIGNED
.ds-logs-system.auth-default-2024.03.29-000001 0 p UNASSIGNED
.internal.alerts-stack.alerts-default-000001 0 p STARTED 0 249b 10.123.15.112 manager
.internal.alerts-stack.alerts-default-000001 0 r STARTED 0 249b 10.123.15.116 search
.ds-logs-elastic_agent.fleet_server-default-2024.03.29-000001 0 p UNASSIGNED
.security-profile-8 0 p STARTED 1 9.2kb 10.123.15.112 manager
.security-profile-8 0 r STARTED 1 9.2kb 10.123.15.116 search
.ds-ilm-history-5-2024.03.28-000001 0 p STARTED 82 106.8kb 10.123.15.112 manager
.ds-ilm-history-5-2024.03.28-000001 0 r STARTED 82 105.7kb 10.123.15.116 search
.ds-logs-elastic_agent.metricbeat-default-2024.03.29-000001 0 p STARTED 28 35.4kb 10.123.15.112 manager
.ds-logs-soc-so-2024.03.29-000001 0 p UNASSIGNED
.fleet-artifacts-7 0 p STARTED 15 14.8kb 10.123.15.112 manager
.fleet-artifacts-7 0 r STARTED 15 14.8kb 10.123.15.116 search
.internal.alerts-security.alerts-default-000001 0 p STARTED 0 249b 10.123.15.112 manager
.internal.alerts-security.alerts-default-000001 0 r STARTED 0 249b 10.123.15.116 search
.kibana_security_session_1 0 p STARTED 1 6.7kb 10.123.15.112 manager
.kibana_security_session_1 0 r STARTED 1 6.7kb 10.123.15.116 search
elastalert_silence 0 p STARTED 0 249b 10.123.15.112 manager
.metrics-endpoint.metadata_united_default 0 p STARTED 6 265kb 10.123.15.112 manager
.metrics-endpoint.metadata_united_default 0 r STARTED 6 188.2kb 10.123.15.116 search
.fleet-policies-7 0 p STARTED 38 443.5kb 10.123.15.112 manager
.fleet-policies-7 0 r STARTED 38 443.5kb 10.123.15.116 search
.apm-custom-link 0 p STARTED 0 249b 10.123.15.112 manager
.apm-custom-link 0 r STARTED 0 249b 10.123.15.116 search
.slo-observability.summary-v2 0 p STARTED 0 249b 10.123.15.112 manager
.slo-observability.summary-v2 0 r STARTED 0 249b 10.123.15.116 search
.transform-notifications-000002 0 p STARTED 1256 357.8kb 10.123.15.112 manager
.transform-notifications-000002 0 r STARTED 1256 357.8kb 10.123.15.116 search
.internal.alerts-observability.apm.alerts-default-000001 0 p STARTED 0 249b 10.123.15.112 manager
.internal.alerts-observability.apm.alerts-default-000001 0 r STARTED 0 249b 10.123.15.116 search
.ds-logs-system.syslog-default-2024.03.29-000001 0 p STARTED 603274 85.6mb 10.123.15.112 manager
.ds-logs-suricata-so-2024.03.30-000001 0 p STARTED 1255 6.4mb 10.123.15.112 manager
.security-7 0 p STARTED 159 476.9kb 10.123.15.112 manager
.security-7 0 r STARTED 159 462.2kb 10.123.15.116 search
.fleet-enrollment-api-keys-7 0 p STARTED 4 26.2kb 10.123.15.112 manager
.fleet-enrollment-api-keys-7 0 r STARTED 4 26.2kb 10.123.15.116 search
.kibana-observability-ai-assistant-conversations-000001 0 p STARTED 0 249b 10.123.15.112 manager
.kibana-observability-ai-assistant-conversations-000001 0 r STARTED 0 249b 10.123.15.116 search
.ds-logs-zeek-so-2024.03.29-000001 0 p STARTED 11545 13.5mb 10.123.15.112 manager
.ds-logs-zeek-so-2024.03.29-000001 1 p UNASSIGNED
.fleet-agents-7 0 p STARTED 6 219.9kb 10.123.15.112 manager
.fleet-agents-7 0 r STARTED 6 217.8kb 10.123.15.116 search
.async-search 0 p STARTED 1 9.5kb 10.123.15.112 manager
.async-search 0 r STARTED 1 9.3kb 10.123.15.116 search
.slo-observability.sli-v2 0 p STARTED 0 249b 10.123.15.112 manager
.slo-observability.sli-v2 0 r STARTED 0 249b 10.123.15.116 search
.geoip_databases 0 p STARTED 53 56.1mb 10.123.15.112 manager
.geoip_databases 0 r STARTED 53 56.1mb 10.123.15.116 search
.internal.alerts-observability.metrics.alerts-default-000001 0 p STARTED 0 249b 10.123.15.112 manager
.internal.alerts-observability.metrics.alerts-default-000001 0 r STARTED 0 249b 10.123.15.116 search
.kibana_security_solution_8.10.4_001 0 p STARTED 2709 3.7mb 10.123.15.112 manager
.kibana_security_solution_8.10.4_001 0 r STARTED 2709 3.7mb 10.123.15.116 search
.kibana_ingest_8.10.4_001 0 p STARTED 7568 76.3mb 10.123.15.112 manager
.kibana_ingest_8.10.4_001 0 r STARTED 7568 76.3mb 10.123.15.116 search
elastalert_status 0 p STARTED 0 249b 10.123.15.112 manager
.kibana_8.10.4_001 0 p STARTED 124 206.5kb 10.123.15.112 manager
.kibana_8.10.4_001 0 r STARTED 124 199.5kb 10.123.15.116 search
.ds-logs-elastic_agent-default-2024.03.29-000001 0 p STARTED 6600 2.2mb 10.123.15.112 manager
.slo-observability.summary-v2.temp 0 p STARTED 0 249b 10.123.15.112 manager
.slo-observability.summary-v2.temp 0 r STARTED 0 249b 10.123.15.116 search
.ds-logs-elastic_agent.filebeat-default-2024.03.29-000001 0 p UNASSIGNED
logs-ti_recordedfuture_latest.threat-1 0 p STARTED 0 249b 10.123.15.112 manager
logs-ti_recordedfuture_latest.threat-1 0 r STARTED 0 249b 10.123.15.116 search
.kibana_analytics_8.10.4_001 0 p STARTED 7999 5.1mb 10.123.15.112 manager
.kibana_analytics_8.10.4_001 0 r STARTED 7999 5.1mb 10.123.15.116 search
.logs-osquery_manager.actions-default 0 p STARTED 0 249b 10.123.15.112 manager
.kibana_alerting_cases_8.10.4_001 0 p STARTED 1 6.8kb 10.123.15.112 manager
.kibana_alerting_cases_8.10.4_001 0 r STARTED 1 6.8kb 10.123.15.116 search
.ds-logs-strelka-so-2024.03.30-000001 0 p STARTED 28 796.7kb 10.123.15.112 manager
logs-ti_otx_latest.dest_pulses_subscribed-1 0 p STARTED 0 249b 10.123.15.112 manager
logs-ti_otx_latest.dest_pulses_subscribed-1 0 r STARTED 0 249b 10.123.15.116 search

[witekenea]

update:
GET /_cat/health?v (on devtools in kibana) returns
epoch timestamp cluster status node.total node.data shards pri relo init unassign pending_tasks max_task_wait_time active_shards_percent
1712579886 12:38:06 securityonion red 2 2 89 50 0 0 11 0 - 89.0%

[cm-ops]

The Elasticsearch issue is in #12762