If a node is down Alerts does not show until node is back online #13046

stondino00 · 2024-05-21T13:08:21Z

stondino00
May 21, 2024

Version

2.4.60

Installation Method

Security Onion ISO image

Description

other (please provide detail below)

Installation Type

Distributed

Location

on-prem with Internet access

Hardware Specs

Exceeds minimum requirements

CPU

16

RAM

128

Storage for /

1 TB

Storage for /nsm

16 TB

Network Traffic Collection

tap

Network Traffic Speeds

1Gbps to 10Gbps

Status

No, one or more services are failed (please provide detail below)

Salt Status

Yes, there are salt failures (please provide detail below)

Logs

No, there are no additional clues

Detail

Hello,

Seems that on 2.4.X, if any of the nodes in the grid are down for hardware, networking or power issues, no alerts or dashboards show for the remaining nodes. Only when all nodes are able to communicate to/from the manager, will alerts show.

Would be nice if there was an option to still show alerts/dashboards from all nodes that are still up until that single node can be brought back online at a later time.

This error shows in alerts until all nodes are up and show green in the grid.

Guidelines

I have read the discussion guidelines at Read before posting! #1720 and assert that I have followed the guidelines.

Answered by reyesj2

May 24, 2024

Making changes like skip_unavailable could give you a false sense of security. If errors are not brought up during your search then you might be under the impression everything is functioning as intended, but you could be missing logs from an entire heavynode.

With that important note in mind. You could make the remote clusters (heavynodes) skip_unavailable from Kibana -> stack management -> remote clusters -> edit and toggle the skip_unavailable option

I would highly recommend not leaving that enabled as a default. Perhaps if you know a site has a power outage scheduled or networking issues you can enable it temporarily so that you can view data from other heavynodes. However, strongly r…

View full answer

reyesj2 · 2024-05-22T14:07:48Z

reyesj2
May 22, 2024
Maintainer

What is your grid made up of? How many searchnodes do you have? Is this a managersearch?

What is the output of sudo so-elasticsearch-query _cat/shards?v

2 replies

stondino00 May 22, 2024
Author

I have one manager node and 8 heavy nodes.

[sohybridad@so-manager ~]$ sudo so-elasticsearch-query _cat/shards?v
[sudo] password for sohybridad:
index                                                         shard prirep state       docs   store ip            node
.metrics-endpoint.metadata_united_default                     0     p      STARTED       15 160.4kb 192.168.20.56 so-manager
.slo-observability.summary-v2.temp                            0     p      STARTED        0    249b 192.168.20.56 so-manager
.ds-logs-system.syslog-default-2024.03.20-000002              0     p      STARTED 91025084    18gb 192.168.20.56 so-manager
.ds-ilm-history-5-2024.02.13-000001                           0     p      STARTED      203 133.8kb 192.168.20.56 so-manager
.geoip_databases                                              0     p      STARTED       33  34.1mb 192.168.20.56 so-manager
.transform-notifications-000002                               0     p      STARTED     2174 411.6kb 192.168.20.56 so-manager
.ds-logs-system.syslog-default-2024.05.19-000004              0     p      STARTED  8381048   1.7gb 192.168.20.56 so-manager
.apm-agent-configuration                                      0     p      STARTED        0    249b 192.168.20.56 so-manager
.fleet-artifacts-7                                            0     p      STARTED       15  14.8kb 192.168.20.56 so-manager
.apm-custom-link                                              0     p      STARTED        0    249b 192.168.20.56 so-manager
elastalert_status                                             0     p      STARTED        0    249b 192.168.20.56 so-manager
.ds-.fleet-actions-results-2024.05.12-000002                  0     p      STARTED        0    248b 192.168.20.56 so-manager
.ds-logs-elastic_agent.filebeat-default-2024.03.20-000005     0     p      STARTED   187729 196.7mb 192.168.20.56 so-manager
.logs-osquery_manager.actions-default                         0     p      STARTED        0    249b 192.168.20.56 so-manager
metrics-endpoint.metadata_current_default                     0     p      STARTED        0    249b 192.168.20.56 so-manager
.ds-logs-elastic_agent.fleet_server-default-2024.04.25-000008 0     p      STARTED   125132 109.5mb 192.168.20.56 so-manager
.ds-logs-elastic_agent-default-2024.04.25-000008              0     p      STARTED    40059    40mb 192.168.20.56 so-manager
.security-profile-8                                           0     p      STARTED        1   9.2kb 192.168.20.56 so-manager
.ds-logs-elastic_agent-default-2024.02.24-000005              0     p      STARTED    35908  37.8mb 192.168.20.56 so-manager
.ds-logs-elastic_agent.filebeat-default-2024.02.23-000002     0     p      STARTED     3968   5.6mb 192.168.20.56 so-manager
.ds-.kibana-event-log-8.10.4-2024.05.13-000004                0     p      STARTED        4  24.4kb 192.168.20.56 so-manager
.ds-logs-elastic_agent.filebeat-default-2024.04.25-000007     0     p      STARTED   941453 625.2mb 192.168.20.56 so-manager
.ds-logs-elastic_agent.fleet_server-default-2024.02.24-000005 0     p      STARTED   103888  82.1mb 192.168.20.56 so-manager
.ds-logs-kratos-so-2024.02.23-000001                          0     p      STARTED    39776  76.1mb 192.168.20.56 so-manager
.ds-.fleet-actions-results-2024.04.12-000001                  0     p      STARTED        1   4.5kb 192.168.20.56 so-manager
elastalert_silence                                            0     p      STARTED        0    249b 192.168.20.56 so-manager
.ds-logs-kratos-so-2024.04.23-000003                          0     p      STARTED    38551  80.4mb 192.168.20.56 so-manager
.ds-logs-elastic_agent.osquerybeat-default-2024.04.25-000007  0     p      STARTED   692902   429mb 192.168.20.56 so-manager
.kibana_security_session_1                                    0     p      STARTED        1   6.7kb 192.168.20.56 so-manager
.ds-logs-elastic_agent.fleet_server-default-2024.02.23-000003 0     p      STARTED      517 804.5kb 192.168.20.56 so-manager
.internal.alerts-security.alerts-default-000001               0     p      STARTED        0    249b 192.168.20.56 so-manager
.ds-logs-system.auth-default-2024.03.24-000002                0     p      STARTED   358873  93.2mb 192.168.20.56 so-manager
.ds-logs-elasticsearch.server-default-2024.04.23-000003       0     p      STARTED    36747  19.8mb 192.168.20.56 so-manager
.kibana-observability-ai-assistant-conversations-000001       0     p      STARTED        0    249b 192.168.20.56 so-manager
.ds-logs-elastic_agent-default-2024.02.23-000003              0     p      STARTED      546 556.5kb 192.168.20.56 so-manager
.internal.alerts-stack.alerts-default-000001                  0     p      STARTED        0    249b 192.168.20.56 so-manager
elastalert                                                    0     p      STARTED        0    249b 192.168.20.56 so-manager
.ds-logs-elastic_agent.filebeat-default-2024.02.24-000003     0     p      STARTED    14832  16.4mb 192.168.20.56 so-manager
.ds-logs-system.auth-default-2024.04.23-000003                0     p      STARTED   335208 357.3mb 192.168.20.56 so-manager
.kibana_analytics_8.10.4_001                                  0     p      STARTED     8956   6.1mb 192.168.20.56 so-manager
.ds-ilm-history-5-2024.04.13-000003                           0     p      STARTED      241  87.9kb 192.168.20.56 so-manager
.ds-logs-elastic_agent-default-2024.03.26-000007              0     p      STARTED    48000  47.8mb 192.168.20.56 so-manager
.kibana_security_solution_8.10.4_001                          0     p      STARTED     2709   3.8mb 192.168.20.56 so-manager
.ds-.kibana-event-log-8.10.4-2024.04.13-000003                0     p      STARTED        5  30.5kb 192.168.20.56 so-manager
.fleet-policies-leader-7                                      0     p      STARTED        4  30.8kb 192.168.20.56 so-manager
.ds-logs-elastic_agent.osquerybeat-default-2024.02.24-000004  0     p      STARTED   579574 341.6mb 192.168.20.56 so-manager
.internal.alerts-observability.apm.alerts-default-000001      0     p      STARTED        0    249b 192.168.20.56 so-manager
logs-ti_anomali_latest.threatstream-2                         0     p      STARTED        0    249b 192.168.20.56 so-manager
.ds-logs-soc-so-2024.04.23-000003                             0     p      STARTED  2507717     1gb 192.168.20.56 so-manager
.fleet-servers-7                                              0     p      STARTED        4    70kb 192.168.20.56 so-manager
.ds-logs-soc-so-2024.02.23-000001                             0     p      STARTED  2341590     1gb 192.168.20.56 so-manager
.slo-observability.sli-v2                                     0     p      STARTED        0    249b 192.168.20.56 so-manager
.kibana_ingest_8.10.4_001                                     0     p      STARTED     5651  83.1mb 192.168.20.56 so-manager
.apm-source-map                                               0     p      STARTED        0    249b 192.168.20.56 so-manager
.transform-internal-007                                       0     p      STARTED       93 242.9kb 192.168.20.56 so-manager
.ds-logs-elastic_agent.osquerybeat-default-2024.02.23-000001  0     p      STARTED      130 319.7kb 192.168.20.56 so-manager
.ds-logs-elastic_agent.osquerybeat-default-2024.03.26-000006  0     p      STARTED   773610 473.3mb 192.168.20.56 so-manager
.logs-osquery_manager.action.responses-default                0     p      STARTED        0    249b 192.168.20.56 so-manager
.ds-logs-elastic_agent.osquerybeat-default-2024.03.20-000005  0     p      STARTED   133406 138.7mb 192.168.20.56 so-manager
.ds-logs-elastic_agent.fleet_server-default-2024.02.23-000002 0     p      STARTED       99 148.8kb 192.168.20.56 so-manager
.ds-logs-elastic_agent.metricbeat-default-2024.03.20-000005   0     p      STARTED       42  99.1kb 192.168.20.56 so-manager
.ds-logs-elastic_agent.osquerybeat-default-2024.02.24-000003  0     p      STARTED     9162  11.1mb 192.168.20.56 so-manager
.internal.alerts-observability.logs.alerts-default-000001     0     p      STARTED        0    249b 192.168.20.56 so-manager
.slo-observability.summary-v2                                 0     p      STARTED        0    249b 192.168.20.56 so-manager
.fleet-agents-7                                               0     p      STARTED       15 410.4kb 192.168.20.56 so-manager
.fleet-actions-7                                              0     p      STARTED        1   6.1kb 192.168.20.56 so-manager
elastalert_past                                               0     p      STARTED        0    249b 192.168.20.56 so-manager
.ds-.kibana-event-log-8.10.4-2024.02.13-000001                0     p      STARTED       16    97kb 192.168.20.56 so-manager
.internal.alerts-observability.uptime.alerts-default-000001   0     p      STARTED        0    249b 192.168.20.56 so-manager
.ds-logs-elastic_agent-default-2024.02.23-000002              0     p      STARTED       64 161.7kb 192.168.20.56 so-manager
.ds-logs-elastic_agent.metricbeat-default-2024.02.24-000003   0     p      STARTED       54 159.7kb 192.168.20.56 so-manager
.ds-logs-elastic_agent.osquerybeat-default-2024.02.23-000002  0     p      STARTED     1145   1.8mb 192.168.20.56 so-manager
.ds-ilm-history-5-2024.05.13-000004                           0     p      STARTED       42  37.2kb 192.168.20.56 so-manager
.ds-logs-system.auth-default-2024.02.23-000001                0     p      STARTED   393882  96.7mb 192.168.20.56 so-manager
.ds-logs-system.syslog-default-2024.04.19-000003              0     p      STARTED 91021679  18.1gb 192.168.20.56 so-manager
.ds-logs-elasticsearch.server-default-2024.02.23-000001       0     p      STARTED    39097  19.2mb 192.168.20.56 so-manager
.ds-logs-elastic_agent.metricbeat-default-2024.02.23-000002   0     p      STARTED       80 182.9kb 192.168.20.56 so-manager
.ds-logs-elastic_agent.fleet_server-default-2024.03.26-000007 0     p      STARTED   129600   122mb 192.168.20.56 so-manager
.kibana_8.10.4_001                                            0     p      STARTED      153  86.1kb 192.168.20.56 so-manager
.kibana_task_manager_8.10.4_001                               0     p      STARTED       25    90kb 192.168.20.56 so-manager
.ds-logs-elasticsearch.server-default-2024.03.24-000002       0     p      STARTED    66592  23.7mb 192.168.20.56 so-manager
.ds-logs-system.syslog-default-2024.02.23-000001              0     p      STARTED 87217311  16.1gb 192.168.20.56 so-manager
.ds-logs-elastic_agent-default-2024.03.20-000006              0     p      STARTED     7573   9.1mb 192.168.20.56 so-manager
.fleet-policies-7                                             0     p      STARTED      141     2mb 192.168.20.56 so-manager
elastalert_error                                              0     p      STARTED        0    249b 192.168.20.56 so-manager
.ds-logs-elastic_agent.metricbeat-default-2024.02.23-000001   0     p      STARTED       28  55.7kb 192.168.20.56 so-manager
logs-ti_recordedfuture_latest.threat-1                        0     p      STARTED        0    249b 192.168.20.56 so-manager
.ds-logs-elastic_agent-default-2024.02.24-000004              0     p      STARTED     1490   1.2mb 192.168.20.56 so-manager
.ds-logs-soc-so-2024.03.24-000002                             0     p      STARTED  2584351   1.1gb 192.168.20.56 so-manager
.ds-logs-elastic_agent.fleet_server-default-2024.02.24-000004 0     p      STARTED     1629   2.3mb 192.168.20.56 so-manager
.ds-logs-elastic_agent.filebeat-default-2024.03.26-000006     0     p      STARTED  1050093 728.9mb 192.168.20.56 so-manager
.ds-logs-elastic_agent.fleet_server-default-2024.03.20-000006 0     p      STARTED    15993  25.1mb 192.168.20.56 so-manager
.fleet-enrollment-api-keys-7                                  0     p      STARTED        4  26.2kb 192.168.20.56 so-manager
.ds-logs-elastic_agent.metricbeat-default-2024.04.19-000006   0     p      STARTED        0    248b 192.168.20.56 so-manager
.ds-logs-kratos-so-2024.03.24-000002                          0     p      STARTED    56027  95.6mb 192.168.20.56 so-manager
.ds-logs-elastic_agent.filebeat-default-2024.02.23-000001     0     p      STARTED      463 453.7kb 192.168.20.56 so-manager
.ds-logs-elastic_agent.filebeat-default-2024.02.24-000004     0     p      STARTED   809188 344.5mb 192.168.20.56 so-manager
.ds-ilm-history-5-2024.03.14-000002                           0     p      STARTED      299 152.2kb 192.168.20.56 so-manager
.internal.alerts-observability.metrics.alerts-default-000001  0     p      STARTED        0    249b 192.168.20.56 so-manager
.ds-logs-elastic_agent.fleet_server-default-2024.02.23-000001 0     p      STARTED      141 284.8kb 192.168.20.56 so-manager
logs-ti_otx_latest.dest_pulses_subscribed-1                   0     p      STARTED        0    249b 192.168.20.56 so-manager
.internal.alerts-observability.slo.alerts-default-000001      0     p      STARTED        0    249b 192.168.20.56 so-manager
.ds-.kibana-event-log-8.10.4-2024.03.14-000002                0     p      STARTED       12  72.8kb 192.168.20.56 so-manager
.kibana_alerting_cases_8.10.4_001                             0     p      STARTED        1   6.8kb 192.168.20.56 so-manager
.security-7                                                   0     p      STARTED      186 539.5kb 192.168.20.56 so-manager
.ds-logs-elastic_agent.metricbeat-default-2024.02.24-000004   0     p      STARTED       26    82kb 192.168.20.56 so-manager
.ds-logs-elastic_agent-default-2024.02.23-000001              0     p      STARTED      214 402.1kb 192.168.20.56 so-manager
.async-search                                                 0     p      STARTED        0    257b 192.168.20.56 so-manager

reyesj2 May 23, 2024
Maintainer

I realize now you mentioned all heavy nodes. Is there a particular reason you elected to use heavynodes instead of keeping separate search / forward nodes? Having separate searchnodes would allow you to have replication across the elasticsearch cluster and allowing you to lose a node entirely while keeping data available.

Heavynodes are treated as individual elasticsearch clusters that get searched by the manager
https://docs.securityonion.net/en/2.4/architecture.html#heavy-node

stondino00 · 2024-05-23T17:18:32Z

stondino00
May 23, 2024
Author

It just seemed easier to us for our install need. Would be nice if there was a skip a node option if it can't reach one for network outage or hardware issue so it would still show alerts, dashboard and so on for all the other nodes in the grid.

1 reply

reyesj2 May 24, 2024
Maintainer

Making changes like skip_unavailable could give you a false sense of security. If errors are not brought up during your search then you might be under the impression everything is functioning as intended, but you could be missing logs from an entire heavynode.

With that important note in mind. You could make the remote clusters (heavynodes) skip_unavailable from Kibana -> stack management -> remote clusters -> edit and toggle the skip_unavailable option

I would highly recommend not leaving that enabled as a default. Perhaps if you know a site has a power outage scheduled or networking issues you can enable it temporarily so that you can view data from other heavynodes. However, strongly recommend you go back and disable skip_unavailable. That way you are immediately aware of any issues your heavynodes maybe having.

Answer selected by TOoSmOotH

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

If a node is down Alerts does not show until node is back online #13046

Uh oh!

{{title}}

Uh oh!

Replies: 2 comments 3 replies

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

If a node is down Alerts does not show until node is back online #13046

Uh oh!

stondino00 May 21, 2024

Version

Installation Method

Description

Installation Type

Location

Hardware Specs

CPU

RAM

Storage for /

Storage for /nsm

Network Traffic Collection

Network Traffic Speeds

Status

Salt Status

Logs

Detail

Guidelines

Replies: 2 comments · 3 replies

Uh oh!

reyesj2 May 22, 2024 Maintainer

Uh oh!

Uh oh!

stondino00 May 22, 2024 Author

Uh oh!

reyesj2 May 23, 2024 Maintainer

Uh oh!

stondino00 May 23, 2024 Author

Uh oh!

reyesj2 May 24, 2024 Maintainer

stondino00
May 21, 2024

Replies: 2 comments 3 replies

reyesj2
May 22, 2024
Maintainer

stondino00 May 22, 2024
Author

reyesj2 May 23, 2024
Maintainer

stondino00
May 23, 2024
Author

reyesj2 May 24, 2024
Maintainer