Critical Error When Disabling Elastic Products - SaltStack/Jinja Template Issues

[SliuzasLukas]

Version

2.4.90

Installation Method

Security Onion ISO image

Description

installation

Installation Type

Distributed

Location

on-prem with Internet access

Hardware Specs

Exceeds minimum requirements

CPU

6

RAM

16

Storage for /

1TB

Storage for /nsm

1TB

Network Traffic Collection

other (please provide detail below)

Network Traffic Speeds

1Gbps to 10Gbps

Status

No, one or more services are failed (please provide detail below)

Salt Status

Yes, there are salt failures (please provide detail below)

Logs

No, there are no additional clues

Detail

I am facing a critical issue while trying to disable all Elastic products (Elastic Agent, Logstash, Kibana, etc.) within Security Onion. After setting these components to false in the Security Onion console, I encounter massive errors during the so-checkin process.

The errors appear to be related to SaltStack and Jinja template rendering. Specifically, I receive multiple instances of the following error:

perl
Copy code
salt.exceptions.SaltRenderError: Jinja variable 'None' has no attribute 'items'
This error occurs in several files, including soc/defaults.map.jinja, elasticsearch/config.map.jinja, and logstash/map.jinja, among others. The traceback indicates that the error arises from the attempt to access attributes or items of a NoneType object, which seems to result from missing or improperly handled data when the Elastic products are disabled.

Steps Taken:

Disabled Elastic products by setting them to false in the Security Onion console.
Ran the so-checkin command.
Encountered the above errors, which prevent the system from functioning correctly.
Error Details:

Example Traceback:
jinja2.exceptions.UndefinedError: 'None' has no attribute 'items'
  File "/var/cache/salt/minion/files/base/soc/defaults.map.jinja", line 17, in top-level template code
    {% for node_type, minions in salt['pillar.get']('elasticsearch:nodes', {}).items() %}
  ...
salt.exceptions.SaltRenderError: Jinja variable 'None' has no attribute 'items'

These errors occur across various files and contexts within the Jinja templates, causing the configuration to fail completely.

I am seeking assistance in resolving these issues so that I can properly disable Elastic products without breaking the system. Specifically, I need guidance on how to manage the Jinja templates and SaltStack configurations to prevent these errors from occurring.

Guidelines

• I have read the discussion guidelines at Read before posting! #1720 and assert that I have followed the guidelines.

[reyesj2]

Disabling critical services is unsupported. In 2.4.110 a warning message in SOC will be displayed to convey that