New install - all up and stating everything is running - no Alerts / EPS nothing being captured/seen but high traffic inbound on sensor

[DUser26]

Version

2.4.100

Installation Method

Security Onion ISO image

Description

installation

Installation Type

Distributed

Location

on-prem with Internet access

Hardware Specs

Exceeds minimum requirements

CPU

52

RAM

512

Storage for /

448

Storage for /nsm

27T

Network Traffic Collection

tap

Network Traffic Speeds

more than 10Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

Yes, there are salt failures (please provide detail below)

Logs

No, there are no additional clues

Detail

I setup a new setup for a bigger install. One manager, two receivers and a forwarder all on the same switch/VLAN. It was on 2.4.9 , just updated to see if it would fix the issue but no.

Everything is showing as up and connected. The sensor/forwarder is receiving a lot of traffic but nothing is being alerted/captured. No EPS showing or anything. Could use some assistance/ideas on where to look. I even reinstalled the sensor just in case.

Guidelines

• I have read the discussion guidelines at Read before posting! #1720 and assert that I have followed the guidelines.

[DUser26]

to add more, I am getting nothing, nothing appearing on the dashboards as all. On the forwarder Zeek logs are there and showing they are working.

[reyesj2]

You need to install a searchnode for the logs to be ingested. A searchnode is what runs elasticsearch, so without it it makes sense why you are not seeing any logs via SOC. https://docs.securityonion.net/en/2.4/architecture.html#distributed

If you see zeek logs on the sensor at /nsm/zeek/logs/current/ but nothing in SOC, check Elastic Fleet and ensure the agents are showing up as 'Healthy'

[DUser26]

yea that was right. I misread and didn't realize that was the case.