Search node CPU at 100% in grid, SO basically non-functional

[tsmith-spscc]

Version

2.4.80

Installation Method

Security Onion ISO image

Description

other (please provide detail below)

Installation Type

Distributed

Location

on-prem with Internet access

Hardware Specs

Exceeds minimum requirements

CPU

24

RAM

192

Storage for /

40 TB

Storage for /nsm

40 TB

Network Traffic Collection

span port

Network Traffic Speeds

1Gbps to 10Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

No, there are no failures

Logs

Yes, there are additional clues in /opt/so/log/ (please provide detail below)

Detail

Due to issues with my search node server after a graceful shutdown for maintenance, I had to wipe and reload the search node in my Security Onion environment. Originally, I had the OS installed on a separate NVME drive in the server. However, the server BIOS no longer sees that device as a valid boot option, forcing me to re-install SO on the 40 TB RAID virtual drive in the server instead. Both the OS and the /nsm volume are on the same RAID virtual disk now.

Since reloading the search node it has been in a faulted state in my SO grid showing 100% CPU usage and "Process Status: Unknown". The OS Uptime metric appears to not be updating as well. However when looking at processes via the CLI, the actual CPU usage is close to 0% across all cores.

Running salt-call state.highstate does not return any errors. so-status on both the manager and sensor nodes come back with all services up and running. The securityonion.log file in /opt/so/log/elasticsearch on the manager node is almost 5 GB in size and it appears to be mostly (if not all) WARN messages like the one below:

[2024-09-10T15:10:14,753][WARN ][rest.suppressed          ] path: /.ds-logs-*/_eql/search, params: {ignore_unavailable=true, index=.ds-logs-*}
org.elasticsearch.action.search.SearchPhaseExecutionException: start
	at org.elasticsearch.action.search.CanMatchPreFilterSearchPhase.onPhaseFailure(CanMatchPreFilterSearchPhase.java:435) ~[elasticsearch-8.10.4.jar:?]
	at org.elasticsearch.action.search.CanMatchPreFilterSearchPhase$1.onFailure(CanMatchPreFilterSearchPhase.java:424) ~[elasticsearch-8.10.4.jar:?]
	at org.elasticsearch.common.util.concurrent.AbstractRunnable.run(AbstractRunnable.java:28) ~[elasticsearch-8.10.4.jar:?]
	at org.elasticsearch.common.util.concurrent.TimedRunnable.doRun(TimedRunnable.java:33) ~[elasticsearch-8.10.4.jar:?]
	at org.elasticsearch.common.util.concurrent.ThreadContext$ContextPreservingAbstractRunnable.doRun(ThreadContext.java:983) ~[elasticsearch-8.10.4.jar:?]
	at org.elasticsearch.common.util.concurrent.AbstractRunnable.run(AbstractRunnable.java:26) ~[elasticsearch-8.10.4.jar:?]
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1144) ~[?:?]
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:642) ~[?:?]
	at java.lang.Thread.run(Thread.java:1583) ~[?:?]
Caused by: org.elasticsearch.action.search.SearchPhaseExecutionException: Search rejected due to missing shards [[.ds-logs-elastic_agent-default-2024.07.15-000001][0], [.ds-logs-elastic_agent-default-2024.08.14-000002][0], [.ds-logs-elastic_agent.endpoint_security-default-2024.07.16-000001][0], [.ds-logs-elastic_agent.filebeat-default-2024.08.14-000002][0], [.ds-logs-elastic_agent.fleet_server-default-2024.08.14-000002][0], [.ds-logs-elastic_agent.metricbeat-default-2024.07.15-000001][0], [.ds-logs-elastic_agent.metricbeat-default-2024.08.14-000002][0], [.ds-logs-elastic_agent.osquerybeat-default-2024.07.15-000001][0], [.ds-logs-elastic_agent.osquerybeat-default-2024.08.14-000002][0], [.ds-logs-elasticsearch.server-default-2024.07.15-000001][0], [.ds-logs-elasticsearch.server-default-2024.08.14-000002][0], [.ds-logs-endpoint.events.api-default-2024.07.17-000001][0], [.ds-logs-endpoint.events.api-default-2024.08.16-000002][0], [.ds-logs-endpoint.events.file-default-2024.07.16-000001][0], [.ds-logs-endpoint.events.file-default-2024.08.15-000002][0], [.ds-logs-endpoint.events.network-default-2024.07.16-000001][0], [.ds-logs-endpoint.events.network-default-2024.08.05-000002][0], [.ds-logs-endpoint.events.network-default-2024.08.19-000003][0], [.ds-logs-endpoint.events.process-default-2024.07.16-000001][0], [.ds-logs-endpoint.events.process-default-2024.08.04-000002][0], [.ds-logs-endpoint.events.process-default-2024.08.15-000003][0], [.ds-logs-endpoint.events.process-default-2024.08.26-000004][0], [.ds-logs-endpoint.events.registry-default-2024.08.15-000002][0], [.ds-logs-endpoint.events.security-default-2024.07.16-000001][0], [.ds-logs-fortinet_fortigate.log-spscc-2024.07.23-000001][0], [.ds-logs-kratos-so-2024.08.14-000002][0], [.ds-logs-o365.audit-spscc-2024.07.22-000001][0], [.ds-logs-o365.audit-spscc-2024.08.21-000002][0], [.ds-logs-okta.system-default-2024.07.22-000001][0], [.ds-logs-okta.system-default-2024.08.21-000002][0], [.ds-logs-okta.system-spscc-2024.08.21-000002][0], [.ds-logs-soc-so-2024.07.15-000001][0], [.ds-logs-sophos_central.alert-spscc-2024.07.23-000001][0], [.ds-logs-sophos_central.alert-spscc-2024.08.22-000002][0], [.ds-logs-sophos_central.event-spscc-2024.08.22-000002][0], [.ds-logs-suricata.alerts-so-2024.07.15-000001][0], [.ds-logs-suricata.alerts-so-2024.07.16-000002][0], [.ds-logs-suricata.alerts-so-2024.07.17-000003][0], [.ds-logs-suricata.alerts-so-2024.07.18-000004][0], [.ds-logs-suricata.alerts-so-2024.07.19-000005][0], [.ds-logs-suricata.alerts-so-2024.07.21-000007][0], [.ds-logs-suricata.alerts-so-2024.07.24-000010][0], [.ds-logs-suricata.alerts-so-2024.07.25-000011][0], [.ds-logs-suricata.alerts-so-2024.07.27-000013][0], [.ds-logs-suricata.alerts-so-2024.07.30-000015][0], [.ds-logs-suricata.alerts-so-2024.08.02-000018][0], [.ds-logs-suricata.alerts-so-2024.08.03-000019][0], [.ds-logs-suricata.alerts-so-2024.08.05-000021][0], [.ds-logs-suricata.alerts-so-2024.08.06-000022][0], [.ds-logs-suricata.alerts-so-2024.08.07-000023][0], [.ds-logs-suricata.alerts-so-2024.08.09-000025][0], [.ds-logs-suricata.alerts-so-2024.08.12-000028][0], [.ds-logs-suricata.alerts-so-2024.08.14-000030][0], [.ds-logs-suricata.alerts-so-2024.08.15-000031][0], [.ds-logs-suricata.alerts-so-2024.08.16-000032][0], [.ds-logs-suricata.alerts-so-2024.08.17-000033][0], [.ds-logs-suricata.alerts-so-2024.08.19-000035][0], [.ds-logs-suricata.alerts-so-2024.08.20-000036][0], [.ds-logs-suricata.alerts-so-2024.08.22-000038][0], [.ds-logs-suricata.alerts-so-2024.08.24-000040][0], [.ds-logs-suricata.alerts-so-2024.08.25-000041][0], [.ds-logs-suricata.alerts-so-2024.08.26-000042][0], [.ds-logs-suricata.alerts-so-2024.08.27-000043][0], [.ds-logs-suricata.alerts-so-2024.08.28-000044][0], [.ds-logs-system.application-default-2024.08.15-000002][0], [.ds-logs-system.auth-default-2024.07.15-000001][0], [.ds-logs-system.auth-default-2024.08.14-000002][0], [.ds-logs-system.security-default-2024.07.16-000001][0], [.ds-logs-system.security-default-2024.07.21-000002][0], [.ds-logs-system.security-default-2024.07.24-000003][0], [.ds-logs-system.security-default-2024.07.25-000004][0], [.ds-logs-system.security-default-2024.07.27-000005][0], [.ds-logs-system.security-default-2024.07.29-000006][0], [.ds-logs-system.security-default-2024.07.30-000007][0], [.ds-logs-system.security-default-2024.08.01-000008][0], [.ds-logs-system.security-default-2024.08.02-000009][0], [.ds-logs-system.security-default-2024.08.04-000010][0], [.ds-logs-system.security-default-2024.08.06-000011][0], [.ds-logs-system.security-default-2024.08.07-000012][0], [.ds-logs-system.security-default-2024.08.08-000013][0], [.ds-logs-system.security-default-2024.08.10-000014][0], [.ds-logs-system.security-default-2024.08.12-000015][0], [.ds-logs-system.security-default-2024.08.13-000016][0], [.ds-logs-system.security-default-2024.08.14-000017][0], [.ds-logs-system.security-default-2024.08.16-000018][0], [.ds-logs-system.security-default-2024.08.17-000019][0], [.ds-logs-system.security-default-2024.08.19-000020][0], [.ds-logs-system.security-default-2024.08.20-000021][0], [.ds-logs-system.security-default-2024.08.21-000022][0], [.ds-logs-system.security-default-2024.08.23-000023][0], [.ds-logs-system.security-default-2024.08.24-000024][0], [.ds-logs-system.security-default-2024.08.25-000025][0], [.ds-logs-system.security-default-2024.08.27-000026][0], [.ds-logs-system.syslog-default-2024.07.15-000001][0], [.ds-logs-system.system-default-2024.08.15-000002][0], [.ds-logs-windows.powershell-default-2024.07.16-000001][0], [.ds-logs-windows.powershell_operational-default-2024.08.15-000002][0], [.ds-logs-windows.sysmon_operational-default-2024.07.16-000001][0], [.ds-logs-zeek-so-2024.07.15-000001][0], [.ds-logs-zeek-so-2024.07.18-000002][0], [.ds-logs-zeek-so-2024.07.23-000003][0], [.ds-logs-zeek-so-2024.07.26-000004][0], [.ds-logs-zeek-so-2024.07.30-000005][0], [.ds-logs-zeek-so-2024.08.05-000007][0], [.ds-logs-zeek-so-2024.08.07-000008][0], [.ds-logs-zeek-so-2024.08.10-000009][0], [.ds-logs-zeek-so-2024.08.13-000010][0], [.ds-logs-zeek-so-2024.08.16-000011][0], [.ds-logs-zeek-so-2024.08.19-000012][0], [.ds-logs-zeek-so-2024.08.22-000013][0], [.ds-logs-zeek-so-2024.08.25-000014][0], [.ds-logs-zeek-so-2024.08.28-000015][0], [.ds-logs-zeek-so-2024.07.18-000002][1], [.ds-logs-zeek-so-2024.07.26-000004][1], [.ds-logs-zeek-so-2024.08.05-000007][1], [.ds-logs-zeek-so-2024.08.07-000008][1], [.ds-logs-zeek-so-2024.08.16-000011][1], [.ds-logs-zeek-so-2024.08.19-000012][1], [.ds-logs-zeek-so-2024.08.22-000013][1], [.ds-logs-zeek-so-2024.08.25-000014][1]]. Consider using `allow_partial_search_results` setting to bypass this error.
	at org.elasticsearch.action.search.CanMatchPreFilterSearchPhase.checkNoMissingShards(CanMatchPreFilterSearchPhase.java:213) ~[elasticsearch-8.10.4.jar:?]
	at org.elasticsearch.action.search.CanMatchPreFilterSearchPhase.run(CanMatchPreFilterSearchPhase.java:132) ~[elasticsearch-8.10.4.jar:?]
	at org.elasticsearch.action.search.CanMatchPreFilterSearchPhase$1.doRun(CanMatchPreFilterSearchPhase.java:429) ~[elasticsearch-8.10.4.jar:?]
	at org.elasticsearch.common.util.concurrent.AbstractRunnable.run(AbstractRunnable.java:26) ~[elasticsearch-8.10.4.jar:?]
	... 6 more

If there is a way to get the sensor node connected and working correctly without having to redo my entire Security Onion deployment I would be grateful. If other information would be helpful for troubleshooting I will do my best to provide it. Thanks.

Guidelines

• I have read the discussion guidelines at Read before posting! #1720 and assert that I have followed the guidelines.

[tsmith-spscc]

Screen shot of the search node grid status:

[tsmith-spscc]

I was able to re-install SO just now with the OS on the NVME drive and /nsm on the RAID virtual drive. It boots into the OS fine from the NVME drive now. However, the same issue remains. The search node still shows the problems above and is in a fault state. Also, prior to re-installing the search node I removed the previous iteration of it from the grid and rebooted the manager node to clear it from the grid completely. I also did this prior to the other re-install attempts yesterday.

[tsmith-spscc]

When running "salt * state.highstate", I encouter this error on the search node. It is the only error returned from running the highstate across all nodes:

----------
          ID: run_installer
    Function: cmd.script
        Name: salt://elasticfleet/files/so_agent-installers/so-elastic-agent_linux_amd64
      Result: False
     Comment: Attempt 1: Returned a result of "False", with the following comment: "Command 'salt://elasticfleet/files/so_agent-installers/so-elastic-agent_linux_amd64' run"
              Command 'salt://elasticfleet/files/so_agent-installers/so-elastic-agent_linux_amd64' run
     Started: 14:48:52.450989
    Duration: 32062.311 ms
     Changes:
              ----------
              pid:
                  96979
              retcode:
                  1
              stderr:
              stdout:

                  Installation initiated, view install log for further details.

[tsmith-spscc]

Well, I re-installed SO one more time, but this time I used a different hostname and IP address for the node. It made no difference. Once added to the grid, it still comes up with the same problem - 100% CPU and Elasticsearch isn't communicating correctly with the manager node, thus SO is essentially non-functional still.

[jgiuliano2024]

I did notice I had the nodes IP in the fleet section as well as the sensor section. looking at netstat the sensor entry showed traffic the fleet entry did not. I removed the fleet entry and rebooted the node. No change. I also ran so-idstools-restart and rebooted the node one more time. Nogo I was hoping that was the cause it was not. If I come up with something that fixes it I will post it.

[tsmith-spscc]

I updated from 2.4.80 to 2.4.100 but this did not help at all.

[tsmith-spscc]

I've done a number of tcpdumps on both the manager and search nodes. What I see is that the search node attempts to connect to the so-elastic-fleet docker container on tcp/8220 but gets a [RST, ACK] response, so the container is essentially non-responsive. If I am reading iptables correctly, it should allow traffic from any non-sobridge source to the docker containers, and specifically the so-elastic-fleet container on tcp/8220... so I am not sure why the traffic is being dropped at the docker container.

[tsmith-spscc]

This is the output of so-elastic-agent-status on the manager node. It appears that fleet is not responding.

[root@seconion-mgr user]# so-elastic-agent-status
┌─ fleet
│  └─ status: (FAILED) fail to checkin to fleet-server: all hosts failed: 2 errors occurred:
│         * requester 0/2 to host https://10.X.X.XXX:8220/ errored: Post "https://10.X.X.XXX:8220/api/fleet/agents/c4bb5913-d0b9-474e-b4d3-0dc15211d469/checkin?": dial tcp 10.X.X.XXX:8220: connect: connection refused
│         * requester 1/2 to host https://seconion-mgr:8220/ errored: Post "https://seconion-mgr:8220/api/fleet/agents/c4bb5913-d0b9-474e-b4d3-0dc15211d469/checkin?": read tcp 127.0.0.1:39610->127.0.0.1:8220: read: connection reset by peer
│
│
└─ elastic-agent
   └─ status: (HEALTHY) Running

[dougburks]

@tsmith-spscc The title of this discussion specifies Search node but then you start talking about your sensor node. Are you having an issue with your search node, your sensor node, or both?

Originally, I had the OS installed on a separate NVME drive in the server. However, the server BIOS no longer sees that device as a valid boot option

Have you run full diagnostics on your hardware?

[dougburks]

Any ideas on anything else I can try to get this search node communicating and/or get the so-elastic-fleet container working correctly?

Are you able to reach the Elastic Fleet web interface at all? If so, are there any clues there?
https://docs.securityonion.net/en/2.4/elastic-fleet.html

Have you checked the logs in /opt/so/log for additional clues? I'd start with elasticfleet, kibana, and elasticsearch.

Otherwise I'm probably going to have to blow away my whole SO instance, which is spread across multiple sites and has a ton of work put into it with integrations and alert tuning. I'd really rather repair it if possible, but I'm getting to the point where I have to have a functional system so I can't spend many more days in troubleshooting mode. Thanks.

This seems like a strange problem. It may be difficult to troubleshoot asynchronously via Github Discussions in a timely manner. If you need priority assistance, it may be worth your time to consider purchasing Professional Services so that an engineer can work with you in real time via screen share to repair your installation rather than having to start over from scratch. For more information, please see:
https://securityonion.com/support

[tsmith-spscc]

Hi Doug, thanks for the response. I have tried looking at the Elastic Fleet interface, but I receive a 404 when trying to access it. I have looked through the elasticsearch log but not kibana or elastic fleet. I'll give those a look as well. I'll contact your professional support services for a quote. Thanks again.

[tsmith-spscc]

So, as a follow up for anyone who comes across this - Since my last post, I have re-installed Security Onion 2.4.100 from scratch across my entire grid (manager, search and forward nodes) multiple times and the issue keeps coming back. Currently, my search node is still showing 100% CPU in my grid and not providing the status of services running on it. Last night, after rebuilding it, the docker containers were not coming up on the search node. However, this morning they appear to be up and running.

So far it looks like SO is back up and functioning at the moment, with the exception of the grid still showing a fault for the search node. I am receiving data from my forward node, which is generating suricata alerts. I am able to access Kibana again. I've looked through the logs on the search node and see no obvious signs of errors. Running a salt highstate across the grid returns no errors.

So I'm going to leave it alone for a day or two and see if the fault on the search node in the grid decides to shake out. I'm hesitant to start tuning and adding integrations again until I'm more comfortable that the grid is actually stable.

[dougburks]

@tsmith-spscc Based on a similar discussion at #13691, check to make sure that all of your nodes are synced to the same NTP server and have the same exact time on them.

[tsmith-spscc]

@dougburks Thanks for pointing me to that discussion. This was indeed the issue that I was running into at this final stage of troubeshooting and rebuilding the grid. I had to set the time manually across all my nodes before turning ntp back on though before the time would sync up. And I can't say for sure if fixing the time issue would have resolved the original problems I was running into before I wiped and re-installed all of the nodes in my grid. But, for the time being, everything is green again.

One last question - are there any discussions or resources that provide an explainer on the process of restoring the data backed up by the default SO backup process? Is it as simple as untarring the backup files in the relevant directories?

[dougburks]

One last question - are there any discussions or resources that provide an explainer on the process of restoring the data backed up by the default SO backup process? Is it as simple as untarring the backup files in the relevant directories?

Please take a look at this discussion and see if it helps:
#13512

[dougburks]

@jgiuliano2024 If you need help with your deployment, please start a separate discussion and provide detailed information about your deployment.