index Log being save on the manger and searchnode at the same time

[JhonShell]

Version

2.4.80

Installation Method

Security Onion ISO image

Description

installation

Installation Type

Distributed

Location

on-prem with Internet access

Hardware Specs

Exceeds minimum requirements

CPU

16

RAM

512

Storage for /

100

Storage for /nsm

1tb

Network Traffic Collection

span port

Network Traffic Speeds

1Gbps to 10Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

No, there are no failures

Logs

Yes, there are additional clues in /opt/so/log/ (please provide detail below)

Detail

Hi security onion team,

I see that the log is being save on the manager and the Search node at the same time, when the manager should run it own instance of Elasticsearch which cause the disk of manager to be full. I have 3 node 1 receiver,manager,search , when I check the /nsm,elasticsearch/indices/ I have the same amount of log on the search as the manger which according to the doc should not be possible because the manager run it own instance of elasticsearch.

Guidelines

• I have read the discussion guidelines at Read before posting! #1720 and assert that I have followed the guidelines.

[JhonShell]

Temporal solution:
so-elasticsearch-query _cluster/settings -d '{"persistent": {"cluster.routing.allocation.exclude._ip": "1.1.1.1"}}' -X PUT

[cm-ops]

https://docs.securityonion.net/en/2.4/elasticsearch.html#cluster You have are runing a multi-node cluster. The above command will keep data off your manager node. You can further remove the data role from you node roles once data is off the manager. https://docs.securityonion.net/en/2.4/elasticsearch.html#elasticsearch-node-roles

[JhonShell]

Hi m-ops,

thank you, I think it should be by default on the distribute env and the manager node.

[TOoSmOotH]

Unfortunately it doesn't work like that. The manager has to have the data role as well as single node mode for the install. When you add your first search node the manager will restart elastic in cluster mode. If you try and remove the data role from the manager without migrating the data elastic fails to start. Currently this requires manual intervention to route the data off. This compounds if some of the data changes phases in ILM requiring nodes that support those roles existing somewhere else in the cluster.