After last OS update few days ago, alerts stopped working

[fa1sepr0phet]

Version

2.4.100

Installation Method

Security Onion ISO image

Description

configuration

Installation Type

Standalone

Location

airgap

Hardware Specs

Exceeds minimum requirements

CPU

6

RAM

128GB

Storage for /

293GB

Storage for /nsm

5.8TB

Network Traffic Collection

tap

Network Traffic Speeds

more than 10Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

No, there are no failures

Logs

No, there are no additional clues

Detail

Upgraded from 2.4.50 to 2.4.100 and now alerts are not showing up in SOC. Running the query sudo so-elasticsearch-query _cat/shards | grep suricata | sort returns nothing. All containers are returning running and healthy. Is there someone that could point me in a direction to begin troubleshooting?

Guidelines

• I have read the discussion guidelines at Read before posting! #1720 and assert that I have followed the guidelines.

[reyesj2]

Whats the output of

so-elasticsearch-query _cluster/health

[fa1sepr0phet]

[redacted@redacted redacted]# so-elasticsearch-query _cluster/health

{"cluster_name":"securityonion","status":"green","timed_out":false,"number_of_nodes":1,"number_of_data_nodes":1,"active_primary_shards":176,"active_shards":176,"relocating_shards":0,"initializing_shards":0,"unassigned_shards":0,"delayed_unassigned_shards":0,"number_of_pending_tasks":0,"number_of_in_flight_fetch":0,"task_max_waiting_in_queue_millis":0,"active_shards_percent_as_number":100.0}

[redacted@redacted redacted]#

[reyesj2]

Are you still not getting alerts? That seems to show that you have a healthy elasticsearch. When you go to the grid page and click the drop down next to your standalone there is a button for ingesting test traffic. That should trigger multiple alerts

EDIT: saw you mentioned your grid was airgap. That button for test traffic will not work unless the manager can download an additional container from the internet. Can you verify the standalone is still receiving traffic? It should also show on the grid page under "Inbound monitor traffic"

[fa1sepr0phet]

Thank you for your reply, it really helped. I did notice there was no inbound traffic, so I dug into the networking settings on my hypervisor and saw the trunk port was changed (STIG compliance). Changed back to the original trunk port, documented, and it's working fine now. Again, thank you.

[fa1sepr0phet]

Thank you for your reply, it really helped. I did notice there was no inbound traffic, so I dug into the networking settings on my hypervisor and saw the trunk port was changed (STIG compliance). Changed back to the original trunk port, documented, and it's working fine now. Again, thank you.