Steno data recovery from a broken cluster

[jscrub]

Hello all,

I am not sure if this is the right way to ask this request, but we have sort of a predicament.

We had a deployed 3-node Security Onion cluster (2.4) collecting network log data. Halfway through our collection, our customer turned off power without notifying us, causing SecOnion to fail to start up.

How do we go about recovering the Steno data stored in the nsm directory? We have a fresh standalone install waiting, but also realize that standalones are usually storing as Suricata.

We need to import this steno data and then generate PCAPs from them to analyze the traffic.

Is there a way to recover this data?

[cm-ops]

Do you have access to the that sensor and /nsm/pcap directory?

[jscrub]

We do. we've tried running some of the commands directly on the node or by copying over the data to the standalone and run the commands, but either they don't work (errors out) or the pcaps gets deleted right away by Security Onion on the standalone.

Commands tried:
sudo docker exec -it so-steno stenoread "YourStenoQueryHere" -w /tmp/new.pcap (using 'net 0.0.0.0/0' as the query to read everything collected)
sudo so-pcap-export "YourStenoQueryHere" output

[cm-ops]

What is the error you are getting running so-pcap-export?