Distributed Deployment - No Data

[NeoLife-iT]

Version

2.4.10

Installation Method

Security Onion ISO image

Description

other (please provide detail below)

Installation Type

Distributed

Location

on-prem with Internet access

Hardware Specs

Exceeds minimum requirements

CPU

4

RAM

96

Storage for /

500G

Storage for /nsm

400G

Network Traffic Collection

other (please provide detail below)

Network Traffic Speeds

1Gbps to 10Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

No, there are no failures

Logs

No, there are no additional clues

Detail

This is my 20 plus time install and setup sOs . All privious installation setup seem to work fine during my eval. This is new Distributed enviroment
-Manager, Search, Receiver, Fleet Node - All Joined and All Green - so-checkin all green -
so-status on all nodes all green

-Client installed Agent succesful - this is always works
-Installed Sysmon with filed delete option - this is always work

*witth this new setup up node - I have no data @ all in the Dashboard, Sysmon Over....etc ..no Data from the client

-Please list all the step and where i should look for troubleshooting the distributed setup

Thanks for your help

Guidelines

• I have read the discussion guidelines at Read before posting! #1720 and assert that I have followed the guidelines.

[rh-ops]

If everything else is functioning fine but you're not getting any data in SOC, this may indicate a network issue since its not receiving any data to display. I'd recommend checking the physical connections to the devices within your grid, especially any TAPs or SPANs you may have.

[NeoLife-iT]

This is just a Eval setup with distributed model. No TAP or SPAN port involved. I had add new clients to the mix still no data. I see the Redis Queue piling up in the Manager and Search Node. Just need to know if I shutdown All other nodes with this help with troubleshooting. Can the SOC function with Just Manager and Search node? Is there a method similar to tracert to track the flow of data between node?

[InfosecGoon]

Does the Elastic Fleet console show the client computer as healthy? Is there anything useful in the logs there?

[NeoLife-iT]

Yes they all there show healthy, all node are healthy - no data

[NeoLife-iT]

Well I wiped out the entired installation and redo everything from scratch. All working now.

-Manger
-Search
-Add client - check all work.
-Add Receiver - check grid check elastic agent all works
-Add Fleet - check grid check elastic agent all works

*Best place to look is Elastic Agents - All Green and noticed the EPS number changes.

-I am looking for info on how to monitor the Fleet - The client only know the manager ip or host name so how do you know it is talking or sending info the Fleet node?

Thanks for your help

[mazda4409]

I'm running into constant issues now and am afraid redoing from scratch is the only fix on a lab image. Everything started after a power outage and the whole SO image got corrupted. Had it on an HDD due to how big these installs are.
Rebuilding it via a fresh install on the latest distro seemed okay after hitting some setup ipconfiguration errors/roadblocks. Then now there are no detections or alerts throwing Kali or nmap at the SO instance itself or a managed Elastic host with the whole Grid and statuses on green. It just feels like I'm getting punishment after punishment using this SIEM. I want to be positive about it but when you're staying up for days to troubleshoot basic functions, you start losing your mind. I'm pretty sure I've spent more time setting this up or troubleshooting than actually using it. Been using Linux since I was a kid, but this stuff makes you want to cry.
Keep in mind my setup is just a LAN setup with no extra hops all on VMs on one machine. Tcpdump/WireShark all I want on the interfaces, data is coming in but Security Onion decided it won't do any more detections now or take in network traffic through its interfaces.

[rh-ops]

Please start a new discussion for this issue.