Problem Sensor

[blacklistlista]

Version

2.4.120

Installation Method

Security Onion ISO image

Description

configuration

Installation Type

Distributed

Location

airgap

Hardware Specs

Exceeds minimum requirements

CPU

4

RAM

16

Storage for /

1TB

Storage for /nsm

512 GB

Network Traffic Collection

span port

Network Traffic Speeds

1Gbps to 10Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

Yes, there are salt failures (please provide detail below)

Logs

Yes, there are additional clues in /opt/so/log/ (please provide detail below)

Detail

I'm experiencing a problem with version 2.4.120. I have a distributed installation, and when I log in to the front end, I see that alerts aren't being indexed. I log in to the sensor node and run a TCP dump on the bond0 interface, and no traffic is arriving. Traffic is arriving on the physical interface of the server where the sensor server is running.

To fix this, run the following command on the host that hosts the Sensor VM:
vboxmanage modifyvm VMSEC3 --nicpromisc2 allow-all.

This fixes the problem temporarily, but then it comes back and stops working.
Has anyone experienced something similar?

Guidelines

• I have read the discussion guidelines at Read before posting! #1720 and assert that I have followed the guidelines.

[cm-ops]

https://docs.securityonion.net/en/latest/virtualbox.html#virtualbox Did you follow this part?

If you want an additional network interface for sniffing from a TAP or SPAN port, then click the Settings button, click Network, and then go to Adapter 2. Enable the adapter, configure the network it should attach to, and then you will most likely want to go to Advanced and set Promiscuous Mode to either Allow VMs or Allow All. Click the OK button.