Elasticsearch Status Fault and Stenographer 90%+ packet loss after 2.4.141 upgrade

[rfuller318]

Version

2.4.140

Installation Method

Security Onion ISO image

Description

upgrading

Installation Type

Standalone

Location

on-prem with Internet access

Hardware Specs

Exceeds minimum requirements

CPU

32

RAM

128

Storage for /

32 TB

Storage for /nsm

28 TB

Network Traffic Collection

span port

Network Traffic Speeds

Less than 1Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

Yes, there are salt failures (please provide detail below)

Logs

Yes, there are additional clues in /opt/so/log/ (please provide detail below)

Detail

Since upgrading to Security Onion 2.4.141, my standalone installation maintains an Elasticsearch Status of Fault and Stenographer consistently has over 90% packet loss.

so-status shows all containers are running OK.

There is one fault out of 711 that shows when running a high state. /opt/so/log/salt/master shows the following error:

Name: /usr/sbin/so-elasticsearch-templates-load - Function: cmd.run - Result: Failed - Started: 14:24:57.622941 - Duration: 20014.427 ms

Is anyone else experiencing this problem?

Guidelines

• I have read the discussion guidelines at Read before posting! #1720 and assert that I have followed the guidelines.

[cm-ops]

Do you see errors in the /root/soup.log?

[rfuller318]

None that I can see. This is the /root/soup.log output:

sudo cat /root/soup.log

Preparing soup at Thu Apr 3 06:03:51 PM UTC 2025

Checking if we can access the salt master and that it is ready at: Apr 03 18:03: 51
Successfully accessed and salt master ready at: Apr 03 18:03:56
Checking to see if this is a manager.

This is a manager, so we can proceed.
Enabling highstate.
local:
----------
msg:
Info: highstate state already enabled.
res:
True

Salt Master does not need unlocked.

The manager's pillars can be rendered. We can proceed with SOUP.

Checking to see if this is an airgap install.

Found that Security Onion 2.4.141 is currently installed.

Cloning Security Onion github repo into /tmp/sogh/securityonion.
Removing previous upgrade sources.
Cloning the Security Onion Repo.
Verifying we have the latest soup script.
This version of the soup script is up to date. Proceeding.
Let's see if we need to update Security Onion.
Checking to see if there are hotfixes needed
You are already running the latest version of Security Onion.

[rfuller318]

I was able to figure out the Elasticsearch Status Fault issue. I had reached the 1000/1000 shard maximum. After cleaning up my indices and shards, the Fault issue has been corrected.

However I am still having problems with over 90% Stenographer Packet Loss as well as 30%-40% I/O Wait times. I did not experience any of these prior to the 2.4.141 upgrade. How would I go about troubleshooting this particular matter?

[cm-ops]

How much traffic throughput on the monitoring interface? What type of disk for /nsm?

[rfuller318]

Typically around 300-400 mbps on average. I have 8 4TB Samsung 870 SSDs in a RAID 5 config. No red/malfunctioning drive lights.

I am sniffing a 1Gbps SPAN port with a 10GB SFP+ fiber connected network card.

Even when I switch from Stenographer to Suricata for PCAP, I still get the excessive I/O wait times, as well as high packet loss.

[cm-ops]

What about top/iotop/btop and iostat? Is it the stenographer process causing the i/o wait?

[rfuller318]

top shows fluctuations between the elasticsearch and logstash processes mostly:

iostat shows:

Here's a screenshot of my Grid while checking the above top and iostat. I had to unplug the SPAN sniff because Redis had millions in the queue that wasn't being processed:

[rfuller318]

These are current screenshots of Grid, top, and iostat after I plugged the SPAN sniff back in and rebooted the server at Grid request. I changed pcap to Transition to rule out Stenographer write problems, but Suricata is having the same packet loss problem:

[rfuller318]

I am beginning to suspect this issue may be related to #14545, which is a log ingestion problem related to a template failure load. I am experiencing the same error during a high state call.

[rfuller318]

I just checked /opt/so/log/stenographer/stenographer.log, and I keep seeing this error message repeated over and over:

2025/04/28 15:30:15 Blockfile opening: "/tmp/stenographer2713390978/PKT0/1741182252539200"
2025/04/28 15:30:15 opening index "/tmp/stenographer2713390978/IDX0/1741182252539200"
2025/04/28 15:30:15 Thread 0 error tracking "1741182252539200": could not open blockfile "/tmp/stenographer2713390978/PKT0/1741182252539200": could not open index for "/tmp/stenographer2713390978/PKT0/1741182252539200": invalid index file "/tmp/stenographer2713390978/IDX0/1741182252539200" missing versions record: leveldb/table: invalid table (file size is too small)
2025/04/28 15:30:15 Thread 0 disk space is sufficient (packet path="/tmp/stenographer2713390978/PKT0"): 50% free > 25% threshold
2025/04/28 15:30:30 Blockfile opening: "/tmp/stenographer2713390978/PKT0/1741182252539200"
2025/04/28 15:30:30 opening index "/tmp/stenographer2713390978/IDX0/1741182252539200"
2025/04/28 15:30:30 Thread 0 error tracking "1741182252539200": could not open blockfile "/tmp/stenographer2713390978/PKT0/1741182252539200": could not open index for "/tmp/stenographer2713390978/PKT0/1741182252539200": invalid index file "/tmp/stenographer2713390978/IDX0/1741182252539200" missing versions record: leveldb/table: invalid table (file size is too small)
2025/04/28 15:30:30 Thread 0 disk space is sufficient (packet path="/tmp/stenographer2713390978/PKT0"): 50% free > 25% threshold
2025/04/28 15:30:45 Blockfile opening: "/tmp/stenographer2713390978/PKT0/1741182252539200"
2025/04/28 15:30:45 opening index "/tmp/stenographer2713390978/IDX0/1741182252539200"
2025/04/28 15:30:45 Thread 0 error tracking "1741182252539200": could not open blockfile "/tmp/stenographer2713390978/PKT0/1741182252539200": could not open index for "/tmp/stenographer2713390978/PKT0/1741182252539200": invalid index file "/tmp/stenographer2713390978/IDX0/1741182252539200" missing versions record: leveldb/table: invalid table (file size is too small)
2025/04/28 15:30:45 Thread 0 disk space is sufficient (packet path="/tmp/stenographer2713390978/PKT0"): 50% free > 25% threshold
2025-04-28T15:30:57.037529Z T:817c96 [aio.cc:122] Closing /tmp/stenographer2713390978/PKT0/.1745854195770937 (5), truncating to 88MB and moving to /tmp/stenographer2713390978/PKT0/1745854195770937
2025-04-28T15:30:57.037668Z T:817c96 [aio.cc:190] Opening packet file /tmp/stenographer2713390978/PKT0/.1745854257037522: 4
2025-04-28T15:30:57.044396Z T:80fc86 [index.cc:269] Wrote all index files for /tmp/stenographer2713390978/IDX0/.1745854195770937, moving to /tmp/stenographer2713390978/IDX0/1745854195770937
2025/04/28 15:31:00 Blockfile opening: "/tmp/stenographer2713390978/PKT0/1741182252539200"
2025/04/28 15:31:00 opening index "/tmp/stenographer2713390978/IDX0/1741182252539200"
2025/04/28 15:31:00 Thread 0 error tracking "1741182252539200": could not open blockfile "/tmp/stenographer2713390978/PKT0/1741182252539200": could not open index for "/tmp/stenographer2713390978/PKT0/1741182252539200": invalid index file "/tmp/stenographer2713390978/IDX0/1741182252539200" missing versions record: leveldb/table: invalid table (file size is too small)
2025/04/28 15:31:00 Blockfile opening: "/tmp/stenographer2713390978/PKT0/1745854195770937"
2025/04/28 15:31:00 opening index "/tmp/stenographer2713390978/IDX0/1745854195770937"
2025/04/28 15:31:00 new blockfile "/tmp/stenographer2713390978/PKT0/1745854195770937"
2025/04/28 15:31:00 Thread 0 found 1 new blockfiles
2025/04/28 15:31:00 Thread 0 disk space is sufficient (packet path="/tmp/stenographer2713390978/PKT0"): 50% free > 25% threshold
2025-04-28T15:31:12.120746Z T:817c96 [stenotype.cc:537] Thread 0 stats: MB=1014600 secs=265016 MBps=3.82845 packets=1049961497 blocks=1014600 polls=969088 drops=11604914671 drop%=91.7031

Is this indicative of anything?

[cm-ops]

What is your diskfreepercentage set to for Steno? Also, are there any errors in that log?

What does this show? sudo du -hd1 /nsm

[rfuller318]

What is your diskfreepercentage set to for Steno? Also, are there any errors in that log?

What does this show? sudo du -hd1 /nsm

Diskfreepercentage is back at 21 after I had it at 25 trying to troubleshoot these problems.

The Steno logs keeps reporting this same error over and over:

2025/04/28 15:30:45 Thread 0 error tracking "1741182252539200": could not open blockfile "/tmp/stenographer2713390978/PKT0/1741182252539200": could not open index for "/tmp/stenographer2713390978/PKT0/1741182252539200": invalid index file "/tmp/stenographer2713390978/IDX0/1741182252539200" missing versions record: leveldb/table: invalid table (file size is too small)

And also reports this stats update:

2025/04/28 15:31:00 Thread 0 disk space is sufficient (packet path="/tmp/stenographer2713390978/PKT0"): 50% free > 25% threshold 2025-04-28T15:31:12.120746Z T:817c96 [stenotype.cc:537] Thread 0 stats: MB=1014600 secs=265016 MBps=3.82845 packets=1049961497 blocks=1014600 polls=969088 drops=11604914671 drop%=91.7031

This is what 'sudo du -hd1 /nsm` reports as of 4/29/2025. I am currently using Stenographer for packet capture. I tested out Suricata with the Transition pcap setting for a time:

45G /nsm/docker-registry
3.5G /nsm/repo
6.4G /nsm/elastic-fleet
253M /nsm/rules
2.9M /nsm/kratos
13G /nsm/influxdb
16G /nsm/backup
696K /nsm/soc
0 /nsm/import
0 /nsm/pcapout
1.9T /nsm/suripcap
6.2T /nsm/pcap
225M /nsm/mysql
4.0T /nsm/elasticsearch
4.0K /nsm/logstash
1.1G /nsm/redis
12K /nsm/pcaptmp
131G /nsm/pcapindex
664K /nsm/suricata
453G /nsm/zeek
13G /nsm/strelka
143M /nsm/securityonion-resources
0 /nsm/custom-mappings
13T /nsm

[cm-ops]

Wonder if /nsm/pcapindex has some corruption. Try sudo mv /nsm/pcapindex /nsm/pcapindex.old the sudo so-pcap-restart that should recreate /nsm/pcapindex if it looks good, remove /nsm/pcapindex.old.

[rfuller318]

Wonder if /nsm/pcapindex has some corruption. Try sudo mv /nsm/pcapindex /nsm/pcapindex.old the sudo so-pcap-restart that should recreate /nsm/pcapindex if it looks good, remove /nsm/pcapindex.old.

Doing this got rid of the error message in the Steno logs but I still have high Steno packet loss.

This is the weirdest thing. Zeek is collecting data just fine, no packet loss. Packet loss only happens with Stenographer or Suricata packet capture.

[rfuller318]

I think I finally figured out the Stenographer issue. I believe there was some seasonal internal traffic spikes that I was not accounting for. We'll find out on the next go round lol smh.

Thank you for all of your help!!