Disconnected environment issues; sensors not resilient to intermittent usage #14554

branpurn · 2025-04-18T19:12:04Z

branpurn
Apr 18, 2025

Version

2.4.10

Installation Method

Security Onion ISO image

Description

configuration

Installation Type

Distributed

Location

airgap

Hardware Specs

Exceeds minimum requirements

CPU

16

RAM

256

Storage for /

2 TB

Storage for /nsm

7-21 TB

Network Traffic Collection

tap

Network Traffic Speeds

1Gbps to 10Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

Yes, there are salt failures (please provide detail below)

Logs

No, there are no additional clues

Detail

Hello-- Hope this location is OK for cordial "lite" support.

We have tested some distributed scenarios with a manager that is always on, with a couple sensors each with a corresponding tap. Everything works just fine while the sensors are connected to the manager, or are disconnected but were able to reach manager during startup. The sensor collects from the tap and sends data to the manager as expected.

Ideally, we would like to power down the sensors, take them to alternate locations, have them collect from the taps, then return them to the manager to ingest.

Once the sensors are cold booted while the manager is unreachable, so-status says "System appears to be starting. No highstate has completed since the system was restarted." Running so-start at this stage fails with a timeout, "Attempt to authenticate with the salt master failed with timeout error." Running "salt-call state.highstate --local" fails with "No Top file or master_tops data matches found."

If plugged back into the manager, everything returns to normal.

Thank you in advance for any suggestions or ideas.

Guidelines

I have read the discussion guidelines at Read before posting! #1720 and assert that I have followed the guidelines.

Answered by TOoSmOotH

Apr 21, 2025

Unfortunately that is not how the architecture works. The manager is the brains of the architecture and sensors are just worker bees. That is why when you have a sensor have a hardware failure it can be quickly replaced with a new one like nothing ever happened. I would suggest deploying a standalone.

View full answer

TOoSmOotH · 2025-04-21T13:08:52Z

TOoSmOotH
Apr 21, 2025
Maintainer

Unfortunately that is not how the architecture works. The manager is the brains of the architecture and sensors are just worker bees. That is why when you have a sensor have a hardware failure it can be quickly replaced with a new one like nothing ever happened. I would suggest deploying a standalone.

1 reply

branpurn Apr 21, 2025
Author

Thanks, I appreciate the confirmation and clarity on this!

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Disconnected environment issues; sensors not resilient to intermittent usage #14554

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Replies: 1 comment 1 reply

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

Disconnected environment issues; sensors not resilient to intermittent usage #14554

Uh oh!

Uh oh!

branpurn Apr 18, 2025

Version

Installation Method

Description

Installation Type

Location

Hardware Specs

CPU

RAM

Storage for /

Storage for /nsm

Network Traffic Collection

Network Traffic Speeds

Status

Salt Status

Logs

Detail

Guidelines

Replies: 1 comment · 1 reply

Uh oh!

TOoSmOotH Apr 21, 2025 Maintainer

Uh oh!

branpurn Apr 21, 2025 Author

branpurn
Apr 18, 2025

Replies: 1 comment 1 reply

TOoSmOotH
Apr 21, 2025
Maintainer

branpurn Apr 21, 2025
Author