SOv2.4.150 no Logs

[argwfm]

Version

2.4.150

Installation Method

Security Onion ISO image

Description

installation

Installation Type

Distributed

Location

on-prem with Internet access

Hardware Specs

Meets minimum requirements

CPU

8

RAM

32

Storage for /

256

Storage for /nsm

512

Network Traffic Collection

tap

Network Traffic Speeds

1Gbps to 10Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

No, there are no failures

Logs

No, there are no additional clues

Detail

Did a fresh install of SOv2.4.150 distributed and logs are not flowing despite the Grid showing green and no errors. Not seeing indexes for so-zeek or so-suricata either via Elastic. salt-call state.highstate similarly competes w/out error. Forward sensors are writing to /nsm/zeek but this data is not being forwarded to the manager/receiver. so-status also shows running/normal. Elastic Fleet is showing the sensors registered and communicating via the so-grid-nodes_general agent policy. Any recommendation on what logs to look at for clues here before teardown and re-build w/ an older version? Thanks all!

# so-status
                   Security Onion Status
              Container │ Status  │                 Details
────────────────────────┼─────────┼─────────────────────────
           so-sensoroni │ running │           Up 59 minutes
               so-steno │ running │           Up 59 minutes
     so-strelka-backend │ running │           Up 59 minutes
 so-strelka-coordinator │ running │           Up 59 minutes
  so-strelka-filestream │ running │           Up 59 minutes
    so-strelka-frontend │ running │           Up 59 minutes
  so-strelka-gatekeeper │ running │           Up 59 minutes
     so-strelka-manager │ running │           Up 59 minutes
            so-suricata │ running │           Up 59 minutes
            so-telegraf │ running │           Up 59 minutes
                so-zeek │ running │ Up 59 minutes (healthy)
 ✔ This onion is ready to make your adversaries cry!

Guidelines

• I have read the discussion guidelines at Read before posting! #1720 and assert that I have followed the guidelines.

[argwfm]

Solved! Redis errors per logstash.log, had a custom pipeline that was missing password => '{{ REDIS_PASS }}' which is now enforced.

[WARN ][logstash.outputs.redis ] Failed to send backlog of events to Redis {:identity=>"redis://@manager:6379/0 list:logstash:unparsed", :exception=>#<Redis::CommandError: NOAUTH Authentication required.>