so-sensoroni unable to start

[mlhein]

Version

2.4.160

Installation Method

Security Onion ISO image

Description

other (please provide detail below)

Installation Type

Distributed

Location

on-prem with Internet access

Hardware Specs

Exceeds minimum requirements

CPU

24

RAM

254

Storage for /

293G

Storage for /nsm

1.9T

Network Traffic Collection

span port

Network Traffic Speeds

Less than 1Gbps

Status

No, one or more services are failed (please provide detail below)

Salt Status

No, there are no failures

Logs

No, there are no additional clues

Detail

• Security Onion version as seen in the lower left corner of SOC and in /etc/soversion.
  Version: 2.4.160

• Is this a cloud deployment or on-prem? If on-prem, do you have Internet access or this an airgap installation?
  On-prem with internet access.

• Did you install from our Security Onion ISO image or did you perform a network installation?
  Security Onion ISO image.

• If network installation, what distro and version did you install on?
  N/A

• How many nodes do you have?
  3 nodes

• What are the hardware specs of each of those nodes?
  Exceeded minimum requirements.

• How are each of those nodes configured? (ex. manager with 2 search nodes and 3 forward nodes)
  1 manager, 1 search, 1 forward

• Are you experiencing issues monitoring network traffic? If so, are you sniffing from a tap or span port and what is the traffic volume?
  No

• Does so-status show all services running?
  No

• Do you get any failures when you run sudo salt-call state.highstate?
  No

• Does the SOC Grid page show any failures?
  N/A

• Explain your issue.

Describe the bug
so-sensoroni docker container failed to start.

[root@manager ~]# so-sensoroni-start
=========================================================================
Starting sensoroni...

This could take a while if another Salt job is running. 
Run this command with --force to stop all Salt jobs before proceeding.
=========================================================================
[INFO    ] Loading fresh modules for state activity
[INFO    ] Running state [/opt/so/conf/sensoroni] at time 04:15:00.325920
[INFO    ] Executing state file.directory for [/opt/so/conf/sensoroni]
[INFO    ] The directory /opt/so/conf/sensoroni is in the correct state
[INFO    ] Completed state [/opt/so/conf/sensoroni] at time 04:15:00.327428 (duration_in_ms=1.508)
[INFO    ] Running state [/opt/so/conf/sensoroni/sensoroni.json] at time 04:15:00.327626
[INFO    ] Executing state file.managed for [/opt/so/conf/sensoroni/sensoroni.json]
[INFO    ] File /opt/so/conf/sensoroni/sensoroni.json is in the correct state
[INFO    ] Completed state [/opt/so/conf/sensoroni/sensoroni.json] at time 04:15:00.466700 (duration_in_ms=139.072)
[INFO    ] Running state [/opt/so/conf/sensoroni/analyzers] at time 04:15:00.466990
[INFO    ] Executing state file.directory for [/opt/so/conf/sensoroni/analyzers]
[INFO    ] The directory /opt/so/conf/sensoroni/analyzers is in the correct state
[INFO    ] Completed state [/opt/so/conf/sensoroni/analyzers] at time 04:15:00.468465 (duration_in_ms=1.476)
[INFO    ] Running state [/opt/so/log/sensoroni] at time 04:15:00.468656
[INFO    ] Executing state file.directory for [/opt/so/log/sensoroni]
[INFO    ] The directory /opt/so/log/sensoroni is in the correct state
[INFO    ] Completed state [/opt/so/log/sensoroni] at time 04:15:00.469807 (duration_in_ms=1.15)
[INFO    ] Running state [/opt/so/conf/sensoroni/analyzers] at time 04:15:00.470009
[INFO    ] Executing state file.recurse for [/opt/so/conf/sensoroni/analyzers]
[INFO    ] The directory /opt/so/conf/sensoroni/analyzers is in the correct state
[INFO    ] Completed state [/opt/so/conf/sensoroni/analyzers] at time 04:15:09.415685 (duration_in_ms=8945.675)
[INFO    ] Running state [/usr/sbin] at time 04:15:09.415934
[INFO    ] Executing state file.recurse for [/usr/sbin]
[INFO    ] {'/usr/sbin': {'/usr/sbin': {'user': 939}, 'user': 939}}
[INFO    ] Loading fresh modules for state activity
[INFO    ] Completed state [/usr/sbin] at time 04:15:09.613229 (duration_in_ms=197.294)
[INFO    ] Running state [/opt/so/conf/so-status/so-status.conf] at time 04:15:09.615295
[INFO    ] Executing state file.append for [/opt/so/conf/so-status/so-status.conf]
/opt/saltstack/salt/lib/python3.10/site-packages/salt/utils/psutil_compat.py:16: DeprecationWarning: Please stop importing 'salt.utils.psutil
_compat' and instead import 'psutil' directly as there's no longer a need for a compatability layer. The 'salt.utils.psutil_compat' will go a
way on Salt 3008.0 (Argon).
  salt.utils.versions.warn_until(
[INFO    ] Executing command git in directory '/root'
[INFO    ] Executing command 'grep' in directory '/root'
[INFO    ] ['unless condition is true']
[INFO    ] Completed state [/opt/so/conf/so-status/so-status.conf] at time 04:15:10.662775 (duration_in_ms=1047.479)
[INFO    ] Running state [so-sensoroni] at time 04:15:10.663406
[INFO    ] Executing state docker_container.running for [so-sensoroni]
[INFO    ] {'container_id': {'added': '139a24410a65622445a569fbc4ea6a82b52c4152958a2b18b3b9497964cceb1d'}, 'state': {'old': None, 'new': 'run
ning'}}
[INFO    ] Completed state [so-sensoroni] at time 04:15:11.892742 (duration_in_ms=1229.336)
[INFO    ] Running state [/opt/so/conf/so-status/so-status.conf] at time 04:15:11.893227
[INFO    ] Executing state file.uncomment for [/opt/so/conf/so-status/so-status.conf]
[INFO    ] Pattern already uncommented
[INFO    ] Completed state [/opt/so/conf/so-status/so-status.conf] at time 04:15:11.896196 (duration_in_ms=2.968)
local:
----------
          ID: sensoroniconfdir
    Function: file.directory
        Name: /opt/so/conf/sensoroni
      Result: True
     Comment: The directory /opt/so/conf/sensoroni is in the correct state
     Started: 04:15:00.325920
    Duration: 1.508 ms
     Changes:   
----------
          ID: sensoroniagentconf
    Function: file.managed
        Name: /opt/so/conf/sensoroni/sensoroni.json
      Result: True
     Comment: File /opt/so/conf/sensoroni/sensoroni.json is in the correct state
     Started: 04:15:00.327628
    Duration: 139.072 ms
     Changes:   
----------
          ID: analyzersdir
    Function: file.directory
        Name: /opt/so/conf/sensoroni/analyzers
      Result: True
     Comment: The directory /opt/so/conf/sensoroni/analyzers is in the correct state
     Started: 04:15:00.466989
    Duration: 1.476 ms
     Changes:   
----------
          ID: sensoronilog
    Function: file.directory
        Name: /opt/so/log/sensoroni
      Result: True
     Comment: The directory /opt/so/log/sensoroni is in the correct state
     Started: 04:15:00.468657
    Duration: 1.15 ms
     Changes:   
----------
          ID: analyzerscripts
    Function: file.recurse
        Name: /opt/so/conf/sensoroni/analyzers
      Result: True
     Comment: The directory /opt/so/conf/sensoroni/analyzers is in the correct state
     Started: 04:15:00.470010
    Duration: 8945.675 ms
     Changes:   
----------
          ID: sensoroni_sbin
    Function: file.recurse
        Name: /usr/sbin
      Result: True
     Comment: Recursively updated /usr/sbin
     Started: 04:15:09.415935
    Duration: 197.294 ms
     Changes:   
              ----------
              /usr/sbin:
                  ----------
                  /usr/sbin:
                      ----------
                      user:
                          939
                  user:
                      939
----------
          ID: append_so-sensoroni_so-status.conf
    Function: file.append
        Name: /opt/so/conf/so-status/so-status.conf
      Result: True
     Comment: unless condition is true
     Started: 04:15:09.615296
    Duration: 1047.479 ms
     Changes:   
----------
          ID: so-sensoroni
    Function: docker_container.running
      Result: True
     Comment: Created container 'so-sensoroni'
     Started: 04:15:10.663406
    Duration: 1229.336 ms
     Changes:   
              ----------
              container_id:
                  ----------
                  added:
                      139a24410a65622445a569fbc4ea6a82b52c4152958a2b18b3b9497964cceb1d
              state:
                  ----------
                  new:
                      running
                  old:
                      None
----------
          ID: delete_so-sensoroni_so-status.disabled
    Function: file.uncomment
        Name: /opt/so/conf/so-status/so-status.conf
      Result: True
     Comment: Pattern already uncommented
     Started: 04:15:11.893228
    Duration: 2.968 ms
     Changes:   

Summary for local
------------
Succeeded: 9 (changed=2)
Failed:    0
------------
Total states run:     9
Total run time:  11.566 s
[root@manager ~]# so-sensoroni-
so-sensoroni-restart  so-sensoroni-start    so-sensoroni-stop     
[root@manager ~]# so-status

                        Security Onion Status                        
                         Container │ Status  │               Details 
───────────────────────────────────┼─────────┼───────────────────────
                 so-dockerregistry │ running │           Up 24 hours 
                     so-elastalert │ running │           Up 23 hours 
                  so-elastic-fleet │ running │           Up 23 hours 
 so-elastic-fleet-package-registry │ running │ Up 23 hours (healthy) 
                  so-elasticsearch │ running │           Up 26 hours 
                       so-idstools │ running │           Up 23 hours 
                       so-influxdb │ running │ Up 24 hours (healthy) 
                         so-kibana │ running │           Up 23 hours 
                         so-kratos │ running │           Up 23 hours 
                       so-logstash │ running │           Up 23 hours 
                          so-nginx │ running │ Up 24 hours (healthy) 
                          so-redis │ running │           Up 23 hours 
                      so-sensoroni │ missing │                       
                            so-soc │ running │           Up 23 hours 
                       so-telegraf │ running │           Up 23 hours 

 ❗ Check container logs and /opt/so/log for more details.

[root@manager ~]# cat /opt/so/log/sensoroni/sensoroni.log 
[root@manager ~]# docker logs so-sensoroni
Error: Unable to read configuration file 'sensoroni.json' [Agent.MgmtNic contains invalid characters]

To Reproduce
I believe it's because . in nm-bond.2474 in sensoroni.json

Expected behavior
so-sensoroni should be running.

Screenshots
N/A

Additional context
Version: 2.4.160

[root@manager ~]# salt \* cmd.run 'so-status'
searchnode:
    
              Security Onion Status           
            Container │ Status  │     Details 
    ──────────────────┼─────────┼─────────────
     so-elasticsearch │ running │ Up 24 hours 
          so-logstash │ running │ Up 22 hours 
         so-sensoroni │ missing │             
          so-telegraf │ running │ Up 22 hours 
    
     ❗ Check container logs and /opt/so/log for more details.
sensor:
    
                      Security Onion Status                   
                  Container │ Status  │               Details 
    ────────────────────────┼─────────┼───────────────────────
               so-sensoroni │ missing │                       
         so-strelka-backend │ running │           Up 22 hours 
     so-strelka-coordinator │ running │           Up 22 hours 
      so-strelka-filestream │ running │           Up 22 hours 
        so-strelka-frontend │ running │           Up 22 hours 
      so-strelka-gatekeeper │ running │           Up 22 hours 
         so-strelka-manager │ running │           Up 22 hours 
                so-suricata │ running │           Up 22 hours 
                so-telegraf │ running │           Up 22 hours 
                    so-zeek │ running │ Up 22 hours (healthy) 
    
     ❗ Check container logs and /opt/so/log for more details.
manager:
    
                            Security Onion Status                        
                             Container │ Status  │               Details 
    ───────────────────────────────────┼─────────┼───────────────────────
                     so-dockerregistry │ running │           Up 22 hours 
                         so-elastalert │ running │           Up 22 hours 
                      so-elastic-fleet │ running │           Up 22 hours 
     so-elastic-fleet-package-registry │ running │ Up 22 hours (healthy) 
                      so-elasticsearch │ running │           Up 24 hours 
                           so-idstools │ running │           Up 22 hours 
                           so-influxdb │ running │ Up 22 hours (healthy) 
                             so-kibana │ running │           Up 22 hours 
                             so-kratos │ running │           Up 22 hours 
                           so-logstash │ running │           Up 22 hours 
                              so-nginx │ running │ Up 22 hours (healthy) 
                              so-redis │ running │           Up 22 hours 
                          so-sensoroni │ missing │                       
                                so-soc │ running │           Up 22 hours 
                           so-telegraf │ running │           Up 22 hours 
    
     ❗ Check container logs and /opt/so/log for more details.

sensoroni.json

[root@manager ~]# cat /opt/so/conf/sensoroni/sensoroni.json 
{
  "logFilename": "/opt/sensoroni/logs/sensoroni.log",
  "logLevel":"info",
  "agent": {
    "nodeId": "manager",
    "role": "so-manager",
    "description": "manager",
    "address": "10.211.11.40",
    "mgmtNic": "nm-bond.2474",
    "model": "",
    "pollIntervalMs": 10000,
    "serverUrl": "https://10.211.11.40/sensoroniagents",
    "verifyCert": false,
    "modules": { 
      "analyze": {
        "timeoutMs": 900000,
        "parallelLimit": 5
      },
      "importer": {},
      "statickeyauth": {
        "apiKey": "111111111111111111"
      }
    }
  }
}

Guidelines

• I have read the discussion guidelines at Read before posting! #1720 and assert that I have followed the guidelines.

[cm-ops]

Is your management NIC in a bond?

[mlhein]

Yes, bond with VLAN interface

[cm-ops]

"mgmtNic": "nm-bond.2474", You will need to change the name of the bond, SO doesn't support network interfaces with periods or slashes.