No information available from OpenCanary

[sierra4max]

Version
2.4.160

Installation Method
Security Onion ISO image

Location
On-prem with internet access

Installation Type
Distributed (3 nodes)

Hardware Specs
ManagerSearch Node (Physical)
CPU : 8
RAM : 16
Storage : 1TB

Sensor Node (Vmware with two network cards on bridge)
CPU : 4
RAM : 12
Storage : 200GB

IDH Node (Vmware with network card on bridge)
CPU : 2
RAM : 2
Storage : 100GB

Configuration
Manager with one sensor node and one IDH node

Status
All services on all nodes are running OK

Detail
Hello,
I am having a problem with the alerts that OpenCanary should generate.
I configured the IDH node following all the instructions here https://docs.securityonion.net/en/2.4/idh.html#idh. After running tests on the different ports I activated, I don't see any information in Dashboards or Hunt coming from OpenCanary. The same goes for the “opencanary” query in Dashboard and Hunt's Onion Query Language, as well as in Kibana with the queries event.module: opencanary
and event.dataset: idh.
However, I do get information from Suricata and Zeek after running so-test in the ManagerSearch node.
It's as if I hadn't configured anything for the IDH and OpenCanary nodes, even though I think I followed everything in the documentation in the idh section https://docs.securityonion.net/en/2.4/idh.html#idh

Thank you in advance for any help.

Guidelines
I have read the discussion guidelines at Read before posting! #1720 and assert that I have followed the guidelines.

[InfosecGoon]

Is the IDH node showing up properly in the Grid screen on the Manager?

Is the Elastic Agent running on the IDH node listed as "Healthy" in the Fleet interface?

On the IDH node, are there any logs in the file at /nsm/idh/opencanary.log?

[la-cry]

I'm in the exact same boat as @sierra4max

The IDH node shows up in the Grid as running and healthy, and I do have logs generating in /nsm/idh/opencanary.log. When I attempt to connect to IDH ports I can see the connection attempts in /nsm/idh/opencanary.log, but I still don't see any data from the opencanary event module or idh event dataset. I can't for the life of me figure out why the data isn't getting from the IDH to the manager node

[kspringer-maf]

Try this.

1. Once HoneyPot node has been authorized in the Grid, only port 22 will be open. To turn on additional honeypot ports
   Manager> Administration> Configuration> idh> opencanary> config>
   select each desired protocol, enter 'true' in 'Current Grid Value' field and Save.

   Wait 15 minutes for sync, or force it with the 'Synchronize Grid' button.

2. Test by hitting the HoneyPot with nmap. This will only trip SSH alerts even though other ports show open. To trip the other ports you need to actually connect to them, not just nmap them.

3. Access the HoneyPot's web page IP via a browser to trip the web port. This is the easiest test that things are working.

4. Hunt for events
   event.module: opencanary