Search node missing #14897

shanuravi · 2025-08-01T16:23:30Z

shanuravi
Aug 1, 2025

Version

2.4.60

Installation Method

Security Onion ISO image

Description

configuration

Installation Type

Distributed

Location

on-prem with Internet access

Hardware Specs

Meets minimum requirements

CPU

16

RAM

200GB

Storage for /

100TB

Storage for /nsm

5 TB

Network Traffic Collection

tap

Network Traffic Speeds

Less than 1Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

No, there are no failures

Logs

No, there are no additional clues

Detail

Hello Team,

I have a question. We have configured two nodes: a Manager and a Sensor. The Sensor is connected in TAP mode, and we are receiving traffic on the Sensor interface connected to the TAP interface. However, we are not receiving any logs on the Manager interface that is connected to the Sensor. As a result, we are unable to see any alerts in the SOC console.

We also noticed that we have not configured a Search node.

So, my question is: Are we not receiving traffic on the Manager because the Search node is not configured?
If we configure the Manager node as a Manager-Search node, will we be able to see the traffic and alerts in the SOC console?

We have verified that all services are running fine using the so-status command. The clocks on both the Manager and Sensor are synchronized with NTP, and connectivity between them is confirmed to be working.

Guidelines

I have read the discussion guidelines at Read before posting! #1720 and assert that I have followed the guidelines.

reyesj2 · 2025-08-02T14:17:12Z

reyesj2
Aug 2, 2025
Maintainer

You need a searchnode to store the logs. That can be either a managersearch or a searchnode.

https://docs.securityonion.net/en/2.4/architecture.html#distributed

0 replies

shanuravi · 2025-08-04T07:23:37Z

shanuravi
Aug 4, 2025
Author

Thanks for the reply.

So, it means if we don't have manager-search or search node then we will not be able to see the logs on SOC.

I also apply tcp dump filter on the manager interface connected to forward node even we are not receiving the logs on that interface.

2 replies

reyesj2 Aug 4, 2025
Maintainer

Correct. The managersearch or searchnode is what provides storage for logs. Without it you aren't able to retain any amount of logs.

shanuravi Aug 6, 2025
Author

thanks sir.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Search node missing #14897

Uh oh!

{{title}}

Uh oh!

Replies: 2 comments 2 replies

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

Search node missing #14897

Uh oh!

shanuravi Aug 1, 2025

Version

Installation Method

Description

Installation Type

Location

Hardware Specs

CPU

RAM

Storage for /

Storage for /nsm

Network Traffic Collection

Network Traffic Speeds

Status

Salt Status

Logs

Detail

Guidelines

Replies: 2 comments · 2 replies

Uh oh!

reyesj2 Aug 2, 2025 Maintainer

Uh oh!

shanuravi Aug 4, 2025 Author

Uh oh!

reyesj2 Aug 4, 2025 Maintainer

Uh oh!

shanuravi Aug 6, 2025 Author

shanuravi
Aug 1, 2025

Replies: 2 comments 2 replies

reyesj2
Aug 2, 2025
Maintainer

shanuravi
Aug 4, 2025
Author

reyesj2 Aug 4, 2025
Maintainer

shanuravi Aug 6, 2025
Author