Dashboard, Alerts, Hunt and Kibana Interfaces show no log details #14935
Replies: 2 comments 3 replies
-
https://docs.securityonion.net/en/2.4/architecture.html#evaluation
Have you checked your Elastic agent? The Elastic agent will send the logs to Elasticsearch. You can check the status and logs at the CLI with the following commands:
-
Running the command I've also tried to uninstall the elastic-agent using I've also tried reinstalling the agent using
Could there be something I missed during the installation of my instance?
-
Version: 2.4.170
Installation Method: Security Onion ISO image
Description: configuration
Installation Type: Eval
Location: other (please provide detail below)
Hardware Specs: Meets minimum requirements
CPU: 4
RAM: 12
Storage for /: 200GB
Storage for /nsm: 125GB
Network Traffic Collection: span port
Network Traffic Speeds: Less than 1Gbps
Status: Yes, all services on all nodes are running OK
Salt Status: No, there are no failures
Logs: Yes, there are additional clues in /opt/so/log/ (please provide detail below)
Detail:
Hi all,
I’m running Security Onion in EVAL installation mode in Oracle VirtualBox, for a Cybersecurity home lab. Initially, I used Security Onion v2.4.120 and everything worked well. The issue started after the update to 2.4.170.
I’ve noticed that although Zeek and Suricata logs are being generated under /nsm/zeek/logs/current/ and /nsm/suricata/, I don’t see any corresponding log details in any of my dashboards, apart from the time series of activities in the Dashboard screen and the total count of logs in Kibana. Further investigation has shown that there are no Zeek or Suricata indices in Elasticsearch/Kibana.
Here’s what I’ve observed so far:
- All containers show as running (so-status).
- ls -lh /nsm/zeek/logs/current/ and /nsm/suricata/ confirm that logs are being generated.
- In Kibana, I do see ~15,000 Security Onion logs (so they’re reaching Elasticsearch), but I cannot filter for IPs, hosts, files, or network fields.
- sudo so-elasticsearch-indices-list shows only elastalert_status and elastalert_error indices, no Zeek or Suricata indices.
- Pipelines exist (sudo so-elasticsearch-pipelines-list), but no Filebeat container is running (docker ps | grep filebeat returns nothing). I understand Filebeat is used in Standalone installs, but I’m unclear what forwards logs in EVAL.
- Checking Elastic Fleet logs shows repeated errors connecting to localhost:9200 (connection refused), while other local connections like localhost:6791 succeed.
- I ran so-test and packet replay on the terminal, which completed successfully, but still nothing on the UI.
I've checked my monitoring interface, bond0, which is a master to the VM interface, and this shows logs. So, log collection and I believe storage works fine. I think the issue is the connection between the elastic-agent and Elasticsearch.
Question:
What could be the missing piece that prevents Zeek/Suricata logs from being indexed in Elasticsearch in an EVAL deployment? Is the issue with Fleet outputs configuration, or is something else required to bridge logs → pipelines → Elasticsearch in EVAL mode?
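The checks the post walks through by hand (sensor files on disk, the agent's output errors, the index list) form one chain, and it helps to evaluate them in order so the first broken hop is the one you act on. The script below is an added example written for this thread; it is not code from the discussion or from the Security Onion project. It assumes the paths and ports named in the post, that `sudo so-elasticsearch-indices-list` is available on the node (it is, per the post), and that elastic-agent runs as a systemd unit named `elastic-agent` (a hypothetical unit name; confirm it on your node). The sample index list and agent log lines embedded in it are constructed to mirror the post's observations, not real command output.

```shell
#!/bin/sh
# Added example (not from the thread or the Security Onion project). Checks each
# hop of the EVAL log path the post describes:
#   Zeek/Suricata files on disk -> elastic-agent -> Elasticsearch:9200 -> indices
# Assumptions: paths and ports as named in the post; so-elasticsearch-indices-list
# present; elastic-agent is a systemd unit called "elastic-agent" (hypothetical
# name, confirm with `systemctl list-units | grep -i agent` on your node).

# Number of regular files directly under a log directory (0 if it is absent).
count_log_files() {
    if [ -d "$1" ]; then
        find "$1" -maxdepth 1 -type f | wc -l | tr -d ' '
    else
        echo 0
    fi
}

# Count index names (newline-separated, as so-elasticsearch-indices-list prints
# them) that look like Zeek or Suricata data; the post saw only elastalert_*.
count_nsm_indices() {
    printf '%s\n' "$1" | grep -c -E 'zeek|suricata' || true
}

# Distinct host:port targets that the agent log reports as "connection refused".
# Hostnames are matched lowercase-only so ISO timestamps ("...T10:00") do not
# match; LC_ALL=C keeps the character ranges literal.
refused_targets() {
    printf '%s\n' "$1" \
      | grep -i 'connection refused' \
      | LC_ALL=C grep -o -E '([a-z][a-z0-9-]*(\.[a-z0-9-]+)*|[0-9]{1,3}(\.[0-9]{1,3}){3}):[0-9]+' \
      | sort -u
}

# Verdict code: $1 = files on disk, $2 = Zeek/Suricata index count,
# $3 = number of refused targets. Ordered so the earliest broken hop wins.
diagnose() {
    if [ "$1" -eq 0 ]; then
        echo "NO_LOCAL_LOGS"        # sensors not writing; not the post's case
    elif [ "$2" -gt 0 ]; then
        echo "OK"                   # data is reaching Elasticsearch
    elif [ "$3" -gt 0 ]; then
        echo "OUTPUT_UNREACHABLE"   # the post's symptom: files exist, agent cannot reach ES
    else
        echo "NO_NSM_INDICES"       # no output error logged; look at agent inputs / ingest pipelines
    fi
}

# Constructed sample data mirroring the post (not real command output).
SAMPLE_INDICES='elastalert_status
elastalert_error'
SAMPLE_AGENT_LOG='2025-01-01T10:00:00Z ERROR Failed to connect to backoff(elasticsearch(https://localhost:9200)): dial tcp 127.0.0.1:9200: connect: connection refused
2025-01-01T10:00:05Z INFO connection to https://localhost:6791 established
2025-01-01T10:00:10Z ERROR Failed to connect to backoff(elasticsearch(https://localhost:9200)): dial tcp 127.0.0.1:9200: connect: connection refused'

# Run against the live node when SO_DIAG_LIVE=1, otherwise against the sample.
run_diag() {
    if [ "${SO_DIAG_LIVE:-0}" = "1" ]; then
        files=$(( $(count_log_files /nsm/zeek/logs/current) + $(count_log_files /nsm/suricata) ))
        indices=$(sudo so-elasticsearch-indices-list 2>/dev/null || true)
        agent_log=$(journalctl -u elastic-agent --since '1 hour ago' --no-pager 2>/dev/null || true)
    else
        files=1
        indices=$SAMPLE_INDICES
        agent_log=$SAMPLE_AGENT_LOG
    fi
    nsm=$(count_nsm_indices "$indices")
    refused=$(refused_targets "$agent_log")
    nref=$(printf '%s\n' "$refused" | grep -c . || true)
    echo "zeek/suricata files: $files; zeek/suricata indices: $nsm; refused targets: $nref"
    if [ -n "$refused" ]; then
        echo "$refused"
    fi
    diagnose "$files" "$nsm" "$nref"
}

run_diag
```

Run it as `SO_DIAG_LIVE=1 sh so-diag.sh` on the manager; without the variable it runs against the constructed sample and prints `OUTPUT_UNREACHABLE`, which is the verdict the post's observations map to: files are written, the index list is empty of Zeek/Suricata names, and the only failing target is the Elasticsearch output on port 9200. That verdict points at the agent's output configuration rather than at the sensors or at ingest pipelines.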