Sensor install keeps failing.

[erlicthemad]

Version

2.4.190

Installation Method

Security Onion ISO image

Description

installation

Installation Type

Distributed

Location

on-prem with Internet access

Hardware Specs

Exceeds minimum requirements

CPU

12

RAM

48

Storage for /

70G

Storage for /nsm

913G

Network Traffic Collection

span port

Network Traffic Speeds

Less than 1Gbps

Status

No, one or more services are failed (please provide detail below)

Salt Status

No, there are no failures

Logs

No, there are no additional clues

Detail

Hello,
I have been trying to get a Security Onion sensor installed on an HP Z400 workstation with an X5690 CPU. The install ends aborting with an undefined error, and all the logs listed to look at are empty. I started with build 2.4.160 and upgraded to 2.4.170, then I am now at 2.4.190. Each time the install fails with an unknown error. The node shows up, and Salt reports everything is fine, but the Suricata services are reporting that the containers are missing. Even when starting from bare-iron hard drives, where the boot volume is a 460 GB drive partitioned by Onion into 70 GB for the boot and the balance set to /home. The /nsm volume is a raid set at 913GB.

When I look for the logs, there is no content in the error logs, or the logs list an unknown error. Is it possible that the containers are not compatible with the X5690 Xeon processors?

Guidelines

• I have read the discussion guidelines at Read before posting! #1720 and assert that I have followed the guidelines.

[erlicthemad]

Just for a test, I also installed a frontend on a VM with two interfaces to test and see if there was something else wrong. so-strelka-backend is in a rebooting loop, so-strelka-filestream is missing, so-strelka-frontend is missing, and so-strelka-manager is missing. This is the same as on the Z400 workstation. It is running 2.4.190. Memory is at 36% used, and everything else is down in the single digits.

[cm-ops]

Would you look in the /root/sosetup.log for any issues?

[erlicthemad]

Yes, I looked in the sensor folder and the file was empty. The other error log reported an unknown error occurred. I was hoping for something in the logs to give a clue. It reports an unknown error occurred and I followed the installer dialog looking for the logs. The sensor shows up in the manager and I can add it in, but those containers are missing and one is in a restart loop reporting a lookup error. I will be back in the office tomorrow morning to try and grab the error logs from the rebooting container.

[erlicthemad]

Watching processes on the sensor while adopting "soup" is running and installing.

[erlicthemad]

This is the contents of the error.log file. With a directory of the /root.
[sudo] password for secsensor: total 204 dr-xr-x---. 6 root root 4096 Nov 12 14:26 . dr-xr-xr-x. 19 root root 246 Nov 12 14:28 .. -rw-r--r--. 1 root root 0 Nov 10 19:42 accept_changes -rw-------. 1 root root 50124 Nov 7 19:41 anaconda-ks.cfg -rw-r--r--. 1 root root 18 Mar 8 2025 .bash_logout -rw-r--r--. 1 root root 141 Mar 8 2025 .bash_profile -rw-r--r--. 1 root root 429 Mar 8 2025 .bashrc -rw-r--r--. 1 root root 100 Mar 8 2025 .cshrc -rw-r--r--. 1 root root 51 Nov 10 19:42 errors.log -rw-r--r--. 1 root root 0 Nov 10 19:42 failure -rw-r--r--. 1 root root 298 Nov 10 19:42 install_summary drwxr-xr-x. 3 root root 20 Nov 7 19:53 installtmp -rw-------. 1 root root 20 Nov 7 20:09 .lesshst -rw-r--r--. 1 root root 31 Nov 10 19:39 net_init drwxr-xr-x. 2 root root 32 Nov 10 19:42 oldrepos -rw-------. 1 root root 50000 Nov 7 19:50 original-ks.cfg drwxr-xr-x. 11 root root 4096 Nov 7 19:41 SecurityOnion -rw-r--r--. 1 root root 48521 Nov 10 19:42 sosetup.log drwx------. 2 root root 6 Nov 7 19:36 .ssh -rw-r--r--. 1 root root 129 Mar 8 2025 .tcshrc -rw-------. 1 root root 2998 Nov 10 17:40 .viminfo -rw-r--r--. 1 root root 157 Nov 7 20:14 .vimrc [secsensor@onionsensor ~]$ sudo cat /root/errors.log Error: Connection activation failed: Unknown error [secsensor@onionsensor ~]$

The sosetup.log file is about 45KB long if you want to see that.
This is the last 75 lines from that log.

`[secsensor@onionsensor ~]$ sudo tail -n75 /root/sosetup.log
----------
diff:
New file
mode:
0644
/opt/so/conf/salt/module_packages/docker/urllib3-2.2.2-py3-none-any.whl:
----------
diff:
New file
mode:
0644

      ID: docker_python_module_install
Function: cmd.run
    Name: /opt/saltstack/salt/bin/python3.10 -m pip install docker --no-index --find-links=/opt/so/conf/salt/module_packages/docker/ --upgrade
  Result: True
 Comment: Command "/opt/saltstack/salt/bin/python3.10 -m pip install docker --no-index --find-links=/opt/so/conf/salt/module_packages/docker/ --upgrade" run
 Started: 19:42:34.894920
Duration: 888.684 ms
 Changes:
          ----------
          pid:
              2652089
          retcode:
              0
          stderr:
              WARNING: Running pip as the 'root' user can result in broken permissions and conflicting behaviour with the system package manager. It is recommended to use a virtual environment instead: https://pip.pypa.io/warnings/venv
          stdout:
              Looking in links: /opt/so/conf/salt/module_packages/docker/
              Requirement already satisfied: docker in /opt/saltstack/salt/lib/python3.10/site-packages (7.1.0)
              Requirement already satisfied: requests>=2.26.0 in /opt/saltstack/salt/lib/python3.10/site-packages (from docker) (2.32.3)
              Requirement already satisfied: urllib3>=1.26.0 in /opt/saltstack/salt/lib/python3.10/site-packages (from docker) (1.26.18)
              Requirement already satisfied: charset-normalizer<4,>=2 in /opt/saltstack/salt/lib/python3.10/site-packages (from requests>=2.26.0->docker) (3.2.0)
              Requirement already satisfied: idna<4,>=2.5 in /opt/saltstack/salt/lib/python3.10/site-packages (from requests>=2.26.0->docker) (3.7)
              Requirement already satisfied: certifi>=2017.4.17 in /opt/saltstack/salt/lib/python3.10/site-packages (from requests>=2.26.0->docker) (2024.7.4)

Summary for local

Succeeded: 2 (changed=2)
Failed: 0

Total states run: 2
Total run time: 1.021 s
2025-11-10T19:42:35Z | INFO | Executing command: salt-call state.apply salt.patch.x509_v2 --local --file-root=../salt/
local:

      ID: patch_x509_v2_state_module
Function: file.replace
    Name: /opt/saltstack/salt/lib/python3.10/site-packages/salt/states/x509_v2.py
  Result: True
 Comment: No changes needed to be made
 Started: 19:42:37.156878
Duration: 29.913 ms
 Changes:

Summary for local

Succeeded: 1
Failed: 0

Total states run: 1
Total run time: 29.913 ms
2025-11-10T19:42:37Z | INFO | Configuring minion type as sensor
2025-11-10T19:42:37Z | INFO | Running: salt-call state.apply salt.mine_functions --local --file-root=../salt/ -l info pillar='{"host": {"mainint": "ens1"}, "usebr0": false}'
2025-11-10T19:42:39Z | INFO | Executing command: systemctl enable salt-minion
2025-11-10T19:42:39Z | INFO | Executing command: systemctl enable salt-minion
2025-11-10T19:42:40Z | INFO | Executing command: systemctl restart salt-minion
2025-11-10T19:42:40Z | INFO | Executing command: systemctl restart salt-minion
2025-11-10T19:42:40Z | INFO | Not an appliance
2025-11-10T19:42:40Z | INFO | Check if hypervisor or managerhype
2025-11-10T19:42:40Z | INFO | Verifying setup
WARNING: Errors detected during setup.
--------- ERRORS ---------
Error: Connection activation failed: Unknown error

[secsensor@onionsensor ~]$`

I hope that may help give some insight.
In my previous note, I said soup. I meant to say I was seeing activity from Salt after the node joins the cluster.

[erlicthemad]

This is the sensor status.
` Security Onion Status
Container │ Status │ Details
────────────────────────┼────────────┼───────────────────────────────
so-sensoroni │ running │ Up 19 minutes
so-steno │ running │ Up 19 minutes
so-strelka-backend │ restarting │ Restarting (1) 28 seconds ago
so-strelka-coordinator │ running │ Up 19 minutes
so-strelka-filestream │ missing │
so-strelka-frontend │ missing │
so-strelka-gatekeeper │ running │ Up 19 minutes
so-strelka-manager │ missing │
so-suricata │ running │ Up 19 minutes
so-telegraf │ running │ Up 19 minutes
so-zeek │ running │ Up 19 minutes (healthy)

❗ Check container logs and /opt/so/log for more details.
This is the only log from the strelka logs folder with contents. [secsensor@onionsensor ~]$ sudo cat /opt/so/log/strelka/filecheck.log
12-Nov-25 14:54:01 - Starting filecheck
12-Nov-25 14:54:01 - Checking for existing files
12-Nov-25 14:54:01 - Scheduling observer
12-Nov-25 14:59:01 - Recycling observer to pick up new subdirectories
12-Nov-25 14:59:01 - Checking for existing files
12-Nov-25 14:59:01 - Scheduling observer
12-Nov-25 15:04:02 - Recycling observer to pick up new subdirectories
12-Nov-25 15:04:02 - Checking for existing files
12-Nov-25 15:04:02 - Scheduling observer
12-Nov-25 15:09:02 - Recycling observer to pick up new subdirectories
12-Nov-25 15:09:02 - Checking for existing files
12-Nov-25 15:09:02 - Scheduling observer
12-Nov-25 15:14:02 - Recycling observer to pick up new subdirectories
12-Nov-25 15:14:02 - Checking for existing files
12-Nov-25 15:14:02 - Scheduling observer
[secsensor@onionsensor ~]$`

[erlicthemad]

I found the so-check command and ran that. It resulted in three errors.

`

      ID: iptables_config
Function: file.managed
    Name: /etc/sysconfig/iptables
  Result: False
 Comment: Unable to manage file: Jinja variable 'dict object' has no attribute '8685'; line 79

          ---
          [...]

          {%- for chn, hostgroups in FIREWALL_MERGED.role[role].chain.items() %}
          {%-   for hostgroup, portgroups in hostgroups['hostgroups'].items() %}
          {%-     for ip in FIREWALL_MERGED.hostgroups[hostgroup] %}
          {%-       for groupname in portgroups['portgroups'] %}
          {%-         for proto, ports in FIREWALL_MERGED['portgroups'][groupname].items() %}    <======================
          {%-           for port in ports %}
          -A {{chn}} -s {{ip}} -p {{proto}} -m {{proto}} --dport {{port}} -j ACCEPT
          {%-           endfor %}
          {%-         endfor %}
          {%-       endfor %}
          [...]
          ---
 Started: 19:17:39.100205
Duration: 442.296 ms
 Changes:

---

      ID: disable_firewalld
Function: service.dead
    Name: firewalld
  Result: False
 Comment: One or more requisite failed: firewall.iptables_config
 Started: 19:17:39.542978
Duration: 0.003 ms
 Changes:

---

      ID: iptables_restore
Function: cmd.run
    Name: iptables-restore < /etc/sysconfig/iptables
  Result: False
 Comment: One or more requisite failed: firewall.iptables_config
 Started: 19:17:39.543110
Duration: 0.002 ms
 Changes:

---

`
I also tried running so-firewall on the node, but it failed in the same sections.

[cm-ops]

The above looks like an error with iptables_config state. I would be interested in the whole sosetup.log. I also see a connection activation error, above.

[erlicthemad]

Here is the full sosetup.log file.

The installer fails with an unknown error, but the ManagerSearch node sees it, and then I can accept the new Forward node into the cluster.

-----------------------------
 Detecting Base OS
-----------------------------

2025-11-10T19:40:29Z | INFO | Found OS: oracle 9

-----------------------------
 Detecting if this is an ISO install
-----------------------------


-----------------------------
 Checking to see if install has run before
-----------------------------

2025-11-10T19:40:30Z | INFO | Old setup detected. Preparing for reinstallation.
2025-11-10T19:40:30Z | INFO | Putting system in state to run setup again
2025-11-10T19:40:30Z | INFO | Executing command: crontab -r -u root
2025-11-10T19:40:30Z | INFO | Executing command: crontab -r -u root
no crontab for root
no crontab for root
local:
    ----------
    changes:
        ----------
    comment:
    result:
        True
local:
2025-11-10T19:41:03Z | INFO | Executing command: salt-call state.apply ca.remove -linfo --local --file-root=../salt
2025-11-10T19:41:03Z | INFO | Executing command: salt-call state.apply ca.remove -linfo --local --file-root=../salt
[INFO    ] Loading fresh modules for state activity
[INFO    ] Loading fresh modules for state activity
[INFO    ] Fetching file from saltenv 'base', ** done ** 'ca/remove.sls'
[INFO    ] Fetching file from saltenv 'base', ** done ** 'ca/remove.sls'
[INFO    ] Running state [/etc/pki/ca.key] at time 19:41:04.490436
[INFO    ] Running state [/etc/pki/ca.key] at time 19:41:04.490436
[INFO    ] Executing state file.absent for [/etc/pki/ca.key]
[INFO    ] Executing state file.absent for [/etc/pki/ca.key]
[INFO    ] File /etc/pki/ca.key is not present
[INFO    ] File /etc/pki/ca.key is not present
[INFO    ] Completed state [/etc/pki/ca.key] at time 19:41:04.491252 (duration_in_ms=0.817)
[INFO    ] Completed state [/etc/pki/ca.key] at time 19:41:04.491252 (duration_in_ms=0.817)
[INFO    ] Running state [/etc/pki/ca.crt] at time 19:41:04.491467
[INFO    ] Running state [/etc/pki/ca.crt] at time 19:41:04.491467
[INFO    ] Executing state file.absent for [/etc/pki/ca.crt]
[INFO    ] Executing state file.absent for [/etc/pki/ca.crt]
[INFO    ] File /etc/pki/ca.crt is not present
[INFO    ] File /etc/pki/ca.crt is not present
[INFO    ] Completed state [/etc/pki/ca.crt] at time 19:41:04.492183 (duration_in_ms=0.716)
[INFO    ] Completed state [/etc/pki/ca.crt] at time 19:41:04.492183 (duration_in_ms=0.716)
local:
----------
          ID: pki_private_key
    Function: file.absent
        Name: /etc/pki/ca.key
      Result: True
     Comment: File /etc/pki/ca.key is not present
     Started: 19:41:04.490435
    Duration: 0.817 ms
     Changes:   
----------
          ID: pki_public_ca_crt
    Function: file.absent
        Name: /etc/pki/ca.crt
      Result: True
     Comment: File /etc/pki/ca.crt is not present
     Started: 19:41:04.491467
    Duration: 0.716 ms
     Changes:   

Summary for local
------------
Succeeded: 2
Failed:    0
------------
Total states run:     2
Total run time:   1.533 ms
local:
----------
          ID: pki_private_key
    Function: file.absent
        Name: /etc/pki/ca.key
      Result: True
     Comment: File /etc/pki/ca.key is not present
     Started: 19:41:04.490435
    Duration: 0.817 ms
     Changes:   
----------
          ID: pki_public_ca_crt
    Function: file.absent
        Name: /etc/pki/ca.crt
      Result: True
     Comment: File /etc/pki/ca.crt is not present
     Started: 19:41:04.491467
    Duration: 0.716 ms
     Changes:   

Summary for local
------------
Succeeded: 2
Failed:    0
------------
Total states run:     2
Total run time:   1.533 ms
2025-11-10T19:41:04Z | INFO | Executing command: salt-call state.apply ssl.remove -linfo --local --file-root=../salt
2025-11-10T19:41:04Z | INFO | Executing command: salt-call state.apply ssl.remove -linfo --local --file-root=../salt
[INFO    ] Loading fresh modules for state activity
[INFO    ] Loading fresh modules for state activity
[INFO    ] Fetching file from saltenv 'base', ** done ** 'ssl/remove.sls'
[INFO    ] Fetching file from saltenv 'base', ** done ** 'ssl/remove.sls'
[INFO    ] Running state [/etc/pki/tls/certs/intca.crt] at time 19:41:05.899227
[INFO    ] Running state [/etc/pki/tls/certs/intca.crt] at time 19:41:05.899227
[INFO    ] Executing state file.absent for [/etc/pki/tls/certs/intca.crt]
[INFO    ] Executing state file.absent for [/etc/pki/tls/certs/intca.crt]
[INFO    ] File /etc/pki/tls/certs/intca.crt is not present
[INFO    ] File /etc/pki/tls/certs/intca.crt is not present
[INFO    ] Completed state [/etc/pki/tls/certs/intca.crt] at time 19:41:05.900063 (duration_in_ms=0.837)
[INFO    ] Completed state [/etc/pki/tls/certs/intca.crt] at time 19:41:05.900063 (duration_in_ms=0.837)
[INFO    ] Running state [/etc/ssl/certs/intca.crt] at time 19:41:05.900268
[INFO    ] Running state [/etc/ssl/certs/intca.crt] at time 19:41:05.900268
[INFO    ] Executing state file.absent for [/etc/ssl/certs/intca.crt]
[INFO    ] Executing state file.absent for [/etc/ssl/certs/intca.crt]
[INFO    ] File /etc/ssl/certs/intca.crt is not present
[INFO    ] File /etc/ssl/certs/intca.crt is not present
[INFO    ] Completed state [/etc/ssl/certs/intca.crt] at time 19:41:05.901061 (duration_in_ms=0.792)
[INFO    ] Completed state [/etc/ssl/certs/intca.crt] at time 19:41:05.901061 (duration_in_ms=0.792)
[INFO    ] Running state [/etc/pki/influxdb.key] at time 19:41:05.901258
[INFO    ] Running state [/etc/pki/influxdb.key] at time 19:41:05.901258
[INFO    ] Executing state file.absent for [/etc/pki/influxdb.key]
[INFO    ] Executing state file.absent for [/etc/pki/influxdb.key]
[INFO    ] File /etc/pki/influxdb.key is not present
[INFO    ] File /etc/pki/influxdb.key is not present
[INFO    ] Completed state [/etc/pki/influxdb.key] at time 19:41:05.903148 (duration_in_ms=1.89)
[INFO    ] Completed state [/etc/pki/influxdb.key] at time 19:41:05.903148 (duration_in_ms=1.89)
[INFO    ] Running state [/etc/pki/influxdb.crt] at time 19:41:05.903349
[INFO    ] Running state [/etc/pki/influxdb.crt] at time 19:41:05.903349
[INFO    ] Executing state file.absent for [/etc/pki/influxdb.crt]
[INFO    ] Executing state file.absent for [/etc/pki/influxdb.crt]
[INFO    ] File /etc/pki/influxdb.crt is not present
[INFO    ] File /etc/pki/influxdb.crt is not present
[INFO    ] Completed state [/etc/pki/influxdb.crt] at time 19:41:05.904100 (duration_in_ms=0.751)
[INFO    ] Completed state [/etc/pki/influxdb.crt] at time 19:41:05.904100 (duration_in_ms=0.751)
[INFO    ] Running state [/etc/pki/redis.key] at time 19:41:05.904311
[INFO    ] Running state [/etc/pki/redis.key] at time 19:41:05.904311
[INFO    ] Executing state file.absent for [/etc/pki/redis.key]
[INFO    ] Executing state file.absent for [/etc/pki/redis.key]
[INFO    ] File /etc/pki/redis.key is not present
[INFO    ] File /etc/pki/redis.key is not present
[INFO    ] Completed state [/etc/pki/redis.key] at time 19:41:05.905071 (duration_in_ms=0.759)
[INFO    ] Completed state [/etc/pki/redis.key] at time 19:41:05.905071 (duration_in_ms=0.759)
[INFO    ] Running state [/etc/pki/redis.crt] at time 19:41:05.905268
[INFO    ] Running state [/etc/pki/redis.crt] at time 19:41:05.905268
[INFO    ] Executing state file.absent for [/etc/pki/redis.crt]
[INFO    ] Executing state file.absent for [/etc/pki/redis.crt]
[INFO    ] File /etc/pki/redis.crt is not present
[INFO    ] File /etc/pki/redis.crt is not present
[INFO    ] Completed state [/etc/pki/redis.crt] at time 19:41:05.906018 (duration_in_ms=0.751)
[INFO    ] Completed state [/etc/pki/redis.crt] at time 19:41:05.906018 (duration_in_ms=0.751)
[INFO    ] Running state [/etc/pki/filebeat.key] at time 19:41:05.906210
[INFO    ] Running state [/etc/pki/filebeat.key] at time 19:41:05.906210
[INFO    ] Executing state file.absent for [/etc/pki/filebeat.key]
[INFO    ] Executing state file.absent for [/etc/pki/filebeat.key]
[INFO    ] File /etc/pki/filebeat.key is not present
[INFO    ] File /etc/pki/filebeat.key is not present
[INFO    ] Completed state [/etc/pki/filebeat.key] at time 19:41:05.906947 (duration_in_ms=0.737)
[INFO    ] Completed state [/etc/pki/filebeat.key] at time 19:41:05.906947 (duration_in_ms=0.737)
[INFO    ] Running state [/etc/pki/filebeat.crt] at time 19:41:05.907138
[INFO    ] Running state [/etc/pki/filebeat.crt] at time 19:41:05.907138
[INFO    ] Executing state file.absent for [/etc/pki/filebeat.crt]
[INFO    ] Executing state file.absent for [/etc/pki/filebeat.crt]
[INFO    ] File /etc/pki/filebeat.crt is not present
[INFO    ] File /etc/pki/filebeat.crt is not present
[INFO    ] Completed state [/etc/pki/filebeat.crt] at time 19:41:05.907880 (duration_in_ms=0.741)
[INFO    ] Completed state [/etc/pki/filebeat.crt] at time 19:41:05.907880 (duration_in_ms=0.741)
[INFO    ] Running state [/opt/so/saltstack/local/salt/filebeat/files] at time 19:41:05.908071
[INFO    ] Running state [/opt/so/saltstack/local/salt/filebeat/files] at time 19:41:05.908071
[INFO    ] Executing state file.absent for [/opt/so/saltstack/local/salt/filebeat/files]
[INFO    ] Executing state file.absent for [/opt/so/saltstack/local/salt/filebeat/files]
[INFO    ] File /opt/so/saltstack/local/salt/filebeat/files is not present
[INFO    ] File /opt/so/saltstack/local/salt/filebeat/files is not present
[INFO    ] Completed state [/opt/so/saltstack/local/salt/filebeat/files] at time 19:41:05.908815 (duration_in_ms=0.743)
[INFO    ] Completed state [/opt/so/saltstack/local/salt/filebeat/files] at time 19:41:05.908815 (duration_in_ms=0.743)
[INFO    ] Running state [/etc/pki/registry.key] at time 19:41:05.909006
[INFO    ] Running state [/etc/pki/registry.key] at time 19:41:05.909006
[INFO    ] Executing state file.absent for [/etc/pki/registry.key]
[INFO    ] Executing state file.absent for [/etc/pki/registry.key]
[INFO    ] File /etc/pki/registry.key is not present
[INFO    ] File /etc/pki/registry.key is not present
[INFO    ] Completed state [/etc/pki/registry.key] at time 19:41:05.909751 (duration_in_ms=0.745)
[INFO    ] Completed state [/etc/pki/registry.key] at time 19:41:05.909751 (duration_in_ms=0.745)
[INFO    ] Running state [/etc/pki/registry.crt] at time 19:41:05.909943
[INFO    ] Running state [/etc/pki/registry.crt] at time 19:41:05.909943
[INFO    ] Executing state file.absent for [/etc/pki/registry.crt]
[INFO    ] Executing state file.absent for [/etc/pki/registry.crt]
[INFO    ] File /etc/pki/registry.crt is not present
[INFO    ] File /etc/pki/registry.crt is not present
[INFO    ] Completed state [/etc/pki/registry.crt] at time 19:41:05.910690 (duration_in_ms=0.748)
[INFO    ] Completed state [/etc/pki/registry.crt] at time 19:41:05.910690 (duration_in_ms=0.748)
[INFO    ] Running state [/etc/pki/elasticsearch.key] at time 19:41:05.910882
[INFO    ] Running state [/etc/pki/elasticsearch.key] at time 19:41:05.910882
[INFO    ] Executing state file.absent for [/etc/pki/elasticsearch.key]
[INFO    ] Executing state file.absent for [/etc/pki/elasticsearch.key]
[INFO    ] File /etc/pki/elasticsearch.key is not present
[INFO    ] File /etc/pki/elasticsearch.key is not present
[INFO    ] Completed state [/etc/pki/elasticsearch.key] at time 19:41:05.911642 (duration_in_ms=0.757)
[INFO    ] Completed state [/etc/pki/elasticsearch.key] at time 19:41:05.911642 (duration_in_ms=0.757)
[INFO    ] Running state [/etc/pki/elasticsearch.crt] at time 19:41:05.911836
[INFO    ] Running state [/etc/pki/elasticsearch.crt] at time 19:41:05.911836
[INFO    ] Executing state file.absent for [/etc/pki/elasticsearch.crt]
[INFO    ] Executing state file.absent for [/etc/pki/elasticsearch.crt]
[INFO    ] File /etc/pki/elasticsearch.crt is not present
[INFO    ] File /etc/pki/elasticsearch.crt is not present
[INFO    ] Completed state [/etc/pki/elasticsearch.crt] at time 19:41:05.912583 (duration_in_ms=0.747)
[INFO    ] Completed state [/etc/pki/elasticsearch.crt] at time 19:41:05.912583 (duration_in_ms=0.747)
[INFO    ] Running state [/etc/pki/elasticsearch.p12] at time 19:41:05.912780
[INFO    ] Running state [/etc/pki/elasticsearch.p12] at time 19:41:05.912780
[INFO    ] Executing state file.absent for [/etc/pki/elasticsearch.p12]
[INFO    ] Executing state file.absent for [/etc/pki/elasticsearch.p12]
[INFO    ] File /etc/pki/elasticsearch.p12 is not present
[INFO    ] File /etc/pki/elasticsearch.p12 is not present
[INFO    ] Completed state [/etc/pki/elasticsearch.p12] at time 19:41:05.913654 (duration_in_ms=0.873)
[INFO    ] Completed state [/etc/pki/elasticsearch.p12] at time 19:41:05.913654 (duration_in_ms=0.873)
[INFO    ] Running state [/etc/pki/managerssl.key] at time 19:41:05.913847
[INFO    ] Running state [/etc/pki/managerssl.key] at time 19:41:05.913847
[INFO    ] Executing state file.absent for [/etc/pki/managerssl.key]
[INFO    ] Executing state file.absent for [/etc/pki/managerssl.key]
[INFO    ] File /etc/pki/managerssl.key is not present
[INFO    ] File /etc/pki/managerssl.key is not present
[INFO    ] Completed state [/etc/pki/managerssl.key] at time 19:41:05.914581 (duration_in_ms=0.734)
[INFO    ] Completed state [/etc/pki/managerssl.key] at time 19:41:05.914581 (duration_in_ms=0.734)
[INFO    ] Running state [/etc/pki/managerssl.crt] at time 19:41:05.914773
[INFO    ] Running state [/etc/pki/managerssl.crt] at time 19:41:05.914773
[INFO    ] Executing state file.absent for [/etc/pki/managerssl.crt]
[INFO    ] Executing state file.absent for [/etc/pki/managerssl.crt]
[INFO    ] File /etc/pki/managerssl.crt is not present
[INFO    ] File /etc/pki/managerssl.crt is not present
[INFO    ] Completed state [/etc/pki/managerssl.crt] at time 19:41:05.915516 (duration_in_ms=0.744)
[INFO    ] Completed state [/etc/pki/managerssl.crt] at time 19:41:05.915516 (duration_in_ms=0.744)
[INFO    ] Running state [/etc/pki/fleet.key] at time 19:41:05.915708
[INFO    ] Running state [/etc/pki/fleet.key] at time 19:41:05.915708
[INFO    ] Executing state file.absent for [/etc/pki/fleet.key]
[INFO    ] Executing state file.absent for [/etc/pki/fleet.key]
[INFO    ] File /etc/pki/fleet.key is not present
[INFO    ] File /etc/pki/fleet.key is not present
[INFO    ] Completed state [/etc/pki/fleet.key] at time 19:41:05.916466 (duration_in_ms=0.757)
[INFO    ] Completed state [/etc/pki/fleet.key] at time 19:41:05.916466 (duration_in_ms=0.757)
[INFO    ] Running state [/etc/pki/fleet.crt] at time 19:41:05.916663
[INFO    ] Running state [/etc/pki/fleet.crt] at time 19:41:05.916663
[INFO    ] Executing state file.absent for [/etc/pki/fleet.crt]
[INFO    ] Executing state file.absent for [/etc/pki/fleet.crt]
[INFO    ] File /etc/pki/fleet.crt is not present
[INFO    ] File /etc/pki/fleet.crt is not present
[INFO    ] Completed state [/etc/pki/fleet.crt] at time 19:41:05.917451 (duration_in_ms=0.788)
[INFO    ] Completed state [/etc/pki/fleet.crt] at time 19:41:05.917451 (duration_in_ms=0.788)
[INFO    ] Running state [/opt/so/conf/filebeat/etc/pki] at time 19:41:05.917644
[INFO    ] Running state [/opt/so/conf/filebeat/etc/pki] at time 19:41:05.917644
[INFO    ] Executing state file.absent for [/opt/so/conf/filebeat/etc/pki]
[INFO    ] Executing state file.absent for [/opt/so/conf/filebeat/etc/pki]
[INFO    ] File /opt/so/conf/filebeat/etc/pki is not present
[INFO    ] File /opt/so/conf/filebeat/etc/pki is not present
[INFO    ] Completed state [/opt/so/conf/filebeat/etc/pki] at time 19:41:05.918394 (duration_in_ms=0.75)
[INFO    ] Completed state [/opt/so/conf/filebeat/etc/pki] at time 19:41:05.918394 (duration_in_ms=0.75)
[INFO    ] Running state [/etc/pki/kafka.crt] at time 19:41:05.918587
[INFO    ] Running state [/etc/pki/kafka.crt] at time 19:41:05.918587
[INFO    ] Executing state file.absent for [/etc/pki/kafka.crt]
[INFO    ] Executing state file.absent for [/etc/pki/kafka.crt]
[INFO    ] File /etc/pki/kafka.crt is not present
[INFO    ] File /etc/pki/kafka.crt is not present
[INFO    ] Completed state [/etc/pki/kafka.crt] at time 19:41:05.919315 (duration_in_ms=0.727)
[INFO    ] Completed state [/etc/pki/kafka.crt] at time 19:41:05.919315 (duration_in_ms=0.727)
[INFO    ] Running state [/etc/pki/kafka.key] at time 19:41:05.919522
[INFO    ] Running state [/etc/pki/kafka.key] at time 19:41:05.919522
[INFO    ] Executing state file.absent for [/etc/pki/kafka.key]
[INFO    ] Executing state file.absent for [/etc/pki/kafka.key]
[INFO    ] File /etc/pki/kafka.key is not present
[INFO    ] File /etc/pki/kafka.key is not present
[INFO    ] Completed state [/etc/pki/kafka.key] at time 19:41:05.920260 (duration_in_ms=0.738)
[INFO    ] Completed state [/etc/pki/kafka.key] at time 19:41:05.920260 (duration_in_ms=0.738)
[INFO    ] Running state [/etc/pki/kafka-logstash.crt] at time 19:41:05.920469
[INFO    ] Running state [/etc/pki/kafka-logstash.crt] at time 19:41:05.920469
[INFO    ] Executing state file.absent for [/etc/pki/kafka-logstash.crt]
[INFO    ] Executing state file.absent for [/etc/pki/kafka-logstash.crt]
[INFO    ] File /etc/pki/kafka-logstash.crt is not present
[INFO    ] File /etc/pki/kafka-logstash.crt is not present
[INFO    ] Completed state [/etc/pki/kafka-logstash.crt] at time 19:41:05.921209 (duration_in_ms=0.739)
[INFO    ] Completed state [/etc/pki/kafka-logstash.crt] at time 19:41:05.921209 (duration_in_ms=0.739)
[INFO    ] Running state [/etc/pki/kafka-logstash.key] at time 19:41:05.921432
[INFO    ] Running state [/etc/pki/kafka-logstash.key] at time 19:41:05.921432
[INFO    ] Executing state file.absent for [/etc/pki/kafka-logstash.key]
[INFO    ] Executing state file.absent for [/etc/pki/kafka-logstash.key]
[INFO    ] File /etc/pki/kafka-logstash.key is not present
[INFO    ] File /etc/pki/kafka-logstash.key is not present
[INFO    ] Completed state [/etc/pki/kafka-logstash.key] at time 19:41:05.922218 (duration_in_ms=0.786)
[INFO    ] Completed state [/etc/pki/kafka-logstash.key] at time 19:41:05.922218 (duration_in_ms=0.786)
[INFO    ] Running state [/etc/pki/kafka-logstash.p12] at time 19:41:05.922433
[INFO    ] Running state [/etc/pki/kafka-logstash.p12] at time 19:41:05.922433
[INFO    ] Executing state file.absent for [/etc/pki/kafka-logstash.p12]
[INFO    ] Executing state file.absent for [/etc/pki/kafka-logstash.p12]
[INFO    ] File /etc/pki/kafka-logstash.p12 is not present
[INFO    ] File /etc/pki/kafka-logstash.p12 is not present
[INFO    ] Completed state [/etc/pki/kafka-logstash.p12] at time 19:41:05.923163 (duration_in_ms=0.73)
[INFO    ] Completed state [/etc/pki/kafka-logstash.p12] at time 19:41:05.923163 (duration_in_ms=0.73)
local:
----------
          ID: trusttheca
    Function: file.absent
        Name: /etc/pki/tls/certs/intca.crt
      Result: True
     Comment: File /etc/pki/tls/certs/intca.crt is not present
     Started: 19:41:05.899226
    Duration: 0.837 ms
     Changes:   
----------
          ID: symlinkca
    Function: file.absent
        Name: /etc/ssl/certs/intca.crt
      Result: True
     Comment: File /etc/ssl/certs/intca.crt is not present
     Started: 19:41:05.900269
    Duration: 0.792 ms
     Changes:   
----------
          ID: influxdb_key
    Function: file.absent
        Name: /etc/pki/influxdb.key
      Result: True
     Comment: File /etc/pki/influxdb.key is not present
     Started: 19:41:05.901258
    Duration: 1.89 ms
     Changes:   
----------
          ID: influxdb_crt
    Function: file.absent
        Name: /etc/pki/influxdb.crt
      Result: True
     Comment: File /etc/pki/influxdb.crt is not present
     Started: 19:41:05.903349
    Duration: 0.751 ms
     Changes:   
----------
          ID: redis_key
    Function: file.absent
        Name: /etc/pki/redis.key
      Result: True
     Comment: File /etc/pki/redis.key is not present
     Started: 19:41:05.904312
    Duration: 0.759 ms
     Changes:   
----------
          ID: redis_crt
    Function: file.absent
        Name: /etc/pki/redis.crt
      Result: True
     Comment: File /etc/pki/redis.crt is not present
     Started: 19:41:05.905267
    Duration: 0.751 ms
     Changes:   
----------
          ID: etc_filebeat_key
    Function: file.absent
        Name: /etc/pki/filebeat.key
      Result: True
     Comment: File /etc/pki/filebeat.key is not present
     Started: 19:41:05.906210
    Duration: 0.737 ms
     Changes:   
----------
          ID: etc_filebeat_crt
    Function: file.absent
        Name: /etc/pki/filebeat.crt
      Result: True
     Comment: File /etc/pki/filebeat.crt is not present
     Started: 19:41:05.907139
    Duration: 0.741 ms
     Changes:   
----------
          ID: filebeatdir
    Function: file.absent
        Name: /opt/so/saltstack/local/salt/filebeat/files
      Result: True
     Comment: File /opt/so/saltstack/local/salt/filebeat/files is not present
     Started: 19:41:05.908072
    Duration: 0.743 ms
     Changes:   
----------
          ID: registry_key
    Function: file.absent
        Name: /etc/pki/registry.key
      Result: True
     Comment: File /etc/pki/registry.key is not present
     Started: 19:41:05.909006
    Duration: 0.745 ms
     Changes:   
----------
          ID: registry_crt
    Function: file.absent
        Name: /etc/pki/registry.crt
      Result: True
     Comment: File /etc/pki/registry.crt is not present
     Started: 19:41:05.909942
    Duration: 0.748 ms
     Changes:   
----------
          ID: /etc/pki/elasticsearch.key
    Function: file.absent
      Result: True
     Comment: File /etc/pki/elasticsearch.key is not present
     Started: 19:41:05.910885
    Duration: 0.757 ms
     Changes:   
----------
          ID: /etc/pki/elasticsearch.crt
    Function: file.absent
      Result: True
     Comment: File /etc/pki/elasticsearch.crt is not present
     Started: 19:41:05.911836
    Duration: 0.747 ms
     Changes:   
----------
          ID: remove_elasticsearch.p12
    Function: file.absent
        Name: /etc/pki/elasticsearch.p12
      Result: True
     Comment: File /etc/pki/elasticsearch.p12 is not present
     Started: 19:41:05.912781
    Duration: 0.873 ms
     Changes:   
----------
          ID: managerssl_key
    Function: file.absent
        Name: /etc/pki/managerssl.key
      Result: True
     Comment: File /etc/pki/managerssl.key is not present
     Started: 19:41:05.913847
    Duration: 0.734 ms
     Changes:   
----------
          ID: managerssl_crt
    Function: file.absent
        Name: /etc/pki/managerssl.crt
      Result: True
     Comment: File /etc/pki/managerssl.crt is not present
     Started: 19:41:05.914772
    Duration: 0.744 ms
     Changes:   
----------
          ID: fleet_key
    Function: file.absent
        Name: /etc/pki/fleet.key
      Result: True
     Comment: File /etc/pki/fleet.key is not present
     Started: 19:41:05.915709
    Duration: 0.757 ms
     Changes:   
----------
          ID: fleet_crt
    Function: file.absent
        Name: /etc/pki/fleet.crt
      Result: True
     Comment: File /etc/pki/fleet.crt is not present
     Started: 19:41:05.916663
    Duration: 0.788 ms
     Changes:   
----------
          ID: fbcertdir
    Function: file.absent
        Name: /opt/so/conf/filebeat/etc/pki
      Result: True
     Comment: File /opt/so/conf/filebeat/etc/pki is not present
     Started: 19:41:05.917644
    Duration: 0.75 ms
     Changes:   
----------
          ID: kafka_crt
    Function: file.absent
        Name: /etc/pki/kafka.crt
      Result: True
     Comment: File /etc/pki/kafka.crt is not present
     Started: 19:41:05.918588
    Duration: 0.727 ms
     Changes:   
----------
          ID: kafka_key
    Function: file.absent
        Name: /etc/pki/kafka.key
      Result: True
     Comment: File /etc/pki/kafka.key is not present
     Started: 19:41:05.919522
    Duration: 0.738 ms
     Changes:   
----------
          ID: kafka_logstash_crt
    Function: file.absent
        Name: /etc/pki/kafka-logstash.crt
      Result: True
     Comment: File /etc/pki/kafka-logstash.crt is not present
     Started: 19:41:05.920470
    Duration: 0.739 ms
     Changes:   
----------
          ID: kafka_logstash_key
    Function: file.absent
        Name: /etc/pki/kafka-logstash.key
      Result: True
     Comment: File /etc/pki/kafka-logstash.key is not present
     Started: 19:41:05.921432
    Duration: 0.786 ms
     Changes:   
----------
          ID: kafka_logstash_keystore
    Function: file.absent
        Name: /etc/pki/kafka-logstash.p12
      Result: True
     Comment: File /etc/pki/kafka-logstash.p12 is not present
     Started: 19:41:05.922433
    Duration: 0.73 ms
     Changes:   

Summary for local
-------------
Succeeded: 24
Failed:     0
-------------
Total states run:     24
Total run time:   19.364 ms
local:
----------
          ID: trusttheca
    Function: file.absent
        Name: /etc/pki/tls/certs/intca.crt
      Result: True
     Comment: File /etc/pki/tls/certs/intca.crt is not present
     Started: 19:41:05.899226
    Duration: 0.837 ms
     Changes:   
----------
          ID: symlinkca
    Function: file.absent
        Name: /etc/ssl/certs/intca.crt
      Result: True
     Comment: File /etc/ssl/certs/intca.crt is not present
     Started: 19:41:05.900269
    Duration: 0.792 ms
     Changes:   
----------
          ID: influxdb_key
    Function: file.absent
        Name: /etc/pki/influxdb.key
      Result: True
     Comment: File /etc/pki/influxdb.key is not present
     Started: 19:41:05.901258
    Duration: 1.89 ms
     Changes:   
----------
          ID: influxdb_crt
    Function: file.absent
        Name: /etc/pki/influxdb.crt
      Result: True
     Comment: File /etc/pki/influxdb.crt is not present
     Started: 19:41:05.903349
    Duration: 0.751 ms
     Changes:   
----------
          ID: redis_key
    Function: file.absent
        Name: /etc/pki/redis.key
      Result: True
     Comment: File /etc/pki/redis.key is not present
     Started: 19:41:05.904312
    Duration: 0.759 ms
     Changes:   
----------
          ID: redis_crt
    Function: file.absent
        Name: /etc/pki/redis.crt
      Result: True
     Comment: File /etc/pki/redis.crt is not present
     Started: 19:41:05.905267
    Duration: 0.751 ms
     Changes:   
----------
          ID: etc_filebeat_key
    Function: file.absent
        Name: /etc/pki/filebeat.key
      Result: True
     Comment: File /etc/pki/filebeat.key is not present
     Started: 19:41:05.906210
    Duration: 0.737 ms
     Changes:   
----------
          ID: etc_filebeat_crt
    Function: file.absent
        Name: /etc/pki/filebeat.crt
      Result: True
     Comment: File /etc/pki/filebeat.crt is not present
     Started: 19:41:05.907139
    Duration: 0.741 ms
     Changes:   
----------
          ID: filebeatdir
    Function: file.absent
        Name: /opt/so/saltstack/local/salt/filebeat/files
      Result: True
     Comment: File /opt/so/saltstack/local/salt/filebeat/files is not present
     Started: 19:41:05.908072
    Duration: 0.743 ms
     Changes:   
----------
          ID: registry_key
    Function: file.absent
        Name: /etc/pki/registry.key
      Result: True
     Comment: File /etc/pki/registry.key is not present
     Started: 19:41:05.909006
    Duration: 0.745 ms
     Changes:   
----------
          ID: registry_crt
    Function: file.absent
        Name: /etc/pki/registry.crt
      Result: True
     Comment: File /etc/pki/registry.crt is not present
     Started: 19:41:05.909942
    Duration: 0.748 ms
     Changes:   
----------
          ID: /etc/pki/elasticsearch.key
    Function: file.absent
      Result: True
     Comment: File /etc/pki/elasticsearch.key is not present
     Started: 19:41:05.910885
    Duration: 0.757 ms
     Changes:   
----------
          ID: /etc/pki/elasticsearch.crt
    Function: file.absent
      Result: True
     Comment: File /etc/pki/elasticsearch.crt is not present
     Started: 19:41:05.911836
    Duration: 0.747 ms
     Changes:   
----------
          ID: remove_elasticsearch.p12
    Function: file.absent
        Name: /etc/pki/elasticsearch.p12
      Result: True
     Comment: File /etc/pki/elasticsearch.p12 is not present
     Started: 19:41:05.912781
    Duration: 0.873 ms
     Changes:   
----------
          ID: managerssl_key
    Function: file.absent
        Name: /etc/pki/managerssl.key
      Result: True
     Comment: File /etc/pki/managerssl.key is not present
     Started: 19:41:05.913847
    Duration: 0.734 ms
     Changes:   
----------
          ID: managerssl_crt
    Function: file.absent
        Name: /etc/pki/managerssl.crt
      Result: True
     Comment: File /etc/pki/managerssl.crt is not present
     Started: 19:41:05.914772
    Duration: 0.744 ms
     Changes:   
----------
          ID: fleet_key
    Function: file.absent
        Name: /etc/pki/fleet.key
      Result: True
     Comment: File /etc/pki/fleet.key is not present
     Started: 19:41:05.915709
    Duration: 0.757 ms
     Changes:   
----------
          ID: fleet_crt
    Function: file.absent
        Name: /etc/pki/fleet.crt
      Result: True
     Comment: File /etc/pki/fleet.crt is not present
     Started: 19:41:05.916663
    Duration: 0.788 ms
     Changes:   
----------
          ID: fbcertdir
    Function: file.absent
        Name: /opt/so/conf/filebeat/etc/pki
      Result: True
     Comment: File /opt/so/conf/filebeat/etc/pki is not present
     Started: 19:41:05.917644
    Duration: 0.75 ms
     Changes:   
----------
          ID: kafka_crt
    Function: file.absent
        Name: /etc/pki/kafka.crt
      Result: True
     Comment: File /etc/pki/kafka.crt is not present
     Started: 19:41:05.918588
    Duration: 0.727 ms
     Changes:   
----------
          ID: kafka_key
    Function: file.absent
        Name: /etc/pki/kafka.key
      Result: True
     Comment: File /etc/pki/kafka.key is not present
     Started: 19:41:05.919522
    Duration: 0.738 ms
     Changes:   
----------
          ID: kafka_logstash_crt
    Function: file.absent
        Name: /etc/pki/kafka-logstash.crt
      Result: True
     Comment: File /etc/pki/kafka-logstash.crt is not present
     Started: 19:41:05.920470
    Duration: 0.739 ms
     Changes:   
----------
          ID: kafka_logstash_key
    Function: file.absent
        Name: /etc/pki/kafka-logstash.key
      Result: True
     Comment: File /etc/pki/kafka-logstash.key is not present
     Started: 19:41:05.921432
    Duration: 0.786 ms
     Changes:   
----------
          ID: kafka_logstash_keystore
    Function: file.absent
        Name: /etc/pki/kafka-logstash.p12
      Result: True
     Comment: File /etc/pki/kafka-logstash.p12 is not present
     Started: 19:41:05.922433
    Duration: 0.73 ms
     Changes:   

Summary for local
-------------
Succeeded: 24
Failed:     0
-------------
Total states run:     24
Total run time:   19.364 ms
2025-11-10T19:41:06Z | INFO | Checking service salt-minion status
2025-11-10T19:41:06Z | INFO | Checking service salt-minion status
2025-11-10T19:41:06Z | INFO |   salt-minion is running
2025-11-10T19:41:06Z | INFO |   salt-minion is running
2025-11-10T19:41:06Z | INFO | Checking service salt-minion status
2025-11-10T19:41:06Z | INFO | Checking service salt-minion status
2025-11-10T19:41:06Z | INFO |   salt-minion is not running
2025-11-10T19:41:06Z | INFO |   salt-minion is not running
2025-11-10T19:41:06Z | INFO | Executing command: elastic-agent uninstall -f
2025-11-10T19:41:06Z | INFO | Executing command: elastic-agent uninstall -f
./so-functions: line 40: elastic-agent: command not found
./so-functions: line 40: elastic-agent: command not found
2025-11-10T19:41:06Z | INFO | System reinstall init has been completed.
2025-11-10T19:41:06Z | INFO | Restarting Docker...
2025-11-10T19:41:06Z | INFO | Executing command: systemctl restart docker

-----------------------------
 Parsing Username for Install
-----------------------------


-----------------------------
 Initializing Setup
-----------------------------

2025-11-10T19:41:06Z | INFO | Installing as the secsensor user

-----------------------------
 System Characteristics
-----------------------------

2025-11-10T19:41:06Z | INFO | Executing command: uptime
 19:41:06 up 2 days, 22:29,  1 user,  load average: 0.18, 0.12, 0.10
2025-11-10T19:41:06Z | INFO | Executing command: uname -a
Linux onionsensor 5.15.0-313.189.5.3.el9uek.x86_64 #2 SMP Mon Nov 3 01:50:17 PST 2025 x86_64 x86_64 x86_64 GNU/Linux
2025-11-10T19:41:06Z | INFO | Executing command: free -h
               total        used        free      shared  buff/cache   available
Mem:            46Gi       1.8Gi       9.0Gi       433Mi        36Gi        44Gi
Swap:           23Gi          0B        23Gi
2025-11-10T19:41:06Z | INFO | Executing command: lscpu
Architecture:                            x86_64
CPU op-mode(s):                          32-bit, 64-bit
Address sizes:                           40 bits physical, 48 bits virtual
Byte Order:                              Little Endian
CPU(s):                                  12
On-line CPU(s) list:                     0-11
Vendor ID:                               GenuineIntel
BIOS Vendor ID:                          Intel
Model name:                              Intel(R) Xeon(R) CPU           X5690  @ 3.47GHz
BIOS Model name:                         Intel(R) Xeon(R) CPU X5690 @ 3.47GHz
CPU family:                              6
Model:                                   44
Thread(s) per core:                      2
Core(s) per socket:                      6
Socket(s):                               1
Stepping:                                2
Frequency boost:                         enabled
CPU(s) scaling MHz:                      97%
CPU max MHz:                             3459.0000
CPU min MHz:                             1596.0000
BogoMIPS:                                6933.34
Flags:                                   fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ht tm pbe syscall nx pdpe1gb rdtscp lm constant_tsc arch_perfmon pebs bts rep_good nopl xtopology nonstop_tsc cpuid aperfmperf pni pclmulqdq dtes64 monitor ds_cpl vmx smx est tm2 ssse3 cx16 xtpr pdcm pcid dca sse4_1 sse4_2 popcnt aes lahf_lm epb pti ssbd ibrs ibpb stibp tpr_shadow flexpriority ept vpid dtherm ida arat vnmi flush_l1d
Virtualization:                          VT-x
L1d cache:                               192 KiB (6 instances)
L1i cache:                               192 KiB (6 instances)
L2 cache:                                1.5 MiB (6 instances)
L3 cache:                                12 MiB (1 instance)
NUMA node(s):                            1
NUMA node0 CPU(s):                       0-11
Vulnerability Gather data sampling:      Not affected
Vulnerability Indirect target selection: Not affected
Vulnerability Itlb multihit:             KVM: Mitigation: VMX disabled
Vulnerability L1tf:                      Mitigation; PTE Inversion; VMX conditional cache flushes, SMT vulnerable
Vulnerability Mds:                       Vulnerable: Clear CPU buffers attempted, no microcode; SMT vulnerable
Vulnerability Meltdown:                  Mitigation; PTI
Vulnerability Mmio stale data:           Unknown: No mitigations
Vulnerability Reg file data sampling:    Not affected
Vulnerability Retbleed:                  Not affected
Vulnerability Spec rstack overflow:      Not affected
Vulnerability Spec store bypass:         Mitigation; Speculative Store Bypass disabled via prctl
Vulnerability Spectre v1:                Mitigation; usercopy/swapgs barriers and __user pointer sanitization
Vulnerability Spectre v2:                Mitigation; Retpolines; IBPB conditional; IBRS_FW; STIBP conditional; RSB filling; PBRSB-eIBRS Not affected; BHI Not affected
Vulnerability Srbds:                     Not affected
Vulnerability Tsa:                       Not affected
Vulnerability Tsx async abort:           Not affected
Vulnerability Vmscape:                   Not affected
2025-11-10T19:41:06Z | INFO | Executing command: df -h
Filesystem           Size  Used Avail Use% Mounted on
devtmpfs             4.0M     0  4.0M   0% /dev
tmpfs                 24G  4.0K   24G   1% /dev/shm
tmpfs                9.4G  434M  8.9G   5% /run
/dev/mapper/ol-root   70G   17G   54G  24% /
/dev/sda1            960M  445M  516M  47% /boot
/dev/mapper/ol-home  353G   18G  335G   6% /home
tmpfs                4.7G     0  4.7G   0% /run/user/1000
/dev/md126           932G   19G  913G   3% /nsm
tmpfs                4.7G     0  4.7G   0% /run/user/939
/dev/loop0            15G   15G     0 100% /mnt
2025-11-10T19:41:06Z | INFO | Executing command: ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: ens1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:10:18:d9:37:43 brd ff:ff:ff:ff:ff:ff
    altname enp3s0
    inet 172.25.70.56/24 brd 172.25.70.255 scope global noprefixroute ens1
       valid_lft forever preferred_lft forever
    inet6 fe80::210:18ff:fed9:3743/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever
3: enp1s0: <BROADCAST,NOARP,PROMISC,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether a0:b3:cc:f7:eb:b7 brd ff:ff:ff:ff:ff:ff
4: bond0: <NO-CARRIER,BROADCAST,MULTICAST,PROMISC,MASTER,UP> mtu 9000 qdisc noqueue state DOWN group default qlen 1000
    link/ether e6:d8:a2:df:af:76 brd ff:ff:ff:ff:ff:ff
5: sobridge: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default 
    link/ether 02:42:61:24:8a:e1 brd ff:ff:ff:ff:ff:ff
    inet 172.17.1.1/24 brd 172.17.1.255 scope global sobridge
       valid_lft forever preferred_lft forever
3489: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default 
    link/ether 02:42:ea:7d:2d:6b brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/24 brd 172.17.0.255 scope global docker0
       valid_lft forever preferred_lft forever
2025-11-10T19:41:06Z | INFO | Beginning Security Onion iso install
2025-11-10T19:41:06Z | INFO | Setup is running on TTY /dev/pts/0
2025-11-10T19:41:20Z | INFO | Setting up as node type sensor

-----------------------------
 Initializing Network
-----------------------------

2025-11-10T19:42:21Z | INFO | Disabling ipv6
2025-11-10T19:42:21Z | INFO | Disabling ipv6
2025-11-10T19:42:21Z | INFO | Executing command: sysctl -w net.ipv6.conf.all.disable_ipv6=1
2025-11-10T19:42:21Z | INFO | Executing command: sysctl -w net.ipv6.conf.all.disable_ipv6=1
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.all.disable_ipv6 = 1
2025-11-10T19:42:21Z | INFO | Executing command: sysctl -w net.ipv6.conf.default.disable_ipv6=1
2025-11-10T19:42:21Z | INFO | Executing command: sysctl -w net.ipv6.conf.default.disable_ipv6=1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
2025-11-10T19:42:21Z | INFO | Executing command: hostnamectl set-hostname --static onionsensor
2025-11-10T19:42:21Z | INFO | Executing command: hostname -F /etc/hostname

-----------------------------
 Setting up the main interface
-----------------------------

Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/28)
2025-11-10T19:42:21Z | INFO | Gathering the management IP. 
2025-11-10T19:42:25Z | INFO | Removing onion from /etc/hosts if present.
2025-11-10T19:42:26Z | INFO | Adding onion to /etc/hosts with IP: 172.25.70.55
2025-11-10T19:42:26Z | INFO | Checking manager connectivity
2025-11-10T19:42:26Z | INFO | Testing if setup is running on a cloud instance...
2025-11-10T19:42:26Z | INFO | This does not appear to be a cloud installation.
2025-11-10T19:42:28Z | INFO | MINION_ID = onionsensor_sensor
Install summary:
Security Onion Version: 2.4.190
Node Type: SENSOR
Hostname: onionsensor
Description: Secuirty Onion Firewall Sensor
Network: STATIC
Management NIC: ens1
Management IP: 172.25.70.56
Gateway: 172.25.70.1
DNS: 10.152.51.6 10.152.51.9
DNS Domain: lcco.co.lucas.oh.us
Proxy: N/A
Bond NIC(s):
  - enp1s0

-----------------------------
 Determine ES Heap Size
-----------------------------


-----------------------------
 Setting Logstash heap size
-----------------------------


-----------------------------
 Setting the MTU to 9000 on all monitor NICS
-----------------------------

2025-11-10T19:42:29Z | INFO | Interface set to bond0
2025-11-10T19:42:29Z | INFO | Setting up sensor interface
2025-11-10T19:42:29Z | INFO | Configuring bond interface settings, since this is a not a cloud installation...
Warning: There are 6 other connections with the name 'bond0'. Reference the connection by its uuid 'ef53f152-cac0-46cb-a7d4-ecb6f071f83d'
Connection 'bond0' (ef53f152-cac0-46cb-a7d4-ecb6f071f83d) successfully added.
Could not change any device features
Error: Connection activation failed: Unknown error
Hint: use 'journalctl -xe NM_CONNECTION=9233d9b0-ff7a-4204-a6e4-34c32fa6d30c + NM_DEVICE=enp1s0' to get more details.
2025-11-10T19:42:30Z | INFO | Ephemeral ports already reserved

-----------------------------
 Marking the current version
-----------------------------

2025-11-10T19:42:30Z | INFO | Clearing the old manager
2025-11-10T19:42:30Z | INFO | Executing command: dnf -v clean all
Loaded plugins: builddep, changelog, config-manager, copr, debug, debuginfo-install, download, generate_completion_cache, groups-manager, needs-restarting, playground, repoclosure, repodiff, repograph, repomanage, reposync, system-upgrade, versionlock
DNF version: 4.14.0
cachedir: /var/cache/yum/x86_64/9
Cleaning data: packages metadata dbcache
5 files removed
2025-11-10T19:42:30Z | INFO | Executing command: mkdir -vp /root/oldrepos
2025-11-10T19:42:30Z | INFO | Executing command: mv -v /etc/yum.repos.d/* /root/oldrepos/
renamed '/etc/yum.repos.d/securityonion.repo' -> '/root/oldrepos/securityonion.repo'
2025-11-10T19:42:30Z | INFO | Executing command: dnf repolist all
repo id                          repo name                               status
securityonion                    Security Onion Repo                     enabled
2025-11-10T19:42:31Z | INFO | Executing command: dnf repolist
repo id                              repo name
securityonion                        Security Onion Repo
2025-11-10T19:42:31Z | INFO | Executing command: dnf -y update --allowerasing --exclude=salt*,docker*,containerd*
Security Onion Repo                              24 MB/s | 3.8 MB     00:00    
Last metadata expiration check: 0:00:01 ago on Mon 10 Nov 2025 07:42:31 PM UTC.
Dependencies resolved.
Nothing to do.
Complete!
2025-11-10T19:42:32Z | INFO | Removing repo files added by oracle-repos package update
2025-11-10T19:42:32Z | INFO | Executing command: rm -f /etc/yum.repos.d/oracle-linux-ol9.repo
2025-11-10T19:42:32Z | INFO | Executing command: rm -f /etc/yum.repos.d/uek-ol9.repo
2025-11-10T19:42:32Z | INFO | Executing command: rm -f /etc/yum.repos.d/virt-ol9.repo
2025-11-10T19:42:32Z | INFO | Installing Salt
2025-11-10T19:42:32Z | INFO | Executing command: dnf -y install salt-3006.9 salt-minion-3006.9
Last metadata expiration check: 0:00:02 ago on Mon 10 Nov 2025 07:42:31 PM UTC.
Package salt-3006.9-0.x86_64 is already installed.
Package salt-minion-3006.9-0.x86_64 is already installed.
Dependencies resolved.
Nothing to do.
Complete!
2025-11-10T19:42:33Z | INFO | Executing command: mkdir -p /etc/salt/minion.d
2025-11-10T19:42:33Z | INFO | Executing command: salt-call state.apply salt.python_modules --local --file-root=../salt/
local:
----------
          ID: docker_module_package
    Function: file.recurse
        Name: /opt/so/conf/salt/module_packages/docker
      Result: True
     Comment: Recursively updated /opt/so/conf/salt/module_packages/docker
     Started: 19:42:34.761062
    Duration: 132.666 ms
     Changes:   
              ----------
              /opt/so/conf/salt/module_packages/docker/certifi-2024.7.4-py3-none-any.whl:
                  ----------
                  diff:
                      New file
                  mode:
                      0644
              /opt/so/conf/salt/module_packages/docker/charset_normalizer-3.3.2-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl:
                  ----------
                  diff:
                      New file
                  mode:
                      0644
              /opt/so/conf/salt/module_packages/docker/docker-7.1.0-py3-none-any.whl:
                  ----------
                  diff:
                      New file
                  mode:
                      0644
              /opt/so/conf/salt/module_packages/docker/idna-3.8-py3-none-any.whl:
                  ----------
                  diff:
                      New file
                  mode:
                      0644
              /opt/so/conf/salt/module_packages/docker/requests-2.32.3-py3-none-any.whl:
                  ----------
                  diff:
                      New file
                  mode:
                      0644
              /opt/so/conf/salt/module_packages/docker/urllib3-2.2.2-py3-none-any.whl:
                  ----------
                  diff:
                      New file
                  mode:
                      0644
----------
          ID: docker_python_module_install
    Function: cmd.run
        Name: /opt/saltstack/salt/bin/python3.10 -m pip install docker --no-index --find-links=/opt/so/conf/salt/module_packages/docker/ --upgrade
      Result: True
     Comment: Command "/opt/saltstack/salt/bin/python3.10 -m pip install docker --no-index --find-links=/opt/so/conf/salt/module_packages/docker/ --upgrade" run
     Started: 19:42:34.894920
    Duration: 888.684 ms
     Changes:   
              ----------
              pid:
                  2652089
              retcode:
                  0
              stderr:
                  WARNING: Running pip as the 'root' user can result in broken permissions and conflicting behaviour with the system package manager. It is recommended to use a virtual environment instead: https://pip.pypa.io/warnings/venv
              stdout:
                  Looking in links: /opt/so/conf/salt/module_packages/docker/
                  Requirement already satisfied: docker in /opt/saltstack/salt/lib/python3.10/site-packages (7.1.0)
                  Requirement already satisfied: requests>=2.26.0 in /opt/saltstack/salt/lib/python3.10/site-packages (from docker) (2.32.3)
                  Requirement already satisfied: urllib3>=1.26.0 in /opt/saltstack/salt/lib/python3.10/site-packages (from docker) (1.26.18)
                  Requirement already satisfied: charset-normalizer<4,>=2 in /opt/saltstack/salt/lib/python3.10/site-packages (from requests>=2.26.0->docker) (3.2.0)
                  Requirement already satisfied: idna<4,>=2.5 in /opt/saltstack/salt/lib/python3.10/site-packages (from requests>=2.26.0->docker) (3.7)
                  Requirement already satisfied: certifi>=2017.4.17 in /opt/saltstack/salt/lib/python3.10/site-packages (from requests>=2.26.0->docker) (2024.7.4)

Summary for local
------------
Succeeded: 2 (changed=2)
Failed:    0
------------
Total states run:     2
Total run time:   1.021 s
2025-11-10T19:42:35Z | INFO | Executing command: salt-call state.apply salt.patch.x509_v2 --local --file-root=../salt/
local:
----------
          ID: patch_x509_v2_state_module
    Function: file.replace
        Name: /opt/saltstack/salt/lib/python3.10/site-packages/salt/states/x509_v2.py
      Result: True
     Comment: No changes needed to be made
     Started: 19:42:37.156878
    Duration: 29.913 ms
     Changes:   

Summary for local
------------
Succeeded: 1
Failed:    0
------------
Total states run:     1
Total run time:  29.913 ms
2025-11-10T19:42:37Z | INFO | Configuring minion type as sensor
2025-11-10T19:42:37Z | INFO | Running: salt-call state.apply salt.mine_functions --local --file-root=../salt/ -l info pillar='{"host": {"mainint": "ens1"}, "usebr0": false}'
2025-11-10T19:42:39Z | INFO | Executing command: systemctl enable salt-minion
2025-11-10T19:42:39Z | INFO | Executing command: systemctl enable salt-minion
2025-11-10T19:42:40Z | INFO | Executing command: systemctl restart salt-minion
2025-11-10T19:42:40Z | INFO | Executing command: systemctl restart salt-minion
2025-11-10T19:42:40Z | INFO | Not an appliance
2025-11-10T19:42:40Z | INFO | Check if hypervisor or managerhype
2025-11-10T19:42:40Z | INFO | Verifying setup
WARNING: Errors detected during setup.
--------- ERRORS ---------
Error: Connection activation failed: Unknown error
--------------------------

[erlicthemad]

I figured the connection activation was the result of the Forward node trying to talk to the ManagerSearch node and being unable to wait as a pending member. Once I see it show up, I approve it, then I see Salt work on the Forward node.

[cm-ops]

If salt is working, what happens if you sudo so-checkin? Does it complete without error?

Is this an ISO install or network install on OL9? These partitions do not look like an ISO install:

Filesystem Size Used Avail Use% Mounted on
devtmpfs 4.0M 0 4.0M 0% /dev
tmpfs 24G 4.0K 24G 1% /dev/shm
tmpfs 9.4G 434M 8.9G 5% /run
/dev/mapper/ol-root 70G 17G 54G 24% /
/dev/sda1 960M 445M 516M 47% /boot
/dev/mapper/ol-home 353G 18G 335G 6% /home
tmpfs 4.7G 0 4.7G 0% /run/user/1000
/dev/md126 932G 19G 913G 3% /nsm
tmpfs 4.7G 0 4.7G 0% /run/user/939
/dev/loop0 15G 15G 0 100% /mnt

[reyesj2]

Noticed an error in your log

2025-11-10T19:42:29Z | INFO | Configuring bond interface settings, since this is a not a cloud installation...
Warning: There are 6 other connections with the name 'bond0'. Reference the connection by its uuid 'ef53f152-cac0-46cb-a7d4-ecb6f071f83d'
Connection 'bond0' (ef53f152-cac0-46cb-a7d4-ecb6f071f83d) successfully added.
Could not change any device features
Error: Connection activation failed: Unknown error
Hint: use 'journalctl -xe NM_CONNECTION=9233d9b0-ff7a-4204-a6e4-34c32fa6d30c + NM_DEVICE=enp1s0' to get more details.

Opened an issue for this #15233

if you want to test this and see if it resolves the so-setup failure you are seeing you can try this

on the sensor run

nmcli -t -f NAME con show | grep "^bond0" | xargs -r -I{} nmcli con delete "{}"

Then you can rerun so-setup and install it as a sensor and let us know if anything new comes up

[erlicthemad]

This install was done via the ISO. I burned the ISO to a USB stick. The only difference in the system from the default was that I used a hardware stripe drive set to hold the NSM partition. Otherwise, I used the default partitions as defined in the ISO setup. I did not define a separate drive for the NSM since the stripe set does not show up as an option in the setup tool. The two Ethernet interfaces were not customized outside of the static IP address assigned to the management. Using the SO network setup system.
I was able to run the command successfully. Then, reran the so-setup. This returned the sensor to a similar state but with fewer containers running.
The setup failed, showing a failure to register with the onion ManagerSearch node. I allowed the Forward to link to the Manager Search, and that is where I still am.

But I am still seeing the same condition. I did allow SOUP to run on the main node and allowed. I do see that the bridge interface is gone.

[root@onionsensor secsensor]# so-status
`
Security Onion Status
Container │ Status │ Details
────────────────────────┼────────────┼─────────────────────────────────
so-sensoroni │ running │ Up 20 minutes
so-steno │ missing │
so-strelka-backend │ restarting │ Restarting (1) 59 seconds ago
so-strelka-coordinator │ running │ Up 19 minutes
so-strelka-filestream │ missing │
so-strelka-frontend │ missing │
so-strelka-gatekeeper │ running │ Up 19 minutes
so-strelka-manager │ missing │
so-suricata │ missing │
so-telegraf │ running │ Up 20 minutes
so-zeek │ running │ Up 4 minutes (health: starting)

❗ Check container logs and /opt/so/log for more details.

[root@onionsensor secsensor]#
This is the state of the network ip addresses. [root@onionsensor ~]# ip ad 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever 2: ens1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000 link/ether 00:10:18:d9:37:43 brd ff:ff:ff:ff:ff:ff altname enp3s0 inet 172.25.70.56/24 brd 172.25.70.255 scope global noprefixroute ens1 valid_lft forever preferred_lft forever inet6 fe80::210:18ff:fed9:3743/64 scope link noprefixroute valid_lft forever preferred_lft forever 3: enp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000 link/ether a0:b3:cc:f7:eb:b7 brd ff:ff:ff:ff:ff:ff 4: sobridge: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default link/ether 02:42:6e:da:1d:d8 brd ff:ff:ff:ff:ff:ff inet 172.17.1.1/24 brd 172.17.1.255 scope global sobridge valid_lft forever preferred_lft forever 6: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default link/ether 02:42:04:9c:92:74 brd ff:ff:ff:ff:ff:ff inet 172.17.0.1/24 brd 172.17.0.255 scope global docker0 valid_lft forever preferred_lft forever 24: vethd3c1a3c@if23: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master sobridge state UP group default link/ether da:61:ba:22:4b:b9 brd ff:ff:ff:ff:ff:ff link-netnsid 0 28: vethf799218@if27: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master sobridge state UP group default link/ether 96:94:f4:76:7d:b6 brd ff:ff:ff:ff:ff:ff link-netnsid 2
[root@onionsensor ~]#

This is my routing table.

[root@onionsensor ~]# ip route default via 172.25.70.1 dev ens1 proto static metric 100 172.17.0.0/24 dev docker0 proto kernel scope link src 172.17.0.1 linkdown 172.17.1.0/24 dev sobridge proto kernel scope link src 172.17.1.1 172.25.70.0/24 dev ens1 proto kernel scope link src 172.25.70.56 metric 100 [root@onionsensor ~]#
This is my drive usage.
[root@onionsensor ~]# df -h Filesystem Size Used Avail Use% Mounted on devtmpfs 4.0M 0 4.0M 0% /dev tmpfs 24G 8.0K 24G 1% /dev/shm tmpfs 9.4G 9.5M 9.4G 1% /run /dev/mapper/ol-root 70G 19G 52G 27% / /dev/sda1 960M 443M 518M 47% /boot /dev/mapper/ol-home 353G 3.2G 350G 1% /home /dev/md126 932G 19G 913G 3% /nsm tmpfs 4.7G 0 4.7G 0% /run/user/1000 tmpfs 4.7G 0 4.7G 0% /run/user/939 overlay 70G 19G 52G 27% /var/lib/docker/overlay2/2c9a03463b7197453801edc1dad082e60ac5b2afcbe3fb62d4912be2f3395b7d/merged overlay 70G 19G 52G 27% /var/lib/docker/overlay2/354d314ffed7cdb59a3fee25c3a307b8a159abf9680a4c3b04d8be020af020c3/merged overlay 70G 19G 52G 27% /var/lib/docker/overlay2/e78c1cda87c644df9accd2e193c7a5fb9ce02524a62df1868624598ab1bab0d0/merged overlay 70G 19G 52G 27% /var/lib/docker/overlay2/c6da4d799fac7f1c0fb0085cffa98cdf20be7effc0bbb77de1cfa8cfe5582892/merged [root@onionsensor ~]#

[erlicthemad]

It has been a few days, so I figured I would check in to see if there are any other suggestions to try or information I can provide to help resolve the issue.

[reyesj2]

Can you share the new /root/sosetup.log? What does so-checkin return? Is there a bond0 interface? nmcli con show

[Mr-Dilkington]

I ran into the same problem. Tried to get around the issue by:

• running "nmcli -t -f NAME con show | grep "^bond0" | xargs -r -I{} nmcli con delete "{}"" as recommended but ended up with a sensor that looked ok but no network data was being collected by the manager
• Trying the install multiple times (deleting the node from manager prior to this)
• Wiping sensor disk (mine is virtualized in Promxox) and tried with previous ISO version securityonion-2.4.180-20250916 - Same result
• Tried standalone install with securityonion-2.4.190-20251024 - same issue

All other components (search, receiver, manager etc) all seem to install correctly (as VMs) but I have been unable to have a sensor (or any node that includes a sensor) to install/attach to the Manager

[Mr-Dilkington]

Also tried to install latest on a completely different hypervisor and same result. Going to go back to 2.4.160-20250625 as that's the last ISO that definitely worked for me. I actually had a failure I couldn't solve after a few months of running that last version and now I'm beginning to wonder if it was an upgrade to these later version that caused that failure.

[Mr-Dilkington]

2.4.160-20250625 got stuck on trying to resolve sigs.securityonion.net and then failed with an "unrecoverable error". Throwing in the towel for now.

Tried install one more time and still timing out on resolving that host despite the fact resolution for that host is working fine.

[erlicthemad]

Yes I can,

These are the interfaces

[root@onionsensor ~]# nmcli con show
NAME UUID TYPE DEVICE
ens1 a61f590b-ffc6-4e05-9ce7-af0688da7b58 ethernet ens1
docker0 a75f7596-5e2c-44a4-a983-7bb3e36f2bd4 bridge docker0
lo d8375906-e28e-4d13-b7f6-7f1a0bee99e6 loopback lo
sobridge edbde5f2-2324-4b33-afb9-cf9aecfb02cc bridge sobridge
enp1s0 ba0c5371-226d-4b51-aa00-77afb4475752 ethernet --
[root@onionsensor ~]#

This is the returned result from running so-setup iso

Install had a problem. Please see /root/sosetup.log for details. │
│ │
│ A summary of errors can be found in /root/errors.log. │
│ │
│ Select Ok to exit.

errors.log file

[root@onionsensor ~]# cat errors.log
Error: Connection activation failed: Unknown error
[root@onionsensor ~]#

This is the sosetup.log file.

-----------------------------
 Detecting Base OS
-----------------------------

2025-11-21T16:37:40Z | INFO | Found OS: oracle 9

-----------------------------
 Detecting if this is an ISO install
-----------------------------


-----------------------------
 Checking to see if install has run before
-----------------------------

2025-11-21T16:37:42Z | INFO | Old setup detected. Preparing for reinstallation.
2025-11-21T16:37:42Z | INFO | Putting system in state to run setup again
2025-11-21T16:37:42Z | INFO | Executing command: crontab -r -u root
2025-11-21T16:37:42Z | INFO | Executing command: crontab -r -u root
no crontab for root
no crontab for root
2025-11-21T16:37:42Z | INFO | Executing command: salt-call state.apply ca.remove -linfo --local --file-root=../salt
2025-11-21T16:37:42Z | INFO | Executing command: salt-call state.apply ca.remove -linfo --local --file-root=../salt
[INFO    ] Loading fresh modules for state activity
[INFO    ] Loading fresh modules for state activity
[INFO    ] Fetching file from saltenv 'base', ** done ** 'ca/remove.sls'
[INFO    ] Fetching file from saltenv 'base', ** done ** 'ca/remove.sls'
[INFO    ] Running state [/etc/pki/ca.key] at time 16:37:43.352034
[INFO    ] Running state [/etc/pki/ca.key] at time 16:37:43.352034
[INFO    ] Executing state file.absent for [/etc/pki/ca.key]
[INFO    ] Executing state file.absent for [/etc/pki/ca.key]
[INFO    ] File /etc/pki/ca.key is not present
[INFO    ] File /etc/pki/ca.key is not present
[INFO    ] Completed state [/etc/pki/ca.key] at time 16:37:43.352721 (duration_in_ms=0.687)
[INFO    ] Completed state [/etc/pki/ca.key] at time 16:37:43.352721 (duration_in_ms=0.687)
[INFO    ] Running state [/etc/pki/ca.crt] at time 16:37:43.352874
[INFO    ] Running state [/etc/pki/ca.crt] at time 16:37:43.352874
[INFO    ] Executing state file.absent for [/etc/pki/ca.crt]
[INFO    ] Executing state file.absent for [/etc/pki/ca.crt]
[INFO    ] File /etc/pki/ca.crt is not present
[INFO    ] File /etc/pki/ca.crt is not present
[INFO    ] Completed state [/etc/pki/ca.crt] at time 16:37:43.353483 (duration_in_ms=0.609)
[INFO    ] Completed state [/etc/pki/ca.crt] at time 16:37:43.353483 (duration_in_ms=0.609)
local:
----------
          ID: pki_private_key
    Function: file.absent
        Name: /etc/pki/ca.key
      Result: True
     Comment: File /etc/pki/ca.key is not present
     Started: 16:37:43.352034
    Duration: 0.687 ms
     Changes:   
----------
          ID: pki_public_ca_crt
    Function: file.absent
        Name: /etc/pki/ca.crt
      Result: True
     Comment: File /etc/pki/ca.crt is not present
     Started: 16:37:43.352874
    Duration: 0.609 ms
     Changes:   

Summary for local
------------
Succeeded: 2
Failed:    0
------------
Total states run:     2
Total run time:   1.296 ms
local:
----------
          ID: pki_private_key
    Function: file.absent
        Name: /etc/pki/ca.key
      Result: True
     Comment: File /etc/pki/ca.key is not present
     Started: 16:37:43.352034
    Duration: 0.687 ms
     Changes:   
----------
          ID: pki_public_ca_crt
    Function: file.absent
        Name: /etc/pki/ca.crt
      Result: True
     Comment: File /etc/pki/ca.crt is not present
     Started: 16:37:43.352874
    Duration: 0.609 ms
     Changes:   

Summary for local
------------
Succeeded: 2
Failed:    0
------------
Total states run:     2
Total run time:   1.296 ms
2025-11-21T16:37:43Z | INFO | Executing command: salt-call state.apply ssl.remove -linfo --local --file-root=../salt
2025-11-21T16:37:43Z | INFO | Executing command: salt-call state.apply ssl.remove -linfo --local --file-root=../salt
[INFO    ] Loading fresh modules for state activity
[INFO    ] Loading fresh modules for state activity
[INFO    ] Fetching file from saltenv 'base', ** done ** 'ssl/remove.sls'
[INFO    ] Fetching file from saltenv 'base', ** done ** 'ssl/remove.sls'
[INFO    ] Running state [/etc/pki/tls/certs/intca.crt] at time 16:37:44.703455
[INFO    ] Running state [/etc/pki/tls/certs/intca.crt] at time 16:37:44.703455
[INFO    ] Executing state file.absent for [/etc/pki/tls/certs/intca.crt]
[INFO    ] Executing state file.absent for [/etc/pki/tls/certs/intca.crt]
[INFO    ] File /etc/pki/tls/certs/intca.crt is not present
[INFO    ] File /etc/pki/tls/certs/intca.crt is not present
[INFO    ] Completed state [/etc/pki/tls/certs/intca.crt] at time 16:37:44.704165 (duration_in_ms=0.71)
[INFO    ] Completed state [/etc/pki/tls/certs/intca.crt] at time 16:37:44.704165 (duration_in_ms=0.71)
[INFO    ] Running state [/etc/ssl/certs/intca.crt] at time 16:37:44.704321
[INFO    ] Running state [/etc/ssl/certs/intca.crt] at time 16:37:44.704321
[INFO    ] Executing state file.absent for [/etc/ssl/certs/intca.crt]
[INFO    ] Executing state file.absent for [/etc/ssl/certs/intca.crt]
[INFO    ] File /etc/ssl/certs/intca.crt is not present
[INFO    ] File /etc/ssl/certs/intca.crt is not present
[INFO    ] Completed state [/etc/ssl/certs/intca.crt] at time 16:37:44.704949 (duration_in_ms=0.628)
[INFO    ] Completed state [/etc/ssl/certs/intca.crt] at time 16:37:44.704949 (duration_in_ms=0.628)
[INFO    ] Running state [/etc/pki/influxdb.key] at time 16:37:44.705099
[INFO    ] Running state [/etc/pki/influxdb.key] at time 16:37:44.705099
[INFO    ] Executing state file.absent for [/etc/pki/influxdb.key]
[INFO    ] Executing state file.absent for [/etc/pki/influxdb.key]
[INFO    ] File /etc/pki/influxdb.key is not present
[INFO    ] File /etc/pki/influxdb.key is not present
[INFO    ] Completed state [/etc/pki/influxdb.key] at time 16:37:44.705852 (duration_in_ms=0.752)
[INFO    ] Completed state [/etc/pki/influxdb.key] at time 16:37:44.705852 (duration_in_ms=0.752)
[INFO    ] Running state [/etc/pki/influxdb.crt] at time 16:37:44.706009
[INFO    ] Running state [/etc/pki/influxdb.crt] at time 16:37:44.706009
[INFO    ] Executing state file.absent for [/etc/pki/influxdb.crt]
[INFO    ] Executing state file.absent for [/etc/pki/influxdb.crt]
[INFO    ] File /etc/pki/influxdb.crt is not present
[INFO    ] File /etc/pki/influxdb.crt is not present
[INFO    ] Completed state [/etc/pki/influxdb.crt] at time 16:37:44.706633 (duration_in_ms=0.624)
[INFO    ] Completed state [/etc/pki/influxdb.crt] at time 16:37:44.706633 (duration_in_ms=0.624)
[INFO    ] Running state [/etc/pki/redis.key] at time 16:37:44.706783
[INFO    ] Running state [/etc/pki/redis.key] at time 16:37:44.706783
[INFO    ] Executing state file.absent for [/etc/pki/redis.key]
[INFO    ] Executing state file.absent for [/etc/pki/redis.key]
[INFO    ] File /etc/pki/redis.key is not present
[INFO    ] File /etc/pki/redis.key is not present
[INFO    ] Completed state [/etc/pki/redis.key] at time 16:37:44.707402 (duration_in_ms=0.619)
[INFO    ] Completed state [/etc/pki/redis.key] at time 16:37:44.707402 (duration_in_ms=0.619)
[INFO    ] Running state [/etc/pki/redis.crt] at time 16:37:44.707552
[INFO    ] Running state [/etc/pki/redis.crt] at time 16:37:44.707552
[INFO    ] Executing state file.absent for [/etc/pki/redis.crt]
[INFO    ] Executing state file.absent for [/etc/pki/redis.crt]
[INFO    ] File /etc/pki/redis.crt is not present
[INFO    ] File /etc/pki/redis.crt is not present
[INFO    ] Completed state [/etc/pki/redis.crt] at time 16:37:44.708169 (duration_in_ms=0.616)
[INFO    ] Completed state [/etc/pki/redis.crt] at time 16:37:44.708169 (duration_in_ms=0.616)
[INFO    ] Running state [/etc/pki/filebeat.key] at time 16:37:44.708319
[INFO    ] Running state [/etc/pki/filebeat.key] at time 16:37:44.708319
[INFO    ] Executing state file.absent for [/etc/pki/filebeat.key]
[INFO    ] Executing state file.absent for [/etc/pki/filebeat.key]
[INFO    ] File /etc/pki/filebeat.key is not present
[INFO    ] File /etc/pki/filebeat.key is not present
[INFO    ] Completed state [/etc/pki/filebeat.key] at time 16:37:44.708935 (duration_in_ms=0.617)
[INFO    ] Completed state [/etc/pki/filebeat.key] at time 16:37:44.708935 (duration_in_ms=0.617)
[INFO    ] Running state [/etc/pki/filebeat.crt] at time 16:37:44.709085
[INFO    ] Running state [/etc/pki/filebeat.crt] at time 16:37:44.709085
[INFO    ] Executing state file.absent for [/etc/pki/filebeat.crt]
[INFO    ] Executing state file.absent for [/etc/pki/filebeat.crt]
[INFO    ] File /etc/pki/filebeat.crt is not present
[INFO    ] File /etc/pki/filebeat.crt is not present
[INFO    ] Completed state [/etc/pki/filebeat.crt] at time 16:37:44.709700 (duration_in_ms=0.615)
[INFO    ] Completed state [/etc/pki/filebeat.crt] at time 16:37:44.709700 (duration_in_ms=0.615)
[INFO    ] Running state [/opt/so/saltstack/local/salt/filebeat/files] at time 16:37:44.709850
[INFO    ] Running state [/opt/so/saltstack/local/salt/filebeat/files] at time 16:37:44.709850
[INFO    ] Executing state file.absent for [/opt/so/saltstack/local/salt/filebeat/files]
[INFO    ] Executing state file.absent for [/opt/so/saltstack/local/salt/filebeat/files]
[INFO    ] File /opt/so/saltstack/local/salt/filebeat/files is not present
[INFO    ] File /opt/so/saltstack/local/salt/filebeat/files is not present
[INFO    ] Completed state [/opt/so/saltstack/local/salt/filebeat/files] at time 16:37:44.710502 (duration_in_ms=0.651)
[INFO    ] Completed state [/opt/so/saltstack/local/salt/filebeat/files] at time 16:37:44.710502 (duration_in_ms=0.651)
[INFO    ] Running state [/etc/pki/registry.key] at time 16:37:44.710652
[INFO    ] Running state [/etc/pki/registry.key] at time 16:37:44.710652
[INFO    ] Executing state file.absent for [/etc/pki/registry.key]
[INFO    ] Executing state file.absent for [/etc/pki/registry.key]
[INFO    ] File /etc/pki/registry.key is not present
[INFO    ] File /etc/pki/registry.key is not present
[INFO    ] Completed state [/etc/pki/registry.key] at time 16:37:44.711262 (duration_in_ms=0.611)
[INFO    ] Completed state [/etc/pki/registry.key] at time 16:37:44.711262 (duration_in_ms=0.611)
[INFO    ] Running state [/etc/pki/registry.crt] at time 16:37:44.711411
[INFO    ] Running state [/etc/pki/registry.crt] at time 16:37:44.711411
[INFO    ] Executing state file.absent for [/etc/pki/registry.crt]
[INFO    ] Executing state file.absent for [/etc/pki/registry.crt]
[INFO    ] File /etc/pki/registry.crt is not present
[INFO    ] File /etc/pki/registry.crt is not present
[INFO    ] Completed state [/etc/pki/registry.crt] at time 16:37:44.712029 (duration_in_ms=0.618)
[INFO    ] Completed state [/etc/pki/registry.crt] at time 16:37:44.712029 (duration_in_ms=0.618)
[INFO    ] Running state [/etc/pki/elasticsearch.key] at time 16:37:44.712179
[INFO    ] Running state [/etc/pki/elasticsearch.key] at time 16:37:44.712179
[INFO    ] Executing state file.absent for [/etc/pki/elasticsearch.key]
[INFO    ] Executing state file.absent for [/etc/pki/elasticsearch.key]
[INFO    ] File /etc/pki/elasticsearch.key is not present
[INFO    ] File /etc/pki/elasticsearch.key is not present
[INFO    ] Completed state [/etc/pki/elasticsearch.key] at time 16:37:44.712785 (duration_in_ms=0.607)
[INFO    ] Completed state [/etc/pki/elasticsearch.key] at time 16:37:44.712785 (duration_in_ms=0.607)
[INFO    ] Running state [/etc/pki/elasticsearch.crt] at time 16:37:44.712950
[INFO    ] Running state [/etc/pki/elasticsearch.crt] at time 16:37:44.712950
[INFO    ] Executing state file.absent for [/etc/pki/elasticsearch.crt]
[INFO    ] Executing state file.absent for [/etc/pki/elasticsearch.crt]
[INFO    ] File /etc/pki/elasticsearch.crt is not present
[INFO    ] File /etc/pki/elasticsearch.crt is not present
[INFO    ] Completed state [/etc/pki/elasticsearch.crt] at time 16:37:44.714630 (duration_in_ms=1.68)
[INFO    ] Completed state [/etc/pki/elasticsearch.crt] at time 16:37:44.714630 (duration_in_ms=1.68)
[INFO    ] Running state [/etc/pki/elasticsearch.p12] at time 16:37:44.714781
[INFO    ] Running state [/etc/pki/elasticsearch.p12] at time 16:37:44.714781
[INFO    ] Executing state file.absent for [/etc/pki/elasticsearch.p12]
[INFO    ] Executing state file.absent for [/etc/pki/elasticsearch.p12]
[INFO    ] File /etc/pki/elasticsearch.p12 is not present
[INFO    ] File /etc/pki/elasticsearch.p12 is not present
[INFO    ] Completed state [/etc/pki/elasticsearch.p12] at time 16:37:44.715394 (duration_in_ms=0.612)
[INFO    ] Completed state [/etc/pki/elasticsearch.p12] at time 16:37:44.715394 (duration_in_ms=0.612)
[INFO    ] Running state [/etc/pki/managerssl.key] at time 16:37:44.715543
[INFO    ] Running state [/etc/pki/managerssl.key] at time 16:37:44.715543
[INFO    ] Executing state file.absent for [/etc/pki/managerssl.key]
[INFO    ] Executing state file.absent for [/etc/pki/managerssl.key]
[INFO    ] File /etc/pki/managerssl.key is not present
[INFO    ] File /etc/pki/managerssl.key is not present
[INFO    ] Completed state [/etc/pki/managerssl.key] at time 16:37:44.716155 (duration_in_ms=0.611)
[INFO    ] Completed state [/etc/pki/managerssl.key] at time 16:37:44.716155 (duration_in_ms=0.611)
[INFO    ] Running state [/etc/pki/managerssl.crt] at time 16:37:44.716305
[INFO    ] Running state [/etc/pki/managerssl.crt] at time 16:37:44.716305
[INFO    ] Executing state file.absent for [/etc/pki/managerssl.crt]
[INFO    ] Executing state file.absent for [/etc/pki/managerssl.crt]
[INFO    ] File /etc/pki/managerssl.crt is not present
[INFO    ] File /etc/pki/managerssl.crt is not present
[INFO    ] Completed state [/etc/pki/managerssl.crt] at time 16:37:44.716920 (duration_in_ms=0.615)
[INFO    ] Completed state [/etc/pki/managerssl.crt] at time 16:37:44.716920 (duration_in_ms=0.615)
[INFO    ] Running state [/etc/pki/fleet.key] at time 16:37:44.717072
[INFO    ] Running state [/etc/pki/fleet.key] at time 16:37:44.717072
[INFO    ] Executing state file.absent for [/etc/pki/fleet.key]
[INFO    ] Executing state file.absent for [/etc/pki/fleet.key]
[INFO    ] File /etc/pki/fleet.key is not present
[INFO    ] File /etc/pki/fleet.key is not present
[INFO    ] Completed state [/etc/pki/fleet.key] at time 16:37:44.717675 (duration_in_ms=0.603)
[INFO    ] Completed state [/etc/pki/fleet.key] at time 16:37:44.717675 (duration_in_ms=0.603)
[INFO    ] Running state [/etc/pki/fleet.crt] at time 16:37:44.717825
[INFO    ] Running state [/etc/pki/fleet.crt] at time 16:37:44.717825
[INFO    ] Executing state file.absent for [/etc/pki/fleet.crt]
[INFO    ] Executing state file.absent for [/etc/pki/fleet.crt]
[INFO    ] File /etc/pki/fleet.crt is not present
[INFO    ] File /etc/pki/fleet.crt is not present
[INFO    ] Completed state [/etc/pki/fleet.crt] at time 16:37:44.718435 (duration_in_ms=0.609)
[INFO    ] Completed state [/etc/pki/fleet.crt] at time 16:37:44.718435 (duration_in_ms=0.609)
[INFO    ] Running state [/opt/so/conf/filebeat/etc/pki] at time 16:37:44.718585
[INFO    ] Running state [/opt/so/conf/filebeat/etc/pki] at time 16:37:44.718585
[INFO    ] Executing state file.absent for [/opt/so/conf/filebeat/etc/pki]
[INFO    ] Executing state file.absent for [/opt/so/conf/filebeat/etc/pki]
[INFO    ] File /opt/so/conf/filebeat/etc/pki is not present
[INFO    ] File /opt/so/conf/filebeat/etc/pki is not present
[INFO    ] Completed state [/opt/so/conf/filebeat/etc/pki] at time 16:37:44.719194 (duration_in_ms=0.609)
[INFO    ] Completed state [/opt/so/conf/filebeat/etc/pki] at time 16:37:44.719194 (duration_in_ms=0.609)
[INFO    ] Running state [/etc/pki/kafka.crt] at time 16:37:44.719344
[INFO    ] Running state [/etc/pki/kafka.crt] at time 16:37:44.719344
[INFO    ] Executing state file.absent for [/etc/pki/kafka.crt]
[INFO    ] Executing state file.absent for [/etc/pki/kafka.crt]
[INFO    ] File /etc/pki/kafka.crt is not present
[INFO    ] File /etc/pki/kafka.crt is not present
[INFO    ] Completed state [/etc/pki/kafka.crt] at time 16:37:44.719961 (duration_in_ms=0.616)
[INFO    ] Completed state [/etc/pki/kafka.crt] at time 16:37:44.719961 (duration_in_ms=0.616)
[INFO    ] Running state [/etc/pki/kafka.key] at time 16:37:44.720111
[INFO    ] Running state [/etc/pki/kafka.key] at time 16:37:44.720111
[INFO    ] Executing state file.absent for [/etc/pki/kafka.key]
[INFO    ] Executing state file.absent for [/etc/pki/kafka.key]
[INFO    ] File /etc/pki/kafka.key is not present
[INFO    ] File /etc/pki/kafka.key is not present
[INFO    ] Completed state [/etc/pki/kafka.key] at time 16:37:44.720715 (duration_in_ms=0.605)
[INFO    ] Completed state [/etc/pki/kafka.key] at time 16:37:44.720715 (duration_in_ms=0.605)
[INFO    ] Running state [/etc/pki/kafka-logstash.crt] at time 16:37:44.720864
[INFO    ] Running state [/etc/pki/kafka-logstash.crt] at time 16:37:44.720864
[INFO    ] Executing state file.absent for [/etc/pki/kafka-logstash.crt]
[INFO    ] Executing state file.absent for [/etc/pki/kafka-logstash.crt]
[INFO    ] File /etc/pki/kafka-logstash.crt is not present
[INFO    ] File /etc/pki/kafka-logstash.crt is not present
[INFO    ] Completed state [/etc/pki/kafka-logstash.crt] at time 16:37:44.721484 (duration_in_ms=0.62)
[INFO    ] Completed state [/etc/pki/kafka-logstash.crt] at time 16:37:44.721484 (duration_in_ms=0.62)
[INFO    ] Running state [/etc/pki/kafka-logstash.key] at time 16:37:44.721635
[INFO    ] Running state [/etc/pki/kafka-logstash.key] at time 16:37:44.721635
[INFO    ] Executing state file.absent for [/etc/pki/kafka-logstash.key]
[INFO    ] Executing state file.absent for [/etc/pki/kafka-logstash.key]
[INFO    ] File /etc/pki/kafka-logstash.key is not present
[INFO    ] File /etc/pki/kafka-logstash.key is not present
[INFO    ] Completed state [/etc/pki/kafka-logstash.key] at time 16:37:44.722247 (duration_in_ms=0.611)
[INFO    ] Completed state [/etc/pki/kafka-logstash.key] at time 16:37:44.722247 (duration_in_ms=0.611)
[INFO    ] Running state [/etc/pki/kafka-logstash.p12] at time 16:37:44.722397
[INFO    ] Running state [/etc/pki/kafka-logstash.p12] at time 16:37:44.722397
[INFO    ] Executing state file.absent for [/etc/pki/kafka-logstash.p12]
[INFO    ] Executing state file.absent for [/etc/pki/kafka-logstash.p12]
[INFO    ] File /etc/pki/kafka-logstash.p12 is not present
[INFO    ] File /etc/pki/kafka-logstash.p12 is not present
[INFO    ] Completed state [/etc/pki/kafka-logstash.p12] at time 16:37:44.723007 (duration_in_ms=0.61)
[INFO    ] Completed state [/etc/pki/kafka-logstash.p12] at time 16:37:44.723007 (duration_in_ms=0.61)
local:
----------
          ID: trusttheca
    Function: file.absent
        Name: /etc/pki/tls/certs/intca.crt
      Result: True
     Comment: File /etc/pki/tls/certs/intca.crt is not present
     Started: 16:37:44.703455
    Duration: 0.71 ms
     Changes:   
----------
          ID: symlinkca
    Function: file.absent
        Name: /etc/ssl/certs/intca.crt
      Result: True
     Comment: File /etc/ssl/certs/intca.crt is not present
     Started: 16:37:44.704321
    Duration: 0.628 ms
     Changes:   
----------
          ID: influxdb_key
    Function: file.absent
        Name: /etc/pki/influxdb.key
      Result: True
     Comment: File /etc/pki/influxdb.key is not present
     Started: 16:37:44.705100
    Duration: 0.752 ms
     Changes:   
----------
          ID: influxdb_crt
    Function: file.absent
        Name: /etc/pki/influxdb.crt
      Result: True
     Comment: File /etc/pki/influxdb.crt is not present
     Started: 16:37:44.706009
    Duration: 0.624 ms
     Changes:   
----------
          ID: redis_key
    Function: file.absent
        Name: /etc/pki/redis.key
      Result: True
     Comment: File /etc/pki/redis.key is not present
     Started: 16:37:44.706783
    Duration: 0.619 ms
     Changes:   
----------
          ID: redis_crt
    Function: file.absent
        Name: /etc/pki/redis.crt
      Result: True
     Comment: File /etc/pki/redis.crt is not present
     Started: 16:37:44.707553
    Duration: 0.616 ms
     Changes:   
----------
          ID: etc_filebeat_key
    Function: file.absent
        Name: /etc/pki/filebeat.key
      Result: True
     Comment: File /etc/pki/filebeat.key is not present
     Started: 16:37:44.708318
    Duration: 0.617 ms
     Changes:   
----------
          ID: etc_filebeat_crt
    Function: file.absent
        Name: /etc/pki/filebeat.crt
      Result: True
     Comment: File /etc/pki/filebeat.crt is not present
     Started: 16:37:44.709085
    Duration: 0.615 ms
     Changes:   
----------
          ID: filebeatdir
    Function: file.absent
        Name: /opt/so/saltstack/local/salt/filebeat/files
      Result: True
     Comment: File /opt/so/saltstack/local/salt/filebeat/files is not present
     Started: 16:37:44.709851
    Duration: 0.651 ms
     Changes:   
----------
          ID: registry_key
    Function: file.absent
        Name: /etc/pki/registry.key
      Result: True
     Comment: File /etc/pki/registry.key is not present
     Started: 16:37:44.710651
    Duration: 0.611 ms
     Changes:   
----------
          ID: registry_crt
    Function: file.absent
        Name: /etc/pki/registry.crt
      Result: True
     Comment: File /etc/pki/registry.crt is not present
     Started: 16:37:44.711411
    Duration: 0.618 ms
     Changes:   
----------
          ID: /etc/pki/elasticsearch.key
    Function: file.absent
      Result: True
     Comment: File /etc/pki/elasticsearch.key is not present
     Started: 16:37:44.712178
    Duration: 0.607 ms
     Changes:   
----------
          ID: /etc/pki/elasticsearch.crt
    Function: file.absent
      Result: True
     Comment: File /etc/pki/elasticsearch.crt is not present
     Started: 16:37:44.712950
    Duration: 1.68 ms
     Changes:   
----------
          ID: remove_elasticsearch.p12
    Function: file.absent
        Name: /etc/pki/elasticsearch.p12
      Result: True
     Comment: File /etc/pki/elasticsearch.p12 is not present
     Started: 16:37:44.714782
    Duration: 0.612 ms
     Changes:   
----------
          ID: managerssl_key
    Function: file.absent
        Name: /etc/pki/managerssl.key
      Result: True
     Comment: File /etc/pki/managerssl.key is not present
     Started: 16:37:44.715544
    Duration: 0.611 ms
     Changes:   
----------
          ID: managerssl_crt
    Function: file.absent
        Name: /etc/pki/managerssl.crt
      Result: True
     Comment: File /etc/pki/managerssl.crt is not present
     Started: 16:37:44.716305
    Duration: 0.615 ms
     Changes:   
----------
          ID: fleet_key
    Function: file.absent
        Name: /etc/pki/fleet.key
      Result: True
     Comment: File /etc/pki/fleet.key is not present
     Started: 16:37:44.717072
    Duration: 0.603 ms
     Changes:   
----------
          ID: fleet_crt
    Function: file.absent
        Name: /etc/pki/fleet.crt
      Result: True
     Comment: File /etc/pki/fleet.crt is not present
     Started: 16:37:44.717826
    Duration: 0.609 ms
     Changes:   
----------
          ID: fbcertdir
    Function: file.absent
        Name: /opt/so/conf/filebeat/etc/pki
      Result: True
     Comment: File /opt/so/conf/filebeat/etc/pki is not present
     Started: 16:37:44.718585
    Duration: 0.609 ms
     Changes:   
----------
          ID: kafka_crt
    Function: file.absent
        Name: /etc/pki/kafka.crt
      Result: True
     Comment: File /etc/pki/kafka.crt is not present
     Started: 16:37:44.719345
    Duration: 0.616 ms
     Changes:   
----------
          ID: kafka_key
    Function: file.absent
        Name: /etc/pki/kafka.key
      Result: True
     Comment: File /etc/pki/kafka.key is not present
     Started: 16:37:44.720110
    Duration: 0.605 ms
     Changes:   
----------
          ID: kafka_logstash_crt
    Function: file.absent
        Name: /etc/pki/kafka-logstash.crt
      Result: True
     Comment: File /etc/pki/kafka-logstash.crt is not present
     Started: 16:37:44.720864
    Duration: 0.62 ms
     Changes:   
----------
          ID: kafka_logstash_key
    Function: file.absent
        Name: /etc/pki/kafka-logstash.key
      Result: True
     Comment: File /etc/pki/kafka-logstash.key is not present
     Started: 16:37:44.721636
    Duration: 0.611 ms
     Changes:   
----------
          ID: kafka_logstash_keystore
    Function: file.absent
        Name: /etc/pki/kafka-logstash.p12
      Result: True
     Comment: File /etc/pki/kafka-logstash.p12 is not present
     Started: 16:37:44.722397
    Duration: 0.61 ms
     Changes:   

Summary for local
-------------
Succeeded: 24
Failed:     0
-------------
Total states run:     24
Total run time:   16.069 ms
local:
----------
          ID: trusttheca
    Function: file.absent
        Name: /etc/pki/tls/certs/intca.crt
      Result: True
     Comment: File /etc/pki/tls/certs/intca.crt is not present
     Started: 16:37:44.703455
    Duration: 0.71 ms
     Changes:   
----------
          ID: symlinkca
    Function: file.absent
        Name: /etc/ssl/certs/intca.crt
      Result: True
     Comment: File /etc/ssl/certs/intca.crt is not present
     Started: 16:37:44.704321
    Duration: 0.628 ms
     Changes:   
----------
          ID: influxdb_key
    Function: file.absent
        Name: /etc/pki/influxdb.key
      Result: True
     Comment: File /etc/pki/influxdb.key is not present
     Started: 16:37:44.705100
    Duration: 0.752 ms
     Changes:   
----------
          ID: influxdb_crt
    Function: file.absent
        Name: /etc/pki/influxdb.crt
      Result: True
     Comment: File /etc/pki/influxdb.crt is not present
     Started: 16:37:44.706009
    Duration: 0.624 ms
     Changes:   
----------
          ID: redis_key
    Function: file.absent
        Name: /etc/pki/redis.key
      Result: True
     Comment: File /etc/pki/redis.key is not present
     Started: 16:37:44.706783
    Duration: 0.619 ms
     Changes:   
----------
          ID: redis_crt
    Function: file.absent
        Name: /etc/pki/redis.crt
      Result: True
     Comment: File /etc/pki/redis.crt is not present
     Started: 16:37:44.707553
    Duration: 0.616 ms
     Changes:   
----------
          ID: etc_filebeat_key
    Function: file.absent
        Name: /etc/pki/filebeat.key
      Result: True
     Comment: File /etc/pki/filebeat.key is not present
     Started: 16:37:44.708318
    Duration: 0.617 ms
     Changes:   
----------
          ID: etc_filebeat_crt
    Function: file.absent
        Name: /etc/pki/filebeat.crt
      Result: True
     Comment: File /etc/pki/filebeat.crt is not present
     Started: 16:37:44.709085
    Duration: 0.615 ms
     Changes:   
----------
          ID: filebeatdir
    Function: file.absent
        Name: /opt/so/saltstack/local/salt/filebeat/files
      Result: True
     Comment: File /opt/so/saltstack/local/salt/filebeat/files is not present
     Started: 16:37:44.709851
    Duration: 0.651 ms
     Changes:   
----------
          ID: registry_key
    Function: file.absent
        Name: /etc/pki/registry.key
      Result: True
     Comment: File /etc/pki/registry.key is not present
     Started: 16:37:44.710651
    Duration: 0.611 ms
     Changes:   
----------
          ID: registry_crt
    Function: file.absent
        Name: /etc/pki/registry.crt
      Result: True
     Comment: File /etc/pki/registry.crt is not present
     Started: 16:37:44.711411
    Duration: 0.618 ms
     Changes:   
----------
          ID: /etc/pki/elasticsearch.key
    Function: file.absent
      Result: True
     Comment: File /etc/pki/elasticsearch.key is not present
     Started: 16:37:44.712178
    Duration: 0.607 ms
     Changes:   
----------
          ID: /etc/pki/elasticsearch.crt
    Function: file.absent
      Result: True
     Comment: File /etc/pki/elasticsearch.crt is not present
     Started: 16:37:44.712950
    Duration: 1.68 ms
     Changes:   
----------
          ID: remove_elasticsearch.p12
    Function: file.absent
        Name: /etc/pki/elasticsearch.p12
      Result: True
     Comment: File /etc/pki/elasticsearch.p12 is not present
     Started: 16:37:44.714782
    Duration: 0.612 ms
     Changes:   
----------
          ID: managerssl_key
    Function: file.absent
        Name: /etc/pki/managerssl.key
      Result: True
     Comment: File /etc/pki/managerssl.key is not present
     Started: 16:37:44.715544
    Duration: 0.611 ms
     Changes:   
----------
          ID: managerssl_crt
    Function: file.absent
        Name: /etc/pki/managerssl.crt
      Result: True
     Comment: File /etc/pki/managerssl.crt is not present
     Started: 16:37:44.716305
    Duration: 0.615 ms
     Changes:   
----------
          ID: fleet_key
    Function: file.absent
        Name: /etc/pki/fleet.key
      Result: True
     Comment: File /etc/pki/fleet.key is not present
     Started: 16:37:44.717072
    Duration: 0.603 ms
     Changes:   
----------
          ID: fleet_crt
    Function: file.absent
        Name: /etc/pki/fleet.crt
      Result: True
     Comment: File /etc/pki/fleet.crt is not present
     Started: 16:37:44.717826
    Duration: 0.609 ms
     Changes:   
----------
          ID: fbcertdir
    Function: file.absent
        Name: /opt/so/conf/filebeat/etc/pki
      Result: True
     Comment: File /opt/so/conf/filebeat/etc/pki is not present
     Started: 16:37:44.718585
    Duration: 0.609 ms
     Changes:   
----------
          ID: kafka_crt
    Function: file.absent
        Name: /etc/pki/kafka.crt
      Result: True
     Comment: File /etc/pki/kafka.crt is not present
     Started: 16:37:44.719345
    Duration: 0.616 ms
     Changes:   
----------
          ID: kafka_key
    Function: file.absent
        Name: /etc/pki/kafka.key
      Result: True
     Comment: File /etc/pki/kafka.key is not present
     Started: 16:37:44.720110
    Duration: 0.605 ms
     Changes:   
----------
          ID: kafka_logstash_crt
    Function: file.absent
        Name: /etc/pki/kafka-logstash.crt
      Result: True
     Comment: File /etc/pki/kafka-logstash.crt is not present
     Started: 16:37:44.720864
    Duration: 0.62 ms
     Changes:   
----------
          ID: kafka_logstash_key
    Function: file.absent
        Name: /etc/pki/kafka-logstash.key
      Result: True
     Comment: File /etc/pki/kafka-logstash.key is not present
     Started: 16:37:44.721636
    Duration: 0.611 ms
     Changes:   
----------
          ID: kafka_logstash_keystore
    Function: file.absent
        Name: /etc/pki/kafka-logstash.p12
      Result: True
     Comment: File /etc/pki/kafka-logstash.p12 is not present
     Started: 16:37:44.722397
    Duration: 0.61 ms
     Changes:   

Summary for local
-------------
Succeeded: 24
Failed:     0
-------------
Total states run:     24
Total run time:   16.069 ms
2025-11-21T16:37:44Z | INFO | Checking service salt-minion status
2025-11-21T16:37:44Z | INFO | Checking service salt-minion status
2025-11-21T16:37:44Z | INFO |   salt-minion is not running
2025-11-21T16:37:44Z | INFO |   salt-minion is not running
2025-11-21T16:37:44Z | INFO | Checking service salt-minion status
2025-11-21T16:37:44Z | INFO | Checking service salt-minion status
2025-11-21T16:37:44Z | INFO |   salt-minion is not running
2025-11-21T16:37:44Z | INFO |   salt-minion is not running
2025-11-21T16:37:44Z | INFO | Executing command: elastic-agent uninstall -f
2025-11-21T16:37:44Z | INFO | Executing command: elastic-agent uninstall -f
./so-functions: line 40: elastic-agent: command not found
./so-functions: line 40: elastic-agent: command not found
2025-11-21T16:37:44Z | INFO | System reinstall init has been completed.
2025-11-21T16:37:45Z | INFO | Restarting Docker...
2025-11-21T16:37:45Z | INFO | Executing command: systemctl restart docker

-----------------------------
 Parsing Username for Install
-----------------------------


-----------------------------
 Initializing Setup
-----------------------------

2025-11-21T16:37:45Z | INFO | Installing as the secsensor user

-----------------------------
 System Characteristics
-----------------------------

2025-11-21T16:37:45Z | INFO | Executing command: uptime
 16:37:45 up  1:14,  1 user,  load average: 0.15, 0.25, 0.26
2025-11-21T16:37:45Z | INFO | Executing command: uname -a
Linux onionsensor 5.15.0-314.193.5.4.el9uek.x86_64 #2 SMP Tue Nov 11 13:08:11 PST 2025 x86_64 x86_64 x86_64 GNU/Linux
2025-11-21T16:37:45Z | INFO | Executing command: free -h
               total        used        free      shared  buff/cache   available
Mem:            46Gi       1.1Gi        44Gi        17Mi       1.7Gi        45Gi
Swap:           23Gi          0B        23Gi
2025-11-21T16:37:45Z | INFO | Executing command: lscpu
Architecture:                            x86_64
CPU op-mode(s):                          32-bit, 64-bit
Address sizes:                           40 bits physical, 48 bits virtual
Byte Order:                              Little Endian
CPU(s):                                  12
On-line CPU(s) list:                     0-11
Vendor ID:                               GenuineIntel
BIOS Vendor ID:                          Intel
Model name:                              Intel(R) Xeon(R) CPU           X5690  @ 3.47GHz
BIOS Model name:                         Intel(R) Xeon(R) CPU X5690 @ 3.47GHz
CPU family:                              6
Model:                                   44
Thread(s) per core:                      2
Core(s) per socket:                      6
Socket(s):                               1
Stepping:                                2
Frequency boost:                         enabled
CPU(s) scaling MHz:                      97%
CPU max MHz:                             3459.0000
CPU min MHz:                             1596.0000
BogoMIPS:                                6933.71
Flags:                                   fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ht tm pbe syscall nx pdpe1gb rdtscp lm constant_tsc arch_perfmon pebs bts rep_good nopl xtopology nonstop_tsc cpuid aperfmperf pni pclmulqdq dtes64 monitor ds_cpl vmx smx est tm2 ssse3 cx16 xtpr pdcm pcid dca sse4_1 sse4_2 popcnt aes lahf_lm epb pti ssbd ibrs ibpb stibp tpr_shadow flexpriority ept vpid dtherm ida arat vnmi flush_l1d
Virtualization:                          VT-x
L1d cache:                               192 KiB (6 instances)
L1i cache:                               192 KiB (6 instances)
L2 cache:                                1.5 MiB (6 instances)
L3 cache:                                12 MiB (1 instance)
NUMA node(s):                            1
NUMA node0 CPU(s):                       0-11
Vulnerability Gather data sampling:      Not affected
Vulnerability Indirect target selection: Not affected
Vulnerability Itlb multihit:             KVM: Mitigation: VMX disabled
Vulnerability L1tf:                      Mitigation; PTE Inversion; VMX conditional cache flushes, SMT vulnerable
Vulnerability Mds:                       Vulnerable: Clear CPU buffers attempted, no microcode; SMT vulnerable
Vulnerability Meltdown:                  Mitigation; PTI
Vulnerability Mmio stale data:           Unknown: No mitigations
Vulnerability Reg file data sampling:    Not affected
Vulnerability Retbleed:                  Not affected
Vulnerability Spec rstack overflow:      Not affected
Vulnerability Spec store bypass:         Mitigation; Speculative Store Bypass disabled via prctl
Vulnerability Spectre v1:                Mitigation; usercopy/swapgs barriers and __user pointer sanitization
Vulnerability Spectre v2:                Mitigation; Retpolines; IBPB conditional; IBRS_FW; STIBP conditional; RSB filling; PBRSB-eIBRS Not affected; BHI Not affected
Vulnerability Srbds:                     Not affected
Vulnerability Tsa:                       Not affected
Vulnerability Tsx async abort:           Not affected
Vulnerability Vmscape:                   Not affected
2025-11-21T16:37:45Z | INFO | Executing command: df -h
Filesystem           Size  Used Avail Use% Mounted on
devtmpfs             4.0M     0  4.0M   0% /dev
tmpfs                 24G     0   24G   0% /dev/shm
tmpfs                9.4G   18M  9.4G   1% /run
/dev/mapper/ol-root   70G   18G   53G  26% /
/dev/sdb1            960M  443M  518M  47% /boot
/dev/mapper/ol-home  353G  3.2G  350G   1% /home
/dev/md126           932G   19G  913G   3% /nsm
tmpfs                4.7G     0  4.7G   0% /run/user/939
tmpfs                4.7G     0  4.7G   0% /run/user/1000
2025-11-21T16:37:45Z | INFO | Executing command: ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: ens1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:10:18:d9:37:43 brd ff:ff:ff:ff:ff:ff
    altname enp3s0
    inet 172.25.70.56/24 brd 172.25.70.255 scope global noprefixroute ens1
       valid_lft forever preferred_lft forever
    inet6 fe80::210:18ff:fed9:3743/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever
3: enp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether a0:b3:cc:f7:eb:b7 brd ff:ff:ff:ff:ff:ff
5: sobridge: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default 
    link/ether 02:42:41:e0:13:c4 brd ff:ff:ff:ff:ff:ff
    inet 172.17.1.1/24 brd 172.17.1.255 scope global sobridge
       valid_lft forever preferred_lft forever
210: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default 
    link/ether 02:42:df:71:c4:70 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/24 brd 172.17.0.255 scope global docker0
       valid_lft forever preferred_lft forever
2025-11-21T16:37:45Z | INFO | Beginning Security Onion iso install
2025-11-21T16:37:45Z | INFO | Setup is running on TTY /dev/pts/0
2025-11-21T16:37:55Z | INFO | Setting up as node type sensor
2025-11-21T16:38:07Z | INFO | Gathering the management IP. 
2025-11-21T16:38:12Z | INFO | Removing onion from /etc/hosts if present.
2025-11-21T16:38:13Z | INFO | Adding onion to /etc/hosts with IP: 172.25.70.55
2025-11-21T16:38:13Z | INFO | Checking manager connectivity
2025-11-21T16:38:13Z | INFO | Testing if setup is running on a cloud instance...
2025-11-21T16:38:13Z | INFO | This does not appear to be a cloud installation.
2025-11-21T16:38:16Z | INFO | MINION_ID = onionsensor_sensor
Install summary:
Security Onion Version: 2.4.170
Node Type: SENSOR
Hostname: onionsensor
Description: Security Onion Sensor
Network:
Management NIC: ens1
Management IP: 172.25.70.56
Proxy: N/A
Bond NIC(s):
  - enp1s0

-----------------------------
 Determine ES Heap Size
-----------------------------


-----------------------------
 Setting Logstash heap size
-----------------------------


-----------------------------
 Setting the MTU to 9000 on all monitor NICS
-----------------------------

2025-11-21T16:38:18Z | INFO | Interface set to bond0
2025-11-21T16:38:18Z | INFO | Setting up sensor interface
2025-11-21T16:38:18Z | INFO | Configuring bond interface settings, since this is a not a cloud installation...
Connection 'bond0' (773a7ddd-728d-4335-ba79-490fd2599389) successfully added.
Actual changes:
tx-checksum-ipv4: off
tx-checksum-ipv6: off
tx-tcp-segmentation: off [not requested]
tx-tcp-ecn-segmentation: off [not requested]
tx-tcp6-segmentation: off [not requested]
Actual changes:
tx-scatter-gather: off
tx-generic-segmentation: off [not requested]
Could not change any device features
Connection 'bond0-slave-enp1s0' (1588696d-8b6f-4f8e-8719-ab03ddc78175) successfully added.
Error: Connection activation failed: Unknown error
Hint: use 'journalctl -xe NM_CONNECTION=1588696d-8b6f-4f8e-8719-ab03ddc78175 + NM_DEVICE=enp1s0' to get more details.
2025-11-21T16:38:18Z | INFO | Ephemeral ports already reserved

-----------------------------
 Marking the current version
-----------------------------

2025-11-21T16:38:18Z | INFO | Clearing the old manager
2025-11-21T16:38:18Z | INFO | Executing command: dnf -v clean all
Loaded plugins: builddep, changelog, config-manager, copr, debug, debuginfo-install, download, generate_completion_cache, groups-manager, needs-restarting, playground, repoclosure, repodiff, repograph, repomanage, reposync, system-upgrade, versionlock
DNF version: 4.14.0
cachedir: /var/cache/yum/x86_64/9
Cleaning data: dbcache packages metadata
5 files removed
2025-11-21T16:38:19Z | INFO | Executing command: mkdir -vp /root/oldrepos
2025-11-21T16:38:19Z | INFO | Executing command: mv -v /etc/yum.repos.d/* /root/oldrepos/
renamed '/etc/yum.repos.d/securityonion.repo' -> '/root/oldrepos/securityonion.repo'
2025-11-21T16:38:19Z | INFO | Executing command: dnf repolist all
repo id                          repo name                               status
securityonion                    Security Onion Repo                     enabled
2025-11-21T16:38:19Z | INFO | Executing command: dnf repolist
repo id                              repo name
securityonion                        Security Onion Repo
2025-11-21T16:38:19Z | INFO | Executing command: dnf -y update --allowerasing --exclude=salt*,docker*,containerd*
Security Onion Repo                              21 MB/s | 3.8 MB     00:00    
Last metadata expiration check: 0:00:01 ago on Fri 21 Nov 2025 04:38:20 PM UTC.
Dependencies resolved.
Nothing to do.
Complete!
2025-11-21T16:38:21Z | INFO | Removing repo files added by oracle-repos package update
2025-11-21T16:38:21Z | INFO | Executing command: rm -f /etc/yum.repos.d/oracle-linux-ol9.repo
2025-11-21T16:38:21Z | INFO | Executing command: rm -f /etc/yum.repos.d/uek-ol9.repo
2025-11-21T16:38:21Z | INFO | Executing command: rm -f /etc/yum.repos.d/virt-ol9.repo
2025-11-21T16:38:21Z | INFO | Installing Salt
2025-11-21T16:38:21Z | INFO | Executing command: dnf -y install salt-3006.9 salt-minion-3006.9
Last metadata expiration check: 0:00:01 ago on Fri 21 Nov 2025 04:38:20 PM UTC.
Package salt-3006.9-0.x86_64 is already installed.
Package salt-minion-3006.9-0.x86_64 is already installed.
Dependencies resolved.
Nothing to do.
Complete!
2025-11-21T16:38:21Z | INFO | Executing command: mkdir -p /etc/salt/minion.d
2025-11-21T16:38:21Z | INFO | Executing command: salt-call state.apply salt.python_modules --local --file-root=../salt/
local:
----------
          ID: docker_module_package
    Function: file.recurse
        Name: /opt/so/conf/salt/module_packages/docker
      Result: True
     Comment: Recursively updated /opt/so/conf/salt/module_packages/docker
     Started: 16:38:23.220113
    Duration: 139.738 ms
     Changes:   
              ----------
              /opt/so/conf/salt/module_packages/docker/certifi-2024.7.4-py3-none-any.whl:
                  ----------
                  diff:
                      New file
                  mode:
                      0644
              /opt/so/conf/salt/module_packages/docker/charset_normalizer-3.3.2-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl:
                  ----------
                  diff:
                      New file
                  mode:
                      0644
              /opt/so/conf/salt/module_packages/docker/docker-7.1.0-py3-none-any.whl:
                  ----------
                  diff:
                      New file
                  mode:
                      0644
              /opt/so/conf/salt/module_packages/docker/idna-3.8-py3-none-any.whl:
                  ----------
                  diff:
                      New file
                  mode:
                      0644
              /opt/so/conf/salt/module_packages/docker/requests-2.32.3-py3-none-any.whl:
                  ----------
                  diff:
                      New file
                  mode:
                      0644
              /opt/so/conf/salt/module_packages/docker/urllib3-2.2.2-py3-none-any.whl:
                  ----------
                  diff:
                      New file
                  mode:
                      0644
----------
          ID: docker_python_module_install
    Function: cmd.run
        Name: /opt/saltstack/salt/bin/python3.10 -m pip install docker --no-index --find-links=/opt/so/conf/salt/module_packages/docker/ --upgrade
      Result: True
     Comment: Command "/opt/saltstack/salt/bin/python3.10 -m pip install docker --no-index --find-links=/opt/so/conf/salt/module_packages/docker/ --upgrade" run
     Started: 16:38:23.361047
    Duration: 1006.983 ms
     Changes:   
              ----------
              pid:
                  56812
              retcode:
                  0
              stderr:
                  WARNING: Running pip as the 'root' user can result in broken permissions and conflicting behaviour with the system package manager. It is recommended to use a virtual environment instead: https://pip.pypa.io/warnings/venv
              stdout:
                  Looking in links: /opt/so/conf/salt/module_packages/docker/
                  Requirement already satisfied: docker in /opt/saltstack/salt/lib/python3.10/site-packages (7.1.0)
                  Requirement already satisfied: requests>=2.26.0 in /opt/saltstack/salt/lib/python3.10/site-packages (from docker) (2.32.3)
                  Requirement already satisfied: urllib3>=1.26.0 in /opt/saltstack/salt/lib/python3.10/site-packages (from docker) (1.26.18)
                  Requirement already satisfied: charset-normalizer<4,>=2 in /opt/saltstack/salt/lib/python3.10/site-packages (from requests>=2.26.0->docker) (3.2.0)
                  Requirement already satisfied: idna<4,>=2.5 in /opt/saltstack/salt/lib/python3.10/site-packages (from requests>=2.26.0->docker) (3.7)
                  Requirement already satisfied: certifi>=2017.4.17 in /opt/saltstack/salt/lib/python3.10/site-packages (from requests>=2.26.0->docker) (2024.7.4)

Summary for local
------------
Succeeded: 2 (changed=2)
Failed:    0
------------
Total states run:     2
Total run time:   1.147 s
2025-11-21T16:38:24Z | INFO | Executing command: salt-call state.apply salt.patch.x509_v2 --local --file-root=../salt/
local:
----------
          ID: patch_x509_v2_state_module
    Function: file.replace
        Name: /opt/saltstack/salt/lib/python3.10/site-packages/salt/states/x509_v2.py
      Result: True
     Comment: No changes needed to be made
     Started: 16:38:25.689019
    Duration: 29.609 ms
     Changes:   

Summary for local
------------
Succeeded: 1
Failed:    0
------------
Total states run:     1
Total run time:  29.609 ms
2025-11-21T16:38:25Z | INFO | Configuring minion type as sensor
2025-11-21T16:38:25Z | INFO | Running: salt-call state.apply salt.mine_functions --local --file-root=../salt/ -l info pillar='{host: {mainint: ens1}}'
2025-11-21T16:38:28Z | INFO | Executing command: systemctl enable salt-minion
2025-11-21T16:38:28Z | INFO | Executing command: systemctl enable salt-minion
2025-11-21T16:38:28Z | INFO | Executing command: systemctl restart salt-minion
2025-11-21T16:38:28Z | INFO | Executing command: systemctl restart salt-minion
2025-11-21T16:38:28Z | INFO | Not an appliance
2025-11-21T16:38:28Z | INFO | Check if hypervisor or managerhype
2025-11-21T16:38:28Z | INFO | Verifying setup
WARNING: Errors detected during setup.
--------- ERRORS ---------
Error: Connection activation failed: Unknown error
--------------------------

-----------------------------
 Detecting Base OS
-----------------------------

2025-11-21T17:12:11Z | INFO | Found OS: oracle 9

-----------------------------
 Detecting if this is an ISO install
-----------------------------


-----------------------------
 Checking to see if install has run before
-----------------------------

2025-11-21T17:12:13Z | INFO | Old setup detected. Preparing for reinstallation.
2025-11-21T17:12:13Z | INFO | Putting system in state to run setup again
2025-11-21T17:12:13Z | INFO | Executing command: crontab -r -u root
2025-11-21T17:12:13Z | INFO | Executing command: crontab -r -u root
no crontab for root
no crontab for root
[ERROR   ] Encountered StreamClosedException
local:
    ----------
    changes:
        ----------
    comment:
    result:
        True
local:
2025-11-21T17:12:16Z | INFO | Executing command: salt-call state.apply ca.remove -linfo --local --file-root=../salt
2025-11-21T17:12:16Z | INFO | Executing command: salt-call state.apply ca.remove -linfo --local --file-root=../salt
[INFO    ] Loading fresh modules for state activity
[INFO    ] Loading fresh modules for state activity
[INFO    ] Fetching file from saltenv 'base', ** done ** 'ca/remove.sls'
[INFO    ] Fetching file from saltenv 'base', ** done ** 'ca/remove.sls'
[INFO    ] Running state [/etc/pki/ca.key] at time 17:12:18.250440
[INFO    ] Running state [/etc/pki/ca.key] at time 17:12:18.250440
[INFO    ] Executing state file.absent for [/etc/pki/ca.key]
[INFO    ] Executing state file.absent for [/etc/pki/ca.key]
[INFO    ] File /etc/pki/ca.key is not present
[INFO    ] File /etc/pki/ca.key is not present
[INFO    ] Completed state [/etc/pki/ca.key] at time 17:12:18.251269 (duration_in_ms=0.829)
[INFO    ] Completed state [/etc/pki/ca.key] at time 17:12:18.251269 (duration_in_ms=0.829)
[INFO    ] Running state [/etc/pki/ca.crt] at time 17:12:18.251473
[INFO    ] Running state [/etc/pki/ca.crt] at time 17:12:18.251473
[INFO    ] Executing state file.absent for [/etc/pki/ca.crt]
[INFO    ] Executing state file.absent for [/etc/pki/ca.crt]
[INFO    ] File /etc/pki/ca.crt is not present
[INFO    ] File /etc/pki/ca.crt is not present
[INFO    ] Completed state [/etc/pki/ca.crt] at time 17:12:18.252226 (duration_in_ms=0.754)
[INFO    ] Completed state [/etc/pki/ca.crt] at time 17:12:18.252226 (duration_in_ms=0.754)
local:
----------
          ID: pki_private_key
    Function: file.absent
        Name: /etc/pki/ca.key
      Result: True
     Comment: File /etc/pki/ca.key is not present
     Started: 17:12:18.250440
    Duration: 0.829 ms
     Changes:   
----------
          ID: pki_public_ca_crt
    Function: file.absent
        Name: /etc/pki/ca.crt
      Result: True
     Comment: File /etc/pki/ca.crt is not present
     Started: 17:12:18.251472
    Duration: 0.754 ms
     Changes:   

Summary for local
------------
Succeeded: 2
Failed:    0
------------
Total states run:     2
Total run time:   1.583 ms
local:
----------
          ID: pki_private_key
    Function: file.absent
        Name: /etc/pki/ca.key
      Result: True
     Comment: File /etc/pki/ca.key is not present
     Started: 17:12:18.250440
    Duration: 0.829 ms
     Changes:   
----------
          ID: pki_public_ca_crt
    Function: file.absent
        Name: /etc/pki/ca.crt
      Result: True
     Comment: File /etc/pki/ca.crt is not present
     Started: 17:12:18.251472
    Duration: 0.754 ms
     Changes:   

Summary for local
------------
Succeeded: 2
Failed:    0
------------
Total states run:     2
Total run time:   1.583 ms
2025-11-21T17:12:18Z | INFO | Executing command: salt-call state.apply ssl.remove -linfo --local --file-root=../salt
2025-11-21T17:12:18Z | INFO | Executing command: salt-call state.apply ssl.remove -linfo --local --file-root=../salt
[INFO    ] Loading fresh modules for state activity
[INFO    ] Loading fresh modules for state activity
[INFO    ] Fetching file from saltenv 'base', ** done ** 'ssl/remove.sls'
[INFO    ] Fetching file from saltenv 'base', ** done ** 'ssl/remove.sls'
[INFO    ] Running state [/etc/pki/tls/certs/intca.crt] at time 17:12:19.571501
[INFO    ] Running state [/etc/pki/tls/certs/intca.crt] at time 17:12:19.571501
[INFO    ] Executing state file.absent for [/etc/pki/tls/certs/intca.crt]
[INFO    ] Executing state file.absent for [/etc/pki/tls/certs/intca.crt]
[INFO    ] File /etc/pki/tls/certs/intca.crt is not present
[INFO    ] File /etc/pki/tls/certs/intca.crt is not present
[INFO    ] Completed state [/etc/pki/tls/certs/intca.crt] at time 17:12:19.572343 (duration_in_ms=0.842)
[INFO    ] Completed state [/etc/pki/tls/certs/intca.crt] at time 17:12:19.572343 (duration_in_ms=0.842)
[INFO    ] Running state [/etc/ssl/certs/intca.crt] at time 17:12:19.572543
[INFO    ] Running state [/etc/ssl/certs/intca.crt] at time 17:12:19.572543
[INFO    ] Executing state file.absent for [/etc/ssl/certs/intca.crt]
[INFO    ] Executing state file.absent for [/etc/ssl/certs/intca.crt]
[INFO    ] File /etc/ssl/certs/intca.crt is not present
[INFO    ] File /etc/ssl/certs/intca.crt is not present
[INFO    ] Completed state [/etc/ssl/certs/intca.crt] at time 17:12:19.573291 (duration_in_ms=0.749)
[INFO    ] Completed state [/etc/ssl/certs/intca.crt] at time 17:12:19.573291 (duration_in_ms=0.749)
[INFO    ] Running state [/etc/pki/influxdb.key] at time 17:12:19.573485
[INFO    ] Running state [/etc/pki/influxdb.key] at time 17:12:19.573485
[INFO    ] Executing state file.absent for [/etc/pki/influxdb.key]
[INFO    ] Executing state file.absent for [/etc/pki/influxdb.key]
[INFO    ] File /etc/pki/influxdb.key is not present
[INFO    ] File /etc/pki/influxdb.key is not present
[INFO    ] Completed state [/etc/pki/influxdb.key] at time 17:12:19.575325 (duration_in_ms=1.84)
[INFO    ] Completed state [/etc/pki/influxdb.key] at time 17:12:19.575325 (duration_in_ms=1.84)
[INFO    ] Running state [/etc/pki/influxdb.crt] at time 17:12:19.575521
[INFO    ] Running state [/etc/pki/influxdb.crt] at time 17:12:19.575521
[INFO    ] Executing state file.absent for [/etc/pki/influxdb.crt]
[INFO    ] Executing state file.absent for [/etc/pki/influxdb.crt]
[INFO    ] File /etc/pki/influxdb.crt is not present
[INFO    ] File /etc/pki/influxdb.crt is not present
[INFO    ] Completed state [/etc/pki/influxdb.crt] at time 17:12:19.576276 (duration_in_ms=0.756)
[INFO    ] Completed state [/etc/pki/influxdb.crt] at time 17:12:19.576276 (duration_in_ms=0.756)
[INFO    ] Running state [/etc/pki/redis.key] at time 17:12:19.576471
[INFO    ] Running state [/etc/pki/redis.key] at time 17:12:19.576471
[INFO    ] Executing state file.absent for [/etc/pki/redis.key]
[INFO    ] Executing state file.absent for [/etc/pki/redis.key]
[INFO    ] File /etc/pki/redis.key is not present
[INFO    ] File /etc/pki/redis.key is not present
[INFO    ] Completed state [/etc/pki/redis.key] at time 17:12:19.577210 (duration_in_ms=0.74)
[INFO    ] Completed state [/etc/pki/redis.key] at time 17:12:19.577210 (duration_in_ms=0.74)
[INFO    ] Running state [/etc/pki/redis.crt] at time 17:12:19.577405
[INFO    ] Running state [/etc/pki/redis.crt] at time 17:12:19.577405
[INFO    ] Executing state file.absent for [/etc/pki/redis.crt]
[INFO    ] Executing state file.absent for [/etc/pki/redis.crt]
[INFO    ] File /etc/pki/redis.crt is not present
[INFO    ] File /etc/pki/redis.crt is not present
[INFO    ] Completed state [/etc/pki/redis.crt] at time 17:12:19.578154 (duration_in_ms=0.75)
[INFO    ] Completed state [/etc/pki/redis.crt] at time 17:12:19.578154 (duration_in_ms=0.75)
[INFO    ] Running state [/etc/pki/filebeat.key] at time 17:12:19.578350
[INFO    ] Running state [/etc/pki/filebeat.key] at time 17:12:19.578350
[INFO    ] Executing state file.absent for [/etc/pki/filebeat.key]
[INFO    ] Executing state file.absent for [/etc/pki/filebeat.key]
[INFO    ] File /etc/pki/filebeat.key is not present
[INFO    ] File /etc/pki/filebeat.key is not present
[INFO    ] Completed state [/etc/pki/filebeat.key] at time 17:12:19.579090 (duration_in_ms=0.74)
[INFO    ] Completed state [/etc/pki/filebeat.key] at time 17:12:19.579090 (duration_in_ms=0.74)
[INFO    ] Running state [/etc/pki/filebeat.crt] at time 17:12:19.579285
[INFO    ] Running state [/etc/pki/filebeat.crt] at time 17:12:19.579285
[INFO    ] Executing state file.absent for [/etc/pki/filebeat.crt]
[INFO    ] Executing state file.absent for [/etc/pki/filebeat.crt]
[INFO    ] File /etc/pki/filebeat.crt is not present
[INFO    ] File /etc/pki/filebeat.crt is not present
[INFO    ] Completed state [/etc/pki/filebeat.crt] at time 17:12:19.580031 (duration_in_ms=0.747)
[INFO    ] Completed state [/etc/pki/filebeat.crt] at time 17:12:19.580031 (duration_in_ms=0.747)
[INFO    ] Running state [/opt/so/saltstack/local/salt/filebeat/files] at time 17:12:19.580237
[INFO    ] Running state [/opt/so/saltstack/local/salt/filebeat/files] at time 17:12:19.580237
[INFO    ] Executing state file.absent for [/opt/so/saltstack/local/salt/filebeat/files]
[INFO    ] Executing state file.absent for [/opt/so/saltstack/local/salt/filebeat/files]
[INFO    ] File /opt/so/saltstack/local/salt/filebeat/files is not present
[INFO    ] File /opt/so/saltstack/local/salt/filebeat/files is not present
[INFO    ] Completed state [/opt/so/saltstack/local/salt/filebeat/files] at time 17:12:19.580989 (duration_in_ms=0.752)
[INFO    ] Completed state [/opt/so/saltstack/local/salt/filebeat/files] at time 17:12:19.580989 (duration_in_ms=0.752)
[INFO    ] Running state [/etc/pki/registry.key] at time 17:12:19.581188
[INFO    ] Running state [/etc/pki/registry.key] at time 17:12:19.581188
[INFO    ] Executing state file.absent for [/etc/pki/registry.key]
[INFO    ] Executing state file.absent for [/etc/pki/registry.key]
[INFO    ] File /etc/pki/registry.key is not present
[INFO    ] File /etc/pki/registry.key is not present
[INFO    ] Completed state [/etc/pki/registry.key] at time 17:12:19.581934 (duration_in_ms=0.746)
[INFO    ] Completed state [/etc/pki/registry.key] at time 17:12:19.581934 (duration_in_ms=0.746)
[INFO    ] Running state [/etc/pki/registry.crt] at time 17:12:19.582137
[INFO    ] Running state [/etc/pki/registry.crt] at time 17:12:19.582137
[INFO    ] Executing state file.absent for [/etc/pki/registry.crt]
[INFO    ] Executing state file.absent for [/etc/pki/registry.crt]
[INFO    ] File /etc/pki/registry.crt is not present
[INFO    ] File /etc/pki/registry.crt is not present
[INFO    ] Completed state [/etc/pki/registry.crt] at time 17:12:19.582868 (duration_in_ms=0.731)
[INFO    ] Completed state [/etc/pki/registry.crt] at time 17:12:19.582868 (duration_in_ms=0.731)
[INFO    ] Running state [/etc/pki/elasticsearch.key] at time 17:12:19.583074
[INFO    ] Running state [/etc/pki/elasticsearch.key] at time 17:12:19.583074
[INFO    ] Executing state file.absent for [/etc/pki/elasticsearch.key]
[INFO    ] Executing state file.absent for [/etc/pki/elasticsearch.key]
[INFO    ] File /etc/pki/elasticsearch.key is not present
[INFO    ] File /etc/pki/elasticsearch.key is not present
[INFO    ] Completed state [/etc/pki/elasticsearch.key] at time 17:12:19.583802 (duration_in_ms=0.729)
[INFO    ] Completed state [/etc/pki/elasticsearch.key] at time 17:12:19.583802 (duration_in_ms=0.729)
[INFO    ] Running state [/etc/pki/elasticsearch.crt] at time 17:12:19.584013
[INFO    ] Running state [/etc/pki/elasticsearch.crt] at time 17:12:19.584013
[INFO    ] Executing state file.absent for [/etc/pki/elasticsearch.crt]
[INFO    ] Executing state file.absent for [/etc/pki/elasticsearch.crt]
[INFO    ] File /etc/pki/elasticsearch.crt is not present
[INFO    ] File /etc/pki/elasticsearch.crt is not present
[INFO    ] Completed state [/etc/pki/elasticsearch.crt] at time 17:12:19.584751 (duration_in_ms=0.738)
[INFO    ] Completed state [/etc/pki/elasticsearch.crt] at time 17:12:19.584751 (duration_in_ms=0.738)
[INFO    ] Running state [/etc/pki/elasticsearch.p12] at time 17:12:19.584951
[INFO    ] Running state [/etc/pki/elasticsearch.p12] at time 17:12:19.584951
[INFO    ] Executing state file.absent for [/etc/pki/elasticsearch.p12]
[INFO    ] Executing state file.absent for [/etc/pki/elasticsearch.p12]
[INFO    ] File /etc/pki/elasticsearch.p12 is not present
[INFO    ] File /etc/pki/elasticsearch.p12 is not present
[INFO    ] Completed state [/etc/pki/elasticsearch.p12] at time 17:12:19.585795 (duration_in_ms=0.845)
[INFO    ] Completed state [/etc/pki/elasticsearch.p12] at time 17:12:19.585795 (duration_in_ms=0.845)
[INFO    ] Running state [/etc/pki/managerssl.key] at time 17:12:19.586015
[INFO    ] Running state [/etc/pki/managerssl.key] at time 17:12:19.586015
[INFO    ] Executing state file.absent for [/etc/pki/managerssl.key]
[INFO    ] Executing state file.absent for [/etc/pki/managerssl.key]
[INFO    ] File /etc/pki/managerssl.key is not present
[INFO    ] File /etc/pki/managerssl.key is not present
[INFO    ] Completed state [/etc/pki/managerssl.key] at time 17:12:19.586743 (duration_in_ms=0.728)
[INFO    ] Completed state [/etc/pki/managerssl.key] at time 17:12:19.586743 (duration_in_ms=0.728)
[INFO    ] Running state [/etc/pki/managerssl.crt] at time 17:12:19.586942
[INFO    ] Running state [/etc/pki/managerssl.crt] at time 17:12:19.586942
[INFO    ] Executing state file.absent for [/etc/pki/managerssl.crt]
[INFO    ] Executing state file.absent for [/etc/pki/managerssl.crt]
[INFO    ] File /etc/pki/managerssl.crt is not present
[INFO    ] File /etc/pki/managerssl.crt is not present
[INFO    ] Completed state [/etc/pki/managerssl.crt] at time 17:12:19.587678 (duration_in_ms=0.737)
[INFO    ] Completed state [/etc/pki/managerssl.crt] at time 17:12:19.587678 (duration_in_ms=0.737)
[INFO    ] Running state [/etc/pki/fleet.key] at time 17:12:19.587888
[INFO    ] Running state [/etc/pki/fleet.key] at time 17:12:19.587888
[INFO    ] Executing state file.absent for [/etc/pki/fleet.key]
[INFO    ] Executing state file.absent for [/etc/pki/fleet.key]
[INFO    ] File /etc/pki/fleet.key is not present
[INFO    ] File /etc/pki/fleet.key is not present
[INFO    ] Completed state [/etc/pki/fleet.key] at time 17:12:19.588641 (duration_in_ms=0.752)
[INFO    ] Completed state [/etc/pki/fleet.key] at time 17:12:19.588641 (duration_in_ms=0.752)
[INFO    ] Running state [/etc/pki/fleet.crt] at time 17:12:19.588834
[INFO    ] Running state [/etc/pki/fleet.crt] at time 17:12:19.588834
[INFO    ] Executing state file.absent for [/etc/pki/fleet.crt]
[INFO    ] Executing state file.absent for [/etc/pki/fleet.crt]
[INFO    ] File /etc/pki/fleet.crt is not present
[INFO    ] File /etc/pki/fleet.crt is not present
[INFO    ] Completed state [/etc/pki/fleet.crt] at time 17:12:19.589571 (duration_in_ms=0.737)
[INFO    ] Completed state [/etc/pki/fleet.crt] at time 17:12:19.589571 (duration_in_ms=0.737)
[INFO    ] Running state [/opt/so/conf/filebeat/etc/pki] at time 17:12:19.589764
[INFO    ] Running state [/opt/so/conf/filebeat/etc/pki] at time 17:12:19.589764
[INFO    ] Executing state file.absent for [/opt/so/conf/filebeat/etc/pki]
[INFO    ] Executing state file.absent for [/opt/so/conf/filebeat/etc/pki]
[INFO    ] File /opt/so/conf/filebeat/etc/pki is not present
[INFO    ] File /opt/so/conf/filebeat/etc/pki is not present
[INFO    ] Completed state [/opt/so/conf/filebeat/etc/pki] at time 17:12:19.590507 (duration_in_ms=0.742)
[INFO    ] Completed state [/opt/so/conf/filebeat/etc/pki] at time 17:12:19.590507 (duration_in_ms=0.742)
[INFO    ] Running state [/etc/pki/kafka.crt] at time 17:12:19.590701
[INFO    ] Running state [/etc/pki/kafka.crt] at time 17:12:19.590701
[INFO    ] Executing state file.absent for [/etc/pki/kafka.crt]
[INFO    ] Executing state file.absent for [/etc/pki/kafka.crt]
[INFO    ] File /etc/pki/kafka.crt is not present
[INFO    ] File /etc/pki/kafka.crt is not present
[INFO    ] Completed state [/etc/pki/kafka.crt] at time 17:12:19.591441 (duration_in_ms=0.741)
[INFO    ] Completed state [/etc/pki/kafka.crt] at time 17:12:19.591441 (duration_in_ms=0.741)
[INFO    ] Running state [/etc/pki/kafka.key] at time 17:12:19.591634
[INFO    ] Running state [/etc/pki/kafka.key] at time 17:12:19.591634
[INFO    ] Executing state file.absent for [/etc/pki/kafka.key]
[INFO    ] Executing state file.absent for [/etc/pki/kafka.key]
[INFO    ] File /etc/pki/kafka.key is not present
[INFO    ] File /etc/pki/kafka.key is not present
[INFO    ] Completed state [/etc/pki/kafka.key] at time 17:12:19.592393 (duration_in_ms=0.759)
[INFO    ] Completed state [/etc/pki/kafka.key] at time 17:12:19.592393 (duration_in_ms=0.759)
[INFO    ] Running state [/etc/pki/kafka-logstash.crt] at time 17:12:19.592587
[INFO    ] Running state [/etc/pki/kafka-logstash.crt] at time 17:12:19.592587
[INFO    ] Executing state file.absent for [/etc/pki/kafka-logstash.crt]
[INFO    ] Executing state file.absent for [/etc/pki/kafka-logstash.crt]
[INFO    ] File /etc/pki/kafka-logstash.crt is not present
[INFO    ] File /etc/pki/kafka-logstash.crt is not present
[INFO    ] Completed state [/etc/pki/kafka-logstash.crt] at time 17:12:19.593335 (duration_in_ms=0.748)
[INFO    ] Completed state [/etc/pki/kafka-logstash.crt] at time 17:12:19.593335 (duration_in_ms=0.748)
[INFO    ] Running state [/etc/pki/kafka-logstash.key] at time 17:12:19.593531
[INFO    ] Running state [/etc/pki/kafka-logstash.key] at time 17:12:19.593531
[INFO    ] Executing state file.absent for [/etc/pki/kafka-logstash.key]
[INFO    ] Executing state file.absent for [/etc/pki/kafka-logstash.key]
[INFO    ] File /etc/pki/kafka-logstash.key is not present
[INFO    ] File /etc/pki/kafka-logstash.key is not present
[INFO    ] Completed state [/etc/pki/kafka-logstash.key] at time 17:12:19.594271 (duration_in_ms=0.74)
[INFO    ] Completed state [/etc/pki/kafka-logstash.key] at time 17:12:19.594271 (duration_in_ms=0.74)
[INFO    ] Running state [/etc/pki/kafka-logstash.p12] at time 17:12:19.594465
[INFO    ] Running state [/etc/pki/kafka-logstash.p12] at time 17:12:19.594465
[INFO    ] Executing state file.absent for [/etc/pki/kafka-logstash.p12]
[INFO    ] Executing state file.absent for [/etc/pki/kafka-logstash.p12]
[INFO    ] File /etc/pki/kafka-logstash.p12 is not present
[INFO    ] File /etc/pki/kafka-logstash.p12 is not present
[INFO    ] Completed state [/etc/pki/kafka-logstash.p12] at time 17:12:19.595212 (duration_in_ms=0.747)
[INFO    ] Completed state [/etc/pki/kafka-logstash.p12] at time 17:12:19.595212 (duration_in_ms=0.747)
local:
----------
          ID: trusttheca
    Function: file.absent
        Name: /etc/pki/tls/certs/intca.crt
      Result: True
     Comment: File /etc/pki/tls/certs/intca.crt is not present
     Started: 17:12:19.571501
    Duration: 0.842 ms
     Changes:   
----------
          ID: symlinkca
    Function: file.absent
        Name: /etc/ssl/certs/intca.crt
      Result: True
     Comment: File /etc/ssl/certs/intca.crt is not present
     Started: 17:12:19.572542
    Duration: 0.749 ms
     Changes:   
----------
          ID: influxdb_key
    Function: file.absent
        Name: /etc/pki/influxdb.key
      Result: True
     Comment: File /etc/pki/influxdb.key is not present
     Started: 17:12:19.573485
    Duration: 1.84 ms
     Changes:   
----------
          ID: influxdb_crt
    Function: file.absent
        Name: /etc/pki/influxdb.crt
      Result: True
     Comment: File /etc/pki/influxdb.crt is not present
     Started: 17:12:19.575520
    Duration: 0.756 ms
     Changes:   
----------
          ID: redis_key
    Function: file.absent
        Name: /etc/pki/redis.key
      Result: True
     Comment: File /etc/pki/redis.key is not present
     Started: 17:12:19.576470
    Duration: 0.74 ms
     Changes:   
----------
          ID: redis_crt
    Function: file.absent
        Name: /etc/pki/redis.crt
      Result: True
     Comment: File /etc/pki/redis.crt is not present
     Started: 17:12:19.577404
    Duration: 0.75 ms
     Changes:   
----------
          ID: etc_filebeat_key
    Function: file.absent
        Name: /etc/pki/filebeat.key
      Result: True
     Comment: File /etc/pki/filebeat.key is not present
     Started: 17:12:19.578350
    Duration: 0.74 ms
     Changes:   
----------
          ID: etc_filebeat_crt
    Function: file.absent
        Name: /etc/pki/filebeat.crt
      Result: True
     Comment: File /etc/pki/filebeat.crt is not present
     Started: 17:12:19.579284
    Duration: 0.747 ms
     Changes:   
----------
          ID: filebeatdir
    Function: file.absent
        Name: /opt/so/saltstack/local/salt/filebeat/files
      Result: True
     Comment: File /opt/so/saltstack/local/salt/filebeat/files is not present
     Started: 17:12:19.580237
    Duration: 0.752 ms
     Changes:   
----------
          ID: registry_key
    Function: file.absent
        Name: /etc/pki/registry.key
      Result: True
     Comment: File /etc/pki/registry.key is not present
     Started: 17:12:19.581188
    Duration: 0.746 ms
     Changes:   
----------
          ID: registry_crt
    Function: file.absent
        Name: /etc/pki/registry.crt
      Result: True
     Comment: File /etc/pki/registry.crt is not present
     Started: 17:12:19.582137
    Duration: 0.731 ms
     Changes:   
----------
          ID: /etc/pki/elasticsearch.key
    Function: file.absent
      Result: True
     Comment: File /etc/pki/elasticsearch.key is not present
     Started: 17:12:19.583073
    Duration: 0.729 ms
     Changes:   
----------
          ID: /etc/pki/elasticsearch.crt
    Function: file.absent
      Result: True
     Comment: File /etc/pki/elasticsearch.crt is not present
     Started: 17:12:19.584013
    Duration: 0.738 ms
     Changes:   
----------
          ID: remove_elasticsearch.p12
    Function: file.absent
        Name: /etc/pki/elasticsearch.p12
      Result: True
     Comment: File /etc/pki/elasticsearch.p12 is not present
     Started: 17:12:19.584950
    Duration: 0.845 ms
     Changes:   
----------
          ID: managerssl_key
    Function: file.absent
        Name: /etc/pki/managerssl.key
      Result: True
     Comment: File /etc/pki/managerssl.key is not present
     Started: 17:12:19.586015
    Duration: 0.728 ms
     Changes:   
----------
          ID: managerssl_crt
    Function: file.absent
        Name: /etc/pki/managerssl.crt
      Result: True
     Comment: File /etc/pki/managerssl.crt is not present
     Started: 17:12:19.586941
    Duration: 0.737 ms
     Changes:   
----------
          ID: fleet_key
    Function: file.absent
        Name: /etc/pki/fleet.key
      Result: True
     Comment: File /etc/pki/fleet.key is not present
     Started: 17:12:19.587889
    Duration: 0.752 ms
     Changes:   
----------
          ID: fleet_crt
    Function: file.absent
        Name: /etc/pki/fleet.crt
      Result: True
     Comment: File /etc/pki/fleet.crt is not present
     Started: 17:12:19.588834
    Duration: 0.737 ms
     Changes:   
----------
          ID: fbcertdir
    Function: file.absent
        Name: /opt/so/conf/filebeat/etc/pki
      Result: True
     Comment: File /opt/so/conf/filebeat/etc/pki is not present
     Started: 17:12:19.589765
    Duration: 0.742 ms
     Changes:   
----------
          ID: kafka_crt
    Function: file.absent
        Name: /etc/pki/kafka.crt
      Result: True
     Comment: File /etc/pki/kafka.crt is not present
     Started: 17:12:19.590700
    Duration: 0.741 ms
     Changes:   
----------
          ID: kafka_key
    Function: file.absent
        Name: /etc/pki/kafka.key
      Result: True
     Comment: File /etc/pki/kafka.key is not present
     Started: 17:12:19.591634
    Duration: 0.759 ms
     Changes:   
----------
          ID: kafka_logstash_crt
    Function: file.absent
        Name: /etc/pki/kafka-logstash.crt
      Result: True
     Comment: File /etc/pki/kafka-logstash.crt is not present
     Started: 17:12:19.592587
    Duration: 0.748 ms
     Changes:   
----------
          ID: kafka_logstash_key
    Function: file.absent
        Name: /etc/pki/kafka-logstash.key
      Result: True
     Comment: File /etc/pki/kafka-logstash.key is not present
     Started: 17:12:19.593531
    Duration: 0.74 ms
     Changes:   
----------
          ID: kafka_logstash_keystore
    Function: file.absent
        Name: /etc/pki/kafka-logstash.p12
      Result: True
     Comment: File /etc/pki/kafka-logstash.p12 is not present
     Started: 17:12:19.594465
    Duration: 0.747 ms
     Changes:   

Summary for local
-------------
Succeeded: 24
Failed:     0
-------------
Total states run:     24
Total run time:   19.136 ms
local:
----------
          ID: trusttheca
    Function: file.absent
        Name: /etc/pki/tls/certs/intca.crt
      Result: True
     Comment: File /etc/pki/tls/certs/intca.crt is not present
     Started: 17:12:19.571501
    Duration: 0.842 ms
     Changes:   
----------
          ID: symlinkca
    Function: file.absent
        Name: /etc/ssl/certs/intca.crt
      Result: True
     Comment: File /etc/ssl/certs/intca.crt is not present
     Started: 17:12:19.572542
    Duration: 0.749 ms
     Changes:   
----------
          ID: influxdb_key
    Function: file.absent
        Name: /etc/pki/influxdb.key
      Result: True
     Comment: File /etc/pki/influxdb.key is not present
     Started: 17:12:19.573485
    Duration: 1.84 ms
     Changes:   
----------
          ID: influxdb_crt
    Function: file.absent
        Name: /etc/pki/influxdb.crt
      Result: True
     Comment: File /etc/pki/influxdb.crt is not present
     Started: 17:12:19.575520
    Duration: 0.756 ms
     Changes:   
----------
          ID: redis_key
    Function: file.absent
        Name: /etc/pki/redis.key
      Result: True
     Comment: File /etc/pki/redis.key is not present
     Started: 17:12:19.576470
    Duration: 0.74 ms
     Changes:   
----------
          ID: redis_crt
    Function: file.absent
        Name: /etc/pki/redis.crt
      Result: True
     Comment: File /etc/pki/redis.crt is not present
     Started: 17:12:19.577404
    Duration: 0.75 ms
     Changes:   
----------
          ID: etc_filebeat_key
    Function: file.absent
        Name: /etc/pki/filebeat.key
      Result: True
     Comment: File /etc/pki/filebeat.key is not present
     Started: 17:12:19.578350
    Duration: 0.74 ms
     Changes:   
----------
          ID: etc_filebeat_crt
    Function: file.absent
        Name: /etc/pki/filebeat.crt
      Result: True
     Comment: File /etc/pki/filebeat.crt is not present
     Started: 17:12:19.579284
    Duration: 0.747 ms
     Changes:   
----------
          ID: filebeatdir
    Function: file.absent
        Name: /opt/so/saltstack/local/salt/filebeat/files
      Result: True
     Comment: File /opt/so/saltstack/local/salt/filebeat/files is not present
     Started: 17:12:19.580237
    Duration: 0.752 ms
     Changes:   
----------
          ID: registry_key
    Function: file.absent
        Name: /etc/pki/registry.key
      Result: True
     Comment: File /etc/pki/registry.key is not present
     Started: 17:12:19.581188
    Duration: 0.746 ms
     Changes:   
----------
          ID: registry_crt
    Function: file.absent
        Name: /etc/pki/registry.crt
      Result: True
     Comment: File /etc/pki/registry.crt is not present
     Started: 17:12:19.582137
    Duration: 0.731 ms
     Changes:   
----------
          ID: /etc/pki/elasticsearch.key
    Function: file.absent
      Result: True
     Comment: File /etc/pki/elasticsearch.key is not present
     Started: 17:12:19.583073
    Duration: 0.729 ms
     Changes:   
----------
          ID: /etc/pki/elasticsearch.crt
    Function: file.absent
      Result: True
     Comment: File /etc/pki/elasticsearch.crt is not present
     Started: 17:12:19.584013
    Duration: 0.738 ms
     Changes:   
----------
          ID: remove_elasticsearch.p12
    Function: file.absent
        Name: /etc/pki/elasticsearch.p12
      Result: True
     Comment: File /etc/pki/elasticsearch.p12 is not present
     Started: 17:12:19.584950
    Duration: 0.845 ms
     Changes:   
----------
          ID: managerssl_key
    Function: file.absent
        Name: /etc/pki/managerssl.key
      Result: True
     Comment: File /etc/pki/managerssl.key is not present
     Started: 17:12:19.586015
    Duration: 0.728 ms
     Changes:   
----------
          ID: managerssl_crt
    Function: file.absent
        Name: /etc/pki/managerssl.crt
      Result: True
     Comment: File /etc/pki/managerssl.crt is not present
     Started: 17:12:19.586941
    Duration: 0.737 ms
     Changes:   
----------
          ID: fleet_key
    Function: file.absent
        Name: /etc/pki/fleet.key
      Result: True
     Comment: File /etc/pki/fleet.key is not present
     Started: 17:12:19.587889
    Duration: 0.752 ms
     Changes:   
----------
          ID: fleet_crt
    Function: file.absent
        Name: /etc/pki/fleet.crt
      Result: True
     Comment: File /etc/pki/fleet.crt is not present
     Started: 17:12:19.588834
    Duration: 0.737 ms
     Changes:   
----------
          ID: fbcertdir
    Function: file.absent
        Name: /opt/so/conf/filebeat/etc/pki
      Result: True
     Comment: File /opt/so/conf/filebeat/etc/pki is not present
     Started: 17:12:19.589765
    Duration: 0.742 ms
     Changes:   
----------
          ID: kafka_crt
    Function: file.absent
        Name: /etc/pki/kafka.crt
      Result: True
     Comment: File /etc/pki/kafka.crt is not present
     Started: 17:12:19.590700
    Duration: 0.741 ms
     Changes:   
----------
          ID: kafka_key
    Function: file.absent
        Name: /etc/pki/kafka.key
      Result: True
     Comment: File /etc/pki/kafka.key is not present
     Started: 17:12:19.591634
    Duration: 0.759 ms
     Changes:   
----------
          ID: kafka_logstash_crt
    Function: file.absent
        Name: /etc/pki/kafka-logstash.crt
      Result: True
     Comment: File /etc/pki/kafka-logstash.crt is not present
     Started: 17:12:19.592587
    Duration: 0.748 ms
     Changes:   
----------
          ID: kafka_logstash_key
    Function: file.absent
        Name: /etc/pki/kafka-logstash.key
      Result: True
     Comment: File /etc/pki/kafka-logstash.key is not present
     Started: 17:12:19.593531
    Duration: 0.74 ms
     Changes:   
----------
          ID: kafka_logstash_keystore
    Function: file.absent
        Name: /etc/pki/kafka-logstash.p12
      Result: True
     Comment: File /etc/pki/kafka-logstash.p12 is not present
     Started: 17:12:19.594465
    Duration: 0.747 ms
     Changes:   

Summary for local
-------------
Succeeded: 24
Failed:     0
-------------
Total states run:     24
Total run time:   19.136 ms
2025-11-21T17:12:19Z | INFO | Checking service salt-minion status
2025-11-21T17:12:19Z | INFO | Checking service salt-minion status
2025-11-21T17:12:19Z | INFO |   salt-minion is not running
2025-11-21T17:12:19Z | INFO |   salt-minion is not running
2025-11-21T17:12:19Z | INFO | Checking service salt-minion status
2025-11-21T17:12:19Z | INFO | Checking service salt-minion status
2025-11-21T17:12:19Z | INFO |   salt-minion is not running
2025-11-21T17:12:19Z | INFO |   salt-minion is not running
2025-11-21T17:12:19Z | INFO | Executing command: elastic-agent uninstall -f
2025-11-21T17:12:19Z | INFO | Executing command: elastic-agent uninstall -f
./so-functions: line 40: elastic-agent: command not found
./so-functions: line 40: elastic-agent: command not found
2025-11-21T17:12:19Z | INFO | System reinstall init has been completed.
2025-11-21T17:12:19Z | INFO | Restarting Docker...
2025-11-21T17:12:19Z | INFO | Executing command: systemctl restart docker

-----------------------------
 Parsing Username for Install
-----------------------------


-----------------------------
 Initializing Setup
-----------------------------

2025-11-21T17:12:20Z | INFO | Installing as the secsensor user

-----------------------------
 System Characteristics
-----------------------------

2025-11-21T17:12:20Z | INFO | Executing command: uptime
 17:12:20 up  1:49,  1 user,  load average: 0.08, 0.02, 0.01
2025-11-21T17:12:20Z | INFO | Executing command: uname -a
Linux onionsensor 5.15.0-314.193.5.4.el9uek.x86_64 #2 SMP Tue Nov 11 13:08:11 PST 2025 x86_64 x86_64 x86_64 GNU/Linux
2025-11-21T17:12:20Z | INFO | Executing command: free -h
               total        used        free      shared  buff/cache   available
Mem:            46Gi       1.1Gi        44Gi        17Mi       1.7Gi        45Gi
Swap:           23Gi          0B        23Gi
2025-11-21T17:12:20Z | INFO | Executing command: lscpu
Architecture:                            x86_64
CPU op-mode(s):                          32-bit, 64-bit
Address sizes:                           40 bits physical, 48 bits virtual
Byte Order:                              Little Endian
CPU(s):                                  12
On-line CPU(s) list:                     0-11
Vendor ID:                               GenuineIntel
BIOS Vendor ID:                          Intel
Model name:                              Intel(R) Xeon(R) CPU           X5690  @ 3.47GHz
BIOS Model name:                         Intel(R) Xeon(R) CPU X5690 @ 3.47GHz
CPU family:                              6
Model:                                   44
Thread(s) per core:                      2
Core(s) per socket:                      6
Socket(s):                               1
Stepping:                                2
Frequency boost:                         enabled
CPU(s) scaling MHz:                      97%
CPU max MHz:                             3459.0000
CPU min MHz:                             1596.0000
BogoMIPS:                                6933.71
Flags:                                   fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ht tm pbe syscall nx pdpe1gb rdtscp lm constant_tsc arch_perfmon pebs bts rep_good nopl xtopology nonstop_tsc cpuid aperfmperf pni pclmulqdq dtes64 monitor ds_cpl vmx smx est tm2 ssse3 cx16 xtpr pdcm pcid dca sse4_1 sse4_2 popcnt aes lahf_lm epb pti ssbd ibrs ibpb stibp tpr_shadow flexpriority ept vpid dtherm ida arat vnmi flush_l1d
Virtualization:                          VT-x
L1d cache:                               192 KiB (6 instances)
L1i cache:                               192 KiB (6 instances)
L2 cache:                                1.5 MiB (6 instances)
L3 cache:                                12 MiB (1 instance)
NUMA node(s):                            1
NUMA node0 CPU(s):                       0-11
Vulnerability Gather data sampling:      Not affected
Vulnerability Indirect target selection: Not affected
Vulnerability Itlb multihit:             KVM: Mitigation: VMX disabled
Vulnerability L1tf:                      Mitigation; PTE Inversion; VMX conditional cache flushes, SMT vulnerable
Vulnerability Mds:                       Vulnerable: Clear CPU buffers attempted, no microcode; SMT vulnerable
Vulnerability Meltdown:                  Mitigation; PTI
Vulnerability Mmio stale data:           Unknown: No mitigations
Vulnerability Reg file data sampling:    Not affected
Vulnerability Retbleed:                  Not affected
Vulnerability Spec rstack overflow:      Not affected
Vulnerability Spec store bypass:         Mitigation; Speculative Store Bypass disabled via prctl
Vulnerability Spectre v1:                Mitigation; usercopy/swapgs barriers and __user pointer sanitization
Vulnerability Spectre v2:                Mitigation; Retpolines; IBPB conditional; IBRS_FW; STIBP conditional; RSB filling; PBRSB-eIBRS Not affected; BHI Not affected
Vulnerability Srbds:                     Not affected
Vulnerability Tsa:                       Not affected
Vulnerability Tsx async abort:           Not affected
Vulnerability Vmscape:                   Not affected
2025-11-21T17:12:20Z | INFO | Executing command: df -h
Filesystem           Size  Used Avail Use% Mounted on
devtmpfs             4.0M     0  4.0M   0% /dev
tmpfs                 24G     0   24G   0% /dev/shm
tmpfs                9.4G   18M  9.4G   1% /run
/dev/mapper/ol-root   70G   18G   53G  26% /
/dev/sdb1            960M  443M  518M  47% /boot
/dev/mapper/ol-home  353G  3.2G  350G   1% /home
/dev/md126           932G   19G  913G   3% /nsm
tmpfs                4.7G     0  4.7G   0% /run/user/939
tmpfs                4.7G     0  4.7G   0% /run/user/1000
2025-11-21T17:12:20Z | INFO | Executing command: ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: ens1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:10:18:d9:37:43 brd ff:ff:ff:ff:ff:ff
    altname enp3s0
    inet 172.25.70.56/24 brd 172.25.70.255 scope global noprefixroute ens1
       valid_lft forever preferred_lft forever
    inet6 fe80::210:18ff:fed9:3743/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever
3: enp1s0: <BROADCAST,NOARP,PROMISC,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether a0:b3:cc:f7:eb:b7 brd ff:ff:ff:ff:ff:ff
5: sobridge: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default 
    link/ether 02:42:41:e0:13:c4 brd ff:ff:ff:ff:ff:ff
    inet 172.17.1.1/24 brd 172.17.1.255 scope global sobridge
       valid_lft forever preferred_lft forever
211: bond0: <NO-CARRIER,BROADCAST,MULTICAST,MASTER,UP> mtu 9000 qdisc noqueue state DOWN group default qlen 1000
    link/ether 5e:5b:a5:67:8f:b1 brd ff:ff:ff:ff:ff:ff
212: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default 
    link/ether 02:42:59:ab:3b:fc brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/24 brd 172.17.0.255 scope global docker0
       valid_lft forever preferred_lft forever
2025-11-21T17:12:20Z | INFO | Beginning Security Onion iso install
2025-11-21T17:12:20Z | INFO | Setup is running on TTY /dev/pts/0
2025-11-21T17:12:30Z | INFO | Setting up as node type sensor

-----------------------------
 Initializing Network
-----------------------------

2025-11-21T17:13:32Z | INFO | Disabling ipv6
2025-11-21T17:13:32Z | INFO | Disabling ipv6
2025-11-21T17:13:32Z | INFO | Executing command: sysctl -w net.ipv6.conf.all.disable_ipv6=1
2025-11-21T17:13:32Z | INFO | Executing command: sysctl -w net.ipv6.conf.all.disable_ipv6=1
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.all.disable_ipv6 = 1
2025-11-21T17:13:32Z | INFO | Executing command: sysctl -w net.ipv6.conf.default.disable_ipv6=1
2025-11-21T17:13:32Z | INFO | Executing command: sysctl -w net.ipv6.conf.default.disable_ipv6=1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
2025-11-21T17:13:32Z | INFO | Executing command: hostnamectl set-hostname --static onionsensor
2025-11-21T17:13:32Z | INFO | Executing command: hostname -F /etc/hostname

-----------------------------
 Setting up the main interface
-----------------------------

Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/39)
2025-11-21T17:13:32Z | INFO | Gathering the management IP. 
2025-11-21T17:13:38Z | INFO | Removing onion from /etc/hosts if present.
2025-11-21T17:13:39Z | INFO | Adding onion to /etc/hosts with IP: 172.25.70.55
2025-11-21T17:13:39Z | INFO | Checking manager connectivity
2025-11-21T17:13:39Z | INFO | Testing if setup is running on a cloud instance...
2025-11-21T17:13:39Z | INFO | This does not appear to be a cloud installation.
2025-11-21T17:13:42Z | INFO | MINION_ID = onionsensor_sensor
Install summary:
Security Onion Version: 2.4.170
Node Type: SENSOR
Hostname: onionsensor
Description: Security Onion PCAP sensor
Network: STATIC
Management NIC: ens1
Management IP: 172.25.70.56
Gateway: 172.25.70.1
DNS: 10.152.51.6 10.152.51.9
DNS Domain: lcco.co.lucas.oh.us
Proxy: N/A
Bond NIC(s):
  - enp1s0

-----------------------------
 Determine ES Heap Size
-----------------------------


-----------------------------
 Setting Logstash heap size
-----------------------------


-----------------------------
 Setting the MTU to 9000 on all monitor NICS
-----------------------------

2025-11-21T17:13:43Z | INFO | Interface set to bond0
2025-11-21T17:13:43Z | INFO | Setting up sensor interface
2025-11-21T17:13:43Z | INFO | Configuring bond interface settings, since this is a not a cloud installation...
Warning: There is another connection with the name 'bond0'. Reference the connection by its uuid '699a8235-65a7-420e-9749-aca8479f7646'
Connection 'bond0' (699a8235-65a7-420e-9749-aca8479f7646) successfully added.
Could not change any device features
Error: Connection activation failed: Unknown error
Hint: use 'journalctl -xe NM_CONNECTION=1588696d-8b6f-4f8e-8719-ab03ddc78175 + NM_DEVICE=enp1s0' to get more details.
2025-11-21T17:13:44Z | INFO | Ephemeral ports already reserved

-----------------------------
 Marking the current version
-----------------------------

2025-11-21T17:13:44Z | INFO | Clearing the old manager
2025-11-21T17:13:44Z | INFO | Executing command: dnf -v clean all
Loaded plugins: builddep, changelog, config-manager, copr, debug, debuginfo-install, download, generate_completion_cache, groups-manager, needs-restarting, playground, repoclosure, repodiff, repograph, repomanage, reposync, system-upgrade, versionlock
DNF version: 4.14.0
cachedir: /var/cache/yum/x86_64/9
Cleaning data: metadata packages dbcache
5 files removed
2025-11-21T17:13:44Z | INFO | Executing command: mkdir -vp /root/oldrepos
2025-11-21T17:13:44Z | INFO | Executing command: mv -v /etc/yum.repos.d/* /root/oldrepos/
renamed '/etc/yum.repos.d/securityonion.repo' -> '/root/oldrepos/securityonion.repo'
2025-11-21T17:13:44Z | INFO | Executing command: dnf repolist all
repo id                          repo name                               status
securityonion                    Security Onion Repo                     enabled
2025-11-21T17:13:45Z | INFO | Executing command: dnf repolist
repo id                              repo name
securityonion                        Security Onion Repo
2025-11-21T17:13:45Z | INFO | Executing command: dnf -y update --allowerasing --exclude=salt*,docker*,containerd*
Security Onion Repo                              25 MB/s | 3.8 MB     00:00    
Last metadata expiration check: 0:00:01 ago on Fri 21 Nov 2025 05:13:45 PM UTC.
Dependencies resolved.
Nothing to do.
Complete!
2025-11-21T17:13:46Z | INFO | Removing repo files added by oracle-repos package update
2025-11-21T17:13:46Z | INFO | Executing command: rm -f /etc/yum.repos.d/oracle-linux-ol9.repo
2025-11-21T17:13:46Z | INFO | Executing command: rm -f /etc/yum.repos.d/uek-ol9.repo
2025-11-21T17:13:46Z | INFO | Executing command: rm -f /etc/yum.repos.d/virt-ol9.repo
2025-11-21T17:13:46Z | INFO | Installing Salt
2025-11-21T17:13:46Z | INFO | Executing command: dnf -y install salt-3006.9 salt-minion-3006.9
Last metadata expiration check: 0:00:02 ago on Fri 21 Nov 2025 05:13:45 PM UTC.
Package salt-3006.9-0.x86_64 is already installed.
Package salt-minion-3006.9-0.x86_64 is already installed.
Dependencies resolved.
Nothing to do.
Complete!
2025-11-21T17:13:47Z | INFO | Executing command: mkdir -p /etc/salt/minion.d
2025-11-21T17:13:47Z | INFO | Executing command: salt-call state.apply salt.python_modules --local --file-root=../salt/
local:
----------
          ID: docker_module_package
    Function: file.recurse
        Name: /opt/so/conf/salt/module_packages/docker
      Result: True
     Comment: Recursively updated /opt/so/conf/salt/module_packages/docker
     Started: 17:13:48.723381
    Duration: 140.125 ms
     Changes:   
              ----------
              /opt/so/conf/salt/module_packages/docker/certifi-2024.7.4-py3-none-any.whl:
                  ----------
                  diff:
                      New file
                  mode:
                      0644
              /opt/so/conf/salt/module_packages/docker/charset_normalizer-3.3.2-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl:
                  ----------
                  diff:
                      New file
                  mode:
                      0644
              /opt/so/conf/salt/module_packages/docker/docker-7.1.0-py3-none-any.whl:
                  ----------
                  diff:
                      New file
                  mode:
                      0644
              /opt/so/conf/salt/module_packages/docker/idna-3.8-py3-none-any.whl:
                  ----------
                  diff:
                      New file
                  mode:
                      0644
              /opt/so/conf/salt/module_packages/docker/requests-2.32.3-py3-none-any.whl:
                  ----------
                  diff:
                      New file
                  mode:
                      0644
              /opt/so/conf/salt/module_packages/docker/urllib3-2.2.2-py3-none-any.whl:
                  ----------
                  diff:
                      New file
                  mode:
                      0644
----------
          ID: docker_python_module_install
    Function: cmd.run
        Name: /opt/saltstack/salt/bin/python3.10 -m pip install docker --no-index --find-links=/opt/so/conf/salt/module_packages/docker/ --upgrade
      Result: True
     Comment: Command "/opt/saltstack/salt/bin/python3.10 -m pip install docker --no-index --find-links=/opt/so/conf/salt/module_packages/docker/ --upgrade" run
     Started: 17:13:48.864714
    Duration: 884.216 ms
     Changes:   
              ----------
              pid:
                  59087
              retcode:
                  0
              stderr:
                  WARNING: Running pip as the 'root' user can result in broken permissions and conflicting behaviour with the system package manager. It is recommended to use a virtual environment instead: https://pip.pypa.io/warnings/venv
              stdout:
                  Looking in links: /opt/so/conf/salt/module_packages/docker/
                  Requirement already satisfied: docker in /opt/saltstack/salt/lib/python3.10/site-packages (7.1.0)
                  Requirement already satisfied: requests>=2.26.0 in /opt/saltstack/salt/lib/python3.10/site-packages (from docker) (2.32.3)
                  Requirement already satisfied: urllib3>=1.26.0 in /opt/saltstack/salt/lib/python3.10/site-packages (from docker) (1.26.18)
                  Requirement already satisfied: charset-normalizer<4,>=2 in /opt/saltstack/salt/lib/python3.10/site-packages (from requests>=2.26.0->docker) (3.2.0)
                  Requirement already satisfied: idna<4,>=2.5 in /opt/saltstack/salt/lib/python3.10/site-packages (from requests>=2.26.0->docker) (3.7)
                  Requirement already satisfied: certifi>=2017.4.17 in /opt/saltstack/salt/lib/python3.10/site-packages (from requests>=2.26.0->docker) (2024.7.4)

Summary for local
------------
Succeeded: 2 (changed=2)
Failed:    0
------------
Total states run:     2
Total run time:   1.024 s
2025-11-21T17:13:49Z | INFO | Executing command: salt-call state.apply salt.patch.x509_v2 --local --file-root=../salt/
local:
----------
          ID: patch_x509_v2_state_module
    Function: file.replace
        Name: /opt/saltstack/salt/lib/python3.10/site-packages/salt/states/x509_v2.py
      Result: True
     Comment: No changes needed to be made
     Started: 17:13:51.059495
    Duration: 29.884 ms
     Changes:   

Summary for local
------------
Succeeded: 1
Failed:    0
------------
Total states run:     1
Total run time:  29.884 ms
2025-11-21T17:13:51Z | INFO | Configuring minion type as sensor
2025-11-21T17:13:51Z | INFO | Running: salt-call state.apply salt.mine_functions --local --file-root=../salt/ -l info pillar='{host: {mainint: ens1}}'
2025-11-21T17:13:53Z | INFO | Executing command: systemctl enable salt-minion
2025-11-21T17:13:53Z | INFO | Executing command: systemctl enable salt-minion
2025-11-21T17:13:53Z | INFO | Executing command: systemctl restart salt-minion
2025-11-21T17:13:53Z | INFO | Executing command: systemctl restart salt-minion
2025-11-21T17:13:54Z | INFO | Not an appliance
2025-11-21T17:13:54Z | INFO | Check if hypervisor or managerhype
2025-11-21T17:13:54Z | INFO | Verifying setup
WARNING: Errors detected during setup.
--------- ERRORS ---------
[ERROR   ] Encountered StreamClosedException
Error: Connection activation failed: Unknown error
--------------------------

This is the last so-setup after I ran the so-setup iso command. I also have allowed the sensor to join the ManagerSerach member.

[Mr-Dilkington]

Here's mine. This is a standalone install using securityonion-2.4.160-20250625.iso. I've used an older version on purpose as I think this is telling us something. I am 100% sure I used this ISO previously and didn't have this problem. This is also on a completely different hypervisor from the one where I first ran into this. There is only one thing I can think of that has changed (and might coincide with the observation I made above wrt Proxmox) - the version of Proxmox is different. When all of this was working before, I believe I was on v8 but upgraded to v9 a few weeks after it was released. I believe that's when my grid broke or more specifically, the sensor stopped sending data to the manager/receiver. Again, I have done multiple installations of manager, receiver and search nodes without issue but when installing a sensor node or a standalone node (which of course includes the sensor), this is what happens. Anyhow, here is the log:

sosetup.log

[Mr-Dilkington]

Decided something else. Tried changing the capture interface in proxmox by changing from a virtio nic to an E1000. Rebooted, tried to rerun setup and it's doing the "could not resolve host: sigs.securityonion.net" thing again. Tried to resolve on another host to confirm no issues with DNS. Took a few seconds but resolved. I can see the server querying my local DNS (as well as the test system which had no issue resolving that address) and it's getting a response yet it claims to be waiting for a response. This is another variation of the failed install I've seen before and it will now just sit stuck at resolving that address indefinitely.

[Mr-Dilkington]

One install success. This time succeeded with an airgap install, securityonion-2.4.160-20250625.iso and E1000 for the capture interface. Not sure what the pattern is yet but possibly getting closer. Will go back to installing sensor on other hypervisor and try again with E1000 for capture interface but that one is the newest SO version and is also not airgapped.

[Mr-Dilkington]

Install on previous hypervisor (distributed layout) finally worked but after rebooting sensor, it never re-attaches to manager and states "System appears to be starting. No highstate has completed since the system
was restarted." when I attempt to confirm status via so-status.

Getting really hard to see any pattern here although using the simulated E1000 in proxmox for the capture interface seems to at least have changed something...

[Mr-Dilkington]

Last one for tonight. Wiped the sensor using the initial boot up from ISO one more time. Then redid the install again and everything finally worked. Still don't know why the previous install didn't work but again, the one thing that has changed here is changing the way the capture interface is presented to SO. As such, my recommendation is to try the same approach. I will create another sensor tomorrow and try everything again but go back to using the virtio NIC as the capture interface and attempt to attach to the same Manager as per above.

[reyesj2]

@Mr-Dilkington Checkout #15257 looks like a change with proxmox 9

@erlicthemad it looks like its all around the creation of bond0 / unable to manage slave interfaces to get them to join the bond0 interface. This is baremetal install not a VM in a hypervisor like proxmox? Do you have any other NIC available to use as monitor interface? What kind of NIC is it?

[erlicthemad]

I went back down and added an old 3Com network card. 3c509.

Now I see this in my interfaces.

[secsensor@onionsensor setup]$ sudo nmcli
[sudo] password for secsensor:
ens1: connected to ens1
"Broadcom and subsidiaries NetXtreme BCM5761"
ethernet (tg3), 00:10:18:D9:37:43, hw, mtu 1500
ip4 default
inet4 172.25.70.56/24
route4 172.25.70.0/24 metric 100
route4 default via 172.25.70.1 metric 100
inet6 fe80::210:18ff:fed9:3743/64
route6 fe80::/64 metric 1024

bond0: connected to bond0
"bond0"
bond, 00:04:76:C9:7D:B5, sw, mtu 9000

docker0: connected (externally) to docker0
"docker0"
bridge, 02:42:67:8A:EC:5F, sw, mtu 1500
inet4 172.17.0.1/24
route4 172.17.0.0/24 metric 0

sobridge: connected (externally) to sobridge
"sobridge"
bridge, 02:42:42:B8:2B:B3, sw, mtu 1500
inet4 172.17.1.1/24
route4 172.17.1.0/24 metric 0

lo: connected (externally) to lo
"lo"
loopback (unknown), 00:00:00:00:00:00, sw, mtu 65536
inet4 127.0.0.1/8

enp1s0: disconnected
"Broadcom and subsidiaries NetXtreme BCM5764M"
1 connection available
ethernet (tg3), A0:B3:CC:F7:EB:B7, hw, mtu 1500

ens5: disconnected
"3Com 3c905C-TX/TX-M"
2 connections available
ethernet (3c59x), 00:04:76:C9:7D:B5, hw, mtu 1500

veth12395d7: unmanaged
"veth12395d7"
ethernet (veth), 72:01:6F:C5:65:8A, sw, mtu 1500

vethdbb44b3: unmanaged
"vethdbb44b3"
ethernet (veth), 82:7C:E9:BF:8A:43, sw, mtu 1500

DNS configuration:
servers: 10.152.51.6 10.152.51.9
domains: lcco.co.lucas.oh.us
interface: ens1

[erlicthemad]

Following the suggestion from before, I ran the command to delete BOND0. Then ran the so-install. Using both the 3c509 and enp1s0 interface and I wind up in the same situation.

As a test, I disabled enp1s0 in the setup, leaving only the 3c509 interface running, and I am still in the same position.

[erlicthemad]

Looking at the strelka-backend, I am seeing the following crash logs.

`
During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/usr/local/bin/strelka-backend", line 4, in
import('pkg_resources').run_script('strelka==0.0.0', 'strelka-backend')
File "/usr/local/lib/python3.10/dist-packages/pkg_resources/init.py", line 722, in run_script
self.require(requires)[0].run_script(script_name, ns)
File "/usr/local/lib/python3.10/dist-packages/pkg_resources/init.py", line 1561, in run_script
exec(code, namespace, namespace)
File "/usr/local/lib/python3.10/dist-packages/strelka-0.0.0-py3.10.egg/EGG-INFO/scripts/strelka-backend", line 41, in
main()
File "/usr/local/lib/python3.10/dist-packages/strelka-0.0.0-py3.10.egg/EGG-INFO/scripts/strelka-backend", line 34, in main
backend = strelka.strelka.Backend(config.dictionary)
File "/usr/local/lib/python3.10/dist-packages/strelka-0.0.0-py3.10.egg/strelka/strelka.py", line 198, in init
if self.coordinator.ping():
File "/usr/local/lib/python3.10/dist-packages/redis/commands/core.py", line 1194, in ping
return self.execute_command("PING", **kwargs)
File "/usr/local/lib/python3.10/dist-packages/redis/client.py", line 1255, in execute_command
conn = self.connection or pool.get_connection(command_name, **options)
File "/usr/local/lib/python3.10/dist-packages/redis/connection.py", line 1442, in get_connection
connection.connect()
File "/usr/local/lib/python3.10/dist-packages/redis/connection.py", line 704, in connect
raise ConnectionError(self._error_message(e))
redis.exceptions.ConnectionError: Error 113 connecting to onionsensor:6380. No route to host.
/usr/local/bin/strelka-backend:4: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
import('pkg_resources').run_script('strelka==0.0.0', 'strelka-backend')
2025-11-24 19:12:26 - [ERROR] root [strelka.init]: coordinator unavailable
Traceback (most recent call last):
File "/usr/local/lib/python3.10/dist-packages/redis/connection.py", line 698, in connect
sock = self.retry.call_with_retry(
File "/usr/local/lib/python3.10/dist-packages/redis/retry.py", line 46, in call_with_retry
return do()
File "/usr/local/lib/python3.10/dist-packages/redis/connection.py", line 699, in
lambda: self._connect(), lambda error: self.disconnect(error)
File "/usr/local/lib/python3.10/dist-packages/redis/connection.py", line 987, in _connect
raise err
File "/usr/local/lib/python3.10/dist-packages/redis/connection.py", line 975, in _connect
sock.connect(socket_address)
OSError: [Errno 113] No route to host

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/usr/local/lib/python3.10/dist-packages/strelka-0.0.0-py3.10.egg/strelka/strelka.py", line 198, in init
if self.coordinator.ping():
File "/usr/local/lib/python3.10/dist-packages/redis/commands/core.py", line 1194, in ping
return self.execute_command("PING", **kwargs)
Traceback (most recent call last):
File "/usr/local/lib/python3.10/dist-packages/redis/connection.py", line 698, in connect
sock = self.retry.call_with_retry(
File "/usr/local/lib/python3.10/dist-packages/redis/retry.py", line 46, in call_with_retry
return do()
File "/usr/local/lib/python3.10/dist-packages/redis/connection.py", line 699, in
lambda: self._connect(), lambda error: self.disconnect(error)
File "/usr/local/lib/python3.10/dist-packages/redis/connection.py", line 987, in _connect
raise err
File "/usr/local/lib/python3.10/dist-packages/redis/connection.py", line 975, in _connect
sock.connect(socket_address)
OSError: [Errno 113] No route to host
`

When I check from the host there is no problem reaching my onion Manager Search node.
I also went into the docker container and found that I can ping the Manager Search node from strekla-backend without any problems. For a fraction of a second before it crashes out and resets.

[erlicthemad]

Looking at the containers. When I SH into any running container and need an IP address, all interfaces show up, and I can ping the Manager Search node. The working Strelka nodes are actually Redis servers.

[reyesj2]

We need to backtrack a bit on the installer failing, it can't add your NIC to the bond interface which is required for a sensor node

can you share ethtool -k enp1s0 and ethtool -k ens5

Have you tried running that journalctl -xe command or reviewing /var/log/messages for errors related to bond0 / NIC interface?

Connection 'bond0' (699a8235-65a7-420e-9749-aca8479f7646) successfully added.
Could not change any device features
Error: Connection activation failed: Unknown error
Hint: use 'journalctl -xe NM_CONNECTION=1588696d-8b6f-4f8e-8719-ab03ddc78175 + NM_DEVICE=enp1s0' to get more details.

[erlicthemad]

Here is the enp1s0

Features for enp1s0: rx-checksumming: on tx-checksumming: on tx-checksum-ipv4: on tx-checksum-ip-generic: off [fixed] tx-checksum-ipv6: on tx-checksum-fcoe-crc: off [fixed] tx-checksum-sctp: off [fixed] scatter-gather: on tx-scatter-gather: on tx-scatter-gather-fraglist: off [fixed] tcp-segmentation-offload: on tx-tcp-segmentation: on tx-tcp-ecn-segmentation: on tx-tcp-mangleid-segmentation: off tx-tcp6-segmentation: on generic-segmentation-offload: on generic-receive-offload: on large-receive-offload: off [fixed] rx-vlan-offload: on [fixed] tx-vlan-offload: on [fixed] ntuple-filters: off [fixed] receive-hashing: off [fixed] highdma: on rx-vlan-filter: off [fixed] vlan-challenged: off [fixed] tx-lockless: off [fixed] netns-local: off [fixed] tx-gso-robust: off [fixed] tx-fcoe-segmentation: off [fixed] tx-gre-segmentation: off [fixed] tx-gre-csum-segmentation: off [fixed] tx-ipxip4-segmentation: off [fixed] tx-ipxip6-segmentation: off [fixed] tx-udp_tnl-segmentation: off [fixed] tx-udp_tnl-csum-segmentation: off [fixed] tx-gso-partial: off [fixed] tx-tunnel-remcsum-segmentation: off [fixed] tx-sctp-segmentation: off [fixed] tx-esp-segmentation: off [fixed] tx-udp-segmentation: off [fixed] tx-gso-list: off [fixed] fcoe-mtu: off [fixed] tx-nocache-copy: off loopback: off [fixed] rx-fcs: off [fixed] rx-all: off [fixed] tx-vlan-stag-hw-insert: off [fixed] rx-vlan-stag-hw-parse: off [fixed] rx-vlan-stag-filter: off [fixed] l2-fwd-offload: off [fixed] hw-tc-offload: off [fixed] esp-hw-offload: off [fixed] esp-tx-csum-hw-offload: off [fixed] rx-udp_tunnel-port-offload: off [fixed] tls-hw-tx-offload: off [fixed] tls-hw-rx-offload: off [fixed] rx-gro-hw: off [fixed] tls-hw-record: off [fixed] rx-gro-list: off macsec-hw-offload: off [fixed] rx-udp-gro-forwarding: off hsr-tag-ins-offload: off [fixed] hsr-tag-rm-offload: off [fixed] hsr-fwd-offload: off [fixed] hsr-dup-offload: off [fixed]

Here is the ens5
Features for ens5: rx-checksumming: off [fixed] tx-checksumming: on tx-checksum-ipv4: on [fixed] tx-checksum-ip-generic: off [fixed] tx-checksum-ipv6: off [fixed] tx-checksum-fcoe-crc: off [fixed] tx-checksum-sctp: off [fixed] scatter-gather: on tx-scatter-gather: on [fixed] tx-scatter-gather-fraglist: off [fixed] tcp-segmentation-offload: off tx-tcp-segmentation: off [fixed] tx-tcp-ecn-segmentation: off [fixed] tx-tcp-mangleid-segmentation: off [fixed] tx-tcp6-segmentation: off [fixed] generic-segmentation-offload: on generic-receive-offload: on large-receive-offload: off [fixed] rx-vlan-offload: off [fixed] tx-vlan-offload: off [fixed] ntuple-filters: off [fixed] receive-hashing: off [fixed] highdma: off [fixed] rx-vlan-filter: off [fixed] vlan-challenged: off [fixed] tx-lockless: off [fixed] netns-local: off [fixed] tx-gso-robust: off [fixed] tx-fcoe-segmentation: off [fixed] tx-gre-segmentation: off [fixed] tx-gre-csum-segmentation: off [fixed] tx-ipxip4-segmentation: off [fixed] tx-ipxip6-segmentation: off [fixed] tx-udp_tnl-segmentation: off [fixed] tx-udp_tnl-csum-segmentation: off [fixed] tx-gso-partial: off [fixed] tx-tunnel-remcsum-segmentation: off [fixed] tx-sctp-segmentation: off [fixed] tx-esp-segmentation: off [fixed] tx-udp-segmentation: off [fixed] tx-gso-list: off [fixed] fcoe-mtu: off [fixed] tx-nocache-copy: off loopback: off [fixed] rx-fcs: off [fixed] rx-all: off [fixed] tx-vlan-stag-hw-insert: off [fixed] rx-vlan-stag-hw-parse: off [fixed] rx-vlan-stag-filter: off [fixed] l2-fwd-offload: off [fixed] hw-tc-offload: off [fixed] esp-hw-offload: off [fixed] esp-tx-csum-hw-offload: off [fixed] rx-udp_tunnel-port-offload: off [fixed] tls-hw-tx-offload: off [fixed] tls-hw-rx-offload: off [fixed] rx-gro-hw: off [fixed] tls-hw-record: off [fixed] rx-gro-list: off macsec-hw-offload: off [fixed] rx-udp-gro-forwarding: off hsr-tag-ins-offload: off [fixed] hsr-tag-rm-offload: off [fixed] hsr-fwd-offload: off [fixed] hsr-dup-offload: off [fixed]

And here is the log messages grepped for bond0

"
Nov 25 14:54:58 onionsensor kernel: bond0: (slave ens5): Error -22 calling dev_set_mtu
Nov 25 14:54:58 onionsensor NetworkManager[75112]: [1764082498.8602] device (bond0): attaching bond port ens5: failed
Nov 25 14:54:58 onionsensor NetworkManager[75112]: [1764082498.8602] device (ens5): Activation: connection 'bond0-slave-ens5' could not be attached as port
Nov 25 14:54:58 onionsensor NetworkManager[75112]: [1764082498.8607] device (ens5): released from controller device bond0
Nov 25 14:54:58 onionsensor NetworkManager[75112]: [1764082498.8609] device (ens5): Activation: failed for connection 'bond0-slave-ens5'
Nov 25 14:54:58 onionsensor NetworkManager[75112]: [1764082498.8618] policy: auto-activating connection 'bond0-slave-ens5' (80029ec1-5db1-4b33-a106-25e47f380173)
Nov 25 14:54:58 onionsensor NetworkManager[75112]: [1764082498.8620] device (ens5): Activation: starting connection 'bond0-slave-ens5' (80029ec1-5db1-4b33-a106-25e47f380173)
Nov 25 14:54:58 onionsensor kernel: bond0: (slave ens5): Error -22 calling dev_set_mtu
Nov 25 14:54:58 onionsensor NetworkManager[75112]: [1764082498.8906] device (bond0): attaching bond port ens5: failed
Nov 25 14:54:58 onionsensor NetworkManager[75112]: [1764082498.8906] device (ens5): Activation: connection 'bond0-slave-ens5' could not be attached as port
Nov 25 14:54:58 onionsensor NetworkManager[75112]: [1764082498.8912] device (ens5): released from controller device bond0
Nov 25 14:54:58 onionsensor NetworkManager[75112]: [1764082498.8913] device (ens5): Activation: failed for connection 'bond0-slave-ens5'
Nov 25 14:54:58 onionsensor NetworkManager[75112]: [1764082498.8923] policy: auto-activating connection 'bond0-slave-ens5' (80029ec1-5db1-4b33-a106-25e47f380173)
Nov 25 14:54:58 onionsensor NetworkManager[75112]: [1764082498.8926] device (ens5): Activation: starting connection 'bond0-slave-ens5' (80029ec1-5db1-4b33-a106-25e47f380173)
Nov 25 14:54:58 onionsensor kernel: bond0: (slave ens5): Error -22 calling dev_set_mtu
Nov 25 14:54:58 onionsensor NetworkManager[75112]: [1764082498.9210] device (bond0): attaching bond port ens5: failed
Nov 25 14:54:58 onionsensor NetworkManager[75112]: [1764082498.9210] device (ens5): Activation: connection 'bond0-slave-ens5' could not be attached as port
Nov 25 14:54:58 onionsensor NetworkManager[75112]: [1764082498.9216] device (ens5): released from controller device bond0
Nov 25 14:54:58 onionsensor NetworkManager[75112]: [1764082498.9217] device (ens5): Activation: failed for connection 'bond0-slave-ens5'
"

I see the error in the MTU setting. Both Ethernet interfaces are set to 1500 MTU, but the bond seems to want to be set to 9000 MTU. I'm not sure where it's getting the desire for jumbo frames.

I have found a link to change the MTU of the bond0 interfaces. And changed them back down to 1500 to see if that helps.

This is what my interfaces look loke now
"
[secsensor@onionsensor log]$ ip ad
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
2: ens1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:10:18:d9:37:43 brd ff:ff:ff:ff:ff:ff
altname enp3s0
inet 172.25.70.56/24 brd 172.25.70.255 scope global noprefixroute ens1
valid_lft forever preferred_lft forever
inet6 fe80::210:18ff:fed9:3743/64 scope link noprefixroute
valid_lft forever preferred_lft forever
3: enp1s0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN group default qlen 1000
link/ether a0:b3:cc:f7:eb:b7 brd ff:ff:ff:ff:ff:ff
4: ens5: <BROADCAST,NOARP,PROMISC,SLAVE,UP,LOWER_UP> mtu 1500 qdisc fq_codel master bond0 state UNKNOWN group default qlen 1000
link/ether 00:04:76:c9:7d:b5 brd ff:ff:ff:ff:ff:ff
altname enp55s9
5: bond0: <BROADCAST,MULTICAST,PROMISC,MASTER,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether 00:04:76:c9:7d:b5 brd ff:ff:ff:ff:ff:ff
7: sobridge: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 02:42:ff:9e:31:61 brd ff:ff:ff:ff:ff:ff
inet 172.17.1.1/24 brd 172.17.1.255 scope global sobridge
valid_lft forever preferred_lft forever
8: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
link/ether 02:42:f7:20:d7:e3 brd ff:ff:ff:ff:ff:ff
inet 172.17.0.1/24 brd 172.17.0.255 scope global docker0
valid_lft forever preferred_lft forever
32: veth735ffe2@if31: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master sobridge state UP group default
link/ether 92:60:0f:d7:65:5a brd ff:ff:ff:ff:ff:ff link-netnsid 0
34: veth4bfc571@if33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master sobridge state UP group default
link/ether b2:f9:ee:9f:6c:f5 brd ff:ff:ff:ff:ff:ff link-netnsid 1
[secsensor@onionsensor log]$
"

[erlicthemad]

After making the changes to the bond0 MTU, I see that the so-strelka-backend has started and stabilized. But the other three are still missing.

so-strelka-filestream, so-strelka-frontend, and so-strelka-manager.