No logs being sent from sensor to managersearch node

[BustedSec]

First, see history here #2628

I've got Security Onion in a distributed setup with a ManagerSearch node and a forward node. It shows up as connected in grid and I've confirmed salt connectivity. It is not sending any logs to the ManagerSearch server. I've confirmed it's got SPAN traffic flowing into the monitoring NIC's interface. The Sensor seems to be making local logs in /nsm/pcap /nsm/surricada and /nsm/zeek/logs. Those logs don't make it to the ManagerSearch node. Any ideas?

I am seeking assistance with troubleshooting. Running so-status on both machines shows everything is working as expected.

[defensivedepth]

Any errors when you run sudo salt-call state.highstate on both nodes?

Also, is this a network or ISO install? And version number?

[BustedSec]

Hi, The managersearch node is running ubuntu 18.04 under the hood and the sensor is built from the ISO image. Both were installed in the past week, and should be at 2.3.21 as soup says there is no newer available. The managersearch nodes output running salt-call state.highstate is shows summary Succeeded: 491 (changed=16), Failed: 0. The same command on the Forward Sensor produces Succeded: 491 (Changed=1, Failed: 0.). I also noticed today that on my SearchManager node the top is displaying Disconnected From Manager in the Web UI, this was not the case yesterday. The only change I've made since then is removing a minion from the node following the instructions at https://docs.securityonion.net/en/2.3/removing-a-node.html?highlight=remove This is especially strange since this is a ManagerSearch so as I understand it the Manager is on the same box that is now complaining about not being able to connect to the manager. I'm unsure if this message is referring to the second sensor I took offline or a communication problem on the managersearch node itself between internal. components.

Thanks for your help.

[defensivedepth]

@BustedSec Please run the following from the Manager - are the results expected?:

sudo salt \* test.ping

[BustedSec]

yes, replies back from itself and the minion

…

On Mon, Jan 18, 2021 at 1:03 PM Josh Brower ***@***.***> wrote: @BustedSec <https://github.com/BustedSec> Please run the following from the Manager - are the results expected?: sudo salt \* test.ping — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#2634 (reply in thread)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ABYWWB4QKRYXL5V5BJD76QLS2RZXTANCNFSM4WDG5OBQ> .

[defensivedepth]

Can you please post the actual results from that command?

[BustedSec]

atlas-client-02_managersearch:
True
ats-trez-fwd2_sensor:
True
ats-so-fwd-02_sensor:
Minion did not return. [No response]
The minions may not have all finished running and any remaining minions will return upon completion. To look up the return data for this job later, run the following command:

salt-run jobs.lookup_jid 20210123191842905757

[defensivedepth]

Is this still an issue? Is the Manager behind a NAT?

[BustedSec]

I managed to get it working, it was a matter of using the so-firewall command and adding it to the minion and sensor groups. Ports that should be open were not open, the manager isn't behind NAT but the minion is.

[hkcs1147]

@BustedSec I am having the same problem, can you please tell me how you fixed this problem using the so-firewall command?

[TOoSmOotH]

#2025 (reply in thread)

[grakesh-061]

I have the same issue, I am trying setup in a virtual box, no FW in between. I even verified that all host groups have the right port group assigned. Still after running nmap scan, I cant see any logs generating (as it used to generate in eval mode). I have only Forward node and a manager node, NO search node. Can someone suggest, what could be the issue ?

[dougburks]

@grakesh-061 This discussion is many months old and has been marked as answered. Looks like you created a separate discussion over at #6653 and that is the proper place to continue this discussion.

[BustedSec]

That was a long time ago, I don't remember offhand. This post may help #5910

…

On Mon, Feb 26, 2024, 7:18 PM hkcs1147 ***@***.***> wrote: @BustedSec <https://github.com/BustedSec> I am having the same problem, can you please tell me how you fixed this problem using the so-firewall command? — Reply to this email directly, view it on GitHub <#2634 (reply in thread)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ABYWWB2N5YUPO7IJZPX6GB3YVVGA5AVCNFSM4WDG5OB2U5DIOJSWCZC7NNSXTOKENFZWG5LTONUW63SDN5WW2ZLOOQ5TQNRQGAYDQOA> . You are receiving this because you were mentioned.Message ID: <Security-Onion-Solutions/securityonion/repo-discussions/2634/comments/8600088 @github.com>