after a while installing security onion alerts stop working

[pavlos1982]

I have tried the installation both a vm and a separate machine, I still get the error did not complete please see the logs, however security onion run successfully and alerts works for a while then it stop working all together see screenshot, please help, thanks

I also noticed when this alert comes up: Listened ports status (netstat) changed (new port opened or closed) it seems to stop showing alerts after.

just to add when logged in Kibana the alerts show except on security onion not showing any alert

[dougburks]

I don't see any screenshot. Please review #1720 and include the following information:

• Security Onion version as seen in the lower left corner of SOC and in /etc/soversion. For example: 2.3.70
• Install source. Did you install from our Security Onion ISO image or did you perform a network installation?
• If network install, did you install from CentOS 7 or Ubuntu 18.04?
• Install type. ex. eval, standalone, forward node, search node, etc
• Does so-status show all services running?
• Do you get any failures when you run salt-call state.highstate from the node?
• Does the grid status show any failures?
• Explain your issue. For example: Installation fails when I select this series of options...
• Provide applicable logs. For example: if you are having problems during soup, provide /root/soup.log

[pavlos1982]

I am using version 2.3.70 of security onion, I re-downloaded the latest version (2.3.70-WAZUH ISO image) all installed successfully, but this time around the same problem when I monitor via ungroup it works for a while then the alert stop showing but however when using alert by (Group By Sensor, Source IP/Port, Destination IP/Port, Name) I do see it is showing the alert but my issue with using this alert is there is no time with it that is why I want to use ungroup that gives me the time of the alert see the screenshots attached.

the installation of security onion I used on a stand alone using a pendrive that copied security onion with balenaEtcher software as recommended on the security onion website.

installation type I used evaluation mode for testing first but then I wanted to use a standalone for my environment.

all services are running without any errors see screenshot

when running salt-call state.highstate no errors see screenshot:

no failures on the grid status

[pavlos1982]

I want to be able to do live monitoring that includes all of the alerts, it seem to work for few hours then stop

[dougburks]

when I monitor via ungroup it works for a while then the alert stop showing but however when using alert by (Group By Sensor, Source IP/Port, Destination IP/Port, Name) I do see it is showing the alert but my issue with using this alert is there is no time with it that is why I want to use ungroup that gives me the time of the alert see the screenshots attached.

I'm not sure I understand your description of the problem. Are you asking about the Listened ports status alert that is highlighted in the ungrouped screenshot? This is a Wazuh HIDS alert generated by the Security Onion system (as opposed to a NIDS alert generated by network traffic). Because of this, there is no IP address or port information and therefore it won't be shown when doing a Group By that requires that information.

For more information, please see:
https://docs.securityonion.net/en/2.3/wazuh.html
https://docs.securityonion.net/en/2.3/alerts.html

[pavlos1982]

before I receiving these alerts when I select the ungroup option under alerts:

and now I only see this

is there a way I can see all the HIDS alerts including the IP source and destination, plus the time and date? I just dont understand why before it was showing live alerts with time relevant to my current PC+ source ip and destination ip , then suddenly it stops

regards,

Paul

[pavlos1982]

After messing around with the settings I noticed this, when set to 8 hours the alerts shows but if I set it back to 24 hours no alerts, see the screenshots. Is there some-kind of limit on the logs? or is it maybe that it is using the CentOS time instead of the browser time ?

[dougburks]

In the Ungrouped view, scroll all the way down to the bottom of the page and you should see a Rows per page selection. When you adjust this value, it should adjust the el parameter in the URL, so you can also change this manually in the URL.

[pavlos1982]

Hi Doug,

Thanks for getting back to me, unfortunately in the URL I am not seeing any el see screenshot, again if you noticed between the two screenshot when I use 8 hours I am able to capture alerts for 8 hours to the current time, but when I extend this to 24 hours or above 8 hours it gives me a different result and I can only capture some alerts and it is also behind the my current time, thanks

[dougburks]

Looking at your screenshot, I see el=1000 near the end of blue highlighted section of the URL.

[pavlos1982]

Hi Doug,

Thanks got it lol, I must be going blind, increasing the el now I see the most recent alert, thank you, something else I noticed is there a way to prevent security onion to time out to keep the alert screen active or is this base on the browser itself? it seems after a while it goes inactive not sure if this is to do with the ssl certificate or something else?

[dougburks]

It seems we have answered this discussion about alerts. If you have other questions or problems, please start a separate discussion with appropriate title and provide detailed information there.

[pavlos1982]

Thank you for all your help Dough, I will start a new discussion.