Got to the web interface once, but now I cannot

[iqworks]

First, I have to say version 2.3.140 is easy to install and the web interface came up the first time using my laptop chrome browser. This is where I got the installation instructions “https://www.youtube.com/watch?v=TG-pPm7KVro “.
I installed SO version 2.3.140. After
I am using :
SO version 2.3.140.
I am trying to use SO on my windows 10 laptop, I don’t use the cloud.
I used securityonion-2.3.140-20220719.iso
I used Centos 7
For nodes, I just have laptops, TV’s and a printer.
I am using a dell laptop and windows 10 version 10.0.19044 build 19044
Not monitoring traffic right now until I get SO working.
These are the services I choose.

so-status shows most ok

sudo salt-call state.highstate – this is what I got (now I am thinking that I need to reinstall and just select the eval service for now?)

 My issue – I successfully installed SO 2.3.140, the sudo so-allow and the web interface came up using the suggested  IP URL. 

I used the suggested IP, and successfully got the web interface.

But two days later the same https://192.168.224.130/ comes up with

I ran sudo soup. 
When I ran sudo salt-call state.highstate, I saw this (I think this may be the problem)

Please let me know if you need anything else,
thanks for your advice and suggestions

[xfaith]

You could try manually starting alll dockers that are not started
so-elastalert-restasrt or so-elastalert-start.

I would also look at
docker logs so-elastalert and see if any errors are reported.

[iqworks]

David, thank you. I will give those a try as soon as I get back to this project. From: David Decker ***@***.***> Sent: Thursday, August 11, 2022 8:01 AM To: Security-Onion-Solutions/securityonion ***@***.***> Cc: iqworks ***@***.***>; Author ***@***.***> Subject: Re: [Security-Onion-Solutions/securityonion] Got to the web interface once, but now I cannot (Discussion #8519) You could try manually starting alll dockers that are not started so-elastalert-restasrt or so-elastalert-start. I would also look at docker logs so-elastalert and see if any errors are reported. — Reply to this email directly, view it on GitHub <#8519 (comment)> , or unsubscribe <https://github.com/notifications/unsubscribe-auth/ABKPV34XBWSFCKD4OIMGGT3VYUITHANCNFSM56IPMNGA> . You are receiving this because you authored the thread. <https://github.com/notifications/beacon/ABKPV32IFSF55R6BXLDOTGDVYUITHA5CNFSM56IPMNGKYY3PNVWWK3TUL52HS4DFWFCGS43DOVZXG2LPNZBW63LNMVXHJKTDN5WW2ZLOORPWSZGOAAZYLII.gif> Message ID: ***@***.*** ***@***.***> >

[iqworks]

does all statuses need to be OK? Could this affect my connection to the web interface? My main issue is that I cannot get a connection to the web interface. It worked once, but not now? Thanks again for your help From: David Decker ***@***.***> Sent: Thursday, August 11, 2022 8:01 AM To: Security-Onion-Solutions/securityonion ***@***.***> Cc: iqworks ***@***.***>; Author ***@***.***> Subject: Re: [Security-Onion-Solutions/securityonion] Got to the web interface once, but now I cannot (Discussion #8519) You could try manually starting alll dockers that are not started so-elastalert-restasrt or so-elastalert-start. I would also look at docker logs so-elastalert and see if any errors are reported. — Reply to this email directly, view it on GitHub <#8519 (comment)> , or unsubscribe <https://github.com/notifications/unsubscribe-auth/ABKPV34XBWSFCKD4OIMGGT3VYUITHANCNFSM56IPMNGA> . You are receiving this because you authored the thread. <https://github.com/notifications/beacon/ABKPV32IFSF55R6BXLDOTGDVYUITHA5CNFSM56IPMNGKYY3PNVWWK3TUL52HS4DFWFCGS43DOVZXG2LPNZBW63LNMVXHJKTDN5WW2ZLOORPWSZGOAAZYLII.gif> Message ID: ***@***.*** ***@***.***> >

[isaacgolding]

To answer your specific question all status need to be OK or things will not work right. If you just installed and didn't tinker with it at all then your install or configuration was messed up somehow.

I'd start over with a fresh install and if you only have a couple of laptops and a few other internet devices you don't need all the extra services that you installed. I would start over and make sure your machine (real or virtual) meets the min requirements found here:

https://docs.securityonion.net/en/2.3/hardware.html#standalone-deployments

Then start over and perform a basic standalone install.

[iqworks]

thanks isaac, will do as soon as i get back to this project.
thanks for the info

[iqworks]

Hi isaacgolding, I did as you suggested and reinstalled. Same thing happened, I could see the security onion the first time. But i noticed that when i did a restart, then i couldnt get the web interface again. same messages in the browser.

this time I used securityonion-2.3.150-20220820.iso. these are the changes in the install that i made :

Call up chrome and enter “ https://192.168.80.130/ “
Select advanced

Click “proceed to 192.168.80.130”

I get the login.

This is what you get.

Is it possible that one of my security onion install IP addresses gets changed when i do a restart?

thanks for your advice or suggestions.

[iqworks]

when i do a windows restart and try iq SO 22.04-desktop-amd64 MSEARCH 14 150 (securityonion-2.3.150-20220820.iso), this is what i get :

i think i need to look at the logs now (have to learn how to find and view them).
but if there are any ideas or suggestions, please let me know.

[iqworks]

i see so many suggestions about how to find and view the logs. Which logs should i look at ??
thanks again.

[dougburks]

As we've discussed previously, I would highly recommend that you stick with a simple IMPORT installation until you're fully comfortable with networking, virtualization, and logging.

If you follow the screenshots at https://docs.securityonion.net/en/2.3/first-time-users.html, then you'll have a graphical desktop and browser inside your VM and it might be easier to use that VM browser rather than trying to connect from a browser on your Windows host.

[iqworks]

Thanks Doug. The problem was I needed to start up the VM, then do so-status to see what has OK. I didn’t even have to wait for all of the dockers to show OK. Then I tried the url again and SO came up. I just understood that 5 minutes ago. 😊 From: Doug Burks ***@***.***> Sent: Tuesday, August 30, 2022 5:13 AM To: Security-Onion-Solutions/securityonion ***@***.***> Cc: iqworks ***@***.***>; Author ***@***.***> Subject: Re: [Security-Onion-Solutions/securityonion] Got to the web interface once, but now I cannot (Discussion #8519) As we've discussed previously <#5608> , I would highly recommend that you stick with a simple IMPORT installation until you're fully comfortable with networking, virtualization, and logging. If you follow the screenshots at https://docs.securityonion.net/en/2.3/first-time-users.html, then you'll have a graphical desktop and browser inside your VM and it might be easier to use that VM browser rather than trying to connect from a browser on your Windows host. — Reply to this email directly, view it on GitHub <#8519 (comment)> , or unsubscribe <https://github.com/notifications/unsubscribe-auth/ABKPV3ZFUL54OY5HNCSKLALV3X3C7ANCNFSM56IPMNGA> . You are receiving this because you authored the thread. <https://github.com/notifications/beacon/ABKPV37AKN4M3ENA7Y2BI6TV3X3C7A5CNFSM56IPMNGKYY3PNVWWK3TUL52HS4DFWFCGS43DOVZXG2LPNZBW63LNMVXHJKTDN5WW2ZLOORPWSZGOAA2YRZA.gif> Message ID: ***@***.*** ***@***.***> >

[iqworks]

Thanks again Doug Perhaps you could put those steps in your documentation? Some place in the installation guide that new people to security onion VM cannot miss. This issue took me weeks to fix. From: Doug Burks ***@***.***> Sent: Tuesday, August 30, 2022 5:13 AM To: Security-Onion-Solutions/securityonion ***@***.***> Cc: iqworks ***@***.***>; Author ***@***.***> Subject: Re: [Security-Onion-Solutions/securityonion] Got to the web interface once, but now I cannot (Discussion #8519) As we've discussed previously <#5608> , I would highly recommend that you stick with a simple IMPORT installation until you're fully comfortable with networking, virtualization, and logging. If you follow the screenshots at https://docs.securityonion.net/en/2.3/first-time-users.html, then you'll have a graphical desktop and browser inside your VM and it might be easier to use that VM browser rather than trying to connect from a browser on your Windows host. — Reply to this email directly, view it on GitHub <#8519 (comment)> , or unsubscribe <https://github.com/notifications/unsubscribe-auth/ABKPV3ZFUL54OY5HNCSKLALV3X3C7ANCNFSM56IPMNGA> . You are receiving this because you authored the thread. <https://github.com/notifications/beacon/ABKPV37AKN4M3ENA7Y2BI6TV3X3C7A5CNFSM56IPMNGKYY3PNVWWK3TUL52HS4DFWFCGS43DOVZXG2LPNZBW63LNMVXHJKTDN5WW2ZLOORPWSZGOAA2YRZA.gif> Message ID: ***@***.*** ***@***.***> >

[dougburks]

Perhaps you could put those steps in your documentation? Some place in the installation guide that new people to security onion VM cannot miss.

Here's the relevant documentation:
https://docs.securityonion.net/en/2.3/post-installation.html#services
https://docs.securityonion.net/en/2.3/so-status.html#so-status
https://docs.securityonion.net/en/2.3/salt.html#salt-minion-startup-options

It shouldn't take that long for the web interface to initialize. If it's taking too long, that could mean that your VM is under-powered for the services that you've enabled. Thus my previous recommendations for you to run in a simple IMPORT installation.

[iqworks]

thanks From: Doug Burks ***@***.***> Sent: Tuesday, August 30, 2022 10:33 AM To: Security-Onion-Solutions/securityonion ***@***.***> Cc: iqworks ***@***.***>; Author ***@***.***> Subject: Re: [Security-Onion-Solutions/securityonion] Got to the web interface once, but now I cannot (Discussion #8519) Perhaps you could put those steps in your documentation? Some place in the installation guide that new people to security onion VM cannot miss. Here's the relevant documentation: https://docs.securityonion.net/en/2.3/post-installation.html#services https://docs.securityonion.net/en/2.3/so-status.html#so-status https://docs.securityonion.net/en/2.3/salt.html#salt-minion-startup-options It shouldn't take that long for the web interface to initialize. If it's taking too long, that could mean that your VM is under-powered for the services that you've enabled. Thus my previous recommendations for you to run in a simple IMPORT installation. — Reply to this email directly, view it on GitHub <#8519 (comment)> , or unsubscribe <https://github.com/notifications/unsubscribe-auth/ABKPV3YHANEGLMFFGS2AGLTV3ZATZANCNFSM56IPMNGA> . You are receiving this because you authored the thread. <https://github.com/notifications/beacon/ABKPV35ONFYUOMJJNU3WO7DV3ZATZA5CNFSM56IPMNGKYY3PNVWWK3TUL52HS4DFWFCGS43DOVZXG2LPNZBW63LNMVXHJKTDN5WW2ZLOORPWSZGOAA2ZHDQ.gif> Message ID: ***@***.*** ***@***.***> >

[iqworks]

Thanks again Doug for getting back. Ohhhhh, “If it's taking too long, that could mean that your VM is under-powered for the services that you've enabled.” Makes a lot of sense now. Like I said, I choose ALL the services for the VM I created using “securityonion-2.3.140-20220719.iso” first, but my last VM creation I used “securityonion-2.3.150-20220820.iso” was created without any services selected. I looked at these 3 links and I didn’t find these simple steps : 1 – power on the security onion (for the desktop version not inside the VM). 2 – check the so-status and wait until everything is at OK (yep Doug, I did choose all of the tools the first time, but none this time). 3 – use your access IP address in a browser. I have two VMs. The first one has all services selected - securityonion-2.3.140-20220719.iso This caused my access url not to work And the access url gets this This is what I selected for the second one - securityonion-2.3.150-20220820.iso This allowed my access url to work This is what I get Perhaps I am missing something in these three links? No matter, things are working for now so I am good to go (I hope 😊), I hope this helps someone else. From: Doug Burks ***@***.***> Sent: Tuesday, August 30, 2022 10:33 AM To: Security-Onion-Solutions/securityonion ***@***.***> Cc: iqworks ***@***.***>; Author ***@***.***> Subject: Re: [Security-Onion-Solutions/securityonion] Got to the web interface once, but now I cannot (Discussion #8519) Perhaps you could put those steps in your documentation? Some place in the installation guide that new people to security onion VM cannot miss. Here's the relevant documentation: https://docs.securityonion.net/en/2.3/post-installation.html#services https://docs.securityonion.net/en/2.3/so-status.html#so-status https://docs.securityonion.net/en/2.3/salt.html#salt-minion-startup-options It shouldn't take that long for the web interface to initialize. If it's taking too long, that could mean that your VM is under-powered for the services that you've enabled. Thus my previous recommendations for you to run in a simple IMPORT installation. — Reply to this email directly, view it on GitHub <#8519 (comment)> , or unsubscribe <https://github.com/notifications/unsubscribe-auth/ABKPV3YHANEGLMFFGS2AGLTV3ZATZANCNFSM56IPMNGA> . You are receiving this because you authored the thread. <https://github.com/notifications/beacon/ABKPV35ONFYUOMJJNU3WO7DV3ZATZA5CNFSM56IPMNGKYY3PNVWWK3TUL52HS4DFWFCGS43DOVZXG2LPNZBW63LNMVXHJKTDN5WW2ZLOORPWSZGOAA2ZHDQ.gif> Message ID: ***@***.*** ***@***.***> >

[dougburks]

I looked at these 3 links and I didn’t find these simple steps :
1 – power on the security onion (for the desktop version not inside the VM).

If you need documentation to tell you to power on Security Onion, then perhaps you still need to learn more about virtualization and networking as we've discussed previously:
#5134
#5131
#5652

[iqworks]

Thanks Doug. From: Doug Burks ***@***.***> Sent: Wednesday, August 31, 2022 4:19 AM To: Security-Onion-Solutions/securityonion ***@***.***> Cc: iqworks ***@***.***>; Author ***@***.***> Subject: Re: [Security-Onion-Solutions/securityonion] Got to the web interface once, but now I cannot (Discussion #8519) I looked at these 3 links and I didn’t find these simple steps : 1 – power on the security onion (for the desktop version not inside the VM). If you need documentation to tell you to power on Security Onion, then perhaps you still need to learn more about virtualization and networking as we've discussed previously: #5134 <#5134> #5131 <#5131> #5652 <#5652> — Reply to this email directly, view it on GitHub <#8519 (comment)> , or unsubscribe <https://github.com/notifications/unsubscribe-auth/ABKPV3Y6B3JYR5I2YTG3JTLV345SXANCNFSM56IPMNGA> . You are receiving this because you authored the thread. <https://github.com/notifications/beacon/ABKPV352XVKU7I5NPJFWCQDV345SXA5CNFSM56IPMNGKYY3PNVWWK3TUL52HS4DFWFCGS43DOVZXG2LPNZBW63LNMVXHJKTDN5WW2ZLOORPWSZGOAA22URQ.gif> Message ID: ***@***.*** ***@***.***> >