No Alerts in Dashboard

[Wilks2222]

Hi,
I have a newly installed Standalone version of Security Onion (v2.3.182) runnnin on hypervisor thats not producing any alerts in the SOC Console. I have 6 Windows Servers running winlogbeat and with sysmon installed. When I run the curl testmynids.org/uid/index.html or testmynids.org/uid/index.html from a browser nothing triggers an alert. Winlogbeat is configured to send events to Eth0 (management) on port 5044.
I do have Eth1 configured for monitoring but we dont have SPAN port confgured on the virtual switch yet and I am seeing events for these servers within the KIbana dahsboards but nothing shows up for alerts.

So-Status Shows

[root@sec pillar]# so-status
Checking Docker status
Docker ----------------------------------------------------------------------------------------------------------------------------------------------------------- [ OK ]

Checking container statuses

so-aptcacherng --------------------------------------------------------------------------------------------------------------------------------------------------- [ OK ]
so-curator ------------------------------------------------------------------------------------------------------------------------------------------------------- [ OK ]
so-dockerregistry ------------------------------------------------------------------------------------------------------------------------------------------------ [ OK ]
so-elastalert ---------------------------------------------------------------------------------------------------------------------------------------------------- [ OK ]
so-elasticsearch ------------------------------------------------------------------------------------------------------------------------------------------------- [ OK ]
so-filebeat ------------------------------------------------------------------------------------------------------------------------------------------------------ [ OK ]
so-fleet --------------------------------------------------------------------------------------------------------------------------------------------------------- [ OK ]
so-grafana ------------------------------------------------------------------------------------------------------------------------------------------------------- [ OK ]
so-idstools ------------------------------------------------------------------------------------------------------------------------------------------------------ [ OK ]
so-influxdb ------------------------------------------------------------------------------------------------------------------------------------------------------ [ OK ]
so-kibana -------------------------------------------------------------------------------------------------------------------------------------------------------- [ OK ]
so-kratos -------------------------------------------------------------------------------------------------------------------------------------------------------- [ OK ]
so-logstash ------------------------------------------------------------------------------------------------------------------------------------------------------ [ OK ]
so-mysql --------------------------------------------------------------------------------------------------------------------------------------------------------- [ OK ]
so-nginx --------------------------------------------------------------------------------------------------------------------------------------------------------- [ OK ]
so-playbook ------------------------------------------------------------------------------------------------------------------------------------------------------ [ OK ]
so-redis --------------------------------------------------------------------------------------------------------------------------------------------------------- [ OK ]
so-sensoroni ----------------------------------------------------------------------------------------------------------------------------------------------------- [ OK ]
so-soc ----------------------------------------------------------------------------------------------------------------------------------------------------------- [ OK ]
so-soctopus ------------------------------------------------------------------------------------------------------------------------------------------------------ [ OK ]
so-steno --------------------------------------------------------------------------------------------------------------------------------------------------------- [ OK ]
so-strelka-backend ----------------------------------------------------------------------------------------------------------------------------------------------- [ OK ]
so-strelka-coordinator ------------------------------------------------------------------------------------------------------------------------------------------- [ OK ]
so-strelka-filestream -------------------------------------------------------------------------------------------------------------------------------------------- [ OK ]
so-strelka-frontend ---------------------------------------------------------------------------------------------------------------------------------------------- [ OK ]
so-strelka-gatekeeper -------------------------------------------------------------------------------------------------------------------------------------------- [ OK ]
so-strelka-manager ----------------------------------------------------------------------------------------------------------------------------------------------- [ OK ]
so-suricata ------------------------------------------------------------------------------------------------------------------------------------------------------ [ OK ]
so-telegraf ------------------------------------------------------------------------------------------------------------------------------------------------------ [ OK ]
so-wazuh --------------------------------------------------------------------------------------------------------------------------------------------------------- [ OK ]

MDengine is set to SURICATA

root@sec pillar]# cat global.sls | grep mdengine
mdengine: 'SURICATA'

Suricata Log Only Shows the Following:

[root@sec pillar]# cat /opt/so/log/suricata/suricata.log
29/11/2022 -- 02:08:03 - - This is Suricata version 6.0.8 RELEASE running in SYSTEM mode
29/11/2022 -- 02:08:03 - - CPUs/cores online: 4
29/11/2022 -- 02:08:03 - - dropped the caps for main thread
29/11/2022 -- 02:08:03 - - eve-log output device (regular) initialized: /nsm/eve-%Y-%m-%d-%H:%M.json
29/11/2022 -- 02:08:03 - - DNP3 log sub-module initialized.
29/11/2022 -- 02:08:03 - - JsonDNP3Log logger not enabled: protocol dnp3 is disabled
29/11/2022 -- 02:08:03 - - DNP3 log sub-module initialized.
29/11/2022 -- 02:08:03 - - JsonDNP3Log logger not enabled: protocol dnp3 is disabled
29/11/2022 -- 02:08:03 - - stats output device (regular) initialized: stats.log
29/11/2022 -- 02:08:03 - - Running in live mode, activating unix socket
29/11/2022 -- 02:08:05 - - 1 rule files processed. 28898 rules successfully loaded, 0 rules failed
29/11/2022 -- 02:08:05 - - Threshold config parsed: 0 rule(s) found
29/11/2022 -- 02:08:06 - - 28901 signatures processed. 1139 are IP-only rules, 5144 are inspecting packet payload, 22593 inspect application layer, 0 are decoder event only
29/11/2022 -- 02:08:09 - - Going to use 1 thread(s)
29/11/2022 -- 02:08:09 - - Running in live mode, activating unix socket
29/11/2022 -- 02:08:09 - - Using unix socket file '/var/run/suricata/suricata-command.socket'
29/11/2022 -- 02:08:09 - - all 1 packet processing threads, 4 management threads initialized, engine started.
29/11/2022 -- 02:08:09 - - All AFP capture threads are running.

docker logs so-suricata

[root@sec /]# docker logs so-suricata
26/11/2022 -- 07:16:32 - - This is Suricata version 6.0.8 RELEASE running in SYSTEM mode
26/11/2022 -- 07:16:32 - - JsonDNP3Log logger not enabled: protocol dnp3 is disabled
26/11/2022 -- 07:16:32 - - JsonDNP3Log logger not enabled: protocol dnp3 is disabled
26/11/2022 -- 07:16:58 - - all 1 packet processing threads, 4 management threads initialized, engine started.
29/11/2022 -- 02:08:03 - - This is Suricata version 6.0.8 RELEASE running in SYSTEM mode
29/11/2022 -- 02:08:03 - - JsonDNP3Log logger not enabled: protocol dnp3 is disabled
29/11/2022 -- 02:08:03 - - JsonDNP3Log logger not enabled: protocol dnp3 is disabled
29/11/2022 -- 02:08:09 - - all 1 packet processing threads, 4 management threads initialized, engine started.

I ran sudo so-rule-update as some people have suggested but it did not fix the issue

A search for event.dataset:alert does get results

salt-call state.highstate Produces the following message:
local:
Data failed to compile:
The function "state.highstate" is running as PID 220634 and was started at 2022, Nov 29 23:04:18.529429 with jid 20221129230418529429"

[dougburks]

I have a newly installed Standalone version of Security Onion (v2.3.182) runnnin on hypervisor thats not producing any alerts in the SOC Console. I have 6 Windows Servers running winlogbeat and with sysmon installed.

Winlogbeat+sysmon won't produce any alerts by default, but you could define criteria to generate an alert if you'd like:
https://docs.securityonion.net/en/2.3/playbook.html

I do have Eth1 configured for monitoring but we dont have SPAN port confgured on the virtual switch yet

Once you have your SPAN port configured, you will most likely start seeing NIDS alerts. If not, you can follow the troubleshooting steps here:
https://docs.securityonion.net/en/2.3/suricata.html#troubleshooting-alerts