No Suricata data coming sensor

[ihuxn4hi]

I'm just getting started with Security Onion and have a sensor that I can see is logging Suricata data at /nsm/suricata/eve-*.json but there are zero logs in the manager. Doing a tcpdump, I can see traffic going to and from the manager on port 5644 and others so I'm presuming the communication is OK. What can I look at to troubleshoot this?

Also, is it possible to monitor more than one interface on a sensor? I was reading https://docs.securityonion.net/en/2.3/suricata.html#configuration but didn't see anything about this.

Thanks!

[InfosecGoon]

If you have a distributed deployment, the Suricata logs are written to disk on the sensor, then picked up via Filebeat and sent to the Logstash service on the Manager, then put into a Redis Queue, and finally put into Elasticsearch. So, it could be broken anywhere after the first step. Are you running a Manager/Search node or a separate Search node?

If you want to monitor multiple physical interfaces, you can do that by using so-monitor-add to add them to the bond0 virtual interface that Security Onion is monitoring: https://docs.securityonion.net/en/2.3/so-monitor-add.html

[ihuxn4hi]

Thank you so much for your response and help with this. Your pointing me in the direction of the logs told me everything I needed to see. On the search node, I saw this:

[2023-02-02T22:40:15,260][WARN ][logstash.inputs.redis ] Redis connection error {:message=>"Error connecting to Redis on so-manager:9696 (Redis::TimeoutError)", :exception=>Redis::CannotConnectError}

I went and double checked my Security Group list of allowed inbound ports and sure enough, I missed 9696 and 9300 from the firewall list.

I see alerts coming in now so thank you very much!

Regarding having a sensor monitoring more than one interface, what would be your guidance? I can see the interface and I can see the traffic going across it, I just don't know how to add an additional interface to be monitored.

Thank you again for your help -- I really do appreciate it.

[InfosecGoon]

What is the output from "nmcli con" on the sensor? I'd like to see your current interface configuration.

[ihuxn4hi]

Here's the output from 'nmcli con' on the sensor:

root@so-sensor-01 [~]
# nmcli con
NAME                UUID                                  TYPE      DEVICE  
Wired connection 1  de89b4db-e73e-3db8-88c1-a5e73837d384  ethernet  ens7    
docker0             1814d2f0-c7c7-46ab-882c-0a70296a40b7  bridge    docker0 
ens6                eadd59c6-0618-448d-aa28-d7c7afca0f2c  ethernet  ens6

Interesting that there's supposedly a difference between the ens6 and ens7 interfaces. I've also noticed that there's an IP assigned to ens7 and none for ens6 so I'm not sure if that comes into play at all? I'll look at those interface configurations now.

Thanks again

[InfosecGoon]

I spoke with our developer team and unfortunately AWS doesn't support interface bonding in their environment -- if you want an additional interface to accept more mirror traffic, you'll need to add another sensor node to the grid.

[ihuxn4hi]

Bummer, but thank you for letting me know.

As a workaround, I've changed the target interface within AWS to the one that's being monitored. I'll have to keep an eye on throughput and dropped packets. Not ideal but better than nothing I suppose.

Thank you again for all of the help. I really do appreciate it.

Best regards