WebInterface - No events in Alerts & Dashboard tab

[YvesEutelsat]

Version

2.4.110

Installation Method

Security Onion ISO image

Description

other (please provide detail below)

Installation Type

Distributed

Location

airgap

Hardware Specs

Exceeds minimum requirements

CPU

16

RAM

128G

Storage for /

275G

Storage for /nsm

1.7T

Network Traffic Collection

tap

Network Traffic Speeds

1Gbps to 10Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

Yes, there are salt failures (please provide detail below)

Logs

No, there are no additional clues

Detail

Good day,

I recently replaced the VM manager within the distributed deployment. On the search and sensor node, I used the command "SecurityOnion/setup/so-setup iso" to re-initiate the network configuration so they can join the VM manager. When connecting to the WebInterface, I can see under "Grid" search & sensor node. All containers are running showing green status.

Sensor is capturing traffic since in the pcap & suricata folder, there are files with latest date/time.

Would someone have a suggestion for next step so I can see the count increase in the WebInterface "Alerts & Dashboard" menu? I did follow the troubleshooting guideline within Security Onion documentation.

Assistance is much appreciated, thanks

Guidelines

• I have read the discussion guidelines at Read before posting! #1720 and assert that I have followed the guidelines.

[InfosecGoon]

Check the logstash and elasticsearch logs on the Manager (in /opt/so/log) -- if the new Manager is having issues receiving data or writing it to Elasticsearch, there will be errors there.

Are the Search and Sensor nodes showing up properly in Grid Members and in Elastic Fleet?

[YvesEutelsat]

From the Manager /opt/so/log/elasticsearch/securitonion.log - Failed to validate incoming join request from {so-search}. Then there is something about UUID does not match.
From the Manager /opt/so/log/logstash/logstash.log - Failed to send backlog of events to Redis. I looked into Redis count and it is pretty high (420,000 counts). From documentation assistance, I stopped logstash and Redis count did not go down.

Looking in the Grid Members - Both sensors are under "Accepted members" and from the Grid menu everything is green.
But when clicking on Elastic Fleet or Kibana, I'm getting "404 page error" - I'm guessing because search node is not properly communicating with Manager.

Is it something possible to remove old Manager and after some configurations add a new one without interruption?

Thanks for your assistance

[InfosecGoon]

If the Search Node and the Manager have different Elasticsearch UUIDs, they're not going to be able to join as a cluster. That's the root issue.

When you re-ran setup on the Search Node, did you run the whole thing or just the network configuration?

[YvesEutelsat]

I just did the network configuration. My guess i'll have to run to whole thing, if so, will I lose everything?

Thanks