PCAP/ZEEK works in Eval, but not in standalone #14120
Replies: 3 comments 2 replies
-
Do you see any errors in the logs in /opt/so/log/logstash or /opt/so/log/elasticsearch?
-
Looking at your /nsm/zeek/logs/current/ screenshot, I don't see logs that I would expect to see like conn.log, dns.log, ssl.log, etc. Please double-check that your traffic mirroring is configured correctly and that your sniffing interface is actually seeing real network traffic. You can verify that with tcpdump.
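The two checks suggested in the reply above, as an added example that is not code from the Security Onion project or from the reply's author: a script that reports which of the core Zeek logs are absent or empty in a "current" log directory, and a helper that counts packets tcpdump sees on the sniffing interface. The log set, the /nsm/zeek/logs/current default and the interface name are assumptions; adjust them for your sensor.

```shell
#!/bin/sh
# Added example, not code from the Security Onion project. It checks whether
# the core Zeek logs exist in a "current" log directory and whether the
# sniffing interface actually sees packets. The log set, the default path and
# the interface name are assumptions; adjust for your deployment.

# Zeek logs a sensor on live traffic is expected to write (assumed set).
EXPECTED_ZEEK_LOGS="conn.log dns.log ssl.log"

# Print each expected log that is absent or empty in directory $1, one per
# line. Returns 0 when all are present and non-empty, 1 otherwise.
missing_zeek_logs() {
    dir="$1"
    rc=0
    for f in $EXPECTED_ZEEK_LOGS; do
        if [ ! -s "$dir/$f" ]; then
            echo "$f"
            rc=1
        fi
    done
    return $rc
}

# Print how many packets tcpdump captured on interface $1 within $2 seconds
# (default 5). Needs root and tcpdump. -c bounds the capture so a busy link
# returns promptly, and tcpdump prints its "N packets captured" summary when
# timeout(1) stops it. Zero means the mirror session is delivering nothing.
sniff_packet_count() {
    iface="$1"
    secs="${2:-5}"
    timeout "$secs" tcpdump -ni "$iface" -c 100 -w /dev/null 2>&1 \
        | awk '/packets captured/ { print $1 }'
}

# Usage: ./zeek_check.sh [zeek-log-dir] [sniff-interface]
# The checks run only when arguments are given, so the functions above can
# also be sourced from another script.
if [ $# -ge 1 ]; then
    dir="${1:-/nsm/zeek/logs/current}"
    if missing=$(missing_zeek_logs "$dir"); then
        echo "all expected Zeek logs present in $dir"
    else
        echo "missing or empty Zeek logs in $dir:"
        echo "$missing"
    fi
    if [ -n "$2" ]; then
        echo "packets seen on $2: $(sniff_packet_count "$2")"
    fi
fi
```

Run it as root with the Zeek log directory and the sniffing interface, e.g. `./zeek_check.sh /nsm/zeek/logs/current eth1`. An empty file is treated the same as a missing one, since Zeek only creates conn.log and friends once it has actually seen matching traffic.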
-
Ended up just remaking the box and giving it more resources. Seemed to work.
-
Version
2.4.111
Installation Method
Cloud image (Amazon, Azure, Google)
Description
other (please provide detail below)
Installation Type
Standalone
Location
cloud
Hardware Specs
Exceeds minimum requirements
CPU
8
RAM
32
Storage for /
270 GB
Storage for /nsm
0
Network Traffic Collection
other (please provide detail below)
Network Traffic Speeds
1Gbps to 10Gbps
Status
Yes, all services on all nodes are running OK
Salt Status
No, there are no failures
Logs
No, there are no additional clues
Detail
Hi everyone!
I'm currently doing a test buildout of different Security Onion deployments using the AWS cloud image. One strange issue I was running into was the seemingly different deployment results between running SO under Eval vs under Standalone.
When running under eval, I have no issue ingesting network traffic data from traffic mirroring, uploading pcaps, and having suricata run rulesets. Security Onion works as I expect.
However, when I try a standalone deployment, it seems that SO fails to parse any network traffic data into Elasticsearch. I can confirm that network logs exist by checking /nsm/zeek/* and that they're current, so I know it's reaching the box. I suspect it has to do with Elastic Fleet seemingly not being set up correctly on startup. I'm not getting any errors, but noticed that no Elastic Fleet server gets deployed. Would appreciate any help in troubleshooting this.