No alerts - Partial shards failure due to timeout #11482
Replies: 3 comments
-
Did you enable metrics inside elastic? The issue is all the metric indices have replicas assigned but you are in standalone. .ds-metrics-system.filesystem-default-2023.10.06-000001 0 r UNASSIGNED
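The comment above points at replica shards that can never be placed on a single-node (standalone) cluster. The script below is an added example, not part of this thread or of Security Onion: it parses the format printed by `so-elasticsearch-query _cat/shards` (index, shard, prirep, state, ...), lists every index whose replica shard is UNASSIGNED, and prints the settings request that would drop those replicas to 0. The sample shard listing is constructed, and the curl-style pass-through of `-XPUT -d` to `so-elasticsearch-query` is an assumption.

```shell
#!/bin/sh
# Constructed sample of `so-elasticsearch-query _cat/shards` output
# (columns: index shard prirep state docs store ip node). Not the
# reporter's real output.
SAMPLE_SHARDS='.ds-logs-system.syslog-default-2023.10.06-000001 0 p STARTED 1200 1.1mb 10.0.0.5 standalone
.ds-metrics-system.filesystem-default-2023.10.06-000001 0 p STARTED 300 200kb 10.0.0.5 standalone
.ds-metrics-system.filesystem-default-2023.10.06-000001 0 r UNASSIGNED
.ds-metrics-system.cpu-default-2023.10.06-000001 0 p STARTED 500 400kb 10.0.0.5 standalone
.ds-metrics-system.cpu-default-2023.10.06-000001 0 r UNASSIGNED'

# Read _cat/shards lines on stdin; print each index that has an UNASSIGNED
# replica ("r") shard, one per line, de-duplicated. On a standalone node a
# replica has no second node to live on, so these are the shards that make
# searches report a partial shards failure / timeout.
unassigned_replica_indices() {
    awk '$3 == "r" && $4 == "UNASSIGNED" { print $1 }' | sort -u
}

# Number of affected indices in the constructed sample (0 means healthy).
count_unassigned_replica_indices() {
    printf '%s\n' "$SAMPLE_SHARDS" | unassigned_replica_indices | wc -l | tr -d ' '
}

# Print (do not execute) the request that sets number_of_replicas to 0 for
# each affected index. Assumption: so-elasticsearch-query forwards extra
# arguments to curl, as in the wrapper's documented usage.
print_fix_commands() {
    unassigned_replica_indices | while read -r idx; do
        printf "sudo so-elasticsearch-query '%s/_settings' -XPUT -d '{\"index\":{\"number_of_replicas\":0}}'\n" "$idx"
    done
}

# Stand-alone run: report on the constructed sample.
printf '%s\n' "$SAMPLE_SHARDS" | unassigned_replica_indices
printf '%s\n' "$SAMPLE_SHARDS" | print_fix_commands
```

Run it against real data with `sudo so-elasticsearch-query _cat/shards | sh -c '. ./check.sh; unassigned_replica_indices'`, or just pipe into the awk filter; an index template that still assigns replicas will recreate the problem on the next rollover, so the template needs the same change.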
-
I don't recall enabling metrics and I do not see where it's enabled. Looking through the grid configuration the only item that comes up for metrics is influxdb\config\metrics-disabled and that is set to true.
-
Looking in elastic settings I see the following settings on:
-
Version
2.4.20
Installation Method
Security Onion ISO image
Description
configuration
Installation Type
Standalone
Location
on-prem with Internet access
Hardware Specs
Exceeds minimum requirements
CPU
4
RAM
24G
Storage for /
200G
Storage for /nsm
126G
Network Traffic Collection
span port
Network Traffic Speeds
Less than 1Gbps
Status
Yes, all services on all nodes are running OK
Salt Status
No errors
Logs
Yes, there are additional clues in /opt/so/log/ (please provide detail below)
Detail
I am fairly new to Security Onion. Any assistance would be greatly appreciated.
My problem is I have never gotten any alerts from this Security Onion install. I am not currently ingesting pcap data yet. I do however have both Windows and Linux agents installed. I am also forwarding logs from pfSense. My initial install was 2.4.10; I recently upgraded to 2.4.20 thinking there may have been a fix. Nothing really seemed to change and I did not get any errors during the upgrade. I have gone through the playbook and enabled all the default playbooks that were imported that were marked critical or high. I am seeing the data from my agents and from pfSense, just not getting any alerts. I also ran so-test and didn't get any alerts from that either.
Reoccurring elasticsearch log warning message:
Warnings in logstash:
Log entries in elasticfleet (I think these were primarily during a reboot. I dont know that they are relevant):
elasticalert errors:
security onion log errors
Shard Data:
sudo so-elasticsearch-query _cat/indices
sudo so-elasticsearch-query _cat/shards
Guidelines