PCAP/ZEEK works in Eval, but not in standalone

[yee-jonathan]

Version

2.4.111

Installation Method

Cloud image (Amazon, Azure, Google)

Description

other (please provide detail below)

Installation Type

Standalone

Location

cloud

Hardware Specs

Exceeds minimum requirements

CPU

8

RAM

32

Storage for /

270 GB

Storage for /nsm

0

Network Traffic Collection

other (please provide detail below)

Network Traffic Speeds

1Gbps to 10Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

No, there are no failures

Logs

No, there are no additional clues

Detail

Hi everyone!

I'm currently doing a test buildout of different Security Onion deployments using the AWS cloud image.One strange issues I was running into was the seemingly different deployment results between running SO under Eval vs under Standalone.

When running under eval, I have no issue ingesting network traffic data from traffic mirroring, uploading pcaps, and having suricata run rulesets. Security Onion works as I expect.

However, when I try a standalone deployment, it seems that SO fails to parse any network traffic data into elasticsearch. I can confirm that network logs exist by checking /nsm/zeek/* and that their current, so I know it's reaching the box. I suspect it has to do with elastic fleet seemingly not being setup correctly on start up. I'm not getting any errors, but noticed that no elastic fleet server gets deployed.

Would appreciate any help in troubleshooting this.

Guidelines

• I have read the discussion guidelines at Read before posting! #1720 and assert that I have followed the guidelines.