IPTables Dropping(Can't install Search Nodes or Agents)

[thatboy3]

Version

2.4.60

Installation Method

Security Onion ISO image

Description

installation

Installation Type

Distributed

Location

on-prem with Internet access

Hardware Specs

Meets minimum requirements

CPU

4

RAM

16gb

Storage for /

200gb

Storage for /nsm

Unknown

Network Traffic Collection

tap

Network Traffic Speeds

Less than 1Gbps

Status

No, one or more services are failed (please provide detail below)

Salt Status

No, there are no failures

Logs

No, there are no additional clues

Detail

I am trying to set up a distributed installation type. Whenever I create the manager node, I continuously get IPTables-dropped posted every 15-20 seconds. I am not able to connect search nodes to the manager through the installation. I get "setup is unable to access the manager." I have added the IP


address of the search node through SOC-Admin-Config, however I am still not able to connect it. Th

This is the 5+ attempt at trying to install the node and the agents. The first time, I was able to connect the search nodes, but I was not able to install the elastic agents onto the endpoints through the downloader. I kept getting install failed to connect on port xxx.

Now, I'm not even able to connect the search nodes on this new attempt. I'm sure there is more information needed to help, please ask and I would be grateful for any help. Thank you!

Guidelines

• I have read the discussion guidelines at Read before posting! #1720 and assert that I have followed the guidelines.

[reyesj2]

The iptables messages you show in your screenshots are kernel messages https://docs.securityonion.net/en/2.4/console.html#console

When you want to add a node to your Security Onion grid as you mentioned you need to add the new nodes IP address to the firewall config in SOC. You also need to either wait ~15 minutes for the change to be automatically applied or hit the 'synchronize grid' button at the top of SOC.
You'll know that change has applied when you go back to your search node and you hit enter on the retry connection message and it successfully connects. You will then need to accept the new minion into your grid by going to the 'Grid Members' page and hitting accept on the new search node. Important to note that you won't see this new searchnode in your 'Grid Overview' page for a while as it gets setup in the background.

For your elastic agent troubles you need to allow them through the firewall as well. https://docs.securityonion.net/en/2.4/elastic-agent.html#elastic-agent

[thatboy3]

Yes sir, I did that as instructed waited and still nothing. I put the ips in the hostgroups under firewall and still will not install the agents. I saw the search node and did as instructed but it is also showing repeatedly iptables dropped now. What else could I be missing? Again, my IP's are in the host group as directed. My agents keep failing install even after waiting for the allotted time. Thanks!