Closed jasondad36 closed 11 months ago
Rather than opening an issue, please start a new discussion at https://github.com/Security-Onion-Solutions/securityonion/discussions/categories/2-4. The discussion form will ask some questions that will help narrow down where the error might be. Thanks!
Hello, this is a fresh install on bare metal using the ISO for 2.4.10. The same box has been running 2.3.X for several years with no issues. I installed on 10/1 and it worked fine for the first 2 days. Starting yesterday, I can log in, but when I select Alerts, Dashboard, Hunt or Cases, I get an error 502.
I normally run this through Nginx > Authentik > SecurityOnion, so I removed Authentik to make sure it wasn't changing headers. No change. I then removed nginx and changed the DNS entry to point directly to Security Onion. Still no change.
I can access pcap, downloads, and administration with no problem. I can also go into the user settings etc.
so-status shows green across the board. I have tried soup; no updates pending. I tried Edge, Chrome, Firefox, Safari and Vivaldi.
Tcpdump on the monitor interface shows traffic coming in.
From Chrome Console:
Request URL: https://seconion.realdomain.com/api/events/?query=(*)+AND+tags:alert+AND+NOT+event.acknowledged:true+AND+NOT+event.escalated:true+%7C+groupby+rule.name+event.module*+event.severity_label&range=2023%2F10%2F03+02:30:57+PM+-+2023%2F10%2F04+02:30:57+PM&format=2006%2F01%2F02+3:04:05+PM&zone=America%2FChicago&metricLimit=500&eventLimit=500
Request Method: GET
Status Code: 502 Bad Gateway
Remote Address: 192.168.5.20:443
Referrer Policy: strict-origin-when-cross-origin
from /opt/so/log/nginx/error.log:
2023/10/04 18:48:56 [error] 23#23: 27655 upstream prematurely closed connection while reading response header from upstream, client: 192.168.2.114, server: seconion.realdomain.com, request: "GET /api/events/?query=(NOT+so_case.status:closed+AND+NOT+so_case.category:template)+AND+_index:%22:so-case%22+AND+so_kind:case&range=2022%2F10%2F04+01:48:57+PM+-+2023%2F10%2F04+01:48:57+PM&format=2006%2F01%2F02+3:04:05+PM&zone=America%2FChicago&metricLimit=100&eventLimit=500 HTTP/2.0", upstream: "http://192.168.5.20:9822/api/events/?query=(NOT+so_case.status:closed+AND+NOT+so_case.category:template)+AND+_index:%22*:so-case%22+AND+so_kind:case&range=2022%2F10%2F04+01:48:57+PM+-+2023%2F10%2F04+01:48:57+PM&format=2006%2F01%2F02+3:04:05+PM&zone=America%2FChicago&metricLimit=100&eventLimit=500", host: "seconion.realdomain.com", referrer: "https://seconion.realdomain.com/?flow=13342fa4-21ec-4391-833a-0876adc3f7cf"
[root@seconion nginx]# so-status
───────────────────────────────────┼─────────┼───────────────────────
so-curator                         │ running │ Up 18 hours
so-dockerregistry                  │ running │ Up 18 hours
so-elastalert                      │ running │ Up 18 hours
so-elastic-fleet                   │ running │ Up 18 hours
so-elastic-fleet-package-registry  │ running │ Up 18 hours (healthy)
so-elasticsearch                   │ running │ Up 18 hours
so-idstools                        │ running │ Up 18 hours
so-influxdb                        │ running │ Up 18 hours (healthy)
so-kibana                          │ running │ Up 18 hours
so-kratos                          │ running │ Up 18 hours
so-logstash                        │ running │ Up 41 minutes
so-mysql                           │ running │ Up 18 hours (healthy)
so-nginx                           │ running │ Up 6 hours (healthy)
so-playbook                        │ running │ Up 18 hours
so-redis                           │ running │ Up 18 hours
so-sensoroni                       │ running │ Up 18 hours
so-soc                             │ running │ Up 18 hours
so-soctopus                        │ running │ Up 18 hours
so-steno                           │ running │ Up 18 hours
so-strelka-backend                 │ running │ Up 18 hours
so-strelka-coordinator             │ running │ Up 18 hours
so-strelka-filestream              │ running │ Up 18 hours
so-strelka-frontend                │ running │ Up 18 hours
so-strelka-gatekeeper              │ running │ Up 18 hours
so-strelka-manager                 │ running │ Up 18 hours
so-suricata                        │ running │ Up 12 hours
so-telegraf                        │ running │ Up 18 hours
so-zeek                            │ running │ Up 18 hours (healthy)
✔ This onion is ready to make your adversaries cry!
[root@seconion nginx]#
Replaying PCAP(s) at 10 Mbps on interface bond0...
Actual: 111557 packets (12981286 bytes) sent in 10.38 seconds
Rated: 1249999.6 Bps, 9.99 Mbps, 10742.09 pps
Flows: 4102 flows, 394.99 fps, 2074477 flow packets, 45106 non-flow
Statistics for network device: bond0
Successful packets: 55748
Failed packets: 0
Truncated packets: 0
Retried packets (ENOBUFS): 0
Retried packets (EAGAIN): 0
Replay completed. Warnings shown above are typically expected.
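As an added triage example (not part of the original issue report and not Security Onion's own code), the following Python parses nginx error-log records of the shape quoted above from /opt/so/log/nginx/error.log and counts "upstream prematurely closed" errors by upstream address and by request route. That separates the two things the report leaves mixed: whether every 502 is coming from one upstream (the so-soc listener on 192.168.5.20:9822 in the log above) and whether only certain routes such as /api/events/ fail while others succeed. The sample log lines are constructed for the example; the hostname and the second and third records are placeholders and not from the issue.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# nginx error-log record layout: timestamp, [level], pid#tid: *connid message,
# then the standard trailing fields client/server/request/upstream/host/referrer.
# "request" and "upstream" are quoted; upstream is optional (absent for non-proxy errors).
ERR_RE = re.compile(
    r'^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[(?P<level>\w+)\] \S+: \S+ '
    r'(?P<msg>.*?), client: (?P<client>\S+), server: (?P<server>\S+), '
    r'request: "(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)"'
    r'(?:, upstream: "(?P<upstream>[^"]+)")?'
)

# Constructed sample: two premature-close errors against the SOC API upstream on 9822,
# one unrelated connection-refused error against a different upstream, and one junk line.
SAMPLE_LOG = """\
2023/10/04 18:48:56 [error] 23#23: *27655 upstream prematurely closed connection while reading response header from upstream, client: 192.168.2.114, server: seconion.example.com, request: "GET /api/events/?query=x&eventLimit=500 HTTP/2.0", upstream: "http://192.168.5.20:9822/api/events/?query=x&eventLimit=500", host: "seconion.example.com", referrer: "https://seconion.example.com/"
2023/10/04 18:49:03 [error] 23#23: *27660 upstream prematurely closed connection while reading response header from upstream, client: 192.168.2.114, server: seconion.example.com, request: "GET /api/events/?query=y&eventLimit=500 HTTP/2.0", upstream: "http://192.168.5.20:9822/api/events/?query=y&eventLimit=500", host: "seconion.example.com"
2023/10/04 18:49:10 [error] 23#23: *27661 connect() failed (111: Connection refused) while connecting to upstream, client: 192.168.2.114, server: seconion.example.com, request: "GET /kibana/app/home HTTP/2.0", upstream: "http://192.168.5.20:5601/app/home", host: "seconion.example.com"
this line is not an nginx error record and is skipped
"""


def parse_line(line):
    """Return a dict of fields for one nginx error record, or None if it does not match."""
    m = ERR_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Reduce the upstream URL to host:port so records group by backend, not by query string.
    rec["upstream_addr"] = urlsplit(rec["upstream"]).netloc if rec["upstream"] else None
    # Route = request path without the query string (the query differs per call).
    rec["route"] = rec["path"].split("?", 1)[0]
    return rec


def summarize(lines):
    """Count premature upstream closes per backend address and per route."""
    recs = [r for r in map(parse_line, lines) if r]
    by_upstream, by_route = Counter(), Counter()
    premature = 0
    for r in recs:
        if "upstream prematurely closed" in r["msg"]:
            premature += 1
            by_upstream[r["upstream_addr"]] += 1
            by_route[r["route"]] += 1
    return {
        "parsed": len(recs),
        "premature_close": premature,
        "by_upstream": dict(by_upstream),
        "by_route": dict(by_route),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(SAMPLE_LOG.splitlines()), indent=2))
```

Run against the real file with `summarize(open("/opt/so/log/nginx/error.log").read().splitlines())`. If every premature close points at a single upstream address, the next place to look is that container's own log rather than nginx or anything in front of it; if the routes cluster on one API path while other paths to the same upstream succeed, the failure is in what that handler does (for /api/events/ that is the backend query), not in the proxy chain.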