Security-Onion-Solutions / securityonion

Security Onion is a free and open platform for threat hunting, enterprise security monitoring, and log management. It includes our own interfaces for alerting, dashboards, hunting, PCAP, detections, and case management. It also includes other tools such as osquery, CyberChef, Elasticsearch, Logstash, Kibana, Suricata, and Zeek.
https://securityonion.net

Receiving Error 502 after logging in and clicking Alerts through Cases #11471

Closed jasondad36 closed 11 months ago

jasondad36 commented 11 months ago

Hello, this is a fresh install on bare metal using the ISO for 2.4.10. The same box has been running 2.3.X for several years with no issues. I installed on 10/1 and it worked fine for the first 2 days. Starting yesterday, I can log in, but when I select Alerts, Dashboard, Hunt or Cases, I get an error 502.

I normally run this through Nginx > Authentik > SecurityOnion, so I removed Authentik to make sure it wasn't changing headers. No change. I then removed Nginx and changed the DNS entry to point directly to Security Onion. Still no change.

I can access pcap, downloads, and administration with no problem. I can also go into the user settings etc.

so-status shows green across the board. I have tried soup; no updates pending. I tried Edge, Chrome, Firefox, Safari and Vivaldi.

Tcpdump on the monitor interface shows traffic coming in.

From Chrome Console:

Request URL: https://seconion.realdomain.com/api/events/?query=(*)+AND+tags:alert+AND+NOT+event.acknowledged:true+AND+NOT+event.escalated:true+%7C+groupby+rule.name+event.module*+event.severity_label&range=2023%2F10%2F03+02:30:57+PM+-+2023%2F10%2F04+02:30:57+PM&format=2006%2F01%2F02+3:04:05+PM&zone=America%2FChicago&metricLimit=500&eventLimit=500
Request Method: GET
Status Code: 502 Bad Gateway
Remote Address: 192.168.5.20:443
Referrer Policy: strict-origin-when-cross-origin

from /opt/so/log/nginx/error.log:

2023/10/04 18:48:56 [error] 23#23: 27655 upstream prematurely closed connection while reading response header from upstream, client: 192.168.2.114, server: seconion.realdomain.com, request: "GET /api/events/?query=(NOT+so_case.status:closed+AND+NOT+so_case.category:template)+AND+_index:%22:so-case%22+AND+so_kind:case&range=2022%2F10%2F04+01:48:57+PM+-+2023%2F10%2F04+01:48:57+PM&format=2006%2F01%2F02+3:04:05+PM&zone=America%2FChicago&metricLimit=100&eventLimit=500 HTTP/2.0", upstream: "http://192.168.5.20:9822/api/events/?query=(NOT+so_case.status:closed+AND+NOT+so_case.category:template)+AND+_index:%22*:so-case%22+AND+so_kind:case&range=2022%2F10%2F04+01:48:57+PM+-+2023%2F10%2F04+01:48:57+PM&format=2006%2F01%2F02+3:04:05+PM&zone=America%2FChicago&metricLimit=100&eventLimit=500", host: "seconion.realdomain.com", referrer: "https://seconion.realdomain.com/?flow=13342fa4-21ec-4391-833a-0876adc3f7cf"
[root@seconion nginx]#

[root@seconion nginx]# so-status

                    Security Onion Status
                     Container │ Status  │               Details
───────────────────────────────────┼─────────┼───────────────────────
                        so-curator │ running │ Up 18 hours
                 so-dockerregistry │ running │ Up 18 hours
                     so-elastalert │ running │ Up 18 hours
                  so-elastic-fleet │ running │ Up 18 hours
 so-elastic-fleet-package-registry │ running │ Up 18 hours (healthy)
                  so-elasticsearch │ running │ Up 18 hours
                       so-idstools │ running │ Up 18 hours
                       so-influxdb │ running │ Up 18 hours (healthy)
                         so-kibana │ running │ Up 18 hours
                         so-kratos │ running │ Up 18 hours
                       so-logstash │ running │ Up 41 minutes
                          so-mysql │ running │ Up 18 hours (healthy)
                          so-nginx │ running │ Up 6 hours (healthy)
                       so-playbook │ running │ Up 18 hours
                          so-redis │ running │ Up 18 hours
                      so-sensoroni │ running │ Up 18 hours
                            so-soc │ running │ Up 18 hours
                       so-soctopus │ running │ Up 18 hours
                          so-steno │ running │ Up 18 hours
                so-strelka-backend │ running │ Up 18 hours
            so-strelka-coordinator │ running │ Up 18 hours
             so-strelka-filestream │ running │ Up 18 hours
               so-strelka-frontend │ running │ Up 18 hours
             so-strelka-gatekeeper │ running │ Up 18 hours
                so-strelka-manager │ running │ Up 18 hours
                       so-suricata │ running │ Up 12 hours
                       so-telegraf │ running │ Up 18 hours
                           so-zeek │ running │ Up 18 hours (healthy)

✔ This onion is ready to make your adversaries cry!

[root@seconion nginx]#

Replaying PCAP(s) at 10 Mbps on interface bond0...
Actual: 111557 packets (12981286 bytes) sent in 10.38 seconds
Rated: 1249999.6 Bps, 9.99 Mbps, 10742.09 pps
Flows: 4102 flows, 394.99 fps, 2074477 flow packets, 45106 non-flow
Statistics for network device: bond0
Successful packets: 55748
Failed packets: 0
Truncated packets: 0
Retried packets (ENOBUFS): 0
Retried packets (EAGAIN): 0
Replay completed. Warnings shown above are typically expected.
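A small parser for nginx error.log entries of the kind quoted in this report (an added example, not Security Onion's own code): it extracts the upstream host:port and the API endpoint from each "upstream prematurely closed" entry, so a defender can see which backend is dropping requests rather than guessing from the 502 in the browser. The sample log lines are constructed to match the format shown above; the server name is a placeholder.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Field order as nginx writes proxy errors: message, client, server, request, upstream.
LOG_RE = re.compile(
    r'^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[(?P<level>\w+)\] .*?'
    r'(?P<msg>upstream [^,]+), client: (?P<client>[^,]+), server: (?P<server>[^,]+), '
    r'request: "(?P<method>\w+) (?P<path>\S+) [^"]*", upstream: "(?P<upstream>[^"]+)"'
)

# Constructed sample lines modelled on the error.log excerpt in this issue.
SAMPLE_LOG = [
    '2023/10/04 18:48:56 [error] 23#23: *27655 upstream prematurely closed connection '
    'while reading response header from upstream, client: 192.168.2.114, '
    'server: seconion.example, request: "GET /api/events/?query=(*)+AND+tags:alert'
    '&eventLimit=500 HTTP/2.0", upstream: "http://192.168.5.20:9822/api/events/'
    '?query=(*)+AND+tags:alert&eventLimit=500", host: "seconion.example"',
    '2023/10/04 18:49:10 [error] 23#23: *27660 upstream prematurely closed connection '
    'while reading response header from upstream, client: 192.168.2.114, '
    'server: seconion.example, request: "GET /api/events/?query=(NOT+so_case.status:closed)'
    '+AND+so_kind:case&metricLimit=100 HTTP/2.0", upstream: "http://192.168.5.20:9822'
    '/api/events/?query=(NOT+so_case.status:closed)+AND+so_kind:case", host: "seconion.example"',
    '2023/10/04 18:50:01 [notice] 23#23: signal process started',
    '2023/10/04 18:51:30 [error] 23#23: *27701 upstream timed out (110: Connection timed out) '
    'while reading response header from upstream, client: 192.168.2.114, '
    'server: seconion.example, request: "GET /api/info HTTP/2.0", '
    'upstream: "http://192.168.5.20:9822/api/info", host: "seconion.example"',
]

def parse_line(line):
    """Return a dict of fields for a proxy-error line, or None for anything else."""
    m = LOG_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    up = urlsplit(d["upstream"])
    d["upstream_host"], d["upstream_port"] = up.hostname, up.port
    req = urlsplit(d["path"])
    d["endpoint"] = req.path
    # The SOC query string is URL-encoded; parse_qs decodes '+' and %XX escapes.
    d["query"] = parse_qs(req.query).get("query", [""])[0]
    return d

def summarize(lines):
    """Count premature upstream closes per (upstream host:port, endpoint)."""
    counts = Counter()
    for line in lines:
        d = parse_line(line)
        if d and d["msg"].startswith("upstream prematurely closed"):
            counts[(f'{d["upstream_host"]}:{d["upstream_port"]}', d["endpoint"])] += 1
    return counts
```

Run `summarize` over the real /opt/so/log/nginx/error.log to see whether every failure points at the same upstream port; a single backend behind all of the 502s narrows the problem to that container's own logs.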

dougburks commented 11 months ago

Rather than opening an issue, please start a new discussion at https://github.com/Security-Onion-Solutions/securityonion/discussions/categories/2-4. The discussion form will ask some questions that will help narrow down where the error might be. Thanks!