-
For the first question: make sure that you've got communication between the minion and Manager nodes on all the required ports. There's a good list of them here: https://docs.securityonion.net/en/2.3/firewall.html The Grid page is built dynamically when minion nodes check in, so if you're not seeing them there you've probably blocked either port 443 (sensoroni) or port 8086 (influxdb) from your minions to your Manager. For question two, try adding nsm.mydomain.lan.mydomain.lan to the /etc/hosts file on the minions so they don't need to look it up in DNS. For question three, change the settings under "patch" in the minion file (/opt/so/saltstack/local/pillar/minions/*.sls).
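To make the first two points in that reply checkable from a minion, here is a small script (an added example for this thread, not code from the discussion or from Security Onion). It assumes the manager name `nsm.mydomain.lan`, the search domain `mydomain.lan` and the ports 443/8086 mentioned above; all three can be overridden with environment variables. The sample query names at the bottom are constructed to stand in for a resolver log extract. The third point (the "patch" setting in `/opt/so/saltstack/local/pillar/minions/*.sls`) is a hand edit of the pillar file, so it is not scripted here.

```bash
#!/usr/bin/env bash
# Added example, not code from this thread or from Security Onion: minion-side checks
# for the reply's first two points. The manager name, search domain and port list are
# assumptions taken from the thread; override them with environment variables.
MANAGER_FQDN="${MANAGER_FQDN:-nsm.mydomain.lan}"
SEARCH_DOMAIN="${SEARCH_DOMAIN:-mydomain.lan}"
REQUIRED_PORTS="${REQUIRED_PORTS:-443 8086}"   # sensoroni and influxdb, per the reply

# Point 1: TCP reachability from this minion to the manager, using bash's /dev/tcp
# so no extra tooling is needed. Returns 0 when the connect succeeds within 3 seconds.
check_port() {
  local host=$1 port=$2
  timeout 3 bash -c "exec 3<>/dev/tcp/${host}/${port}" 2>/dev/null
}

# Point 2: a name ending in "<domain>.<domain>" is the resolver re-appending the
# search suffix to an already-qualified name (the nsm.mydomain.lan.mydomain.lan noise).
is_doubled_suffix() {
  local name=$1 domain=$2
  case "$name" in
    *".${domain}.${domain}") return 0 ;;
    *) return 1 ;;
  esac
}

# Count doubled names in a list of query names on stdin (one per line), e.g. the
# qname column cut out of a resolver log, to size the problem before fixing it.
count_doubled() {
  local domain=$1 n=0 name
  while IFS= read -r name; do
    if is_doubled_suffix "$name" "$domain"; then n=$((n + 1)); fi
  done
  echo "$n"
}

# The /etc/hosts line the reply suggests: pin both the FQDN and its doubled form
# to the manager IP so neither name has to be looked up in DNS from the minion.
hosts_override_line() {
  local ip=$1 fqdn=$2 domain=$3
  printf '%s %s %s.%s\n' "$ip" "$fqdn" "$fqdn" "$domain"
}

# Constructed sample query names, standing in for a resolver log extract.
SAMPLE_QNAMES="nsm.mydomain.lan
nsm.mydomain.lan.mydomain.lan
search.mydomain.lan.mydomain.lan
nsm.mydomain.lan"

main() {
  local manager_ip port
  for port in $REQUIRED_PORTS; do
    if check_port "$MANAGER_FQDN" "$port"; then
      echo "ok   $MANAGER_FQDN:$port reachable"
    else
      echo "FAIL $MANAGER_FQDN:$port blocked or unresolvable"
    fi
  done
  # getent follows the same nsswitch path the minion itself uses (/etc/hosts, then DNS).
  manager_ip=$(getent hosts "$MANAGER_FQDN" | awk '{print $1; exit}')
  if [ -n "$manager_ip" ]; then
    echo "suggested /etc/hosts line: $(hosts_override_line "$manager_ip" "$MANAGER_FQDN" "$SEARCH_DOMAIN")"
  else
    echo "FAIL $MANAGER_FQDN does not resolve on this minion"
  fi
  echo "doubled-suffix names in sample: $(printf '%s\n' "$SAMPLE_QNAMES" | count_doubled "$SEARCH_DOMAIN")"
}

# Run the checks only when invoked with an argument, e.g.: MANAGER_FQDN=nsm.example.lan ./minion-check.sh run
if [ "$#" -gt 0 ]; then main "$@"; fi
```

Run it on each minion rather than on the manager: the port test only tells you something about the path from the host it runs on, and the hosts override belongs on the minion side as the reply says.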
-
Looks like I've somewhat fixed my first 2 issues. I noticed there was no traffic between the nodes and the manager on 443 and it was actually related to DNS. But to make matters more complicated, it's because I'm using a Virtual IP (in pfSense) to expose the manager to the "outside" world (this is a nested firewall configuration, so outside in this case is still inside my network). Looks like DNS resolution wasn't happening for my local domain, so I configured it to work, but then ran into the issue that then the nodes were trying to resolve the Virtual IP which wouldn't work, so for now I've set a host override in the firewall and I'll keep checking to see how I can make this work even better.
-
Hi all! Just setup my first distributed install and have a couple of questions. I'm not sure if it would have been more appropriate to make separate topics for these, but maybe some of the items are related, so I'm going with a single post for now.
Let's start with the first question: I have 4 nodes, a manager, a search, and 2 forward nodes. At first I thought my setup wasn't working since I couldn't see any nodes on the Grid page, but eventually I noticed that alerts were coming in, I can see all nodes in Grafana, and running commands like `salt \* test.ping` from the manager gets a response from all nodes. So I'm really puzzled as to why I'm not seeing any of them show up on the Grid. I've rebooted all hosts and checked my firewall rules and everything seems ok.

That brings me to question 2. During setup for each node, I identified a DNS Search Domain (I think it was actually called default search domain) for the domain I use in my network (let's call it `mydomain.lan` for now). Now the issue I'm running into is that I'm seeing a crazy amount of DNS requests for bad searches because the domain name is being repeated. It seems to be all related to the manager's domain name from what I can tell. My manager's FQDN is `nsm.mydomain.lan` and while some DNS requests are actually being done for that domain, most are querying for `nsm.mydomain.lan.mydomain.lan`.

My last question should hopefully be a simple one: During setup, I identified that the various nodes would get their updates Directly, but I've since decided that I want to have updates go through the manager instead so I can limit internet access to the manager only. I found in the individual minion sls files that I can change the setting, but I can't for the life of me remember what the correct option was called during setup. I think it was `direct+proxy` or `direct+manager` but I can't remember and I don't even know if the sls file uses the same format. I've tried searching through Discussions and the Documentation but haven't found the answer.

On that note, if the answer is actually in writing somewhere, if someone could provide a link I would greatly appreciate it. I've also considered simply re-running the ISO setup, but that feels like overkill for such a minor change. Would that be the appropriate way of doing it though?
Thanks in advance for any guidance!