Salt Stopped Seeing my Sensors
99 views
Skip to first unread message
Tim Desrochers
Feb 24, 2015, 10:03:12 AM2/24/15
to securit...@googlegroups.com
Recently I have had to ssh to my sensors to execute any commands because when I try:
$ sudo salt '*' test.ping
$ sudo salt '*' cmd.run 'your command here'
it doesn't see my sensor or return any info from my sensor. The funny part is all files are copied as expected from Server to Sensor every 15 minutes, so it seems salt is working.
I assured all needed ports are open on the firewall.
Any thoughts?
$ sudo salt '*' test.ping
$ sudo salt '*' cmd.run 'your command here'
it doesn't see my sensor or return any info from my sensor. The funny part is all files are copied as expected from Server to Sensor every 15 minutes, so it seems salt is working.
I assured all needed ports are open on the firewall.
Any thoughts?
Doug Burks
Feb 24, 2015, 8:17:12 PM2/24/15
to securit...@googlegroups.com
Hi Tim,
When you do test.ping, do you get a response from the salt-minion on
the local box (the master server itself)?
Have you tried restarting the salt-master service on the master server?
Have you tried restarting the salt-minion service on the sensor?
Have you tried rebooting the master and sensor?
What is the output of the following on both the master and sensor?
sudo ufw status |grep 450
Are there any network firewalls between the master and sensor that
could be blocking the traffic?
If you run tcpdump on the management interface of the master server,
do you see traffic from the sensor hitting ports 4505/tcp and/or
4506/tcp?
> --
> You received this message because you are subscribed to the Google Groups "security-onion" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to security-onio...@googlegroups.com.
> To post to this group, send email to securit...@googlegroups.com.
> Visit this group at http://groups.google.com/group/security-onion.
> For more options, visit https://groups.google.com/d/optout.
--
Doug Burks
Need Security Onion Training or Commercial Support?
http://securityonionsolutions.com
When you do test.ping, do you get a response from the salt-minion on
the local box (the master server itself)?
Have you tried restarting the salt-master service on the master server?
Have you tried restarting the salt-minion service on the sensor?
Have you tried rebooting the master and sensor?
What is the output of the following on both the master and sensor?
sudo ufw status |grep 450
Are there any network firewalls between the master and sensor that
could be blocking the traffic?
If you run tcpdump on the management interface of the master server,
do you see traffic from the sensor hitting ports 4505/tcp and/or
4506/tcp?
> You received this message because you are subscribed to the Google Groups "security-onion" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to security-onio...@googlegroups.com.
> To post to this group, send email to securit...@googlegroups.com.
> Visit this group at http://groups.google.com/group/security-onion.
> For more options, visit https://groups.google.com/d/optout.
--
Doug Burks
Need Security Onion Training or Commercial Support?
http://securityonionsolutions.com
Tim Desrochers
Feb 26, 2015, 6:20:52 AM2/26/15
to securit...@googlegroups.com
Replies inline
On Tue, Feb 24, 2015 at 8:16 PM, Doug Burks <doug....@gmail.com> wrote:
Hi Tim,
When you do test.ping, do you get a response from the salt-minion on
the local box (the master server itself)?
I get a response from the master only
Have you tried restarting the salt-master service on the master server?
No
Have you tried restarting the salt-minion service on the sensor?
No, I did and this fixed the issue. $ sudo service salt-minion restart
Have you tried rebooting the master and sensor?
no but with the latest sudo soup it required a restart so now I have
What is the output of the following on both the master and sensor?
sudo ufw status |grep 450
did not do because a restart of the service fixed the issue
Are there any network firewalls between the master and sensor that
could be blocking the traffic?
No
If you run tcpdump on the management interface of the master server,
do you see traffic from the sensor hitting ports 4505/tcp and/or
4506/tcp?
did not do because a restart of the service fixed the issue
On Tue, Feb 24, 2015 at 10:03 AM, Tim Desrochers <tgdesr...@gmail.com> wrote:
> Recently I have had to ssh to my sensors to execute any commands because when I try:
>
> $ sudo salt '*' test.ping
> $ sudo salt '*' cmd.run 'your command here'
>
> it doesn't see my sensor or return any info from my sensor. The funny part is all files are copied as expected from Server to Sensor every 15 minutes, so it seems salt is working.
>
> I assured all needed ports are open on the firewall.
>
> Any thoughts?
>
> --
> You received this message because you are subscribed to the Google Groups "security-onion" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to security-onio...@googlegroups.com.
> To post to this group, send email to securit...@googlegroups.com.
> Visit this group at http://groups.google.com/group/security-onion.
> For more options, visit https://groups.google.com/d/optout.
--
Doug Burks
Need Security Onion Training or Commercial Support?
http://securityonionsolutions.com
--
You received this message because you are subscribed to a topic in the Google Groups "security-onion" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/security-onion/3QSR7F2Gm6o/unsubscribe.
To unsubscribe from this group and all its topics, send an email to security-onio...@googlegroups.com.
Reply all
Reply to author
Forward
0 new messages