SecurityOnion Azure Market Place Image Zeek & Salt clash on GID

[sweatdigital]

Version

2.4.190

Installation Method

Cloud image (Amazon, Azure, Google)

Description

configuration

Installation Type

Standalone

Location

cloud

Hardware Specs

Meets minimum requirements

CPU

8

RAM

32

Storage for /

472

Storage for /nsm

0

Network Traffic Collection

other (please provide detail below)

Network Traffic Speeds

1Gbps to 10Gbps

Status

No, one or more services are failed (please provide detail below)

Salt Status

Yes, there are salt failures (please provide detail below)

Logs

No, there are no additional clues

Detail

I am setting up SO on Azure via the Azure Marketplace image. The setup config wizard pops up, and I complete all the fields that are needed. When the last screen pops up with all the details I selected, and I say "yes". It kicks off the configuration setup of the SO server. It runs through the config for about 30 min, then it hits the following error.

[ERROR ] Group zeek is not present, but gid 937 is already taken by group salt
Result: False

I need help to understand how to resolve this.

I ran a test before on a test lab running Proxmox and the downloaded ISO, and it went smoothly without errors. However, when I select the Azure Marketplace Image and deploy it via an Azure VM, I hit a snag that Salt is using the gid that the Group Zeek where expecting.

Is there a way to assign a new gid for zeek and let it carry on from where it stopped?

If I rerun sudo /securityonion/setup/so-setup iso it seems not to clear what it has done, and I have to reload the Azure image.

Guidelines

• I have read the discussion guidelines at Read before posting! #1720 and assert that I have followed the guidelines.

[jertel]

Thanks for reporting this. Our automated testing discovered this last week (possibly caused by recent upstream OS package updates), and we made a change for the next release that attempts to avoid the problem. We're still reviewing new test results, as this appears to be somewhat intermittent.

[sweatdigital]

Thank you for the update. When is the next release planned or scheduled for Azure Marketplace? In the meantime, can I download the standard ISO and try that on an Azure VM?

[jertel]

I don't have a date for the next release, however, you can use the following workaround to get the Azure image up and running:

• Start a new VM with the Security Onion 2 image.
• SSH in and immediately cancel out of setup.
• Run the following commands in the SSH terminal:

sudo groupadd -g 928 kratos
sudo groupadd -g 930 elasticsearch
sudo groupadd -g 931 logstash
sudo groupadd -g 932 kibana
sudo groupadd -g 933 elastalert
sudo groupadd -g 937 zeek
sudo groupadd -g 938 salt
sudo groupadd -g 939 socore
sudo groupadd -g 940 suricata
sudo groupadd -g 948 elastic-agent-pr
sudo groupadd -g 949 elastic-agent
sudo groupadd -g 941 stenographer
sudo groupadd -g 947 elastic-fleet
sudo groupadd -g 960 kafka

sudo /securityonion/so-setup-network

• Continue with setup.

Thanks again for raising the issue.

[banners0319]

This is the second onion I have setup for a class at FSU and I'm getting this error message.

┌───────────────────┤ Security Onion Setup - 2.4.190 ├────────────────────┐
│ │
│ eth1 is unmanaged by Network Manager. Please remove it from other │
│ network management tools then re-run setup.

What is the fix for this? Thanks.
Shawn