No hosts showing up in Fleet

[jchrisos1]

I built a new security onion manager/search node. When I log into the fleet GUI interface I don't see any nodes, not even my manager or forwarder node. I've used so-allow to allow port 8090. My last security onion manager/search was an install straight from the security onion installer and all my expected hosts showed up without issue. However, the manager I'm having issues with is a new Ubuntu 20.04 install and I installed security onion from git. The only differences I can think of between my old security onion install was 1) it was a VM and was 2) installed from the ISO image whereas my new install is 1) bare metal install of 2) ubuntu server 20.04 and I 3) installed from git.

The host firewall is not running. Any ideas where to focus my investigation? I looked at the docs but it mostly points back to fleet but I know there are a lot of differences with fleet running on security onion due to it using salt. I didn't see anything helpful here either. Thanks!

I've seen this asked for so I thought it might help:

@so-manager:$ sudo salt-call pillar.get global
[sudo] password for
local:
----------
airgap:
False
dockernet:
172.17.0.0
fleet_custom_hostname:
None
fleet_hostname:
so-manager
fleet_ip:
192.168.0.212
fleet_manager:
True
fleet_node:
False
fleet_packages-timestamp:
2022-11-11-04:29
fleet_packages-version:
2
hnmanager:
192.168.0.0/24,192.168.20.0/24,192.168.30.0/24,192.168.50.0/24
ids:
Suricata
imagerepo:
security-onion-solutions
managerip:
192.168.0.212
mdengine:
ZEEK
pipeline:
redis
sensoronikey:

soversion:
2.3.182
url_base:
so-manager..local
wazuh:
1
@so-manager:$ sudo ufw status
Status: inactive
@so-manager:~$

[jchrisos1]

No logs either :-/

@so-manager:$ tail /opt/so/log/fleet/status.log
@so-manager:$ sudo docker logs so-fleet
Migrations completed.
Migrations already completed. Nothing to do.
Migrations already completed. Nothing to do.
@so-manager:~$

[defensivedepth]

Check out the FleetDM install log at: /root/fleet-setup.log

Any errors?

[jchrisos1]

I don't see any errors. Everything has succeeded. Without posting the entire log (which I can if you want it):

root@so-manager:~# grep -i error fleet-setup.log 
root@so-manager:~# grep -i warn fleet-setup.log 
root@so-manager:~# grep Succeeded -A 1 fleet-setup.log 
Succeeded: 1 (changed=1)
Failed:    0
--
Succeeded: 55 (changed=2)
Failed:     0
--
Succeeded: 1 (changed=1)
Failed:    0
--
Succeeded: 1 (changed=1)
Failed:    0
--
Succeeded: 141 (changed=15)
Failed:      0
--
Succeeded: 55 (changed=1)
Failed:     0
root@so-manager:~# 

[jchrisos1]

I sanitized the log if it helps.
fleet-setup.log

[defensivedepth]

Looks like everything installed correctly. Next step would be to restart the launcher service on the Manager node and review the logs from the startup.

[jchrisos1]

I'm not sure where to look other than these two places which I found in the SO documentation:

root@so-manager:/opt/so/log/fleet# so-fleet-restart
=========================================================================
Restarting fleet...

This could take a while if another Salt job is running.
Run this command with --force to stop all Salt jobs before proceeding.
=========================================================================
so-fleet
so-fleet
local:
----------
[redacted due to length]
----------
          ID: so-fleet
    Function: docker_container.running
      Result: True
     Comment: Created container 'so-fleet'
     Started: 17:00:19.676259
    Duration: 1604.284 ms
     Changes:
              ----------
              container_id:
                  ----------
                  added:
                      7bafb45ed42500bdfd8cf8c7a41d470aed66d03cae136f28025c054dc7d859da
              state:
                  ----------
                  new:
                      running
                  old:
                      None
----------
          ID: append_so-fleet_so-status.conf
    Function: file.append
        Name: /opt/so/conf/so-status/so-status.conf
      Result: True
     Comment: File /opt/so/conf/so-status/so-status.conf is in correct state
     Started: 17:00:21.280856
    Duration: 2.466 ms
     Changes:

Summary for local
-------------
Succeeded: 66 (changed=1)
Failed:     0
-------------
Total states run:     66
Total run time:    5.057 s
root@so-manager:/opt/so/log/fleet# docker logs so-fleet
Migrations already completed. Nothing to do.
root@so-manager:/opt/so/log/fleet# cat /opt/so/log/fleet/status.log
root@so-manager:/opt/so/log/fleet# zcat /opt/so/log/fleet/status-202211*.log.gz
root@so-manager:/opt/so/log/fleet#

Still no change :-(