No Alerts after upgrading 2.4.190 > 2.4.201 #15429

ejgh-oe · 2026-01-28T14:38:34Z

ejgh-oe
Jan 28, 2026

Version

Other (please provide detail below)

Installation Method

Security Onion ISO image

Description

upgrading

Installation Type

Distributed

Location

on-prem with Internet access

Hardware Specs

Exceeds minimum requirements

CPU

32

RAM

128GB

Storage for /

500GB

Storage for /nsm

3T

Network Traffic Collection

span port

Network Traffic Speeds

1Gbps to 10Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

No, there are no failures

Logs

No, there are no additional clues

Detail

Hi,
After upgrading from 2.4.190 to 2.4.201 I don't see any new Alerts unter the Alert Tab.

After upgrading (i.e. 2x soup on the manager node and waiting for all nodes to get upgraded) I went through the steps described in https://docs.securityonion.net/en/2.4/post-installation.html checked soc > config > server > modules > suricataengine > rulesetSources > default where I've got

"local-rules" points to a file in /nsm/rules/custom-local-repos/local-suricata holding the exact same custom suricata rules as in 2.4.190.

Also a full update of suricata had no errors.

I also "emptied" the local-rules file by running cat > /nsm/rules/custom-local-repos/local-suricata/tuned.rules, i.e. basically eliminating all local rules - no change.

When extending the timeframe for the Alerts display the last alerts have a pre-2.4.201-upgrade-timestamp.

Again, Grid says everything is OK as well as "so-status" indicating no errors whatsover. Likewise, PCAP works, i.e. packets are coming in via the sensor node.

To me it looks like S.O. completely forgot to send traffic through Suricata after upgrading to 2.4.201.

Any ideas on how I can get Suricata working again?

Guidelines

I have read the discussion guidelines at Read before posting! #1720 and assert that I have followed the guidelines.

Answered by cm-ops

Feb 9, 2026

All rulesets configurations with the changes to Detections should be done via the new consolidated rulest option in soc > config > server > modules > suricataengine > rulesetSources > default. The other setting will be updated with a deprication warning and changed to readonly.

View full answer

MDCAllan · 2026-01-28T16:54:13Z

MDCAllan
Jan 28, 2026

I have had the same problem since 2.4.200 on a SO grid with 19 VM's. I've tried lots of stuff to get alerts working again, no luck. For a while I thought it had something to do with idstools not being properly removed, but it looks like the docker was removed, just not removed from the list of so-status items. I found another post on here mentioning that we can just manually remove that from the status list, which I did. I also followed the post-install instructions regarding the block file and custom rules. No custom rules in our deployment. (nothing but readme files in the custom-local-repos).

All indications are a healthy grid now. Green "OK" status on Elastalert, Strelka, and Suricata. CPU utilization on the grid hasn't changed much before and after the update... It seems like the grid is still processing incoming eventlog and network traffic data, just not generating (or displaying) alerts for it in the web interface. Dashboard is full of activity.

I have other systems in place to monitor security that meet our requirements, the SO Grid is our way of going above and beyond the bare minimum with more extensive monitoring and log aggregation, and it does a great job at that. I kinda assumed something went wrong during the update that broke something and have been hoping I'm not alone as it's probably too big of a problem to unravel for a single grid deployment. I was figuring on just rebuilding the grid here soon if I didn't see anyone else reporting similar problems. I'm seeing various posts here and elsewhere of similar issues since the 200 release. Hopefully someone figures it out! I suspect many of us are having the same problem, and it's probably a simple fix, we just have to figure out what setting we were all running before the 200 update that isn't compatible with the latest version of SO. I'll keep an eye on this thread. If I find a solution, I'll try to share. (unlikely, as this system is very complicated and I manage dozens of other complex systems, I can only be about ankle deep with any of them).

0 replies

cm-ops · 2026-01-29T16:32:39Z

cm-ops
Jan 29, 2026
Maintainer

Are there rules in /opt/so/saltstack/local/salt/suricata/rules/all-rulesets.rules on your manager and /opt/so/rules/suricata/all-rulesets.rules on your sensor?

In Detections are there Suricata rules?

On your sensor, do you see Suricata logs in /nsm/suricata? Is your Elastic agent running and healthy on the sensor?

2 replies

ejgh-oe Jan 29, 2026
Author

Hi,

First of all - thanks very much for looking into this, esp. since this problem brings down one of the main functions of SecurityOnion, i.a. alerting in case something weird happens on the network.

Are there rules in /opt/so/saltstack/local/salt/suricata/rules/all-rulesets.rules on your manager and /opt/so/rules/suricata/all-rulesets.rules on your sensor?

Yes, both nodes (manager and sensor) have the all-rulesets.rules file in their corresponding places:

manager-node:

[root@onion-mgr rules]# pwd
/opt/so/saltstack/local/salt/suricata/rules
[root@onion-mgr rules]# ls -l
total 31160
-rw-r-----. 1 socore socore 31905122 Jan 29 14:41 all-rulesets.rules
[root@onion-mgr rules]#

sensor node:

[root@onion-pcap suricata]# ls -l
total 31160
-rw-r--r--. 1 suricata socore 31905122 Jan 29 14:52 all-rulesets.rules
-rw-r--r--. 1 suricata socore        0 Jan 19 17:05 PLACEHOLDER
[root@onion-pcap suricata]#

In Detections are there Suricata rules?

Yes, around 80.000

On your sensor, do you see Suricata logs in /nsm/suricata?

Oops, looks kinda empty ...

[root@onion-pcap suricata]# pwd
/nsm/suricata
[root@onion-pcap suricata]# ls -lgat
total 48
drwxr-xr-x.  4 socore   4096 Jan 29 15:17 .
-rw-r--r--.  1 suricata    0 Jan 29 14:53 eve-2026-01-29-14:53.json
-rw-r--r--.  1 suricata   46 Jan 28 14:47 eve-2026-01-28-14:47.json.gz
-rw-r--r--.  1 suricata   46 Jan 28 14:15 eve-2026-01-28-14:15.json.gz
-rw-r--r--.  1 suricata   46 Jan 28 13:26 eve-2026-01-28-13:26.json.gz
-rw-r--r--.  1 suricata   46 Jan 28 10:45 eve-2026-01-28-10:45.json.gz
-rw-r--r--.  1 suricata   46 Jan 27 10:31 eve-2026-01-27-10:31.json.gz
-rw-r--r--.  1 suricata   46 Jan 26 17:10 eve-2026-01-26-17:10.json.gz
-rw-r--r--.  1 suricata   46 Jan 26 10:33 eve-2026-01-26-10:33.json.gz
-rw-r--r--.  1 suricata   46 Jan 25 10:36 eve-2026-01-25-10:36.json.gz
-rw-r--r--.  1 suricata   46 Jan 24 10:43 eve-2026-01-24-10:43.json.gz
-rw-r--r--.  1 suricata   46 Jan 23 10:29 eve-2026-01-23-10:29.json.gz
-rw-r--r--.  1 suricata   46 Jan 22 10:35 eve-2026-01-22-10:35.json.gz
drwxr-xr-x.  2 root        6 Mar 24  2024 suripcap
drwxr-xr-x. 14 root      246 Mar 24  2024 ..
drwxrwx---.  2 socore      6 Jan 19  2024 extracted
[root@onion-pcap suricata]#

but suricata is running:

[root@onion-pcap suricata]# so-status

                 Security Onion Status
              Container │ Status  │             Details
────────────────────────┼─────────┼─────────────────────
           so-sensoroni │ running │           Up 3 days
               so-steno │ running │           Up 3 days
     so-strelka-backend │ running │           Up 3 days
 so-strelka-coordinator │ running │           Up 3 days
  so-strelka-filestream │ running │           Up 3 days
    so-strelka-frontend │ running │           Up 3 days
  so-strelka-gatekeeper │ running │           Up 3 days
     so-strelka-manager │ running │           Up 3 days
            so-suricata │ running │          Up 3 hours
            so-telegraf │ running │           Up 3 days
                so-zeek │ running │ Up 3 days (healthy)

 ✔ This onion is ready to make your adversaries cry!

[root@onion-pcap suricata]#

BTW, same situation on the second sensor too 

>  Is your Elastic agent running and healthy on the sensor?

Yes absolutely

```[root@onion-pcap suricata]# systemctl status elasticsearch.so
Unit elasticsearch.so.service could not be found.
[root@onion-pcap suricata]# systemctl status elastic-agent
● elastic-agent.service - Elastic Agent is a unified agent to observe, monitor and protect your system.
     Loaded: loaded (/etc/systemd/system/elastic-agent.service; enabled; preset: disabled)
     Active: active (running) since Mon 2026-01-26 17:10:02 UTC; 3 days ago
   Main PID: 1681 (elastic-agent)
      Tasks: 265 (limit: 819308)
     Memory: 1.5G (peak: 1.5G)
        CPU: 7h 7min 18.030s
     CGroup: /system.slice/elastic-agent.service
             ├─1681 /opt/Elastic/Agent/elastic-agent
             ├─2524 /opt/Elastic/Agent/data/elastic-agent-8.18.8-bb58d0/components/agentbeat filebeat -E setup.ilm.enabled=false -E setup.template.enabled=false -E management.enabled=true -E management.restart_on_output_change=true -E l>
             ├─2638 /opt/Elastic/Agent/data/elastic-agent-8.18.8-bb58d0/components/agentbeat filebeat -E setup.ilm.enabled=false -E setup.template.enabled=false -E management.enabled=true -E management.restart_on_output_change=true -E l>
             ├─2656 /opt/Elastic/Agent/data/elastic-agent-8.18.8-bb58d0/components/agentbeat osquerybeat -E setup.ilm.enabled=false -E setup.template.enabled=false -E management.enabled=true -E management.restart_on_output_change=true ->
             ├─2670 /opt/Elastic/Agent/data/elastic-agent-8.18.8-bb58d0/components/agentbeat filebeat -E setup.ilm.enabled=false -E setup.template.enabled=false -E management.enabled=true -E management.restart_on_output_change=true -E l>
             ├─2713 /opt/Elastic/Agent/data/elastic-agent-8.18.8-bb58d0/components/agentbeat filebeat -E setup.ilm.enabled=false -E setup.template.enabled=false -E management.enabled=true -E management.restart_on_output_change=true -E l>
             ├─2767 /opt/Elastic/Agent/data/elastic-agent-8.18.8-bb58d0/components/agentbeat filebeat -E setup.ilm.enabled=false -E setup.template.enabled=false -E management.enabled=true -E management.restart_on_output_change=true -E l>
             ├─2876 /opt/Elastic/Agent/data/elastic-agent-8.18.8-bb58d0/components/osqueryd --disable_tables=carves,curl --pack_delimiter=_ --extensions_autoload=osquery/osquery.autoload --augeas_lenses=/opt/Elastic/Agent/data/elastic-a>
             └─2878 /opt/Elastic/Agent/data/elastic-agent-8.18.8-bb58d0/components/osquery-extension.ext --socket /var/run/2345207585/osquery.sock --timeout 10 --interval 3

Jan 26 17:10:02 onion-pcap systemd[1]: Started Elastic Agent is a unified agent to observe, monitor and protect your system..
Jan 26 17:10:05 onion-pcap osqueryd[2876]: osqueryd started [version=5.15.0]
lines 1-20/20 (END)

Please let me know if you need any additional logs, traces, etc. in order to track down the underlying problem.

MDCAllan Jan 29, 2026

I had a look at our grid to compare - very similar situation.

MDCAllan · 2026-01-29T20:16:04Z

MDCAllan
Jan 29, 2026

Well.. I found something:

My grid was set to default value, but that path doesn't exist. I switched the value to the one shown in the screenshot above and am seeing if that makes any difference.

1 reply

MDCAllan Jan 30, 2026

Red herring... the grid produced a "elastalert missing" error after this change, I tried increasing heap and memory allocations to see if that could be the cause at that point to no avail. Back to default on that setting.

For good measure, I did create that directory, but that also makes no difference.

On to the next observation:

"so_detection.is.reporting" is disabled for ALL rules on our Onion. Not sure how this happened, or if it's supposed to be that way?

ejgh-oe · 2026-01-30T18:17:06Z

ejgh-oe
Jan 30, 2026
Author

Red herring... the grid produced a "elastalert missing" error after this change, I tried increasing heap and memory allocations to see if that could be the cause at that point to no avail. Back to default on that setting.

Too bad that didn't help :-(

Seems we'll have to wait till hopefully someone from SecurityOnion comes up with an idea as to what's going on after the upgrade to 2.4.200 and how to fix this problem, esp. since this problem kills the most basic feature of a NIDS - alarms - completely.

4 replies

ejgh-oe Feb 1, 2026
Author

Two additional "observations":

Every sensor (got two of them) shows "Suricata Rules:no rules configured" in the SOC:
To cross check whether the underlying problem (i.e. no alerts from suricata) has something to do with "upgrade" vs. "fresh install" I installed an additional node from scratch using the 2.4.201-20260114 ISO image. Guess what: First I got the new node showed up under Administration > Grid Members, where I ACKed it but then it never appeared under Grid like new nodes normally do. Waited for two hours - nothing. Started installation from scratch, i.e. removing the node via Administration > Grid Members, re-installing via the ISO, then setting up the node as sensor -> same, i.e. the new sensor node still doesn't show up in the Grid. Rebooting the new sensor node and/or the management node didn't change a thing.

BTW, a so-status I did on the sensor node only gave so-status not yet available even for hours :-(

cm-ops Feb 2, 2026
Maintainer

Do you have a custom rules file configured in your suricata.yaml? When you restart Suricata, and check the /opt/so/log/suricata/suricata.log what rules is the service trying to load?

Do you see the following file - /opt/so/saltstack/local/salt/suricata/rules/all-rulesets.rules

On your node running Suricata, what do these show?

docker exec so-suricata /opt/suricata/bin/suricatasc -c "ruleset-stats" "/var/run/suricata/suricata-command.socket"
docker exec so-suricata /opt/suricata/bin/suricatasc -c "ruleset-reload-time" "/var/run/suricata/suricata-command.socket"

As far as troubleshooting, the steps would look something like below:

1. Run a suricata sync from detections and verify that it is successful; still probably worth taking a look at the sync logs to see if there is anything unusual
2. Confirm that the all-rulesets.rules file exists in the local dir
3. Apply the suricata state on the node; confirm that the all-rulesets.rules file exists in the /opt/so/rules dir
4. Either run those queries to see the current status of the ruleset load and/or restart suricata and tail the logs which will show ruleset load status

MDCAllan Feb 5, 2026

Interesting... well I'm guessing my problem is different:

cd /opt/so/saltstack/local/salt/suricata/rules/

ls

all-rulesets.rules
(opened with nano - contains 49796 lines)

{"message":[{"id":0,"rules_loaded":49787,"rules_failed":0,"rules_skipped":0}],"return":"OK"}
{"message":[{"id":0,"last_reload":"2026-02-05T00:03:33.924674+0000"}],"return":"OK"}

ejgh-oe Feb 5, 2026
Author

On the manager node:

Do you have a custom rules file configured in your suricata.yaml?

No, haven't even touched suricata.yaml in any way

When you restart Suricata, and check the /opt/so/log/suricata/suricata.log what rules is the service trying to load?

On the manager there's no suricata at all - not even any "so-suricata-" command
However on the node running Suricata (i.e. sensor node) -> see below

Do you see the following file - /opt/so/saltstack/local/salt/suricata/rules/all-rulesets.rules

Yes, it's there:

[root@onion-mgr ~]# ls -l /opt/so/saltstack/local/salt/suricata/rules/all-rulesets.rules
-rw-r-----. 1 socore socore 31978948 Feb  4 14:04 /opt/so/saltstack/local/salt/suricata/rules/all-rulesets.rules
[root@onion-mgr ~]#

Now for the sensor node that went through the upgrade 190 > 201:

When you restart Suricata, and check the /opt/so/log/suricata/suricata.log what rules is the service trying to load?

[root@onion-pcap ~]# so-suricata-restart
=========================================================================
Restarting suricata...

This could take a while if another Salt job is running.
Run this command with --force to stop all Salt jobs before proceeding.
=========================================================================
so-suricata
.
.
.

Summary for local
-------------
Succeeded: 26 (changed=1)
Failed:     0
-------------
Total states run:     26
Total run time:    2.282 s
[root@onion-pcap ~]#

but when I take a look at /opt/so/log/suricata/suricata.log I see like the following:

When you restart Suricata, and check the /opt/so/log/suricata/suricata.log what rules is the service trying to load?

[11 - Suricata-Main] 2026-02-05 11:46:32 Warning: detect: No rule files match the pattern /etc/suricata/rules/all.rules
[11 - Suricata-Main] 2026-02-05 11:46:32 Warning: detect: 1 rule files specified, but no rules were loaded!

which makes sense since there's no /etc/suricata/rules/all.rules on the sensor - the all.rules file is located in /opt/so/conf/suricata/rules/all.rules

Back to /opt/so/log/suricata/suricata.log:

...
[11 - Suricata-Main] 2026-02-05 11:46:32 Warning: threshold-config: can't suppress sid 2054639, gid 1: unknown rule
[11 - Suricata-Main] 2026-02-05 11:46:32 Warning: threshold-config: can't suppress sid 2026850, gid 1: unknown rule
[11 - Suricata-Main] 2026-02-05 11:46:32 Warning: threshold-config: can't suppress sid 2024897, gid 1: unknown rule
[11 - Suricata-Main] 2026-02-05 11:46:32 Warning: threshold-config: can't suppress sid 2025701, gid 1: unknown rule
...

Seems like the modifications I made to existing rules via Custom Detections also weren't picked up

Same for custom variables defined via Administration > Configuration > (advanced settings) > Suricata > Advanced - they too weren't loaded:

[11 - Suricata-Main] 2026-02-05 11:46:32 Error: rule-vars: Variable "F5VE1_DMZ_RZ1_V906" is not defined in configuration file
[11 - Suricata-Main] 2026-02-05 11:46:32 Error: threshold-config: failed to parse $F5VE1_DMZ_RZ1_V906
[11 - Suricata-Main] 2026-02-05 11:46:32 Error: rule-vars: Variable "F5VE1_DMZ_RZ1_V906" is not defined in configuration file
[11 - Suricata-Main] 2026-02-05 11:46:32 Error: threshold-config: failed to parse $F5VE1_DMZ_RZ1_V906

Last line in /opt/so/log/suricata/suricata.log:

[11 - Suricata-Main] 2026-02-05 11:46:33 Notice: threads: Threads created -> W: 31 FM: 1 FR: 1   Engine started.

These messages correspond to the status for the node on the GUI:

On your node running Suricata, what do these show?

docker exec so-suricata /opt/suricata/bin/suricatasc -c "ruleset-stats" "/var/run/suricata/suricata-command.socket"

[root@onion-pcap ~]# docker exec so-suricata /opt/suricata/bin/suricatasc -c "ruleset-stats" "/var/run/suricata/suricata-command.socket"
{"message":[{"id":0,"rules_loaded":0,"rules_failed":0,"rules_skipped":0}],"return":"OK"}
[root@onion-pcap ~]#

docker exec so-suricata /opt/suricata/bin/suricatasc -c "ruleset-reload-time" "/var/run/suricata/suricata-command.socket"

[root@onion-pcap ~]# docker exec so-suricata /opt/suricata/bin/suricatasc -c "ruleset-reload-time" "/var/run/suricata/suricata-command.socket"
{"message":[{"id":0,"last_reload":"2026-02-05T11:46:32.412144+0000"}],"return":"OK"}
[root@onion-pcap ~]#

As far as troubleshooting, the steps would look something like below:
Run a suricata sync from detections and verify that it is successful; still probably worth taking a look at the sync logs to see if there is anything unusual

(NB: Interstingly enough even the full sync takes only a couple of seconds which is very uncommon since it took some minutes )

Confirm that the all-rulesets.rules file exists in the local dir

On the sensore node it's in /var/cache/salt/minion/files/base/suricata/rules/all-rulesets.rules and /opt/so/rules/suricata/all-rulesets.rules (same size, same timestamp, same content - but not current date/time

On the manager node it's in /opt/so/saltstack/local/salt/suricata/rules/all-rulesets.rules

[root@onion-mgr ~]# ls -l /opt/so/saltstack/local/salt/suricata/rules/all-rulesets.rules
-rw-r-----. 1 socore socore 31995486 Feb  5 12:14 /opt/so/saltstack/local/salt/suricata/rules/all-rulesets.rules

which has a timestamp of when I triggered the manual full sync

Apply the suricata state on the node; confirm that the all-rulesets.rules file exists in the /opt/so/rules dir

Not sure what you ment by "apply the suricata state" but the /opt/so/rules/suricata looks like this

[root@onion-pcap ~]# ls -l /opt/so/rules/suricata/
total 31232
-rw-r--r--. 1 suricata socore 31978948 Feb  4 14:05 all-rulesets.rules
-rw-r--r--. 1 suricata socore        0 Jan 19 17:05 PLACEHOLDER
[root@onion-pcap ~]#

(again the "all-rulesets.rules" has a timestamp as of yesterday and is different in size compared to the /opt/so/saltstack/local/salt/suricata/rules/all-rulesets.rules file on the manager node)

Either run those queries to see the current status of the ruleset load and/or restart suricata and tail the logs which will show ruleset load status

Here's the full output of so-suricata-restart done on the sensor node

[root@onion-pcap ~]# so-suricata-restart
=========================================================================
Restarting suricata...

This could take a while if another Salt job is running.
Run this command with --force to stop all Salt jobs before proceeding.
=========================================================================
so-suricata
so-suricata
[INFO    ] Loading fresh modules for state activity
[INFO    ] Executing command '/usr/sbin/so-bpf-compile' in directory '/root'
[INFO    ] Running state [/nsm/suripcap] at time 12:26:59.320961
[INFO    ] Executing state file.directory for [/nsm/suripcap]
[INFO    ] The directory /nsm/suripcap is in the correct state
[INFO    ] Completed state [/nsm/suripcap] at time 12:26:59.325270 (duration_in_ms=4.309)
[INFO    ] Running state [/opt/so/conf/suricata] at time 12:26:59.325394
[INFO    ] Executing state file.directory for [/opt/so/conf/suricata]
[INFO    ] The directory /opt/so/conf/suricata is in the correct state
[INFO    ] Completed state [/opt/so/conf/suricata] at time 12:26:59.326164 (duration_in_ms=0.77)
[INFO    ] Running state [/opt/so/conf/suricata/bpf] at time 12:26:59.326290
[INFO    ] Executing state file.managed for [/opt/so/conf/suricata/bpf]
[INFO    ] File /opt/so/conf/suricata/bpf is in the correct state
[INFO    ] Completed state [/opt/so/conf/suricata/bpf] at time 12:26:59.328492 (duration_in_ms=2.201)
[INFO    ] Running state [suricata] at time 12:26:59.328863
[INFO    ] Executing state group.present for [suricata]
[INFO    ] Group suricata is present and up to date
[INFO    ] Completed state [suricata] at time 12:26:59.331125 (duration_in_ms=2.263)
[INFO    ] Running state [suricata] at time 12:26:59.331553
[INFO    ] Executing state user.present for [suricata]
[INFO    ] User suricata is present and up to date
[INFO    ] Completed state [suricata] at time 12:26:59.354802 (duration_in_ms=23.249)
[INFO    ] Running state [socore] at time 12:26:59.354925
[INFO    ] Executing state group.present for [socore]
[INFO    ] Group socore is present and up to date
[INFO    ] Completed state [socore] at time 12:26:59.355500 (duration_in_ms=0.575)
[INFO    ] Running state [/usr/sbin] at time 12:26:59.355606
[INFO    ] Executing state file.recurse for [/usr/sbin]
[INFO    ] The directory /usr/sbin is in the correct state
[INFO    ] Completed state [/usr/sbin] at time 12:26:59.417794 (duration_in_ms=62.188)
[INFO    ] Running state [/usr/sbin] at time 12:26:59.417921
[INFO    ] Executing state file.recurse for [/usr/sbin]
[INFO    ] The directory /usr/sbin is in the correct state
[INFO    ] Completed state [/usr/sbin] at time 12:26:59.449258 (duration_in_ms=31.336)
[INFO    ] Running state [/opt/so/rules/suricata] at time 12:26:59.449379
[INFO    ] Executing state file.directory for [/opt/so/rules/suricata]
[INFO    ] The directory /opt/so/rules/suricata is in the correct state
[INFO    ] Completed state [/opt/so/rules/suricata] at time 12:26:59.450154 (duration_in_ms=0.774)
[INFO    ] Running state [/opt/so/log/suricata] at time 12:26:59.450259
[INFO    ] Executing state file.directory for [/opt/so/log/suricata]
[INFO    ] The directory /opt/so/log/suricata is in the correct state
[INFO    ] Completed state [/opt/so/log/suricata] at time 12:26:59.451005 (duration_in_ms=0.747)
[INFO    ] Running state [/nsm/suricata] at time 12:26:59.451120
[INFO    ] Executing state file.directory for [/nsm/suricata]
[INFO    ] The directory /nsm/suricata is in the correct state
[INFO    ] Completed state [/nsm/suricata] at time 12:26:59.451837 (duration_in_ms=0.717)
[INFO    ] Running state [/nsm/suricata/extracted] at time 12:26:59.451940
[INFO    ] Executing state file.directory for [/nsm/suricata/extracted]
[INFO    ] The directory /nsm/suricata/extracted is in the correct state
[INFO    ] Completed state [/nsm/suricata/extracted] at time 12:26:59.452643 (duration_in_ms=0.703)
[INFO    ] Running state [/opt/so/rules/suricata/] at time 12:26:59.452762
[INFO    ] Executing state file.recurse for [/opt/so/rules/suricata/]
[INFO    ] The directory /opt/so/rules/suricata/ is in the correct state
[INFO    ] Completed state [/opt/so/rules/suricata/] at time 12:26:59.583812 (duration_in_ms=131.05)
[INFO    ] Running state [/usr/local/bin/surilogcompress] at time 12:26:59.583948
[INFO    ] Executing state file.managed for [/usr/local/bin/surilogcompress]
[INFO    ] File /usr/local/bin/surilogcompress is in the correct state
[INFO    ] Completed state [/usr/local/bin/surilogcompress] at time 12:26:59.594218 (duration_in_ms=10.271)
[INFO    ] Running state [/usr/local/bin/surilogcompress] at time 12:26:59.595740
[INFO    ] Executing state cron.present for [/usr/local/bin/surilogcompress]
[INFO    ] Executing command 'crontab' in directory '/root'
[INFO    ] Cron /usr/local/bin/surilogcompress already present
[INFO    ] Completed state [/usr/local/bin/surilogcompress] at time 12:26:59.598848 (duration_in_ms=3.107)
[INFO    ] Running state [/opt/so/conf/suricata/suricata.yaml] at time 12:26:59.598958
[INFO    ] Executing state file.managed for [/opt/so/conf/suricata/suricata.yaml]
[INFO    ] File /opt/so/conf/suricata/suricata.yaml is in the correct state
[INFO    ] Completed state [/opt/so/conf/suricata/suricata.yaml] at time 12:26:59.640613 (duration_in_ms=41.655)
[INFO    ] Running state [/opt/so/conf/suricata/threshold.conf] at time 12:26:59.640745
[INFO    ] Executing state file.managed for [/opt/so/conf/suricata/threshold.conf]
[INFO    ] File /opt/so/conf/suricata/threshold.conf is in the correct state
[INFO    ] Completed state [/opt/so/conf/suricata/threshold.conf] at time 12:26:59.651791 (duration_in_ms=11.046)
[INFO    ] Running state [/opt/so/conf/suricata/classification.config] at time 12:26:59.651912
[INFO    ] Executing state file.managed for [/opt/so/conf/suricata/classification.config]
[INFO    ] File /opt/so/conf/suricata/classification.config is in the correct state
[INFO    ] Completed state [/opt/so/conf/suricata/classification.config] at time 12:26:59.662905 (duration_in_ms=10.993)
[INFO    ] Running state [/usr/sbin/so-suricata-eve-clean] at time 12:26:59.663023
[INFO    ] Executing state file.managed for [/usr/sbin/so-suricata-eve-clean]
[INFO    ] File /usr/sbin/so-suricata-eve-clean is in the correct state
[INFO    ] Completed state [/usr/sbin/so-suricata-eve-clean] at time 12:26:59.673733 (duration_in_ms=10.709)
[INFO    ] Running state [/usr/sbin/so-suricata-rulestats] at time 12:26:59.673853
[INFO    ] Executing state file.managed for [/usr/sbin/so-suricata-rulestats]
[INFO    ] File /usr/sbin/so-suricata-rulestats is in the correct state
[INFO    ] Completed state [/usr/sbin/so-suricata-rulestats] at time 12:26:59.684271 (duration_in_ms=10.418)
[INFO    ] Running state [/opt/so/conf/so-status/so-status.conf] at time 12:26:59.684387
[INFO    ] Executing state file.append for [/opt/so/conf/so-status/so-status.conf]
/opt/saltstack/salt/lib/python3.10/site-packages/salt/utils/psutil_compat.py:16: DeprecationWarning: Please stop importing 'salt.utils.psutil_compat' and instead import 'psutil' directly as there's no longer a need for a compatability layer. The 'salt.utils.psutil_compat' will go away on Salt 3008.0 (Argon).
[INFO    ] Executing command git in directory '/root'
[INFO    ] Executing command 'grep' in directory '/root'
[INFO    ] ['unless condition is true']
[INFO    ] Completed state [/opt/so/conf/so-status/so-status.conf] at time 12:27:00.399054 (duration_in_ms=714.667)
[INFO    ] Running state [so-suricata] at time 12:27:00.400523
[INFO    ] Executing state docker_container.running for [so-suricata]
[INFO    ] {'container_id': {'added': 'ea99c968197acba27d5d58dbe0d0c40abdce372e9d008ec7cfa2374f0475f1a8'}, 'state': {'old': None, 'new': 'running'}}
[INFO    ] Completed state [so-suricata] at time 12:27:01.534447 (duration_in_ms=1133.923)
[INFO    ] Running state [/opt/so/conf/so-status/so-status.conf] at time 12:27:01.535106
[INFO    ] Executing state file.uncomment for [/opt/so/conf/so-status/so-status.conf]
[INFO    ] Pattern already uncommented
[INFO    ] Completed state [/opt/so/conf/so-status/so-status.conf] at time 12:27:01.536965 (duration_in_ms=1.858)
[INFO    ] Running state [/usr/sbin/so-suricata-eve-clean > /dev/null 2>&1] at time 12:27:01.537099
[INFO    ] Executing state cron.present for [/usr/sbin/so-suricata-eve-clean > /dev/null 2>&1]
[INFO    ] Executing command 'crontab' in directory '/root'
[INFO    ] Cron /usr/sbin/so-suricata-eve-clean > /dev/null 2>&1 already present
[INFO    ] Completed state [/usr/sbin/so-suricata-eve-clean > /dev/null 2>&1] at time 12:27:01.539942 (duration_in_ms=2.843)
[INFO    ] Running state [/usr/sbin/so-suricata-rulestats > /dev/null 2>&1] at time 12:27:01.540068
[INFO    ] Executing state cron.present for [/usr/sbin/so-suricata-rulestats > /dev/null 2>&1]
[INFO    ] Executing command 'crontab' in directory '/root'
[INFO    ] Cron /usr/sbin/so-suricata-rulestats > /dev/null 2>&1 already present
[INFO    ] Completed state [/usr/sbin/so-suricata-rulestats > /dev/null 2>&1] at time 12:27:01.542216 (duration_in_ms=2.149)
local:
----------
          ID: suripcapdir
    Function: file.directory
        Name: /nsm/suripcap
      Result: True
     Comment: The directory /nsm/suripcap is in the correct state
     Started: 12:26:59.320961
    Duration: 4.309 ms
     Changes:
----------
          ID: suridir
    Function: file.directory
        Name: /opt/so/conf/suricata
      Result: True
     Comment: The directory /opt/so/conf/suricata is in the correct state
     Started: 12:26:59.325394
    Duration: 0.77 ms
     Changes:
----------
          ID: suribpf
    Function: file.managed
        Name: /opt/so/conf/suricata/bpf
      Result: True
     Comment: File /opt/so/conf/suricata/bpf is in the correct state
     Started: 12:26:59.326291
    Duration: 2.201 ms
     Changes:
----------
          ID: suricatagroup
    Function: group.present
        Name: suricata
      Result: True
     Comment: Group suricata is present and up to date
     Started: 12:26:59.328862
    Duration: 2.263 ms
     Changes:
----------
          ID: suricata
    Function: user.present
      Result: True
     Comment: User suricata is present and up to date
     Started: 12:26:59.331553
    Duration: 23.249 ms
     Changes:
----------
          ID: socoregroupwithsuricata
    Function: group.present
        Name: socore
      Result: True
     Comment: Group socore is present and up to date
     Started: 12:26:59.354925
    Duration: 0.575 ms
     Changes:
----------
          ID: suricata_sbin
    Function: file.recurse
        Name: /usr/sbin
      Result: True
     Comment: The directory /usr/sbin is in the correct state
     Started: 12:26:59.355606
    Duration: 62.188 ms
     Changes:
----------
          ID: suricata_sbin_jinja
    Function: file.recurse
        Name: /usr/sbin
      Result: True
     Comment: The directory /usr/sbin is in the correct state
     Started: 12:26:59.417922
    Duration: 31.336 ms
     Changes:
----------
          ID: suriruledir
    Function: file.directory
        Name: /opt/so/rules/suricata
      Result: True
     Comment: The directory /opt/so/rules/suricata is in the correct state
     Started: 12:26:59.449380
    Duration: 0.774 ms
     Changes:
----------
          ID: surilogdir
    Function: file.directory
        Name: /opt/so/log/suricata
      Result: True
     Comment: The directory /opt/so/log/suricata is in the correct state
     Started: 12:26:59.450258
    Duration: 0.747 ms
     Changes:
----------
          ID: surinsmdir
    Function: file.directory
        Name: /nsm/suricata
      Result: True
     Comment: The directory /nsm/suricata is in the correct state
     Started: 12:26:59.451120
    Duration: 0.717 ms
     Changes:
----------
          ID: suridatadir
    Function: file.directory
        Name: /nsm/suricata/extracted
      Result: True
     Comment: The directory /nsm/suricata/extracted is in the correct state
     Started: 12:26:59.451940
    Duration: 0.703 ms
     Changes:
----------
          ID: surirulesync
    Function: file.recurse
        Name: /opt/so/rules/suricata/
      Result: True
     Comment: The directory /opt/so/rules/suricata/ is in the correct state
     Started: 12:26:59.452762
    Duration: 131.05 ms
     Changes:
----------
          ID: surilogscript
    Function: file.managed
        Name: /usr/local/bin/surilogcompress
      Result: True
     Comment: File /usr/local/bin/surilogcompress is in the correct state
     Started: 12:26:59.583947
    Duration: 10.271 ms
     Changes:
----------
          ID: surilogcompress
    Function: cron.present
        Name: /usr/local/bin/surilogcompress
      Result: True
     Comment: Cron /usr/local/bin/surilogcompress already present
     Started: 12:26:59.595741
    Duration: 3.107 ms
     Changes:
----------
          ID: suriconfig
    Function: file.managed
        Name: /opt/so/conf/suricata/suricata.yaml
      Result: True
     Comment: File /opt/so/conf/suricata/suricata.yaml is in the correct state
     Started: 12:26:59.598958
    Duration: 41.655 ms
     Changes:
----------
          ID: surithresholding
    Function: file.managed
        Name: /opt/so/conf/suricata/threshold.conf
      Result: True
     Comment: File /opt/so/conf/suricata/threshold.conf is in the correct state
     Started: 12:26:59.640745
    Duration: 11.046 ms
     Changes:
----------
          ID: suriclassifications
    Function: file.managed
        Name: /opt/so/conf/suricata/classification.config
      Result: True
     Comment: File /opt/so/conf/suricata/classification.config is in the correct state
     Started: 12:26:59.651912
    Duration: 10.993 ms
     Changes:
----------
          ID: so-suricata-eve-clean
    Function: file.managed
        Name: /usr/sbin/so-suricata-eve-clean
      Result: True
     Comment: File /usr/sbin/so-suricata-eve-clean is in the correct state
     Started: 12:26:59.663024
    Duration: 10.709 ms
     Changes:
----------
          ID: so-suricata-rulestats
    Function: file.managed
        Name: /usr/sbin/so-suricata-rulestats
      Result: True
     Comment: File /usr/sbin/so-suricata-rulestats is in the correct state
     Started: 12:26:59.673853
    Duration: 10.418 ms
     Changes:
----------
          ID: append_so-suricata_so-status.conf
    Function: file.append
        Name: /opt/so/conf/so-status/so-status.conf
      Result: True
     Comment: unless condition is true
     Started: 12:26:59.684387
    Duration: 714.667 ms
     Changes:
----------
          ID: so-suricata
    Function: docker_container.running
      Result: True
     Comment: Created container 'so-suricata'
     Started: 12:27:00.400524
    Duration: 1133.923 ms
     Changes:
              ----------
              container_id:
                  ----------
                  added:
                      ea99c968197acba27d5d58dbe0d0c40abdce372e9d008ec7cfa2374f0475f1a8
              state:
                  ----------
                  new:
                      running
                  old:
                      None
----------
          ID: surirulereload
    Function: cmd.run
        Name: /usr/sbin/so-suricata-reload-rules >> /opt/so/log/suricata/reload.log 2>&1
      Result: True
     Comment: State was not run because none of the onchanges reqs changed
     Started: 12:27:01.535050
    Duration: 0.003 ms
     Changes:
----------
          ID: delete_so-suricata_so-status.disabled
    Function: file.uncomment
        Name: /opt/so/conf/so-status/so-status.conf
      Result: True
     Comment: Pattern already uncommented
     Started: 12:27:01.535107
    Duration: 1.858 ms
     Changes:
----------
          ID: clean_suricata_eve_files
    Function: cron.present
        Name: /usr/sbin/so-suricata-eve-clean > /dev/null 2>&1
      Result: True
     Comment: Cron /usr/sbin/so-suricata-eve-clean > /dev/null 2>&1 already present
     Started: 12:27:01.537099
    Duration: 2.843 ms
     Changes:
----------
          ID: suricata_rulestats
    Function: cron.present
        Name: /usr/sbin/so-suricata-rulestats > /dev/null 2>&1
      Result: True
     Comment: Cron /usr/sbin/so-suricata-rulestats > /dev/null 2>&1 already present
     Started: 12:27:01.540067
    Duration: 2.149 ms
     Changes:

Summary for local
-------------
Succeeded: 26 (changed=1)
Failed:     0
-------------
Total states run:     26
Total run time:    2.215 s
[root@onion-pcap ~]#

ejgh-oe · 2026-02-02T16:16:25Z

ejgh-oe
Feb 2, 2026
Author

Do you have a custom rules file configured in your suricata.yaml? When you restart Suricata, and check the /opt/so/log/suricata/suricata.log what rules is the service trying to load?...

Just to be clear: The checks you mentioned are to be done/run on the manager or sensor node?

1 reply

cm-ops Feb 3, 2026
Maintainer

Docker commands on sensor nodes. Troubleshooting steps on manager node.

Kronos1253 · 2026-02-04T12:31:04Z

Kronos1253
Feb 4, 2026

Red herring... the grid produced a "elastalert missing" error after this change, I tried increasing heap and memory allocations to see if that could be the cause at that point to no avail. Back to default on that setting.

Too bad that didn't help :-(

Seems we'll have to wait till hopefully someone from SecurityOnion comes up with an idea as to what's going on after the upgrade to 2.4.200 and how to fix this problem, esp. since this problem kills the most basic feature of a NIDS - alarms - completely.

Did you remove the block file? When upgrading to .200 there is a syncblock file that will stop alerts. Might have missed it if you referenced it already.

2 replies

MDCAllan Feb 4, 2026

Yes

ejgh-oe Feb 5, 2026
Author

Yes, same here - as by the book (https://docs.securityonion.net/en/2.4/nids.html#sync-block) ;-)

ejgh-oe · 2026-02-05T12:34:02Z

ejgh-oe
Feb 5, 2026
Author

Did the tests you mentioned - see above #15429 (reply in thread)

9 replies

ejgh-oe Feb 6, 2026
Author

Here we go:

then started a full suricata sync

which went OK

...waited around 10 minutes and ...

on all sensors and alerts are also coming in. So happy to see alerts again :-)

BTW, does 47456 (see screenshot above) seem a reasonable number wrt suricata rules loaded?

ejgh-oe Feb 6, 2026
Author

Looks like somehow my custom rules defined in a rules file (see #15429 (comment)) aren't picked up since I'm again getting alerts for connections I've defined "pass" rules in the custom rules file a long time ago already

ejgh-oe Feb 6, 2026
Author

Found a possible explanation/reason: soc > config > server > modules > suricataengine > customRulesets [adv] points to
/nsm/rules/detect-suricata/custom_file/tuned.rules

This is where my custom Suricata rules-file is actually stored

[root@onion-mgr custom_file]# pwd
/nsm/rules/detect-suricata/custom_file
[root@onion-mgr custom_file]# ls -la
total 88
drwxr-xr-x. 2 socore socore    25 Jan 28 14:39 .
drwxr-xr-x. 4 socore socore    44 Jun 29  2024 ..
-rw-r--r--. 1 socore socore 89552 Jan 28 14:39 tuned.rules
[root@onion-mgr custom_file]#

On the other hand soc > config > server > modules > suricataengine > rulesetSources > default > local-rules points to
/nsm/rules/custom-local-repos/local-suricata

and this directory only holds

[root@onion-mgr local-suricata]# pwd
/nsm/rules/custom-local-repos/local-suricata
[root@onion-mgr local-suricata]# ls -la
total 4
drwxr-xr-x. 3 socore socore   32 Feb  6 20:49 .
drwxr-xr-x. 6 socore socore   93 Jan 19 16:49 ..
drwxr-xr-x. 7 socore socore  119 Jan 19 16:49 .git
-rw-r--r--. 1 socore socore 1634 Jan 19 16:49 README
[root@onion-mgr local-suricata]#

So here are my questions:

Where should custom Suricata rules really go? /nsm/rules/detect-suricata/custom_file/ which is where I always had them or /nsm/rules/custom-local-repos/local-suricata?
Which of the two settings - soc > config > server > modules > suricataengine > rulesetSources > default > local-rules or soc > config > server > modules > suricataengine > customRulesets is the relevant one when it comes to custom Suricata rules?

cm-ops Feb 9, 2026
Maintainer

All rulesets configurations with the changes to Detections should be done via the new consolidated rulest option in soc > config > server > modules > suricataengine > rulesetSources > default. The other setting will be updated with a deprication warning and changed to readonly.

Answer selected by ejgh-oe

ejgh-oe Feb 9, 2026
Author

Ah, that explains a lot... Since I had my custom rules in /nsm/rules/detect-suricata/custom_file whereas S.O. is actually looking at /nsm/rules/custom-local-repos/local-suricata which didn't hold any rules file my custom rules weren't picked up - makes sense. Haven't seen mentioned this change in the docs, but maybe I overlooked something in the first place.

Anyway, just moved my rules file to the new place, did a manual suricata full sync, waited around 15mins and now finally all false alarms are gone while other alarms still come in making my S.O. happy again (finally it's "make your adversaries cry" again instead of "makes the admin cry" ;-) ). Thanks alot for your help over the past days/weeks in getting my S.O. installation working again.

Two final questions in this context:

As for the /nsm/rules/custom-local-repos/local-suricata: as per the README in that directory it seems like that's git repo. Is it necessary to add/commit any custom rules file here so they get picked up by S.O. or is add/committing files optional in case one wants to be easily be able to step back. (As a matter of fact I'm holding my custom rules file in git on a separate server anyway, so keeping it under git in S.O. would just make it "double-git" )

Is just one rules file allowed in /nsm/rules/custom-local-repos/local-suricata or could I have multiple rules files?

cm-ops Feb 10, 2026
Maintainer

In /nsm/rules/custom-local-repos/local-suricata you should be able to drop your custom rules in a .rules file for import.

For multiple rules files:
https://docs.securityonion.net/en/2.4/nids.html#supported-source-path-formats

Configure it according to - Directory containing multiple .rules files (e.g., /nsm/rules/custom-local-repos/local-suricata-import/) (as an example in the docs).

MDCAllan · 2026-02-05T18:29:03Z

MDCAllan
Feb 5, 2026

Alerts stated working again today.... Last night before I left work, I was just going through various settings in the admin>configuration settings, looking for what may be causing the hangup and found that my global>pcapengine was set to transition mode. I believe this was based on a SO guide/doc I was reading some months ago about this becoming the default for regular grids. I decided to switch it back to STENO for now. Came in this morning and alerts are working again. Perhaps it's not supposed to be in transition mode during updates? I wonder...
Might want to have a look at that setting!

6 replies

ejgh-oe Feb 6, 2026
Author

Hi,
Too bad - when reading your first post I first thought, this finally might be the solution. BTW, my global > pcapengine was and is set to STENO which reflects that I'm getting packet captures on the sensor nodes. However with suricata not working they're not getting analyzed.

It really seems to have something to do with suricata not kicking in on a global basis.

MDCAllan Feb 6, 2026

Yea... I went from getting no alerts, to getting SOME alerts by switching that, but none of them are network traffic related, and all but 1 of my sensors now say "0 days pcap retention" and has no data in the suripcap directories in nsm.

MDCAllan Feb 7, 2026

Looks like I finally figured out what was causing my problem.. Turns out, somewhere along the way, the bond0 interfaces on the sensors assume MTU 9000. Not sure if this is a change that took place in an update or what, but the virtio interface I have attatched to these virtual machines were set to 1500. After changing the linux bridges on proxmox, and the interfaces on the sensors listening to those bridges ("hub-mode" aging 0) to MTU 9000, the sensors are gathering data again and we're getting alerts again. Works in Suricata or Stenographer mode.

dougburks Feb 9, 2026
Maintainer

@MDCAllan Please see the note on the Proxmox page in our documentation (https://securityonion.net/docs/proxmox.html):

If you are running Proxmox 9 or higher, then you may also need to set mtu 9000 for the Proxmox physical sniffing interface and its corresponding bridge interface.

MDCAllan Feb 10, 2026

Thanks Doug,

Yea we're hosted on proxmox (updated to 9 back in Sept), but this had been working fine up until maybe 6-8 weeks ago? There's no physical interface this connects to.. the sensor node just lives on the same physical server with a virtualized firewall... both attached to a virtual bridge (with no-aging set)....

Once I set the bridge and virtio interface on proxmox to MTU 9000, everything started working again. The bond0 was able to pick up the assigned interface as a slave. (before it was failing).

No Alerts after upgrading 2.4.190 > 2.4.201 #15429

Uh oh!

Version

Installation Method

Description

Installation Type

Location

Hardware Specs

CPU

RAM

Storage for /

Storage for /nsm

Network Traffic Collection

Network Traffic Speeds

Status

Salt Status

Logs

Detail

Guidelines

Replies: 8 comments · 25 replies

Uh oh!

Uh oh!

Uh oh!

cm-ops Jan 29, 2026 Maintainer

Uh oh!

ejgh-oe Jan 29, 2026 Author

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

ejgh-oe Jan 30, 2026 Author

Uh oh!

Uh oh!

ejgh-oe Feb 1, 2026 Author

Uh oh!

cm-ops Feb 2, 2026 Maintainer

Uh oh!

cd /opt/so/saltstack/local/salt/suricata/rules/

ls

Uh oh!

ejgh-oe Feb 5, 2026 Author

Uh oh!

ejgh-oe Feb 2, 2026 Author

Uh oh!

cm-ops Feb 3, 2026 Maintainer

Uh oh!

Uh oh!

Uh oh!

ejgh-oe Feb 5, 2026 Author

Uh oh!

ejgh-oe Feb 5, 2026 Author

Uh oh!

ejgh-oe Feb 6, 2026 Author

Uh oh!

ejgh-oe Feb 6, 2026 Author

Uh oh!

ejgh-oe Feb 6, 2026 Author

Uh oh!

cm-ops Feb 9, 2026 Maintainer

Uh oh!

ejgh-oe Feb 9, 2026 Author

Uh oh!

cm-ops Feb 10, 2026 Maintainer

Uh oh!

Uh oh!

Uh oh!

ejgh-oe Feb 6, 2026 Author

Uh oh!

Replies: 8 comments 25 replies

cm-ops
Jan 29, 2026
Maintainer

ejgh-oe Jan 29, 2026
Author

ejgh-oe
Jan 30, 2026
Author

ejgh-oe Feb 1, 2026
Author

cm-ops Feb 2, 2026
Maintainer

ejgh-oe Feb 5, 2026
Author

ejgh-oe
Feb 2, 2026
Author

cm-ops Feb 3, 2026
Maintainer

ejgh-oe Feb 5, 2026
Author

ejgh-oe
Feb 5, 2026
Author

ejgh-oe Feb 6, 2026
Author

ejgh-oe Feb 6, 2026
Author

ejgh-oe Feb 6, 2026
Author

cm-ops Feb 9, 2026
Maintainer

ejgh-oe Feb 9, 2026
Author

cm-ops Feb 10, 2026
Maintainer

ejgh-oe Feb 6, 2026
Author