Read before posting!

[dougburks]

Hello and welcome to the Security Onion Discussions Forum!

Please read these guidelines before posting!

Community Support
Community Support is considered best effort and there are no guarantees and no SLAs. Please do not mark discussions as urgent. If you need urgent, private, priority, or enterprise support, please consider purchasing support from Security Onion Solutions.

Github Community Guidelines
Please review the Github Community Guidelines.

Check Documentation First
Before posting for help, check the Help, FAQ, and other sections of the documentation to see if your question has already been answered there.

Etiquette
Please be patient, courteous, and respectful. Disrespectful messages can result in being banned.

Start a new discussion instead of replying to somebody else's discussion
Please search to see if you can find similar discussions that may help you. However, in order to avoid confusion, please do NOT reply to somebody else's discussion with your own issue. Instead, please start a new discussion and in that new discussion you can provide a hyperlink to the related discussion.

Tagging Individuals
Please do not tag an individual in a discussion unless that individual has already volunteered to help you in that discussion.

Make your discussion search friendly
When creating your discussion, please put a relevant and descriptive title in the Title field and avoid generic titles like Help. When copying text from your Security Onion deployment to the discussion, please copy as plain text when possible rather than taking a screenshot of the text. This allows others to search for and find your text.

Formatting
Make sure all code blocks, log snippets, and configuration samples are surrounded in triple back ticks to preserve original formatting. It should look like the below shaded area in the preview pane of your post:

some: value
something: else

Avoid yelling
Avoid typing in ALL CAPS as this looks like YELLING!

Document resolution for others
If you resolve your own discussion, don't forget to document the resolution for others who may experience the same.

Stay on topic
In order to keep the signal-to-noise ratio as high as possible, this discussion forum should only be used for questions directly relating to Security Onion itself. If you have generic questions about operating systems or networking, you should search the Internet for other forums or relevant information.

Provide sufficient technical info
In order to be as effective and efficient as possible, please consider the following when posing your question/problem to the group:
http://www.chiark.greenend.org.uk/~sgtatham/bugs.html

Please include the following details where you can:

• Security Onion version as seen in the lower left corner of SOC and in /etc/soversion. For example: 2.4.10
• Is this a cloud deployment or on-prem? If on-prem, do you have Internet access or this an airgap installation?
• Did you install from our Security Onion ISO image or did you perform a network installation?
• If network installation, what distro and version did you install on?
• How many nodes do you have?
• What are the hardware specs of each of those nodes?
• How are each of those nodes configured? (ex. manager with 2 search nodes and 3 forward nodes)
• Are you experiencing issues monitoring network traffic? If so, are you sniffing from a tap or span port and what is the traffic volume?
• Does so-status show all services running?
• Do you get any failures when you run sudo salt-call state.highstate?
• Does the SOC Grid page show any failures?
• Explain your issue. For example: Installation fails when I select this series of options...
• Provide applicable logs. If you are having problems right after setup, provide /root/sosetup.log. If you are having problems during soup, provide /root/soup.log. If you are having problems with a specific component, provide that component's logs from /opt/so/log/.

If you need to include a large section of output, please do so as an attached file or Github gist rather than including the output directly in the reply itself.

If you attach files, please make sure they are plain text format. No Word docs or PDFs please.