No new logs visible in elastic out of nowhere #15224

Maurice-De · 2025-11-13T16:05:42Z

Maurice-De
Nov 13, 2025

Version

2.4.190

Installation Method

Security Onion ISO image

Description

configuration

Installation Type

Distributed

Location

on-prem with Internet access

Hardware Specs

Exceeds minimum requirements

CPU

48 devided over the different machines

RAM

300gb devided over the different machines

Storage for /

300gb

Storage for /nsm

3tb

Network Traffic Collection

other (please provide detail below)

Network Traffic Speeds

1Gbps to 10Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

No, there are no failures

Logs

Yes, there are additional clues in /opt/so/log/ (please provide detail below)

Detail

Hi, We have a distributed setup with 1 manager, 1 forwarder node and 3 search nodes. They ran fine for 2 years, but for some reason the logging seemed to stopped yesterday for (so far I can see) no obvious reason. All the status pages show ok and green. the only thing I could find was some logs from logstash that started yesterday about an expired certificate, but the strange part is that I cannot find which certificate is expired (every certificate in /etc/pki/ is still valid) and if this is even the culprit of the situation. I cannot find that elastic is read-only, the status sometimes states pending I think because of relocation of shards. Sometimes elastalert is missing, but comes back automatically.

[2025-11-13T15:00:19,087][INFO ][org.logstash.beats.BeatsHandler] [local: *.*.*.*:****, remote: *.*.*.*:****] Handling exception: io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: PKIX path validation failed: java.security.cert.CertPathValidatorException: validity check failed (caused by: java.security.cert.CertificateExpiredException: NotAfter: Tue Nov 11 11:42:57 GMT 2025) [2025-11-13T15:00:19,087][WARN ][io.netty.channel.DefaultChannelPipeline] An exceptionCaught() event was fired, and it reached at the tail of the pipeline. It usually means the last handler in the pipeline did not handle the exception. io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: PKIX path validation failed: java.security.cert.CertPathValidatorException: validity check failed at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:500) ~[netty-codec-4.1.126.Final.jar:4.1.126.Final] at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:290) ~[netty-codec-4.1.126.Final.jar:4.1.126.Final] at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:444) ~[netty-transport-4.1.126.Final.jar:4.1.126.Final] at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420) ~[netty-transport-4.1.126.Final.jar:4.1.126.Final] at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:412) ~[netty-transport-4.1.126.Final.jar:4.1.126.Final] at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1357) ~[netty-transport-4.1.126.Final.jar:4.1.126.Final] at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:440) ~[netty-transport-4.1.126.Final.jar:4.1.126.Final] at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420) ~[netty-transport-4.1.126.Final.jar:4.1.126.Final] at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:868) ~[netty-transport-4.1.126.Final.jar:4.1.126.Final] at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:166) ~[netty-transport-4.1.126.Final.jar:4.1.126.Final] at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:796) ~[netty-transport-4.1.126.Final.jar:4.1.126.Final] at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:732) ~[netty-transport-4.1.126.Final.jar:4.1.126.Final] at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:658) ~[netty-transport-4.1.126.Final.jar:4.1.126.Final] at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:562) ~[netty-transport-4.1.126.Final.jar:4.1.126.Final] at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:998) ~[netty-common-4.1.126.Final.jar:4.1.126.Final] at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74) ~[netty-common-4.1.126.Final.jar:4.1.126.Final] at java.lang.Thread.run(Thread.java:1583) ~[?:?] Caused by: javax.net.ssl.SSLHandshakeException: PKIX path validation failed: java.security.cert.CertPathValidatorException: validity check failed at sun.security.ssl.Alert.createSSLException(Alert.java:130) ~[?:?] at sun.security.ssl.TransportContext.fatal(TransportContext.java:383) ~[?:?] at sun.security.ssl.TransportContext.fatal(TransportContext.java:326) ~[?:?] at sun.security.ssl.TransportContext.fatal(TransportContext.java:321) ~[?:?] at sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkClientCerts(CertificateMessage.java:1272) ~[?:?] at sun.security.ssl.CertificateMessage$T13CertificateConsumer.onConsumeCertificate(CertificateMessage.java:1176) ~[?:?] at sun.security.ssl.CertificateMessage$T13CertificateConsumer.consume(CertificateMessage.java:1153) ~[?:?] at sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:393) ~[?:?] at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:476) ~[?:?] at sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1273) ~[?:?] at sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1260) ~[?:?] at java.security.AccessController.doPrivileged(AccessController.java:714) ~[?:?] at sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:1205) ~[?:?] at io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1695) ~[netty-handler-4.1.126.Final.jar:4.1.126.Final] at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1541) ~[netty-handler-4.1.126.Final.jar:4.1.126.Final] at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1377) ~[netty-handler-4.1.126.Final.jar:4.1.126.Final] at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1428) ~[netty-handler-4.1.126.Final.jar:4.1.126.Final] at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:530) ~[netty-codec-4.1.126.Final.jar:4.1.126.Final] at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:469) ~[netty-codec-4.1.126.Final.jar:4.1.126.Final] ... 16 more Caused by: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: validity check failed at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:318) ~[?:?] at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:267) ~[?:?] at sun.security.validator.Validator.validate(Validator.java:256) ~[?:?] at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:284) ~[?:?] at sun.security.ssl.X509TrustManagerImpl.checkClientTrusted(X509TrustManagerImpl.java:138) ~[?:?] at io.netty.handler.ssl.EnhancingX509ExtendedTrustManager.checkClientTrusted(EnhancingX509ExtendedTrustManager.java:62) ~[netty-handler-4.1.126.Final.jar:4.1.126.Final] at sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkClientCerts(CertificateMessage.java:1250) ~[?:?] at sun.security.ssl.CertificateMessage$T13CertificateConsumer.onConsumeCertificate(CertificateMessage.java:1176) ~[?:?] at sun.security.ssl.CertificateMessage$T13CertificateConsumer.consume(CertificateMessage.java:1153) ~[?:?] at sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:393) ~[?:?] at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:476) ~[?:?] at sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1273) ~[?:?] at sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1260) ~[?:?] at java.security.AccessController.doPrivileged(AccessController.java:714) ~[?:?] at sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:1205) ~[?:?] at io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1695) ~[netty-handler-4.1.126.Final.jar:4.1.126.Final] at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1541) ~[netty-handler-4.1.126.Final.jar:4.1.126.Final] at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1377) ~[netty-handler-4.1.126.Final.jar:4.1.126.Final] at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1428) ~[netty-handler-4.1.126.Final.jar:4.1.126.Final] at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:530) ~[netty-codec-4.1.126.Final.jar:4.1.126.Final] at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:469) ~[netty-codec-4.1.126.Final.jar:4.1.126.Final] ... 16 more Caused by: java.security.cert.CertPathValidatorException: validity check failed at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:135) ~[?:?] at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:224) ~[?:?] at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:144) ~[?:?] at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:83) ~[?:?] at java.security.cert.CertPathValidator.validate(CertPathValidator.java:309) ~[?:?] at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:313) ~[?:?] at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:267) ~[?:?] at sun.security.validator.Validator.validate(Validator.java:256) ~[?:?] at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:284) ~[?:?] at sun.security.ssl.X509TrustManagerImpl.checkClientTrusted(X509TrustManagerImpl.java:138) ~[?:?] at io.netty.handler.ssl.EnhancingX509ExtendedTrustManager.checkClientTrusted(EnhancingX509ExtendedTrustManager.java:62) ~[netty-handler-4.1.126.Final.jar:4.1.126.Final] at sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkClientCerts(CertificateMessage.java:1250) ~[?:?] at sun.security.ssl.CertificateMessage$T13CertificateConsumer.onConsumeCertificate(CertificateMessage.java:1176) ~[?:?] at sun.security.ssl.CertificateMessage$T13CertificateConsumer.consume(CertificateMessage.java:1153) ~[?:?] at sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:393) ~[?:?] at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:476) ~[?:?] at sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1273) ~[?:?] at sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1260) ~[?:?] at java.security.AccessController.doPrivileged(AccessController.java:714) ~[?:?] at sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:1205) ~[?:?] at io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1695) ~[netty-handler-4.1.126.Final.jar:4.1.126.Final] at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1541) ~[netty-handler-4.1.126.Final.jar:4.1.126.Final] at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1377) ~[netty-handler-4.1.126.Final.jar:4.1.126.Final] at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1428) ~[netty-handler-4.1.126.Final.jar:4.1.126.Final] at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:530) ~[netty-codec-4.1.126.Final.jar:4.1.126.Final] at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:469) ~[netty-codec-4.1.126.Final.jar:4.1.126.Final] ... 16 more Caused by: java.security.cert.CertificateExpiredException: NotAfter: Tue Nov 11 11:42:57 GMT 2025 at sun.security.x509.CertificateValidity.valid(CertificateValidity.java:182) ~[?:?] at sun.security.x509.X509CertImpl.checkValidity(X509CertImpl.java:534) ~[?:?] at sun.security.provider.certpath.BasicChecker.verifyValidity(BasicChecker.java:190) ~[?:?] at sun.security.provider.certpath.BasicChecker.check(BasicChecker.java:144) ~[?:?] at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:125) ~[?:?] at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:224) ~[?:?] at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:144) ~[?:?] at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:83) ~[?:?] at java.security.cert.CertPathValidator.validate(CertPathValidator.java:309) ~[?:?] at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:313) ~[?:?] at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:267) ~[?:?] at sun.security.validator.Validator.validate(Validator.java:256) ~[?:?] at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:284) ~[?:?] at sun.security.ssl.X509TrustManagerImpl.checkClientTrusted(X509TrustManagerImpl.java:138) ~[?:?] at io.netty.handler.ssl.EnhancingX509ExtendedTrustManager.checkClientTrusted(EnhancingX509ExtendedTrustManager.java:62) ~[netty-handler-4.1.126.Final.jar:4.1.126.Final] at sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkClientCerts(CertificateMessage.java:1250) ~[?:?] at sun.security.ssl.CertificateMessage$T13CertificateConsumer.onConsumeCertificate(CertificateMessage.java:1176) ~[?:?] at sun.security.ssl.CertificateMessage$T13CertificateConsumer.consume(CertificateMessage.java:1153) ~[?:?] at sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:393) ~[?:?] at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:476) ~[?:?] at sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1273) ~[?:?] at sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1260) ~[?:?] at java.security.AccessController.doPrivileged(AccessController.java:714) ~[?:?] at sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:1205) ~[?:?] at io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1695) ~[netty-handler-4.1.126.Final.jar:4.1.126.Final] at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1541) ~[netty-handler-4.1.126.Final.jar:4.1.126.Final] at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1377) ~[netty-handler-4.1.126.Final.jar:4.1.126.Final] at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1428) ~[netty-handler-4.1.126.Final.jar:4.1.126.Final] at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:530) ~[netty-codec-4.1.126.Final.jar:4.1.126.Final] at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:469) ~[netty-codec-4.1.126.Final.jar:4.1.126.Final] ... 16 more

Guidelines

I have read the discussion guidelines at Read before posting! #1720 and assert that I have followed the guidelines.

Answered by cm-ops

Nov 25, 2025

This was handled by Security Onion Professional Services.

Replaced the certificate and key in Fleet > Logstash output.

View full answer

Maurice-De · 2025-11-14T14:55:46Z

Maurice-De
Nov 14, 2025
Author

Could it be some sort of mutual TLS where the client package of the elastic agent that is deployed by security onion still has the old certificate?

0 replies

reyesj2 · 2025-11-14T16:59:49Z

reyesj2
Nov 14, 2025
Maintainer

EDIT: commands should run from the manager / managersearch

You said all the certs are valid? We can recheck with something like (runs on each node that is part of the log ingest process)

sudo salt -C 'G@role:so-manager or G@role:so-managersearch or G@role:so-searchnode or G@role:so-receiver' cmd.run 'for f in /etc/pki/*.crt; do echo "$f"; openssl x509 -in "$f" -noout -enddate; done'

If all services are running can you try also checking elasticsearch status (and provide output)

sudo so-elasticsearch-troubleshoot

Have you done any customization to any logstash pipelines?
This will run so-logstash-health command on all the nodes that would be running logstash

sudo salt -C 'G@role:so-manager or G@role:so-managersearch or G@role:so-searchnode or G@role:so-receiver' cmd.run 'so-logstash-health'

1 reply

Maurice-De Nov 17, 2025
Author

Hi @reyesj2 ,

Thank you for the reply, for the customization: I did not change anything in the pipelines as far as I know.

sudo salt -C 'G@role:so-manager or G@role:so-managersearch or G@role:so-searchnode or G@role:so-receiver' cmd.run 'for f in /etc/pki/*.crt; do echo "$f"; openssl x509 -in "$f" -noout -enddate; done'

All certificates return valid, the first ones to expire are in February 2026.

sudo so-elasticsearch-troubleshoot

================ Elasticsearch Status ================

 All health indicators are green

================ Disk Usage Check ================

LOW:80% HIGH:85% FLOOD:90%

 manager disk usage: 80.92%
 search-03 disk usage: 80.69%
 search-02 disk usage: 52.63%
 search-01 disk usage: 49.27%

================ Unassigned Shards Check ================

 All shards are assigned

A little bit strange that there are 2 servers with 80% usage, and 2 with 50%.

sudo salt -C 'G@role:so-manager or G@role:so-managersearch or G@role:so-searchnode or G@role:so-receiver' cmd.run 'so-logstash-health'

03_searchnode:
    {
      "host": "so-logstash",
      "version": "8.18.8",
      "http_address": "0.0.0.0:9600",
      "id": "****",
      "name": "so-logstash",
      "ephemeral_id": "****",
      "snapshot": false,
      "status": "green",
      "symptom": "1 indicator is healthy ('pipelines')",
      "indicators": {
        "pipelines": {
          "status": "green",
          "symptom": "1 indicator is healthy ('search')",
          "indicators": {
            "search": {
              "status": "green",
              "symptom": "The pipeline is healthy",
              "details": {
                "status": {
                  "state": "RUNNING"
                },
                "flow": {
                  "worker_utilization": {
                    "last_5_minutes": 0.0001623,
                    "last_1_minute": 0.0001983,
                    "lifetime": 0.003165,
                    "last_1_hour": 0.0001316,
                    "last_15_minutes": 0.0001361,
                    "current": 0.0,
                    "last_24_hours": 0.0001342
                  }
                }
              }
            }
          }
        }
      }
    }
02_searchnode:
    {
      "host": "so-logstash",
      "version": "8.18.8",
      "http_address": "0.0.0.0:9600",
      "id": "****",
      "name": "so-logstash",
      "ephemeral_id": "****",
      "snapshot": false,
      "status": "green",
      "symptom": "1 indicator is healthy ('pipelines')",
      "indicators": {
        "pipelines": {
          "status": "green",
          "symptom": "1 indicator is healthy ('search')",
          "indicators": {
            "search": {
              "status": "green",
              "symptom": "The pipeline is healthy",
              "details": {
                "status": {
                  "state": "RUNNING"
                },
                "flow": {
                  "worker_utilization": {
                    "last_1_hour": 0.0001409,
                    "lifetime": 0.006298,
                    "last_1_minute": 0.0002048,
                    "last_5_minutes": 0.0001634,
                    "last_24_hours": 0.0001398,
                    "current": 0.0,
                    "last_15_minutes": 0.0001364
                  }
                }
              }
            }
          }
        }
      }
    }
01_searchnode:
    {
      "host": "so-logstash",
      "version": "8.18.8",
      "http_address": "0.0.0.0:9600",
      "id": "****",
      "name": "so-logstash",
      "ephemeral_id": "****",
      "snapshot": false,
      "status": "green",
      "symptom": "1 indicator is healthy ('pipelines')",
      "indicators": {
        "pipelines": {
          "status": "green",
          "symptom": "1 indicator is healthy ('search')",
          "indicators": {
            "search": {
              "status": "green",
              "symptom": "The pipeline is healthy",
              "details": {
                "status": {
                  "state": "RUNNING"
                },
                "flow": {
                  "worker_utilization": {
                    "last_5_minutes": 0.0001657,
                    "last_24_hours": 0.0001422,
                    "current": 0.001072,
                    "last_15_minutes": 0.0001371,
                    "last_1_hour": 0.0001377,
                    "lifetime": 0.006344,
                    "last_1_minute": 0.0002027
                  }
                }
              }
            }
          }
        }
      }
    }
_manager:
    {
      "host": "so-logstash",
      "version": "8.18.8",
      "http_address": "0.0.0.0:9600",
      "id": "****",
      "name": "so-logstash",
      "ephemeral_id": "****",
      "snapshot": false,
      "status": "green",
      "symptom": "1 indicator is healthy ('pipelines')",
      "indicators": {
        "pipelines": {
          "status": "green",
          "symptom": "1 indicator is healthy ('manager')",
          "indicators": {
            "manager": {
              "status": "green",
              "symptom": "The pipeline is healthy",
              "details": {
                "status": {
                  "state": "RUNNING"
                },
                "flow": {
                  "worker_utilization": {
                    "last_5_minutes": 0.0001212,
                    "last_1_minute": 0.000194,
                    "lifetime": 0.0001104,
                    "last_1_hour": 0.00009259,
                    "last_15_minutes": 0.0000962,
                    "current": 0.0,
                    "last_24_hours": 0.00009455
                  }
                }
              }
            }
          }
        }
      }
    }

reyesj2 · 2025-11-20T14:19:30Z

reyesj2
Nov 20, 2025
Maintainer

How are you ingesting logs? Via the Elastic Agent ?

If you go to SOC -> Downloads and download a fresh Elastic Agent are you able to install it on a new host and receive logs?

2 replies

Maurice-De Nov 20, 2025
Author

We have the elastic agent deployed on all nodes we want the logs from, I have tried to install a fresh downloaded agent from the SOC>Downloads page with no luck. I even found the command to rebuild the agents (because the download was not working and the MSI file was not there) with no luck.

In between all the certificate expired messages in the logstash logs there are also certificate expired messages from the IP's of the Security Onion nodes themself.

reyesj2 Nov 21, 2025
Maintainer

Is time sync'd up across your grid ? salt '*' cmd.run date

Can you share what your elastic fleet agent status page looks like? Are agents showing connected or some error?

In Dashboards do you have any logs at all for say the past 24h ?

cm-ops · 2025-11-25T15:20:56Z

cm-ops
Nov 25, 2025
Maintainer

This was handled by Security Onion Professional Services.

Replaced the certificate and key in Fleet > Logstash output.

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

No new logs visible in elastic out of nowhere #15224

Uh oh!

{{title}}

Uh oh!

Replies: 4 comments 3 replies

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

No new logs visible in elastic out of nowhere #15224

Uh oh!

Maurice-De Nov 13, 2025

Version

Installation Method

Description

Installation Type

Location

Hardware Specs

CPU

RAM

Storage for /

Storage for /nsm

Network Traffic Collection

Network Traffic Speeds

Status

Salt Status

Logs

Detail

Guidelines

Replies: 4 comments · 3 replies

Uh oh!

Maurice-De Nov 14, 2025 Author

Uh oh!

Uh oh!

reyesj2 Nov 14, 2025 Maintainer

Uh oh!

Maurice-De Nov 17, 2025 Author

Uh oh!

reyesj2 Nov 20, 2025 Maintainer

Uh oh!

Maurice-De Nov 20, 2025 Author

Uh oh!

reyesj2 Nov 21, 2025 Maintainer

Uh oh!

cm-ops Nov 25, 2025 Maintainer

Maurice-De
Nov 13, 2025

Replies: 4 comments 3 replies

Maurice-De
Nov 14, 2025
Author

reyesj2
Nov 14, 2025
Maintainer

Maurice-De Nov 17, 2025
Author

reyesj2
Nov 20, 2025
Maintainer

Maurice-De Nov 20, 2025
Author

reyesj2 Nov 21, 2025
Maintainer

cm-ops
Nov 25, 2025
Maintainer