After upgrade to 2.4.200, Zeek docker container fails to start

[ZacharyPax]

Version

2.4.200

Installation Method

Security Onion ISO image

Description

upgrading

Installation Type

Standalone

Location

on-prem with Internet access

Hardware Specs

Exceeds minimum requirements

CPU

32

RAM

256GB

Storage for /

1TB

Storage for /nsm

13.5TB

Network Traffic Collection

span port

Network Traffic Speeds

1Gbps to 10Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

Yes, there are salt failures (please provide detail below)

Logs

No, there are no additional clues

Detail

Hello,

After upgrading to Security Onion 2.4.200 with SOUP, the so-zeek container fails to start. This is despite Suricata and Stenographer working. Traffic is present on the bond port, but Zeek doesn't analyze it and the docker container repeatedly gets stuck "starting" or fails out.

The docker container logs simply repeat this:

---

removing stale lock
checking configurations ...
logger scripts failed.
fatal error in /opt/zeek/share/zeek/site/local.zeek, line 3: can't find tuning/defaults

manager scripts failed.
fatal error in /opt/zeek/share/zeek/site/local.zeek, line 3: can't find tuning/defaults

proxy scripts failed.
fatal error in /opt/zeek/share/zeek/site/local.zeek, line 3: can't find tuning/defaults

worker-1-1 scripts failed.
fatal error in /opt/zeek/share/zeek/site/local.zeek, line 3: can't find tuning/defaults

/usr/local/sbin/zeek.sh: line 8: kill: (34) - No such process
checking configurations ...
logger scripts failed.
fatal error in /opt/zeek/share/zeek/site/local.zeek, line 3: can't find tuning/defaults

manager scripts failed.
fatal error in /opt/zeek/share/zeek/site/local.zeek, line 3: can't find tuning/defaults

proxy scripts failed.
fatal error in /opt/zeek/share/zeek/site/local.zeek, line 3: can't find tuning/defaults

worker-1-1 scripts failed.
fatal error in /opt/zeek/share/zeek/site/local.zeek, line 3: can't find tuning/defaults

/usr/local/sbin/zeek.sh: line 8: kill: (31) - No such process
checking configurations ...
logger scripts failed.
fatal error in /opt/zeek/share/zeek/site/local.zeek, line 3: can't find tuning/defaults

manager scripts failed.
fatal error in /opt/zeek/share/zeek/site/local.zeek, line 3: can't find tuning/defaults

proxy scripts failed.
fatal error in /opt/zeek/share/zeek/site/local.zeek, line 3: can't find tuning/defaults

worker-1-1 scripts failed.
fatal error in /opt/zeek/share/zeek/site/local.zeek, line 3: can't find tuning/defaults

/usr/local/sbin/zeek.sh: line 8: kill: (31) - No such process
checking configurations ...
logger scripts failed.
fatal error in /opt/zeek/share/zeek/site/local.zeek, line 3: can't find tuning/defaults

manager scripts failed.
fatal error in /opt/zeek/share/zeek/site/local.zeek, line 3: can't find tuning/defaults

proxy scripts failed.
fatal error in /opt/zeek/share/zeek/site/local.zeek, line 3: can't find tuning/defaults

worker-1-1 scripts failed.
fatal error in /opt/zeek/share/zeek/site/local.zeek, line 3: can't find tuning/defaults

/usr/local/sbin/zeek.sh: line 8: kill: (31) - No such process

Additionally, if it is worth mentioning, the file /opt/zeek/share/zeek/site/local.zeek simply does not exist. Nor does the entire directory structure going there (/opt/zeek does not exist.) I do not know if it existed prior to the upgrade.

Thanks,

Guidelines

• I have read the discussion guidelines at Read before posting! #1720 and assert that I have followed the guidelines.

[ZacharyPax]

Good morning,

Despite the fact that tuning/defaults was not applied to the local salt config (hostname_standalone) it was applied to the grid config.

Removing tuning/defaults from the grid config and synchronizing Zeek indeed allows Zeek to start and operate as intended. I have no idea why this would be the case, but for me at least it's not really a concern.

Attached is an image demonstrating what I mean in the "zeek > config > local > load" section of the SOC configuration page.

After starting, Zeek is once again fully healthy. I'll leave this discussion open in case anyone has anything to add, if not feel free to close.

[cm-ops]

Is this something you tried to enable?

/opt/zeek/share/zeek/site/local.zeek is inside the container, it would be at /opt/so/conf/zeek/local.zeek on disk outside the container.

[ZacharyPax]

I have no recollection of trying to enable tuning/defaults, but truthfully this install is very old and has traversed hardware multiple times so it is possible I did and simply forgot about it.

[cm-ops]

Did you upgrade from a version older that 2.4.120? In 2.4.120 we upgraded to Zeek 7 and tuning/defaults was removed from local.zeek.

From 2.4.120 to current it is not in local.zeek.

https://github.com/Security-Onion-Solutions/securityonion/blob/2.4.111-20241217/salt/zeek/defaults.yaml
https://github.com/Security-Onion-Solutions/securityonion/blob/2.4.120-20250212/salt/zeek/defaults.yaml

[ZacharyPax]

Good morning,

no, I upgraded from 2.4.190 to 2.4.200.

Thanks,
Zachary