so-status

To check the status of Security Onion services, run sudo so-status:

Checking Docker status

    Docker ---------------------------------------- [ OK ]

Checking container statuses

    so-aptcacherng -------------------------------- [ OK ]
    so-curator ------------------------------------ [ OK ]
    so-dockerregistry ----------------------------- [ OK ]
    so-elastalert --------------------------------- [ OK ]
    so-elasticsearch ------------------------------ [ OK ]
    so-filebeat ----------------------------------- [ OK ]
    so-fleet -------------------------------------- [ OK ]
    so-grafana ------------------------------------ [ OK ]
    so-idstools ----------------------------------- [ OK ]
    so-influxdb ----------------------------------- [ OK ]
    so-kibana ------------------------------------- [ OK ]
    so-kratos ------------------------------------- [ OK ]
    so-logstash ----------------------------------- [ OK ]
    so-mysql -------------------------------------- [ OK ]
    so-nginx -------------------------------------- [ OK ]
    so-playbook ----------------------------------- [ OK ]
    so-redis -------------------------------------- [ OK ]
    so-sensoroni ---------------------------------- [ OK ]
    so-soc ---------------------------------------- [ OK ]
    so-soctopus ----------------------------------- [ OK ]
    so-steno -------------------------------------- [ OK ]
    so-strelka-backend ---------------------------- [ OK ]
    so-strelka-coordinator ------------------------ [ OK ]
    so-strelka-filestream ------------------------- [ OK ]
    so-strelka-frontend --------------------------- [ OK ]
    so-strelka-gatekeeper ------------------------- [ OK ]
    so-strelka-manager ---------------------------- [ OK ]
    so-suricata ----------------------------------- [ OK ]
    so-telegraf ----------------------------------- [ OK ]
    so-wazuh -------------------------------------- [ OK ]

so-status reads the list of enabled services from /opt/so/conf/so-status/so-status.conf and checks the status of each. If you ever disable a service, you may need to remove it from that file.

Quiet Mode

so-status supports a quiet mode that suppresses the per-service output and reports overall health only through its exit code, which makes it suitable for scripts and monitoring checks:

sudo so-status -h

    /usr/sbin/so-status  [-h] [-q|--quiet]

    -h             Show this message.
    -q|--quiet     Suppress the output and only return a
                   single status code for overall status
                   0:Ok, 1:Error, 2:Starting/Pending, 99:Installing SO

sudo so-status -q
echo $?
0
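
The following wrapper is an added example of using the quiet-mode exit codes from a script; it is not part of Security Onion itself. It keeps polling while so-status reports Starting/Pending (exit code 2), returns as soon as it reports Ok, and gives up immediately on Error or Installing SO, since retrying those will not help. The SO_STATUS_CMD override, the attempt limit and the sleep interval are choices made for this example so it can be exercised without a real Security Onion host.

```bash
#!/bin/bash
# Added example (not Security Onion's own code): wait for so-status -q to report Ok.
# Assumptions: SO_STATUS_CMD may override the command (used for offline testing);
# the attempt limit and sleep interval are arbitrary defaults for this example.

# Map an so-status -q exit code to the label printed by so-status -h.
so_status_label() {
    case "$1" in
        0)  echo "Ok" ;;
        1)  echo "Error" ;;
        2)  echo "Starting/Pending" ;;
        99) echo "Installing SO" ;;
        *)  echo "Unknown ($1)" ;;
    esac
}

# wait_for_so_status MAX_ATTEMPTS SLEEP_SECONDS
# Returns 0 once so-status reports Ok, keeps polling while it reports
# Starting/Pending (2) up to MAX_ATTEMPTS, and returns the code unchanged
# on Error (1), Installing SO (99) or anything unexpected.
wait_for_so_status() {
    local max_attempts="${1:-10}" interval="${2:-30}" attempt=1 rc
    local cmd="${SO_STATUS_CMD:-sudo so-status -q}"
    while :; do
        # Capture the exit code without tripping set -e in callers.
        if $cmd; then rc=0; else rc=$?; fi
        case "$rc" in
            0)
                return 0
                ;;
            2)
                if [ "$attempt" -ge "$max_attempts" ]; then
                    echo "so-status still Starting/Pending after $attempt checks" >&2
                    return 2
                fi
                ;;
            *)
                echo "so-status returned $rc ($(so_status_label "$rc"))" >&2
                return "$rc"
                ;;
        esac
        attempt=$((attempt + 1))
        sleep "$interval"
    done
}

# Typical use after a reboot: wait up to 10 checks, 30 seconds apart.
# wait_for_so_status 10 30 && echo "Security Onion is healthy"
```

Because the function propagates the original exit code, a cron job or a configuration-management handler can branch on 1 versus 99 without re-running so-status.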

Import Node

If you’re running a Security Onion Import node, then so-status will show so-steno, so-suricata, and so-zeek as DISABLED since they are not sniffing live traffic. Suricata and Zeek will still analyze pcaps normally when running so-import-pcap. Stenographer is not used at all in Import mode.