Security Onion is a fantastic and continually impressive suite of SOC tools that work very well for small organizations. Most of the time, at least. The installation is not user-friendly, and it is clearly expected that you know why or why not to choose a particular option.
For all my love of Security Onion 2.x, I am continually wishing it natively had more up-to-date Wazuh agent support. There were significant changes from Wazuh 3.x to 4.x, including the change to TCP as the default communications protocol for the agents.
2022/10/13 21:52:06 wazuh-agent: ERROR: (1216): Unable to connect to '10.X.X.X:1514/tcp': 'No connection could be made because the target machine actively refused it.'.
*sigh*
Manipulating the SO firewall wasn't sufficient. I thought that perhaps just adding tcp as a valid protocol would be enough:
sudo so-firewall addportgroup wazuh_4_agents
sudo so-firewall addport wazuh_4_agents tcp 1514
sudo so-firewall apply
Sadly, that was insufficient. I gave up and went back to 3.13, which was released years ago.
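The wording of error 1216 above is the useful clue: "actively refused" means the manager host answered with a TCP reset, so the packet reached the box and the firewall let it through, but nothing on the manager was listening on 1514/tcp (the bundled 3.13 manager speaks UDP on that port by default). Opening the port with so-firewall cannot change that. The script below is an added example, not part of the original post or of Security Onion, that pulls the endpoint out of agent log lines and classifies a TCP connect as open, refused or filtered so you can tell a missing listener apart from a dropping firewall. The log lines in SAMPLE_LOG are constructed, and the 10.X.X.X address is the post's placeholder, not a real manager.

```python
import re
import socket

# Constructed sample lines in the wazuh-agent ossec.log format. The address
# 10.X.X.X is a placeholder copied from the post, not a real manager.
SAMPLE_LOG = """\
2022/10/13 21:52:06 wazuh-agent: ERROR: (1216): Unable to connect to '10.X.X.X:1514/tcp': 'No connection could be made because the target machine actively refused it.'.
2022/10/13 21:52:36 wazuh-agent: INFO: Trying to connect to server ([10.X.X.X]:1514/tcp).
"""

# Matches the manager endpoint inside an error 1216 line.
CONNECT_ERR = re.compile(
    r"\(1216\): Unable to connect to '(?P<host>[^:']+):(?P<port>\d+)/(?P<proto>tcp|udp)'"
)


def parse_connect_errors(log_text):
    """Return a list of (host, port, proto) for every error 1216 line."""
    found = []
    for line in log_text.splitlines():
        m = CONNECT_ERR.search(line)
        if m:
            found.append((m.group("host"), int(m.group("port")), m.group("proto")))
    return found


def probe_tcp(host, port, timeout=2.0):
    """Classify what a TCP connect to host:port does.

    'open'        - handshake completed, something is listening
    'refused'     - RST came back: host is up, no listener on that port
                    (or a firewall REJECT); this is what error 1216 reports
    'filtered'    - no answer before the timeout, typically a DROP rule
    'unreachable' - name resolution or routing failed
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "filtered"
    except OSError:
        return "unreachable"


def start_local_listener():
    """Bind a throwaway TCP listener on loopback; returns (socket, port).

    Used to show what 'open' looks like without needing a real manager.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


def diagnose(log_text):
    """Probe every endpoint the agent complained about and report the class."""
    results = {}
    for host, port, proto in parse_connect_errors(log_text):
        if proto == "tcp":
            results[(host, port, proto)] = probe_tcp(host, port)
        else:
            # A UDP "connect" gets no RST, so there is nothing to classify here.
            results[(host, port, proto)] = "udp: not probed"
    return results


if __name__ == "__main__":
    print("endpoints in log:", parse_connect_errors(SAMPLE_LOG))
    srv, port = start_local_listener()
    print("local listener  :", probe_tcp("127.0.0.1", port))   # open
    srv.close()
    print("after close     :", probe_tcp("127.0.0.1", port))   # refused
```

Run it on the real ossec.log of a 4.x agent and a "refused" result against the manager means the fix belongs on the manager side (a listener for that protocol), while "filtered" is the case where the so-firewall commands above are the right tool.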