
Some visualizations not showing correctly in ELK6

Open ghost opened this issue 6 years ago • 7 comments

Describe the bug
The visualizations at the top, "VulnWhisperer - Risk: Low" through "VulnWhisperer - Risk: Total", are not showing any data or colors. Also the bottom visualization, "VulnWhisperer - ScanBarChart", is not showing the bar graphics. This is in the VulnWhisperer - Reporting dashboard along with all the other VulnWhisperer dashboards. This only happens in the latest and current stable release of ELK6 and not on the ELK5 installations. This is doing the full install manually and not using docker.

Affected module
Dashboard, Nessus

To Reproduce
Steps to reproduce the behavior:

  1. For a test environment I downloaded Nessus Home, which is free, and created a few scans with a lot of vulnerabilities in them using Metasploitable 3. Scan type: credentialed full scans with the full web app known vulnerability option. This provided a lot of nice data. Having it on a separate server also allowed me to test different VulnWhisperer and ELK stack installs without having to recreate and obtain new licenses for the server each time, and allowed me to use the same data. Great for testing before moving it to the live production Nessus Pro servers.

  2. Created two Ubuntu 18.04.2 LTS servers (one for the ELK5 install and one for the ELK6 install). Updated and upgraded both. Followed the steps exactly as they are written in the VulnWhisperer README.md file. Pointed both to the Nessus server. Verified that both were able to grab scans from the Nessus server and created the csv files.

  3. Installed ELK5 on the first one. Did this following the steps exactly as they are written in the VulnWhisperer README.md. On the ELK6 one, followed all the steps except for:

echo "deb https://artifacts.elastic.co/packages/5.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-5.x.list

which was slightly changed to:

echo "deb https://artifacts.elastic.co/packages/6.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-6.x.list

so that it grabbed the ELK6 code instead.

  4. Verified that logstash was grabbing the csv files on both servers.

  5. On both servers, logged into Kibana, went to Management, index patterns, and created logstash-vulnwhisperer-* and pointed it to the existing data. Went into Saved Objects in the same area and imported the json files from HASecuritySolutions/VulnWhisperer/tree/master/kibana/vuln_whisp_kibana in order.

Expected behavior
For all visualizations to load correctly in ELK6 as they do in ELK5.

Screenshots
If applicable, add screenshots to help explain your problem.

System in which VulnWhisperer runs (please complete the following information):
Ubuntu 18.04.2 LTS server

[Screenshots attached: elk5 reporting dashboard bottom half, elk5 reporting dashboard top half, elk6 reporting dashboard bottom half, elk6 reporting dashboard top half]

ghost avatar Feb 21 '19 19:02 ghost

This is OP. Submitted with wrong account. Please let me know if you need any additional details. Thanks!

greengeek avatar Feb 21 '19 22:02 greengeek

Not sure if this is related, but found it interesting. I tried doing an upgrade from 5.x to 6.x using the x-pack. It performs a check-up on the install, indexes and plugins before it allows one to continue. This is what it had to say about my logstash-vulnwhisperer-2019.02:

The [include_in_all] mapping parameter is now disallowed
Resolving this issue is advised but not required to upgrade. Read Documentation
Details: [[type: nessus, field: @timestamp], [type: nessus, field: @version], [type: default, field: @timestamp], [type: default, field: @version]]

The _all meta field is disabled by default on indices created in 6.0
No action required, but it is advised to read about the change. Read Documentation
Details: types: [nessus, default]

links to: https://www.elastic.co/guide/en/elasticsearch/reference/6.0/breaking_60_mappings_changes.html#_the_literal_include_in_all_literal_mapping_parameter_is_now_disallowed

https://www.elastic.co/guide/en/elasticsearch/reference/6.0/breaking_60_mappings_changes.html#_the_literal__all_literal_meta_field_is_now_disabled_by_default

greengeek avatar Feb 22 '19 07:02 greengeek
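The [include_in_all] check the upgrade assistant reports above is purely a mapping-level inspection, so the same check can be run offline against a template or index mapping before it is loaded into 6.x. Added example, not VulnWhisperer's or Elastic's code: the mappings fragment is constructed (the real VulnWhisperer template is not shown on this page), one function lists offending fields in the assistant's [type, field] shape, and a second returns a copy with the disallowed parameter removed.

```python
import copy

# Constructed sample of a 5.x-era template "mappings" section (not the real
# VulnWhisperer template): two types that still set include_in_all, which
# Elasticsearch 6.x rejects when the template or index is created.
SAMPLE_MAPPINGS = {
    "nessus": {"properties": {
        "@timestamp": {"type": "date", "include_in_all": False},
        "@version": {"type": "keyword", "include_in_all": False},
        "plugin_name": {"type": "text"},
    }},
    "default": {"properties": {
        "@timestamp": {"type": "date", "include_in_all": False},
        "@version": {"type": "keyword", "include_in_all": False},
        "host": {"properties": {
            "name": {"type": "keyword", "include_in_all": True}}},
    }},
}


def find_include_in_all(mappings):
    """(type, field) pairs that set include_in_all, nested objects included."""
    hits = []

    def walk(props, prefix, mapping_type):
        for name, defn in props.items():
            path = prefix + name
            if "include_in_all" in defn:
                hits.append((mapping_type, path))
            if "properties" in defn:  # object field: recurse with dotted path
                walk(defn["properties"], path + ".", mapping_type)

    for mapping_type, body in mappings.items():
        walk(body.get("properties", {}), "", mapping_type)
    return hits


def strip_include_in_all(mappings):
    """Deep copy with every include_in_all removed: the edit ES 6.x needs."""
    fixed = copy.deepcopy(mappings)

    def scrub(props):
        for defn in props.values():
            defn.pop("include_in_all", None)
            if "properties" in defn:
                scrub(defn["properties"])

    for body in fixed.values():
        scrub(body.get("properties", {}))
    return fixed
```

Running find_include_in_all on a real mapping pulled with the GET _template or GET index/_mapping APIs gives the same list the assistant prints, and the scrubbed copy is what to PUT back before pointing 6.x at the data.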

What version of Kibana is this? I ran into a problem trying to recreate everything on 6.x because I couldn't even get metrics with coloured backgrounds working. Turns out this was in the 6.2.x days, up until 6.3 they'd actually rolled back that feature...

https://discuss.elastic.co/t/background-color-on-metric-visualization-in-kibana-6/120469

pemontto avatar Feb 26 '19 11:02 pemontto

Just for the record, the version with which I have personally done the testing of the new ELK, and which we are "officially supporting" as per the docker-compose, is ELK 6.6.0.

qmontal avatar Feb 26 '19 12:02 qmontal

This would have been the latest one. I am not using the docker image. This was a clean install on an Ubuntu server. Looks like 6.6.2 is what I have on this server and 6.6.1 on the other server.

greengeek avatar Mar 14 '19 16:03 greengeek

Related to this issue, there is issue #157 and PR #174.

qmontal avatar Apr 16 '19 08:04 qmontal

Raised an issue finally: https://github.com/elastic/kibana/issues/35807

pemontto avatar Apr 30 '19 14:04 pemontto