
Logstash isn't ingesting data - fresh install

Open myrsecurity opened this issue 4 years ago • 20 comments

Hi all, I've deployed SELKS 6 RC 1 on a VM. The install process goes smoothly, no issues.

It seems it is picking up some data and triggering definitions.

I've encountered 2 issues so far: when I click on Dashboards it brings up Kibana, although Logstash isn't injecting any data.

As a consequence no Dashboards are available.

Anyway, I just wanted to log and report this issue; the tool is fab, excellent job guys.

myrsecurity avatar May 21 '20 15:05 myrsecurity

Thank you for trying out SELKS.

What is the output of selks-health-check_stamus?

Did the first-time setup script finish without errors?

-- Regards, Peter Manev


pevma avatar May 21 '20 16:05 pevma

Hi, thanks for coming back so quickly.

Yes indeed, the install finishes without apparent errors.

I've also noticed Logstash stalls on reboot/restart. I have to 'force shutdown' or 'reset' the VM.

This is the output of the command:

● suricata.service - LSB: Next Generation IDS/IPS
   Loaded: loaded (/etc/init.d/suricata; generated)
   Active: active (running) since Thu 2020-05-21 17:09:05 CEST; 1h 31min ago
     Docs: man:systemd-sysv-generator(8)
  Process: 680 ExecStart=/etc/init.d/suricata start (code=exited, status=0/SUCCESS)
    Tasks: 10 (limit: 4915)
   Memory: 783.2M
   CGroup: /system.slice/suricata.service
           └─798 /usr/bin/suricata -c /etc/suricata/suricata.yaml --pidfile /va…
● elasticsearch.service - Elasticsearch
   Loaded: loaded (/lib/systemd/system/elasticsearch.service; enabled; vendor preset: enabled)
   Active: active (running) since Thu 2020-05-21 17:10:17 CEST; 1h 30min ago
     Docs: https://www.elastic.co
 Main PID: 696 (java)
    Tasks: 95 (limit: 4915)
   Memory: 1.7G
   CGroup: /system.slice/elasticsearch.service
           ├─ 696 /usr/share/elasticsearch/jdk/bin/java -Xshare:auto -Des.netwo…
           └─1129 /usr/share/elasticsearch/modules/x-pack-ml/platform/linux-x86…
● logstash.service - logstash
   Loaded: loaded (/etc/systemd/system/logstash.service; enabled; vendor preset: enabled)
   Active: active (running) since Thu 2020-05-21 17:08:57 CEST; 1h 31min ago
 Main PID: 366 (java)
    Tasks: 37 (limit: 4915)
   Memory: 1.0G
   CGroup: /system.slice/logstash.service
           └─366 /bin/java -Xms1g -Xmx1g -XX:+UseConcMarkSweepGC -XX:CMSInitiat…
● kibana.service - Kibana
   Loaded: loaded (/etc/systemd/system/kibana.service; enabled; vendor preset: enabled)
   Active: active (running) since Thu 2020-05-21 17:08:57 CEST; 1h 31min ago
 Main PID: 372 (node)
    Tasks: 11 (limit: 4915)
   Memory: 978.3M
   CGroup: /system.slice/kibana.service
           └─372 /usr/share/kibana/bin/../node/bin/node /usr/share/kibana/bin/.…
● evebox.service - EveBox Server
   Loaded: loaded (/lib/systemd/system/evebox.service; enabled; vendor preset: enabled)
   Active: active (running) since Thu 2020-05-21 17:08:57 CEST; 1h 31min ago
 Main PID: 365 (evebox)
    Tasks: 8 (limit: 4915)
   Memory: 54.6M
   CGroup: /system.slice/evebox.service
           └─365 /usr/bin/evebox server
● molochviewer-selks.service - Moloch Viewer
   Loaded: loaded (/etc/systemd/system/molochviewer-selks.service; enabled; vendor preset: enabled)
   Active: active (running) since Thu 2020-05-21 17:11:08 CEST; 1h 29min ago
 Main PID: 1533 (sh)
    Tasks: 12 (limit: 4915)
   Memory: 46.3M
   CGroup: /system.slice/molochviewer-selks.service
           ├─1533 /bin/sh -c /data/moloch/bin/node viewer.js -c /data/moloch/et…
           └─1534 /data/moloch/bin/node viewer.js -c /data/moloch/etc/config.ini
● molochpcapread-selks.service - Moloch Pcap Read
   Loaded: loaded (/etc/systemd/system/molochpcapread-selks.service; enabled; vendor preset: enabled)
   Active: active (running) since Thu 2020-05-21 17:10:29 CEST; 1h 30min ago
 Main PID: 1447 (sh)
    Tasks: 5 (limit: 4915)
   Memory: 175.6M
   CGroup: /system.slice/molochpcapread-selks.service
           ├─1447 /bin/sh -c /data/moloch/bin/moloch-capture -c /data/moloch/et…
           └─1448 /data/moloch/bin/moloch-capture -c /data/moloch/etc/config.in…
error: <class 'socket.error'>, [Errno 13] Permission denied: file: /usr/lib/python2.7/socket.py line: 228
ii  elasticsearch              7.7.0                    amd64  Distributed RESTful search engine built for the cloud
ii  elasticsearch-curator      5.8.1                    amd64  Have indices in Elasticsearch? This is the tool for you!\n\nLike a museum curator manages the exhibits and collections on display, \nElasticsearch Curator helps you curate, or manage your indices.
ii  evebox                     1:0.11.1                 amd64  no description given
ii  kibana                     7.7.0                    amd64  Explore and visualize your Elasticsearch data
ii  kibana-dashboards-stamus   2020042401               amd64  Kibana 6 dashboard templates.
ii  logstash                   1:7.7.0-1                all    An extensible logging pipeline
ii  moloch                     2.3.0-1                  amd64  Moloch Full Packet System
ii  scirius                    3.4.0-9                  amd64  Django application to manage Suricata ruleset
ii  suricata                   1:2020050401-0stamus0    amd64  Suricata open source multi-thread IDS/IPS/NSM system.
Filesystem     Type      Size  Used Avail Use% Mounted on
udev           devtmpfs  7.9G     0  7.9G   0% /dev
tmpfs          tmpfs     1.6G   17M  1.6G   2% /run
/dev/vda1      ext4      238G  9.8G  216G   5% /
tmpfs          tmpfs     7.9G     0  7.9G   0% /dev/shm
tmpfs          tmpfs     5.0M     0  5.0M   0% /run/lock
tmpfs          tmpfs     7.9G     0  7.9G   0% /sys/fs/cgroup
tmpfs          tmpfs     1.6G   16K  1.6G   1% /run/user/1000

myrsecurity avatar May 21 '20 16:05 myrsecurity

Version 5 (installed last night) seems to be a bit more stable, and the image below (logstash) gets updated regularly.

[screenshot]

myrsecurity avatar May 21 '20 16:05 myrsecurity

All seems normal, especially bearing in mind the health status reads ok and the first-time install goes ok. The interesting part is that both Scirius and Kibana read their logs/events from ES - and one has them while the other complains...

Let's try something... Can you try to clear your browser cache and reload those dashboards with at least a 24hr timespan?

pevma avatar May 21 '20 20:05 pevma
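The point in the comment above is the useful one to pin down: Scirius and Kibana both read from Elasticsearch, so the question is whether events are reaching Elasticsearch at all or only failing to show up in Kibana. The following diagnostic is an added example for this thread, not part of SELKS or of anyone's comment. It compares the recent Suricata EVE events on disk with the document counts in Logstash's daily indices and returns one of three verdicts. The EVE path, the Elasticsearch URL and the `logstash-` index prefix are assumptions about the SELKS layout, not taken from the thread; the sample EVE lines and `_cat/indices` output are constructed so that the file runs offline.

```python
"""Where does the Suricata -> Logstash -> Elasticsearch -> Kibana chain break?

Added diagnostic for this thread (not SELKS code). Verdicts:
  no-eve       Suricata wrote no EVE events in the window: nothing to ingest
  not-shipped  EVE has recent events but no logstash-* index holds documents
               for those days: Logstash is not ingesting
  in-es        Elasticsearch already holds recent events, so an empty Kibana
               is a Kibana problem (index pattern, time picker, dashboards)
Assumed, not confirmed by the thread: EVE_PATH, ES_URL and INDEX_PREFIX.
"""
import json
import urllib.request
from collections import deque
from datetime import datetime, timedelta, timezone

EVE_PATH = "/var/log/suricata/eve.json"   # assumed SELKS default
ES_URL = "http://localhost:9200"          # assumed; ES is queried directly, not via nginx
INDEX_PREFIX = "logstash-"                # assumed prefix of the indices Logstash writes
DEFAULT_WINDOW = timedelta(hours=24)      # the timespan suggested in the thread


def parse_eve_timestamp(ts):
    """EVE timestamps look like 2020-05-21T17:09:05.123456+0200."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z")


def recent_eve_events(lines, now, window):
    """Count EVE records whose timestamp lies in [now - window, now]."""
    count = 0
    for line in lines:
        try:
            ts = parse_eve_timestamp(json.loads(line)["timestamp"])
        except (ValueError, KeyError, TypeError):
            continue  # blank line, partial line at EOF, or record without a timestamp
        if now - window <= ts <= now:
            count += 1
    return count


def recent_es_docs(cat_indices, now, window):
    """Sum docs.count over logstash-* indices dated inside the window.

    cat_indices is the parsed output of GET /_cat/indices?format=json; index
    names are expected to end in a YYYY.MM.DD suffix, as Logstash writes them.
    """
    first_day = (now - window).date()
    total = 0
    for idx in cat_indices:
        name = idx.get("index", "")
        if not name.startswith(INDEX_PREFIX):
            continue  # .kibana_1, .tasks, Moloch indices etc. are not ingest evidence
        try:
            day = datetime.strptime(name.rsplit("-", 1)[1], "%Y.%m.%d").date()
        except (IndexError, ValueError):
            continue
        if first_day <= day <= now.date():
            total += int(idx.get("docs.count") or 0)
    return total


def diagnose(eve_lines, cat_indices, now, window=DEFAULT_WINDOW):
    if recent_eve_events(eve_lines, now, window) == 0:
        return "no-eve"
    if recent_es_docs(cat_indices, now, window) == 0:
        return "not-shipped"
    return "in-es"


# Constructed sample input (not real data) so the module runs offline.
SAMPLE_NOW = datetime(2020, 5, 21, 20, 0, tzinfo=timezone.utc)
SAMPLE_EVE_LINES = [
    '{"timestamp":"2020-05-21T17:09:05.123456+0200","event_type":"alert",'
    '"src_ip":"192.168.0.89","alert":{"signature_id":2100498,"signature":"test"}}',
    '{"timestamp":"2020-05-21T17:09:06.001000+0200","event_type":"dns",'
    '"src_ip":"192.168.0.89","dns":{"type":"query","rrname":"example.com"}}',
    '{"timestamp":"2020-05-20T09:00:00.000000+0200","event_type":"stats"}',  # outside window
    '{"timestamp":"2020-05-21T17:09:07.5',                                   # partial tail line
]
SAMPLE_CAT_INDICES = [
    {"index": ".kibana_1", "docs.count": "312"},
    {"index": "logstash-alert-2020.05.21", "docs.count": "0"},
    {"index": "logstash-dns-2020.05.21", "docs.count": "0"},
]


def main():
    """Run against the live box: tail the EVE log and query local Elasticsearch."""
    now = datetime.now(timezone.utc)
    with open(EVE_PATH) as f:
        tail = deque(f, maxlen=5000)  # the last few thousand lines cover the window check
    with urllib.request.urlopen(ES_URL + "/_cat/indices?format=json") as resp:
        cat = json.load(resp)
    print(diagnose(tail, cat, now))


if __name__ == "__main__":
    main()
```

With the constructed sample the verdict is `not-shipped`: two EVE events fall inside the 24h window while both `logstash-*` indices for that day are empty, which is the Logstash leg of the chain. A `.kibana_1` index full of saved objects is deliberately ignored, since it says nothing about ingest. If the verdict is `in-es`, the health check's `supervisorctl` permission error and a dashboard reset are the right places to look next; if it is `no-eve`, the problem is upstream of Logstash.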

If that does not work, try to reset the dashboards from the GUI - upper left corner, Settings, Kibana.

pevma avatar May 21 '20 21:05 pevma

Hi, I've cleared the cache and reloaded with the 24-hour setting.

I got the same error unfortunately.

myrsecurity avatar May 21 '20 21:05 myrsecurity

The Discover functionality in Kibana doesn't show any data.

I'm trying to get the dashboard reset - not sure where to click.

myrsecurity avatar May 21 '20 21:05 myrsecurity

Ah, found it.

myrsecurity avatar May 21 '20 21:05 myrsecurity

Try "Reset SN dashboards"?

pevma avatar May 21 '20 21:05 pevma

Sorry, same issue after Reset SN dashboards.

Do I have to reboot?

myrsecurity avatar May 21 '20 21:05 myrsecurity

Checking and testing other dashboards - I got errors and data mixed.

For SN-OVERVIEW:

So some progress :)

myrsecurity avatar May 21 '20 22:05 myrsecurity

Ok, let me have a better look. It seems ES 7.7.x might be breaking some things - just speculation at the moment. When you installed, did you do an upgrade afterwards or was it just a vanilla install?

Thank you

-- Regards, Peter Manev


pevma avatar May 21 '20 22:05 pevma

What is the “full error” ?

-- Regards, Peter Manev


pevma avatar May 21 '20 22:05 pevma

Full error:

Error: Not Found at Fetch._callee3$ (https://192.168.0.89/bundles/commons.bundle.js:3:3997981) at l (https://192.168.0.89/bundles/kbn-ui-shared-deps/kbn-ui-shared-deps.js:288:970406) at Generator._invoke (https://192.168.0.89/bundles/kbn-ui-shared-deps/kbn-ui-shared-deps.js:288:970159) at Generator.forEach.e. [as next] (https://192.168.0.89/bundles/kbn-ui-shared-deps/kbn-ui-shared-deps.js:288:970763) at asyncGeneratorStep (https://192.168.0.89/bundles/commons.bundle.js:3:3991504) at _next (https://192.168.0.89/bundles/commons.bundle.js:3:3991815)

myrsecurity avatar May 21 '20 22:05 myrsecurity

Other full error (DNS dashboard):

Error: Not Found at Fetch._callee3$ (https://192.168.0.89/bundles/commons.bundle.js:3:3997981) at l (https://192.168.0.89/bundles/kbn-ui-shared-deps/kbn-ui-shared-deps.js:288:970406) at Generator._invoke (https://192.168.0.89/bundles/kbn-ui-shared-deps/kbn-ui-shared-deps.js:288:970159) at Generator.forEach.e. [as next] (https://192.168.0.89/bundles/kbn-ui-shared-deps/kbn-ui-shared-deps.js:288:970763) at asyncGeneratorStep (https://192.168.0.89/bundles/commons.bundle.js:3:3991504) at _next (https://192.168.0.89/bundles/commons.bundle.js:3:3991815)

myrsecurity avatar May 21 '20 22:05 myrsecurity
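The two traces above are a `Not Found` raised by Kibana's fetch layer while a dashboard loads, which is the client-side shape of a saved object the dashboard depends on not being present. One concrete cause of that is a dashboard (or one of its visualizations) whose `references` list points at an id that no longer exists in the `.kibana` index, which is what a "Reset SN dashboards" reload is meant to repair. The checker below is an added example for this thread, not SELKS, Stamus or Kibana code; it walks a saved-objects export and reports, per dashboard, every missing reference reached directly or through its visualizations. The object ids, titles and the export contents are constructed for the example.

```python
"""Find dashboards whose saved-object references point at nothing.

Added check for this thread (not SELKS or Kibana code). Kibana stores each
dashboard, visualization, saved search and index pattern as a saved object
and links them through a "references" list. Input: the ndjson produced by
Kibana's saved-objects export API (one object per line, summary line last).
"""
import json


def load_saved_objects(ndjson_text):
    """Index exported objects by (type, id); skip the trailing summary record."""
    objects = {}
    for line in ndjson_text.splitlines():
        line = line.strip()
        if not line:
            continue
        obj = json.loads(line)
        if "type" not in obj or "id" not in obj:
            continue  # export summary, e.g. {"exportedCount": 5, "missingRefCount": ...}
        objects[(obj["type"], obj["id"])] = obj
    return objects


def dangling_references(objects):
    """Direct references to absent objects, as (src_type, src_id, ref_type, ref_id)."""
    missing = []
    for (src_type, src_id), obj in sorted(objects.items()):
        for ref in obj.get("references", []):
            key = (ref.get("type"), ref.get("id"))
            if key not in objects:
                missing.append((src_type, src_id) + key)
    return missing


def broken_dashboards(objects):
    """Map dashboard title -> sorted missing (type, id) keys reached from it."""
    direct = {}
    for src_type, src_id, ref_type, ref_id in dangling_references(objects):
        direct.setdefault((src_type, src_id), set()).add((ref_type, ref_id))
    result = {}
    for key, obj in objects.items():
        if key[0] != "dashboard":
            continue
        seen, todo, missing = set(), [key], set()
        while todo:  # depth-first walk over references that do exist
            cur = todo.pop()
            if cur in seen:
                continue
            seen.add(cur)
            missing |= direct.get(cur, set())
            for ref in objects[cur].get("references", []):
                nxt = (ref.get("type"), ref.get("id"))
                if nxt in objects:
                    todo.append(nxt)
        if missing:
            result[obj.get("attributes", {}).get("title", key[1])] = sorted(missing)
    return result


# Constructed export (ids and titles invented for the example), shaped like
# the real ndjson: "vis-dns" points at an index pattern that is gone and
# dashboard "SN-DNS" at a visualization that is gone.
_IP_REF = "kibanaSavedObjectMeta.searchSourceJSON.index"
SAMPLE_EXPORT = "\n".join(json.dumps(o) for o in [
    {"type": "index-pattern", "id": "ip-logstash",
     "attributes": {"title": "logstash-*"}, "references": []},
    {"type": "visualization", "id": "vis-alerts", "attributes": {"title": "SN-ALERTS"},
     "references": [{"name": _IP_REF, "type": "index-pattern", "id": "ip-logstash"}]},
    {"type": "visualization", "id": "vis-dns", "attributes": {"title": "SN-DNS-QUERIES"},
     "references": [{"name": _IP_REF, "type": "index-pattern", "id": "ip-old"}]},
    {"type": "dashboard", "id": "sn-overview", "attributes": {"title": "SN-OVERVIEW"},
     "references": [{"name": "panel_0", "type": "visualization", "id": "vis-alerts"},
                    {"name": "panel_1", "type": "visualization", "id": "vis-dns"}]},
    {"type": "dashboard", "id": "sn-dns", "attributes": {"title": "SN-DNS"},
     "references": [{"name": "panel_0", "type": "visualization", "id": "vis-dns"},
                    {"name": "panel_1", "type": "visualization", "id": "vis-geo"}]},
    {"exportedCount": 5, "missingRefCount": 2,
     "missingReferences": [{"type": "index-pattern", "id": "ip-old"},
                           {"type": "visualization", "id": "vis-geo"}]},
])


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_EXPORT
    for title, missing in broken_dashboards(load_saved_objects(text)).items():
        print(title, "->", ", ".join(f"{t}:{i}" for t, i in missing))
```

On the constructed export, SN-OVERVIEW is broken only transitively (its DNS panel's index pattern is missing) while SN-DNS is broken both ways. To run it on a real box, produce the export with `POST /api/saved_objects/_export` against the Kibana API (it needs a `kbn-xsrf` header and a JSON body naming the types to export, e.g. dashboard, visualization, search and index-pattern) and pass the resulting ndjson file as the first argument; the export's own `missingReferences` summary lists the same gaps without saying which dashboards they break.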

I did the fresh install and tried to log in to the console on .89 - it didn't work. I ran the upgrade, which took a few minutes, and rebooted (Logstash stalled for 20 minutes, then I 'forced shutdown'). Started again, left it a few minutes and was able to https x.x.x.89, triggered some alerts etc. (by the way, the EICAR file isn't picked up, or at least I cannot see a definition being triggered; this is another story), then opened Kibana and got the errors, logged the ticket, and here we are.

Thank you.

myrsecurity avatar May 21 '20 22:05 myrsecurity

Ok, thank you. When you tried to log in on the console and it did not work the first time, which console was that - the GUI or ssh/cmd? Also one more question - how did it not work, wrong password or ...?

-- Regards, Peter Manev


pevma avatar May 21 '20 22:05 pevma

The first time it didn't work on the GUI, via https.

I've installed on single-disk Debian, formatted the partition in full (no live CD), VM-Demo type, Graphic, 2 interfaces (1 monitor + DHCP bridged), PCAP capture but don't retain, 16GB RAM, 4 vCPUs.

I think it might be an issue with the loopback or the local DNS - it attempts to load https://selks which doesn't work (404) - https://127.0.0.1 didn't work either, nor https://localhost, hence I force the IP.

This is the sequence:

[screenshot]

[screenshot]

but on IP:

[screenshot]

Seems to be binding the listener service to 0.0.0.0 on nginx / apache.

myrsecurity avatar May 21 '20 22:05 myrsecurity

Sorry if I am repetitive - just wanted to double check if you went through https://github.com/StamusNetworks/SELKS/wiki/First-time-setup and it all returned ok?

pevma avatar May 22 '20 06:05 pevma

Hello, ah now I understand - I did the ISO deployment and ran the initial configuration... but I didn't follow the entire document. Need to look at the Moloch and GeoIP config (MaxMind license id).

Will come back to you this week, thanks for the support.

myrsecurity avatar May 24 '20 12:05 myrsecurity