
ES not working in scirius, the status light is gray

Open RonnieNiu opened this issue 5 years ago • 13 comments

Hi guys:

I am from China, I have an issue which I cannot solve, thanks for help! My scirius is SCIRIUS_VERSION="3.2.0", ES version is Version: 6.6.2. [screenshot] My scirius setting.py is: [screenshot] The error info in elasticsearch.log is:

[screenshot]

RonnieNiu avatar Jul 19 '19 10:07 RonnieNiu

Is that SELKS 5.0? It seems like an auth error - have you done any changes to the default config? I see http auth adjustments?

pevma avatar Jul 21 '19 13:07 pevma

ELK is 6.6.2, suricata is 4.1.0, I changed the default config in scirius setting.py by adding "http auth".

RonnieNiu avatar Jul 22 '19 02:07 RonnieNiu

My ELK is installed on 10.104.131.4, my scirius and suricata are installed on 192.168.13.128. I don't know if it has anything to do with this. Thanks!

RonnieNiu avatar Jul 22 '19 02:07 RonnieNiu

Why did you do the change, what was needed? In SELKS authentication is done via Scirius by default and it works that way - hence my question - is it a different auth mechanism you are using, or?

pevma avatar Jul 23 '19 16:07 pevma

Because my ES is configured with authentication, and I find nothing about authentication in scirius setting.py. When starting with the default configuration, the error I got is: [screenshot] [screenshot]

RonnieNiu avatar Jul 24 '19 09:07 RonnieNiu

Now I am talking about my use environment. I have several suricata instances distributed at various network boundaries, and then ES and kibana are deployed at 10.104.116.212 to display the alarm events. Logstash is deployed at 10.3.4.79, and the events are fed into ES. Since the previous rules were managed by oinkmaster, now I want to deploy scirius to manage the rules and deploy scirius at 10.104.116.212. Thank you very much for helping.

RonnieNiu avatar Jul 24 '19 09:07 RonnieNiu

What authentication is used on ES, do you have Xpack enabled?

pevma avatar Jul 29 '19 10:07 pevma

Yes, I use Xpack on ES, the elasticsearch.yml is: [screenshot]

RonnieNiu avatar Jul 31 '19 09:07 RonnieNiu

Currently Scirius is in charge of authentication and uses a proxy, so it is not fully compatible yet with Xpack. To confirm that - can you disable Xpack security / auth, adjust the settings accordingly in /etc/scirius/local_settings.py, restart the machine and try again?

pevma avatar Jul 31 '19 10:07 pevma
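The reply above pins the gray status light on Scirius proxying Elasticsearch without credentials while X-Pack security expects them. The following script is an added diagnostic, not code from Scirius or SELKS: it probes the ES endpoint the way an unauthenticated proxy would and turns the answer into a verdict (unreachable, credentials demanded, cluster up but not green). The function names, the `/_cluster/health` probe and the sample responses are this example's own; the sample bodies are constructed, not captured from the reporter's cluster, and `127.0.0.1:9200` is only a placeholder address.

```python
# Added diagnostic, not part of Scirius or SELKS: probe the Elasticsearch
# endpoint that Scirius proxies and classify the answer, so a gray status
# light can be traced to "ES unreachable", "ES demands credentials
# (X-Pack security on)", or a cluster that answers but is not green.
import json
import urllib.error
import urllib.request
from typing import Optional, Tuple


def probe_es(base_url: str, timeout: float = 5.0) -> Tuple[Optional[int], str]:
    """GET <base_url>/_cluster/health without credentials, exactly as a
    proxy that was never given any would.  Returns (http_status, body);
    status is None when no HTTP answer came back at all."""
    req = urllib.request.Request(base_url.rstrip("/") + "/_cluster/health")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:        # ES answered, but with an error code
        return e.code, e.read().decode("utf-8", "replace")
    except (urllib.error.URLError, OSError):   # DNS failure, refused, timeout
        return None, ""


def _json_field(body: str, *path: str):
    """Walk a JSON body along `path`; None if the body is not what we expect."""
    try:
        node = json.loads(body)
        for key in path:
            node = node.get(key)
    except (ValueError, AttributeError):
        return None
    return node


def classify_es_probe(status: Optional[int], body: str) -> str:
    """Map a probe result to a short verdict a troubleshooter can act on."""
    if status is None:
        return "unreachable"
    if status in (401, 403):
        # X-Pack security answers unauthenticated requests with 401 and a
        # body whose error type is "security_exception".
        if _json_field(body, "error", "type") == "security_exception":
            return "auth_required"
        return "http_%d" % status
    if status == 200:
        cluster_status = _json_field(body, "status")
        if cluster_status in ("green", "yellow", "red"):
            return "cluster_" + cluster_status
        return "unexpected_body"
    return "http_%d" % status


def diagnose_es(base_url: str) -> str:
    """Live probe plus classification; use on the host that runs Scirius."""
    return classify_es_probe(*probe_es(base_url))


# Constructed sample answers (not captured from the reporter's cluster).
SAMPLE_XPACK_401 = json.dumps({
    "error": {
        "root_cause": [{"type": "security_exception",
                        "reason": "missing authentication credentials for REST request [/_cluster/health]"}],
        "type": "security_exception",
        "reason": "missing authentication credentials for REST request [/_cluster/health]",
    },
    "status": 401,
})
SAMPLE_HEALTH_OK = json.dumps({"cluster_name": "elasticsearch",
                               "status": "yellow", "number_of_nodes": 1})

if __name__ == "__main__":
    print(classify_es_probe(401, SAMPLE_XPACK_401))   # auth_required
    print(classify_es_probe(200, SAMPLE_HEALTH_OK))   # cluster_yellow
    print(classify_es_probe(None, ""))                # unreachable
    # Live probe against a placeholder address; point it at the ES address
    # Scirius is configured to use.
    print(diagnose_es("http://127.0.0.1:9200"))
```

Run it from the machine that hosts Scirius, since the proxy's view of ES (routing, firewalling, credentials) is what matters; "auth_required" with X-Pack still enabled is the situation the reply above describes, and "unreachable" from that host points at the split between the 10.104.x and 192.168.x networks rather than at authentication.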

Yes, after disabling Xpack on ES it is OK. But scirius still has no eve data [screenshot] and kibana still errors: [screenshot] [screenshot]

RonnieNiu avatar Aug 01 '19 06:08 RonnieNiu

It seems it could be a proxy issue - prohibiting the page display.

pevma avatar Aug 02 '19 16:08 pevma

But I didn't set up the proxy, it's really strange, I don't know how to solve it. 😂😭😭😭😭😭😭

RonnieNiu avatar Aug 02 '19 16:08 RonnieNiu

I think you could try in a test setup - a fresh install without xpack enabled - to see if you get the same error?

pevma avatar Aug 02 '19 17:08 pevma