
Wrong OPENSEARCH_HOST preset in timesketch.conf

Open pydvlpr opened this issue 3 years ago • 5 comments

Describe the bug: After a fresh install I was not able to access a new sketch.

It ended up in backtrace error messages in /opt/timesketch/logs/wsgi_error.log.

[2022-01-07 13:16:15 +0000] [14] [ERROR] Error handling request /api/v1/sketches/1/
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/urllib3/connection.py", line 159, in _new_conn
    conn = connection.create_connection(
  File "/usr/lib/python3/dist-packages/urllib3/util/connection.py", line 84, in create_connection
    raise err
  File "/usr/lib/python3/dist-packages/urllib3/util/connection.py", line 74, in create_connection
    sock.connect(sa)
ConnectionRefusedError: [Errno 111] Connection refused

followed by several other backtrace connection error messages.

To Reproduce Steps to reproduce the behavior:

  1. Go to (https://github.com/google/timesketch/blob/master/docs/guides/admin/install.md)
  2. Follow the instructions and install timesketch
  3. Start timesketch
  4. Access timesketch by web browser and log on
  5. Create new sketch
  6. Try to access new sketch.
  7. See log message in wsgi_error.log

Expected behavior: After creation of a new sketch it should be accessible in the web browser.

Desktop (please complete the following information):

  • OS: Ubuntu 20.04.3 LTS
  • Browser firefox
  • Docker 20.10.7, build 20.10.7-oubuntu5-20.04.2

Additional context I was able to locate and fix the bug.

My timesketch installation was located in

/opt/timesketch

The configuration file

/opt/timesketch/etc/timesketch/timesketch.conf

contains the entries for opensearch as follows:

OPENSEARCH_HOST = '127.0.0.1'
OPENSEARCH_PORT = 9200
OPENSEARCH_USER = None
OPENSEARCH_PASSWORD = None
OPENSEARCH_SSL = False
OPENSEARCH_VERIFY_CERTS = True
OPENSEARCH_TIMEOUT = 10

After changing the value of OPENSEARCH_HOST like this

OPENSEARCH_HOST = 'opensearch'

the connection error didn't occur any more.

I think the problem was that the preset value of OPENSEARCH_HOST didn't match the docker opensearch container's hostname.

pydvlpr avatar Jan 07 '22 14:01 pydvlpr

Same problem, same solution, thanks for the issue report!

nanomite-de avatar Jan 09 '22 13:01 nanomite-de

thx, we will fix it next week, feel free to make a PR if you want.

jaegeral avatar Jan 09 '22 13:01 jaegeral

Hi Alexander, I haven't had the time to make a test deployment again yet.

But I've looked into the deploy_timesketch.sh:

...
# Fetch default Timesketch config files
curl -s $GITHUB_BASE_URL/data/timesketch.conf > timesketch/etc/timesketch/timesketch.conf
...
# Set up the Elastic connection
sed -i 's#^ELASTIC_HOST = \x27127.0.0.1\x27#ELASTIC_HOST = \x27'$OPENSEARCH_ADDRESS'\x27#' timesketch/etc/timesketch/timesketch.conf
sed -i 's#^ELASTIC_PORT = 9200#ELASTIC_PORT = '$OPENSEARCH_PORT'#' timesketch/etc/timesketch/timesketch.conf

You are looking for the variable named ELASTIC_HOST. But in the current sample file /data/timesketch.conf, which you copied at first with curl, there is no such variable. The variable there is

...
OPENSEARCH_HOST = '127.0.0.1'
OPENSEARCH_PORT = 9200
...

I am pretty sure this is the bug's location, but didn't like the idea of making a pull request without another test myself.


pydvlpr avatar Jan 10 '22 07:01 pydvlpr

bugfix 2097 still has a bug/typo in it.

The updated timesketch.conf generated by deploy_timesketch.sh has the following line:

OPNSEARCH_HOST = 'opensearch'

and it should be

OPENSEARCH_HOST = 'opensearch'

mark-hallman avatar Jan 11 '22 16:01 mark-hallman
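
Both failures reported in this thread were silent: a sed pattern for a key that no longer exists in the file, then a replacement that wrote a misspelled key. The following is an added example, not part of the thread or of deploy_timesketch.sh: a hypothetical `set_conf_value` helper that names the key once and verifies the result. The sample config is constructed from the defaults quoted in the issue.

```shell
#!/usr/bin/env bash
# Added example (not from deploy_timesketch.sh): update one KEY = VALUE line in
# a timesketch.conf-style file and fail loudly if the key is not there.

# set_conf_value FILE KEY VALUE  (hypothetical helper)
# KEY is assumed to be a plain identifier such as OPENSEARCH_HOST.
# VALUE is written verbatim, so string values carry their own quotes.
# Returns 1 if KEY is missing or duplicated, 2 if the new line is not found
# after the rewrite.
set_conf_value() {
  local file="$1" key="$2" value="$3" count escaped
  # A pattern that matches nothing still makes sed exit 0, so count matches first.
  count=$(grep -c "^${key} = " "$file" 2>/dev/null || true)
  if [ "${count:-0}" -ne 1 ]; then
    echo "ERROR: expected one '${key} = ' line in ${file}, found ${count:-0}" >&2
    return 1
  fi
  # Escape what is special in a sed replacement: backslash, & and the # delimiter.
  escaped=$(printf '%s' "$value" | sed 's/[\\&#]/\\&/g')
  # KEY is named once and reused on both sides, so pattern and replacement
  # cannot drift apart (the OPNSEARCH_HOST case).
  sed "s#^${key} = .*#${key} = ${escaped}#" "$file" > "${file}.tmp" || return 2
  mv "${file}.tmp" "$file"
  # Confirm the exact expected line is now present.
  grep -qxF "${key} = ${value}" "$file" || return 2
}

# Constructed sample config mirroring the defaults quoted in the issue.
demo_conf=$(mktemp)
printf '%s\n' "OPENSEARCH_HOST = '127.0.0.1'" "OPENSEARCH_PORT = 9200" > "$demo_conf"

# The stale key from the old script is rejected instead of ignored.
set_conf_value "$demo_conf" ELASTIC_HOST "'opensearch'" || echo "rejected stale key"
# The correct key is rewritten and verified.
set_conf_value "$demo_conf" OPENSEARCH_HOST "'opensearch'" && cat "$demo_conf"
rm -f "$demo_conf"
```
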

Hi Mark, thanks for the info and sorry for the typo. I'll fix it this evening.

Martin


pydvlpr avatar Jan 11 '22 17:01 pydvlpr

I assume that because the PR is closed and accepted, we can close this one out.

jaegeral avatar Aug 22 '22 20:08 jaegeral