
watchad's People

Contributors

caledoniaproject, qianlitp

watchad's Issues

elasticsearch crash

Hi!
I'm trying to run WatchAD, but every time I run 'docker-compose up' I end up with this error:

watchad_logstash_1 | [2020-02-02T18:12:57,006][WARN ][logstash.outputs.elasticsearch] Attempted to resurrect connection to dead ES instance, but got an error. {:url=>"http://127.0.0.1:9200/", :error_type=>LogStash::Outputs::ElasticSearch::HttpClient::Pool::HostUnreachableError, :error=>"Elasticsearch Unreachable: [http://127.0.0.1:9200/][Manticore::SocketException] Connection refused (Connection refused)"}

and ES doesn't show in docker stats as it is crashed:

CONTAINER ID NAME CPU % MEM USAGE / LIMIT MEM % NET I/O BLOCK I/O PIDS
3671ac967d7b watchad_watchad_mongo_1 0.25% 70.38MiB / 7.767GiB 0.88% 1.45kB / 0B 0B / 442kB 32
29b7406ba9c4 watchad_watchad_rabbitmq_1 0.19% 93.44MiB / 7.767GiB 1.17% 2.96kB / 1.26kB 0B / 311kB 128
9fa30549a8de watchad_watchad_redis_1 0.11% 3.098MiB / 7.767GiB 0.04% 1.81kB / 0B 0B / 0B 4
469986ea1dde watchad_watchad_logstash_1 2.08% 707.8MiB / 7.767GiB 8.90% 0B / 0B 0B / 6.51MB 44

Thank you for any help!

Error

Traceback (most recent call last):
File "WatchAD.py", line 149, in
main()
File "WatchAD.py", line 135, in main
install(domain=options.domain, server=options.server, user=options.username, password=options.password)
File "WatchAD.py", line 33, in install
get_all_dc_names(domain)
File "/opt/WatchAD/scripts/init_settings.py", line 193, in get_all_dc_names
ldap_search = LDAPSearch(domain)
File "/opt/WatchAD/tools/LDAPSearch.py", line 21, in init
self.con = Connection(self._get_server(),
File "/opt/WatchAD/tools/LDAPSearch.py", line 28, in _get_server
return Server(main_config.ldap_account[self.domain]["server"], get_info=ALL)
KeyError: 'XXXXXXXX'

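Flaw in detecting sensitive-user queries via SAMR

ObjectName is objectSid only when the initial domain admin user is queried; otherwise it is objectCategory.
This makes it hard to detect queries for sensitive users.

Query command: net user "fafa" /domain

If a user other than the initial domain admin is queried, ObjectType is SAM_DOMAIN.

Test environment: Server 2019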

Share name in unknownfileshare

    if relative_target_name in ["protected_storage", "lsarpc", "samr", "ntsvcs", "NETLOGON"]:
        return

This should be a known common share name.

Elasticsearch version problem causes docker-compose up deployment to fail

"docker-compose.yaml" 61L, 1395C written                                                                                                                                                                                            
[2019-12-11T06:31:27,642][INFO ][o.e.n.Node               ] version[5.2.1], pid[1], build[db0d481/2017-02-09T22:05:32.386Z], OS[Linux/4.15.0-65-generic/amd64], JVM[Oracle Corporation/OpenJDK 64-Bit Server VM/1.8.0_121/25.121-b13]
[2019-12-11T06:31:28,434][INFO ][o.e.p.PluginsService     ] [tJrR6Ce] loaded module [aggs-matrix-stats]
[2019-12-11T06:31:28,434][INFO ][o.e.p.PluginsService     ] [tJrR6Ce] loaded module [ingest-common]
[2019-12-11T06:31:28,434][INFO ][o.e.p.PluginsService     ] [tJrR6Ce] loaded module [lang-expression]
[2019-12-11T06:31:28,434][INFO ][o.e.p.PluginsService     ] [tJrR6Ce] loaded module [lang-groovy]
[2019-12-11T06:31:28,434][INFO ][o.e.p.PluginsService     ] [tJrR6Ce] loaded module [lang-mustache]
[2019-12-11T06:31:28,435][INFO ][o.e.p.PluginsService     ] [tJrR6Ce] loaded module [lang-painless]
[2019-12-11T06:31:28,435][INFO ][o.e.p.PluginsService     ] [tJrR6Ce] loaded module [percolator]
[2019-12-11T06:31:28,435][INFO ][o.e.p.PluginsService     ] [tJrR6Ce] loaded module [reindex]
[2019-12-11T06:31:28,435][INFO ][o.e.p.PluginsService     ] [tJrR6Ce] loaded module [transport-netty3]
[2019-12-11T06:31:28,435][INFO ][o.e.p.PluginsService     ] [tJrR6Ce] loaded module [transport-netty4]
[2019-12-11T06:31:28,435][INFO ][o.e.p.PluginsService     ] [tJrR6Ce] no plugins loaded
[2019-12-11T06:31:28,577][WARN ][o.e.d.s.g.GroovyScriptEngineService] [groovy] scripts are deprecated, use [painless] scripts instead
[2019-12-11T06:31:29,016][WARN ][o.e.b.ElasticsearchUncaughtExceptionHandler] [] uncaught exception in thread [main]
org.elasticsearch.bootstrap.StartupException: java.lang.IllegalStateException: No match found
        at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:125) ~[elasticsearch-5.2.1.jar:5.2.1]
        at org.elasticsearch.bootstrap.Elasticsearch.execute(Elasticsearch.java:112) ~[elasticsearch-5.2.1.jar:5.2.1]
        at org.elasticsearch.cli.SettingCommand.execute(SettingCommand.java:54) ~[elasticsearch-5.2.1.jar:5.2.1]
        at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:122) ~[elasticsearch-5.2.1.jar:5.2.1]
        at org.elasticsearch.cli.Command.main(Command.java:88) ~[elasticsearch-5.2.1.jar:5.2.1]
        at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:89) ~[elasticsearch-5.2.1.jar:5.2.1]
        at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:82) ~[elasticsearch-5.2.1.jar:5.2.1]
Caused by: java.lang.IllegalStateException: No match found
        at java.util.regex.Matcher.group(Matcher.java:536) ~[?:1.8.0_121]
        at org.elasticsearch.monitor.os.OsProbe.getControlGroups(OsProbe.java:216) ~[elasticsearch-5.2.1.jar:5.2.1]
        at org.elasticsearch.monitor.os.OsProbe.getCgroup(OsProbe.java:414) ~[elasticsearch-5.2.1.jar:5.2.1]
        at org.elasticsearch.monitor.os.OsProbe.osStats(OsProbe.java:466) ~[elasticsearch-5.2.1.jar:5.2.1]
        at org.elasticsearch.monitor.os.OsService.<init>(OsService.java:45) ~[elasticsearch-5.2.1.jar:5.2.1]
        at org.elasticsearch.monitor.MonitorService.<init>(MonitorService.java:45) ~[elasticsearch-5.2.1.jar:5.2.1]
        at org.elasticsearch.node.Node.<init>(Node.java:345) ~[elasticsearch-5.2.1.jar:5.2.1]
        at org.elasticsearch.node.Node.<init>(Node.java:232) ~[elasticsearch-5.2.1.jar:5.2.1]
        at org.elasticsearch.bootstrap.Bootstrap$6.<init>(Bootstrap.java:241) ~[elasticsearch-5.2.1.jar:5.2.1]
        at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:241) ~[elasticsearch-5.2.1.jar:5.2.1]
        at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:333) ~[elasticsearch-5.2.1.jar:5.2.1]
        at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:121) ~[elasticsearch-5.2.1.jar:5.2.1]
        ... 6 more
[2019-12-11T06:32:31,344][INFO ][o.e.n.Node               ] [] initializing ...
[2019-12-11T06:32:31,410][INFO ][o.e.e.NodeEnvironment    ] [tJrR6Ce] using [1] data paths, mounts [[/usr/share/elasticsearch/data (/dev/sda2)]], net usable_space [266.1gb], net total_space [294.2gb], spins? [possibly], types [ext4]
[2019-12-11T06:32:31,410][INFO ][o.e.e.NodeEnvironment    ] [tJrR6Ce] heap size [494.9mb], compressed ordinary object pointers [true]
[2019-12-11T06:32:31,412][INFO ][o.e.n.Node               ] node name [tJrR6Ce] derived from node ID [tJrR6CeuT-i3TNaGoxZrTg]; set [node.name] to override
[2019-12-11T06:32:31,414][INFO ][o.e.n.Node               ] version[5.2.1], pid[1], build[db0d481/2017-02-09T22:05:32.386Z], OS[Linux/4.15.0-65-generic/amd64], JVM[Oracle Corporation/OpenJDK 64-Bit Server VM/1.8.0_121/25.121-b13]
[2019-12-11T06:32:32,236][INFO ][o.e.p.PluginsService     ] [tJrR6Ce] loaded module [aggs-matrix-stats]
[2019-12-11T06:32:32,237][INFO ][o.e.p.PluginsService     ] [tJrR6Ce] loaded module [ingest-common]
[2019-12-11T06:32:32,237][INFO ][o.e.p.PluginsService     ] [tJrR6Ce] loaded module [lang-expression]
[2019-12-11T06:32:32,237][INFO ][o.e.p.PluginsService     ] [tJrR6Ce] loaded module [lang-groovy]
[2019-12-11T06:32:32,237][INFO ][o.e.p.PluginsService     ] [tJrR6Ce] loaded module [lang-mustache]
[2019-12-11T06:32:32,237][INFO ][o.e.p.PluginsService     ] [tJrR6Ce] loaded module [lang-painless]
[2019-12-11T06:32:32,237][INFO ][o.e.p.PluginsService     ] [tJrR6Ce] loaded module [percolator]
[2019-12-11T06:32:32,237][INFO ][o.e.p.PluginsService     ] [tJrR6Ce] loaded module [reindex]
[2019-12-11T06:32:32,237][INFO ][o.e.p.PluginsService     ] [tJrR6Ce] loaded module [transport-netty3]
[2019-12-11T06:32:32,237][INFO ][o.e.p.PluginsService     ] [tJrR6Ce] loaded module [transport-netty4]
[2019-12-11T06:32:32,238][INFO ][o.e.p.PluginsService     ] [tJrR6Ce] no plugins loaded
[2019-12-11T06:32:32,380][WARN ][o.e.d.s.g.GroovyScriptEngineService] [groovy] scripts are deprecated, use [painless] scripts instead
[2019-12-11T06:32:32,809][WARN ][o.e.b.ElasticsearchUncaughtExceptionHandler] [] uncaught exception in thread [main]
org.elasticsearch.bootstrap.StartupException: java.lang.IllegalStateException: No match found
        at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:125) ~[elasticsearch-5.2.1.jar:5.2.1]
        at org.elasticsearch.bootstrap.Elasticsearch.execute(Elasticsearch.java:112) ~[elasticsearch-5.2.1.jar:5.2.1]
        at org.elasticsearch.cli.SettingCommand.execute(SettingCommand.java:54) ~[elasticsearch-5.2.1.jar:5.2.1]
        at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:122) ~[elasticsearch-5.2.1.jar:5.2.1]
        at org.elasticsearch.cli.Command.main(Command.java:88) ~[elasticsearch-5.2.1.jar:5.2.1]
        at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:89) ~[elasticsearch-5.2.1.jar:5.2.1]
        at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:82) ~[elasticsearch-5.2.1.jar:5.2.1]
Caused by: java.lang.IllegalStateException: No match found
        at java.util.regex.Matcher.group(Matcher.java:536) ~[?:1.8.0_121]
        at org.elasticsearch.monitor.os.OsProbe.getControlGroups(OsProbe.java:216) ~[elasticsearch-5.2.1.jar:5.2.1]
        at org.elasticsearch.monitor.os.OsProbe.getCgroup(OsProbe.java:414) ~[elasticsearch-5.2.1.jar:5.2.1]
        at org.elasticsearch.monitor.os.OsProbe.osStats(OsProbe.java:466) ~[elasticsearch-5.2.1.jar:5.2.1]
        at org.elasticsearch.monitor.os.OsService.<init>(OsService.java:45) ~[elasticsearch-5.2.1.jar:5.2.1]
        at org.elasticsearch.monitor.MonitorService.<init>(MonitorService.java:45) ~[elasticsearch-5.2.1.jar:5.2.1]
        at org.elasticsearch.node.Node.<init>(Node.java:345) ~[elasticsearch-5.2.1.jar:5.2.1]
        at org.elasticsearch.node.Node.<init>(Node.java:232) ~[elasticsearch-5.2.1.jar:5.2.1]
        at org.elasticsearch.bootstrap.Bootstrap$6.<init>(Bootstrap.java:241) ~[elasticsearch-5.2.1.jar:5.2.1]
        at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:241) ~[elasticsearch-5.2.1.jar:5.2.1]
        at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:333) ~[elasticsearch-5.2.1.jar:5.2.1]
        at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:121) ~[elasticsearch-5.2.1.jar:5.2.1]
        ... 6 more

Following medcl/elasticsearch-rtf#65, the fix is to modify docker-compose.yaml:

    watchad_elasticsearch:
      image: elasticsearch:5.3.0

Error when running docker-compose up, how do I handle it?

[root@test soft]# docker-compose up
Starting soft_watchad_elasticsearch_1 ...
soft_watchad_mongo_1 is up-to-date
Creating soft_watchad_logstash_1 ...
soft_watchad_rabbitmq_1 is up-to-date

Starting soft_watchad_elasticsearch_1 ... error
Starting soft_watchad_redis_1 ...
WARNING: Host is already in use by another container

ERROR: for soft_watchad_elasticsearch_1 Cannot start service watchad_elasticsearch: driver failed programming external connectivity on endpoint soft_watchad_elasticsearch_1 (00ae16186c844e2b45587140f5723b507a9d51421674bea653cd89db046284fd): Bind for 0.0.0.0:9200 failed: port is already allocated
Starting soft_watchad_redis_1 ... error

ERROR: for soft_watchad_redis_1 Cannot start service watchad_redis: driver failed programming external connectivity on endpoint soft_watchad_redis_1 (1fb2de77ad4e621880f62bf79c41fdb29e9221b1dd23e655ebcc3d7905d1f619): Bind for 0.0.0.0:6379 failed: port is already allocated

ERROR: for watchad_logstash "host" network_mode is incompatible with port_bindings

ERROR: for watchad_elasticsearch Cannot start service watchad_elasticsearch: driver failed programming external connectivity on endpoint soft_watchad_elasticsearch_1 (00ae16186c844e2b45587140f5723b507a9d51421674bea653cd89db046284fd): Bind for 0.0.0.0:9200 failed: port is already allocated

ERROR: for watchad_redis Cannot start service watchad_redis: driver failed programming external connectivity on endpoint soft_watchad_redis_1 (1fb2de77ad4e621880f62bf79c41fdb29e9221b1dd23e655ebcc3d7905d1f619): Bind for 0.0.0.0:6379 failed: port is already allocated
Traceback (most recent call last):
File "docker-compose", line 3, in
File "compose/cli/main.py", line 81, in main
File "compose/cli/main.py", line 203, in perform_command
File "compose/metrics/decorator.py", line 18, in wrapper
File "compose/cli/main.py", line 1186, in up
File "compose/cli/main.py", line 1182, in up
File "compose/project.py", line 702, in up
File "compose/parallel.py", line 108, in parallel_execute
File "compose/parallel.py", line 206, in producer
File "compose/project.py", line 688, in do
File "compose/service.py", line 564, in execute_convergence_plan
File "compose/service.py", line 480, in _execute_convergence_create
File "compose/parallel.py", line 108, in parallel_execute
File "compose/parallel.py", line 206, in producer
File "compose/service.py", line 478, in
File "compose/service.py", line 457, in create_and_start
File "compose/service.py", line 334, in create_container
File "compose/service.py", line 941, in _get_container_create_options
File "compose/service.py", line 1073, in _get_container_host_config
File "docker/api/container.py", line 598, in create_host_config
File "docker/types/containers.py", line 339, in init
docker.errors.InvalidArgument: "host" network_mode is incompatible with port_bindings
[100586] Failed to execute script docker-compose

Encountered an ldap3 error

Traceback (most recent call last):
File "WatchAD.py", line 159, in
main()
File "WatchAD.py", line 145, in main
install(domain=options.domain, server=options.server, user=options.username, password=options.password)
File "WatchAD.py", line 35, in install
get_all_dc_names(domain)
File "/home/polo/WatchAD/scripts/init_settings.py", line 194, in get_all_dc_names
ldap_search = LDAPSearch(domain)
File "/home/polo/WatchAD/tools/LDAPSearch.py", line 24, in init
auto_bind=True)
File "/usr/local/lib/python3.6/dist-packages/ldap3/core/connection.py", line 321, in init
self.do_auto_bind()
File "/usr/local/lib/python3.6/dist-packages/ldap3/core/connection.py", line 349, in do_auto_bind
raise LDAPBindError(self.last_error)
ldap3.core.exceptions.LDAPBindError: automatic bind not successful - invalidCredentials

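Domain account brute force (2000+ attempts) succeeded, but no alert was generated

Hello. The Security log in the domain controller's Event Viewer contains a large number of logon authentication audit failure records. Checking the winlogbeat log (winlogbeat version 6.2.0), a large number of events are being sent to the WatchAD server. Checking Elasticsearch on the WatchAD server, there are dc_log_[date] files but no dc_traffic_ files. In the Configuration section of the web platform I can see the domain name entered during installation. Could you advise how to troubleshoot this? Thank you very much.

Detecting the ADIDNS spoof attack scenario

For example, using adidns spoof to add a resolution record within the domain, or to export all resolution records: how can such an attack scenario be detected? Looking at the logs, there is only the authentication and nothing else; a packet capture does show some information in LDAP. Does this mean it can only be detected on the traffic side?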

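Environment problem

Are there any system requirements for installing a local test environment? I have been deploying for several days and keep getting different errors, with no success so far. After running docker-compose up, the ES startup log always shows max virtual memory areas vm.max_map_count 65530 is too low, and the methods found online do not seem to work either. Where exactly is the problem?
I deployed it in a Win Server 2008 virtual machine.
Much appreciated.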

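logstash port not mapped after docker starts

After docker-compose up there are no errors or anything else. Is the port not being mapped? Connecting to the port directly with telnet is refused, as shown in the screenshot.

After also running WatchAD-web on the same machine, visiting it shows only the nginx welcome page, not the expected dashboard. Is this a configuration problem? The engine and the web are both on one Linux server, so performance should not be an issue. Could there be some other cause?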

Could you share the configuration required for rabbitmq etc.?

Currently, when running check, it reports the error pika.exceptions.ConnectionClosedByBroker: (530, "NOT_ALLOWED - access to vhost '/' refused for user 'WatchAD'")
2019-11-13 16:06:17,138 - WatchAD - ERROR - Can't connect to the MQ, please reconfirm the settings.
It cannot connect to the MQ. I have already added WatchAD/WatchAD-by-0KEE on rabbitmq, and ports 5672 and 15672 are both open. Thanks!

Is there a problem with the start.py script??

Traceback (most recent call last):
File "/home/polo/WatchAD/tools/database/Consumer.py", line 71, in callback
self.handle_func(message)
File "/home/polo/WatchAD/start.py", line 89, in do_analyze
if data['type'] == "wineventlog":
KeyError:'type'

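Default logstash configuration in docker-compose is wrong

WatchAD/settings/logstash/logstash.conf

In it, the host for both Elasticsearch and Rabbitmq is 127.0.0.1. In Docker mode, logstash will therefore access the ports inside its own container rather than the ports of the actual services, so starting directly with docker-compose up fails.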

Error during initial installation with watchad.py

2022-06-11 00:24:54,309 - WatchAD - INFO - Install the WatchAD ...
2022-06-11 00:24:54,309 - WatchAD - INFO - init the elasticsearch index template.
2022-06-11 00:24:54,345 - WatchAD - INFO - template "dc_log_template" already exists, delete it.
2022-06-11 00:24:54,397 - WatchAD - INFO - put template "dc_log_template" ...
2022-06-11 00:24:54,418 - WatchAD - INFO - template "krb5_ticket_template" already exists, delete it.
2022-06-11 00:24:54,432 - WatchAD - INFO - put template "krb5_ticket_template" ...
2022-06-11 00:24:54,469 - WatchAD - INFO - template "dc_traffic_template" already exists, delete it.
2022-06-11 00:24:54,482 - WatchAD - INFO - put template "dc_traffic_template" ...
2022-06-11 00:24:54,507 - WatchAD - INFO - template "user_activity_template" already exists, delete it.
2022-06-11 00:24:54,513 - WatchAD - INFO - put template "user_activity_template" ...
2022-06-11 00:24:54,533 - WatchAD - INFO - init the ldap configuration.
2022-06-11 00:24:56,141 - WatchAD - INFO - Search all domain controllers using LDAP.
2022-06-11 00:24:56,529 - WatchAD - INFO - AD1
2022-06-11 00:24:56,529 - WatchAD - INFO - domain controller count: 1
2022-06-11 00:24:56,529 - WatchAD - INFO - Save all domain controllers to settings.
2022-06-11 00:24:57,283 - WatchAD - INFO - init other settings.
2022-06-11 00:24:57,598 - WatchAD - INFO - init sensitive groups.
2022-06-11 00:24:57,776 - WatchAD - INFO - Administrators,Account Operators,Server Operators,Print Operators,Backup Operators,Replicator,Remote Desktop Users,Network Configuration Operators,Incoming Forest Trust Builders,Domain Admins,Enterprise Admins,Schema Admins,DnsAdmins,Group Policy Creator Owners
2022-06-11 00:24:57,836 - WatchAD - INFO - set learning end time: 2022-06-21 07:24:57.836277
2022-06-11 00:24:57,884 - WatchAD - INFO - set crontab tasks.
Traceback (most recent call last):
File "WatchAD.py", line 159, in
main()
File "WatchAD.py", line 145, in main
install(domain=options.domain, server=options.server, user=options.username, password=options.password)
File "WatchAD.py", line 43, in install
set_crontab_tasks()
File "/root/WatchAD/scripts/init_settings.py", line 289, in set_crontab_tasks
my_user_cron = CronTab(user=True)
TypeError: init() got an unexpected keyword argument 'user'

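Could you help analyze what the problem is here?

logstash still cannot be deployed after modifying the configuration

I modified the logstash configuration and set the service address to the IP of the server where the project is deployed, but logstash still cannot be deployed after running docker-compose up. Error message: [WARN ][logstash.outputs.elasticsearch] Attempted to resurrect connection to dead ES instance, but got an error.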

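LDAP authentication failed

As shown in the screenshot, LDAP is reading the data in the user, I suppose; the same thing happens whether I enter the domain controller account and password or an ordinary account and password.
Arguments: python3 Watch.py --install -d [domain name] -s [domain controller] -u [domain controller user] -p [domain controller password]

Running watchad.py with elasticsearch 8.x reports a put template error; how can this be solved?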

2022-07-23 01:19:14,188 - WatchAD - INFO - put template "dc_log_template" ...
Traceback (most recent call last):
File "WatchAD.py", line 159, in
main()
File "WatchAD.py", line 145, in main
install(domain=options.domain, server=options.server, user=options.username, password=options.password)
File "WatchAD.py", line 31, in install
init_es_template()
File "/root/WatchAD/scripts/init_settings.py", line 41, in init_es_template
es.put_template(name=name, body=temp)
File "/root/WatchAD/tools/database/ElsaticHelper.py", line 71, in put_template
return self.es.indices.put_template(name=name, body=body, create=True, **kwargs)
File "/usr/local/lib/python3.6/site-packages/elasticsearch/_sync/client/utils.py", line 414, in wrapped
return api(*args, **kwargs)
TypeError: put_template() got an unexpected keyword argument 'template'

Docker version 19.03.2 error

Pulling watchad_rabbitmq (rabbitmq:management)...
Traceback (most recent call last):
File "site-packages/dockerpycreds/store.py", line 80, in _execute
File "subprocess.py", line 356, in check_output
File "subprocess.py", line 438, in run
subprocess.CalledProcessError: Command '['/usr/local/bin/docker-credential-desktop', 'get']' returned non-zero exit status 1.

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "site-packages/docker/auth.py", line 264, in _resolve_authconfig_credstore
File "site-packages/dockerpycreds/store.py", line 35, in get
File "site-packages/dockerpycreds/store.py", line 93, in _execute
dockerpycreds.errors.StoreError: Credentials store docker-credential-desktop exited with "No stored credential for https://index.docker.io/v1/".

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "docker-compose", line 6, in
File "compose/cli/main.py", line 71, in main
File "compose/cli/main.py", line 127, in perform_command
File "compose/cli/main.py", line 1085, in up
File "compose/cli/main.py", line 1081, in up
File "compose/project.py", line 527, in up
File "compose/service.py", line 354, in ensure_image_exists
File "compose/service.py", line 1222, in pull
File "compose/progress_stream.py", line 102, in get_digest_from_pull
File "compose/service.py", line 1187, in _do_pull
File "site-packages/docker/api/image.py", line 381, in pull
File "site-packages/docker/auth.py", line 48, in get_config_header
File "site-packages/docker/auth.py", line 322, in resolve_authconfig
File "site-packages/docker/auth.py", line 235, in resolve_authconfig
File "site-packages/docker/auth.py", line 281, in _resolve_authconfig_credstore
docker.errors.DockerException: Credentials store error: StoreError('Credentials store docker-credential-desktop exited with "No stored credential for https://index.docker.io/v1/".',)
[34147] Failed to execute script docker-compose
