Comments (14)

regit avatar regit commented on June 1, 2024

Hi,

Regarding suricata status, you need to enable unix-command in your suricata YAML.

For elasticsearch, check that the elasticsearch index related variables are correct (see https://github.com/StamusNetworks/scirius/blob/master/scirius/settings.py#L113).

from scirius.

drew1kun avatar drew1kun commented on June 1, 2024

Thank you for reply!

1 - Enabled unix-command in suricata.yaml:

unix-command:
  enabled: yes
  filename: custom.socket

Restarted suricata and scirius - still red (((

2 - my indexes in elasticsearch look like this:
logstash-2015.05.24; logstash-2015.06.04; logstash-2015.06.05; logstash-2015.06.06;...
So in local_settings.py I've changed default "logstash-" to "logstash-*" and restarted scirius - still have "Unable to get data from Elasticsearch" on red background

3 - in local_settings.py I also have:

USE_KIBANA = True
# Use django as a reverse proxy for kibana request
# This will allow you to use scirius authentication to control
# access to Kibana
KIBANA_PROXY = False
# Kibana URL
KIBANA_URL = "http://localhost:5601"

But under kibana dashboards it still says: Failed to get data

Please, what am I missing?

drew1kun avatar drew1kun commented on June 1, 2024

Well I think I know what's with my suricata - there is a bug in suricata when working with BSD-flavored operating systems... Getting Unable to change permission on socket: Invalid argument (22) -- https://redmine.openinfosecfoundation.org/issues/1353
So waiting for fix from openinfo...

But I still don't understand what's with my elasticsearch and kibana
[screenshot]

drew1kun avatar drew1kun commented on June 1, 2024

[screenshot]

regit avatar regit commented on June 1, 2024

Could you have one specific index for kibana in elasticsearch?

drew1kun avatar drew1kun commented on June 1, 2024

Is that what you mean?
[screenshot]

Or you mean make indexes which do not contain time-based events?
[screenshot]

regit avatar regit commented on June 1, 2024

Yes, that's it! kibana-int is hard coded and you are using .kibana. I'll try to cook a patch to fix this.

drew1kun avatar drew1kun commented on June 1, 2024

Can't I just try deleting it? Or you wouldn't suggest doing so?

regit avatar regit commented on June 1, 2024

No, I've just pushed patches on master. Can you try them?

In your local_settings.py, set

KIBANA_VERSION=4
KIBANA_INDEX=".kibana"

Then it should work.

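The thread turns on two checks: whether Suricata's unix-command socket answers at all, and whether the Elasticsearch index layout (daily logstash-YYYY.MM.DD indices plus a Kibana index, kibana-int for Kibana 3 or .kibana for Kibana 4) matches what local_settings.py says. The following stand-alone diagnostic is an added example, not Scirius code and not something posted in this issue. It uses only the Python standard library; the _cat/indices sample is constructed, the socket path is whatever you pass on the command line, and the protocol version string "0.1" is the one described in the Suricata unix socket documentation (treat it as an assumption for your release).

```python
"""Offline-friendly checks for the two things this thread is about:
whether Suricata's unix-command socket answers, and whether the
Elasticsearch index layout matches the Scirius settings (daily
logstash-YYYY.MM.DD indices plus a Kibana index).
Added example; not part of Scirius or of this issue thread."""
import json
import re
import socket

# Suricata's unix socket protocol: the client sends {"version": "0.1"}
# first and expects {"return": "OK"}; every later command is a JSON
# object such as {"command": "uptime"}. Assumed from the Suricata docs.
SURICATA_PROTO_VERSION = "0.1"


def suricata_socket_status(socket_path, timeout=2.0):
    """Handshake with Suricata on socket_path and run 'uptime'.
    Returns {"ok": bool, "detail": str}. Any OSError (missing socket,
    connection refused, EINVAL as in Redmine issue 1353) is reported
    rather than raised, because a status page must not crash on it."""
    sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect(socket_path)
        sock.sendall(json.dumps({"version": SURICATA_PROTO_VERSION}).encode())
        reply = json.loads(sock.recv(4096).decode())
        if reply.get("return") != "OK":
            return {"ok": False, "detail": "handshake refused: %r" % reply}
        sock.sendall(json.dumps({"command": "uptime"}).encode())
        reply = json.loads(sock.recv(4096).decode())
        return {"ok": reply.get("return") == "OK",
                "detail": str(reply.get("message"))}
    except (OSError, ValueError) as exc:
        # ValueError covers an empty or non-JSON reply from a closed socket
        return {"ok": False, "detail": "%s: %s" % (socket_path, exc)}
    finally:
        sock.close()


# Constructed sample of `GET /_cat/indices` output in the ES 1.x column
# order (health status index pri rep docs.count docs.deleted size size);
# the index name is the third column in every Elasticsearch release.
SAMPLE_CAT_INDICES = """\
green  open .kibana             1 1    12 0  40kb  20kb
yellow open logstash-2015.05.24 5 1   980 0 1.2mb 1.2mb
yellow open logstash-2015.06.04 5 1 12030 0 9.8mb 9.8mb
yellow open logstash-2015.06.05 5 1 11020 0 9.1mb 9.1mb
yellow open logstash-2015.06.06 5 1   870 0 700kb 700kb
yellow open logstash-events     5 1    12 0  30kb  30kb
"""

DAILY_SUFFIX_RE = r"(\d{4}\.\d{2}\.\d{2})$"


def parse_cat_indices(text):
    """Return the index names from _cat/indices output."""
    names = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) >= 3:
            names.append(cols[2])
    return names


def index_layout_report(index_names, logstash_prefix="logstash-",
                        kibana_index=".kibana"):
    """Compare the live index names with the settings values.
    A trailing '*' on the prefix (as in 'logstash-*') is ignored so
    both spellings that appear in the thread are treated the same."""
    prefix = logstash_prefix.rstrip("*")
    daily_pat = re.compile(re.escape(prefix) + DAILY_SUFFIX_RE)
    daily = sorted(n for n in index_names if daily_pat.match(n))
    stray = sorted(n for n in index_names
                   if n.startswith(prefix) and n not in daily)
    if ".kibana" in index_names:       # Kibana 4 stores its objects here
        kibana_hint = 4
    elif "kibana-int" in index_names:  # Kibana 3 used this index name
        kibana_hint = 3
    else:
        kibana_hint = None
    return {
        "daily_indices": daily,
        "latest": daily[-1] if daily else None,
        "non_daily_with_prefix": stray,
        "kibana_index_present": kibana_index in index_names,
        "kibana_version_hint": kibana_hint,
    }


if __name__ == "__main__":
    import sys
    names = parse_cat_indices(SAMPLE_CAT_INDICES)
    print(json.dumps(index_layout_report(names, "logstash-*"), indent=2))
    # Pass the path from suricata.yaml (unix-command.filename) to probe it.
    if len(sys.argv) > 1:
        print(suricata_socket_status(sys.argv[1]))
```

Run it against real output by piping `curl -s 'http://127.0.0.1:9200/_cat/indices'` into `parse_cat_indices`; if `kibana_index_present` is False while `kibana_version_hint` is 4, the KIBANA_INDEX and KIBANA_VERSION values above are the settings to check first, and a `non_daily_with_prefix` entry is an index the daily pattern will never select.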

drew1kun avatar drew1kun commented on June 1, 2024

doesn't work(((
I've removed previous scirius and cloned again:

git clone https://github.com/StamusNetworks/scirius /usr/local/var/www/scirius

made all changes like you've written and started server:

python /usr/local/var/www/scirius/manage.py runserver

and got this:

You have unapplied migrations; your app may not work properly until they are applied.
Run 'python manage.py migrate' to apply them.

and in browser got this:
untitled

regit avatar regit commented on June 1, 2024

Try to run the migrate command as proposed.

drew1kun avatar drew1kun commented on June 1, 2024

oh yeah! Stupid me! I was already sleeping! I've run the migrate command and now everything works fine!!! Waiting for suricata 2.1beta5 - they promise to fix unix-socket on BSD operating systems... Thank you very much! If I notice something I'll let you know!

drew1kun avatar drew1kun commented on June 1, 2024

I've got this red "Unable to get data from Elasticsearch" message again… I'm using Apache as reverse proxy with ssl between elasticsearch and kibana: so the reverse proxy accepts the incoming Elasticsearch requests on port 443 (https) and pushes them to Elasticsearch on port 9200, which is what Elasticsearch is expecting. Part of kibana httpd-vhost:

ProxyRequests off
ProxyPass /elasticsearch/ http://127.0.0.1:9200/

<Location /elasticsearch/>
 ProxyPassReverse /
 SSLRequireSSL
</Location>

When kibana.elasticsearch_url is httpS://0.0.0.0/elasticsearch/

I was trying both (in local_settings.py): httpS://0.0.0.0/elasticsearch/ and default - http://127.0.0.1:9200/ but it does not work((
Elasticsearch and kibana themselves work great…

drew1kun avatar drew1kun commented on June 1, 2024

well I've found out what's happening… Will open new issue…
