weslambert / securityonion-velociraptor

Run Velociraptor on Security Onion


Will not install on v2.3.91 ~WARNING~ WILL overwrite your Firewall and TPM Filebeat Local files!!!!!!!!!!!!!!!!!

Bal33p opened this issue · comments

Indexes have not populated since installing Velo.. PLEASE HELP

[2022-01-17T00:00:06,512][WARN ][logstash.outputs.elasticsearch] Attempted to resurrect connection to dead ES instance, but got an error {:url=>"https://xxx.xxx.xxx.205:9200/", :exception=>LogStash::Outputs::ElasticSearch::HttpClient::Pool::BadResponseCodeError, :message=>"Got response code '401' contacting Elasticsearch at URL 'https://xxx.xxx.xxx.205:9200/'"}
[2022-01-17T00:00:07,154][WARN ][logstash.outputs.redis ] Failed to flush outgoing items {:outgoing_count=>125, :exception=>"Redis::CommandError", :backtrace=>["/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/redis-4.5.1/lib/redis/client.rb:163:in call'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/redis-4.5.1/lib/redis.rb:1263:in block in rpush'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/redis-4.5.1/lib/redis.rb:72:in block in synchronize'", "uri:classloader:/META-INF/jruby.home/lib/ruby/stdlib/monitor.rb:237:in block in mon_synchronize'", "org/jruby/RubyThread.java:759:in handle_interrupt'", "uri:classloader:/META-INF/jruby.home/lib/ruby/stdlib/monitor.rb:236:in block in mon_synchronize'", "org/jruby/RubyThread.java:759:in handle_interrupt'", "uri:classloader:/META-INF/jruby.home/lib/ruby/stdlib/monitor.rb:233:in mon_synchronize'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/redis-4.5.1/lib/redis.rb:72:in synchronize'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/redis-4.5.1/lib/redis.rb:1262:in rpush'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-output-redis-5.0.0/lib/logstash/outputs/redis.rb:152:in flush'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/stud-0.0.23/lib/stud/buffer.rb:221:in block in buffer_flush'", "org/jruby/RubyHash.java:1415:in each'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/stud-0.0.23/lib/stud/buffer.rb:216:in buffer_flush'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/stud-0.0.23/lib/stud/buffer.rb:159:in buffer_receive'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-output-redis-5.0.0/lib/logstash/outputs/redis.rb:209:in send_to_redis'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-codec-json-3.1.0/lib/logstash/codecs/json.rb:69:in encode'", "/usr/share/logstash/logstash-core/lib/logstash/codecs/delegator.rb:48:in block in encode'", "org/logstash/instrument/metrics/AbstractSimpleMetricExt.java:65:in time'", 
"org/logstash/instrument/metrics/AbstractNamespacedMetricExt.java:64:in time'", "/usr/share/logstash/logstash-core/lib/logstash/codecs/delegator.rb:47:in encode'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-output-redis-5.0.0/lib/logstash/outputs/redis.rb:123:in receive'", "/usr/share/logstash/logstash-core/lib/logstash/outputs/base.rb:105:in block in multi_receive'", "org/jruby/RubyArray.java:1821:in each'", "/usr/share/logstash/logstash-core/lib/logstash/outputs/base.rb:105:in multi_receive'", "org/logstash/config/ir/compiler/OutputStrategyExt.java:143:in multi_receive'", "org/logstash/config/ir/compiler/AbstractOutputDelegatorExt.java:121:in multi_receive'", "/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:299:in block in start_workers'"]}
[2022-01-17T00:00:07,154][WARN ][logstash.outputs.redis ] Failed to send backlog of events to Redis {:identity=>"redis://@rich-soni-01-pp:6379/0 list:logstash:unparsed", :exception=>#<Redis::CommandError: OOM command not allowed when used memory > 'maxmemory'.>, :backtrace=>["/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/redis-4.5.1/lib/redis/client.rb:163:in call'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/redis-4.5.1/lib/redis.rb:1263:in block in rpush'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/redis-4.5.1/lib/redis.rb:72:in block in synchronize'", "uri:classloader:/META-INF/jruby.home/lib/ruby/stdlib/monitor.rb:237:in block in mon_synchronize'", "org/jruby/RubyThread.java:759:in handle_interrupt'", "uri:classloader:/META-INF/jruby.home/lib/ruby/stdlib/monitor.rb:236:in block in mon_synchronize'", "org/jruby/RubyThread.java:759:in handle_interrupt'", "uri:classloader:/META-INF/jruby.home/lib/ruby/stdlib/monitor.rb:233:in mon_synchronize'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/redis-4.5.1/lib/redis.rb:72:in synchronize'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/redis-4.5.1/lib/redis.rb:1262:in rpush'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-output-redis-5.0.0/lib/logstash/outputs/redis.rb:152:in flush'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/stud-0.0.23/lib/stud/buffer.rb:221:in block in buffer_flush'", "org/jruby/RubyHash.java:1415:in each'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/stud-0.0.23/lib/stud/buffer.rb:216:in buffer_flush'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/stud-0.0.23/lib/stud/buffer.rb:159:in buffer_receive'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-output-redis-5.0.0/lib/logstash/outputs/redis.rb:209:in send_to_redis'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-codec-json-3.1.0/lib/logstash/codecs/json.rb:69:in encode'", 
"/usr/share/logstash/logstash-core/lib/logstash/codecs/delegator.rb:48:in block in encode'", "org/logstash/instrument/metrics/AbstractSimpleMetricExt.java:65:in time'", "org/logstash/instrument/metrics/AbstractNamespacedMetricExt.java:64:in time'", "/usr/share/logstash/logstash-core/lib/logstash/codecs/delegator.rb:47:in encode'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-output-redis-5.0.0/lib/logstash/outputs/redis.rb:123:in receive'", "/usr/share/logstash/logstash-core/lib/logstash/outputs/base.rb:105:in block in multi_receive'", "org/jruby/RubyArray.java:1821:in each'", "/usr/share/logstash/logstash-core/lib/logstash/outputs/base.rb:105:in multi_receive'", "org/logstash/config/ir/compiler/OutputStrategyExt.java:143:in multi_receive'", "org/logstash/config/ir/compiler/AbstractOutputDelegatorExt.java:121:in multi_receive'", "/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:299:in block in start_workers'"]}
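The two failure modes in the log excerpt above (a 401 from Elasticsearch when Logstash tries to resurrect the dead ES connection, and Redis refusing writes with "OOM command not allowed" once `maxmemory` is hit) are easy to miss inside the backtrace noise. The following triage script is an added example, not code from this repository or from Security Onion: it parses Logstash's plain-text log format, keeps only WARN/ERROR/FATAL entries, and counts the conditions that matter here. The sample log lines are constructed for the example, modelled on the ones in this issue, with the host names and IP addresses replaced by placeholders.

```python
import re
from collections import Counter

# Logstash plain-text log line: [timestamp][LEVEL ][logger ] message
# Note the trailing padding inside the level and logger brackets.
LOG_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\[(?P<level>\w+)\s*\]\[(?P<logger>[^\]\s]+)\s*\]\s*(?P<msg>.*)$"
)

# Triage rules: (category, logger prefix, pattern in the message).
# Order matters: the OOM rule must win over the generic flush-failure rule.
RULES = [
    ("es_auth_failure", "logstash.outputs.elasticsearch", re.compile(r"response code '401'")),
    ("redis_oom", "logstash.outputs.redis", re.compile(r"OOM command not allowed")),
    ("redis_flush_failed", "logstash.outputs.redis", re.compile(r"Failed to flush outgoing items")),
]

HTTP_STATUS_RE = re.compile(r"Got response code '(\d{3})'")

# Defender-side next checks for each category (hypothetical wording, not from the page).
NEXT_STEPS = {
    "es_auth_failure": "Elasticsearch rejected the pipeline credentials; verify the user/password the output uses.",
    "redis_oom": "Redis hit maxmemory; confirm the consumer pipeline is draining the queue before adding inputs.",
    "redis_flush_failed": "Redis output could not flush; usually a symptom of the OOM condition above.",
}

# Constructed sample log, modelled on the lines in the issue; hosts and IPs are placeholders.
SAMPLE_LOG = """\
[2022-01-17T00:00:06,512][WARN ][logstash.outputs.elasticsearch] Attempted to resurrect connection to dead ES instance, but got an error {:url=>"https://10.0.0.5:9200/", :exception=>LogStash::Outputs::ElasticSearch::HttpClient::Pool::BadResponseCodeError, :message=>"Got response code '401' contacting Elasticsearch at URL 'https://10.0.0.5:9200/'"}
[2022-01-17T00:00:07,154][WARN ][logstash.outputs.redis ] Failed to flush outgoing items {:outgoing_count=>125, :exception=>"Redis::CommandError", :backtrace=>["..."]}
[2022-01-17T00:00:07,154][WARN ][logstash.outputs.redis ] Failed to send backlog of events to Redis {:identity=>"redis://@so-manager:6379/0 list:logstash:unparsed", :exception=>#<Redis::CommandError: OOM command not allowed when used memory > 'maxmemory'.>, :backtrace=>["..."]}
[2022-01-17T00:00:08,000][INFO ][logstash.javapipeline    ] Pipeline started {"pipeline.id"=>"main"}
"""


def parse_line(line):
    """Split one Logstash log line into its fields; None if it is not a log header line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ts": m["ts"], "level": m["level"], "logger": m["logger"], "msg": m["msg"]}


def classify(entry):
    """Return the first matching triage category for a parsed entry, or None."""
    for name, logger_prefix, pattern in RULES:
        if entry["logger"].startswith(logger_prefix) and pattern.search(entry["msg"]):
            return name
    return None


def http_status(msg):
    """Extract the HTTP status Logstash reports from Elasticsearch, if any."""
    m = HTTP_STATUS_RE.search(msg)
    return int(m.group(1)) if m else None


def triage(lines):
    """Count the known failure conditions across WARN-or-worse entries."""
    counts = Counter()
    statuses = []
    for line in lines:
        entry = parse_line(line)
        if entry is None or entry["level"] not in ("WARN", "ERROR", "FATAL"):
            continue  # continuation lines of a backtrace, or routine INFO output
        category = classify(entry)
        if category is None:
            continue
        counts[category] += 1
        status = http_status(entry["msg"])
        if status is not None:
            statuses.append(status)
    return {"counts": dict(counts), "http_statuses": statuses}


def next_steps(summary):
    """Map the observed categories to the checks a defender would run next."""
    return [NEXT_STEPS[c] for c in summary["counts"] if c in NEXT_STEPS]


if __name__ == "__main__":
    result = triage(SAMPLE_LOG.splitlines())
    print(result)
    for step in next_steps(result):
        print("-", step)
```

Run it against a real Logstash log with `triage(open("/path/to/logstash-plain.log").read().splitlines())` (path is a placeholder); backtrace continuation lines that do not start with a `[timestamp]` header are ignored, so the counts reflect distinct warnings rather than stack frames.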

Thanks, I am aware of this issue and will have a look.

In the meantime, I have updated the Logstash config file, here:

https://github.com/weslambert/securityonion-velociraptor/blob/main/salt/logstash/pipelines/config/custom/9501_output_velociraptor.conf.jinja

Please keep in mind, this is not an officially supported integration, so use it at your own risk, and it should not be done with a production system at this time. I'll be updating this repo very soon to improve stability, etc.

Although this fixed the issue with authentication (thank you),
the install still breaks firewall rules, and so we are not able to install this.
I have restored from backup to get everything working again.