Starman restart is needed after install


Karolis

Mar 6, 2014, 3:24:35 PM
to securit...@googlegroups.com
Hi,

After adding a sensor to the server, a starman service restart on the sensor is needed; otherwise the ELSA server does not see the node.
 
The error from /nsm/elsa/data/elsa/log/web.log on server:
 
Header: $VAR1 = {
          'URL' => 'http://127.0.0.1:50001/API/info',
          'connection' => 'keep-alive',
          'Status' => '401',
          'HTTPVersion' => '1.1',
          'access-control-allow-origin' => '*',
          'transfer-encoding' => 'chunked',
          'date' => 'Tue, 04 Mar 2014 12:24:11 GMT',
          'content-length' => 12,
          'Reason' => 'Unauthorized',
          'content-type' => 'text/plain',
          'www-authenticate' => 'ApiKey'
        };
body: $VAR1 = 'unauthorized';


Restarting starman on the sensor solves the issue:
service starman stop
service starman start

Karolis

Doug Burks

Mar 7, 2014, 7:05:06 AM
to securit...@googlegroups.com
Hi Karolis,

Thanks for your email. I've created Issue 500 to look into this:
https://code.google.com/p/security-onion/issues/detail?id=500

--
Doug Burks

Doug Burks

Mar 21, 2014, 10:27:07 AM
to securit...@googlegroups.com
Hi Karolis,

The only way I was able to duplicate this was if my sensor and server
had their clocks set to different times. In my case, my sensor was a
VM that was snapshotted a week ago so its system time was from March
14. When the master VM (with today's date of March 21) would make a
request to the ELSA API on the sensor VM, it would result in the same
Unauthorized error you reported because the request was from the
"future". I reverted both my VMs to their previous snapshots,
rebooted them and verified that they had the correct current time,
re-ran Setup, and everything worked correctly without having to reboot
the sensor VM.

Looking at your output, the date shown in the Unauthorized error was
March 4, but your email was on March 6, so I'm wondering if this could
explain what you were seeing.
--
Doug Burks
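
The clock-skew failure described in the message above, as an added example that is not part of the original thread and is not ELSA's own code: a minimal timestamp-bound API-key check that rejects requests dated in the verifier's future, plus a helper that estimates skew from the `date` header of a 401 response like the one in the log. The header layout, the SHA-512 construction, the 60-second tolerance, and all function names are assumptions made for illustration.

```python
# Illustrative sketch: header layout and tolerance are assumptions, not ELSA's code.
import hashlib
import hmac
from email.utils import parsedate_to_datetime

MAX_SKEW = 60  # seconds of tolerated clock difference (assumed value)


def sign(user, apikey, now):
    """Caller side: bind the shared API key to the caller's clock."""
    digest = hashlib.sha512(f"{now}{apikey}".encode()).hexdigest()
    return f"ApiKey {user}:{now}:{digest}"


def verify(header, apikey, now):
    """Verifier side: return (status, reason) judged by the verifier's clock."""
    try:
        scheme, value = header.split(" ", 1)
        user, ts, digest = value.split(":")
        ts = int(ts)
    except ValueError:
        return 401, "malformed header"
    if scheme != "ApiKey":
        return 401, "wrong scheme"
    expected = hashlib.sha512(f"{ts}{apikey}".encode()).hexdigest()
    if not hmac.compare_digest(digest, expected):
        return 401, "bad key"
    if ts - now > MAX_SKEW:
        return 401, "timestamp from the future"
    if now - ts > MAX_SKEW:
        return 401, "timestamp too old"
    return 200, "ok"


def skew_from_date_header(date_header, local_epoch):
    """Seconds the local clock is ahead of the host that sent the response."""
    remote = parsedate_to_datetime(date_header).timestamp()
    return int(local_epoch - remote)


if __name__ == "__main__":
    key = "constructed-sample-key"        # constructed sample value
    sensor_now = 1394800000               # constructed: snapshotted sensor clock
    server_now = sensor_now + 7 * 86400   # constructed: server one week ahead
    hdr = sign("elsa", key, server_now)
    print(verify(hdr, key, sensor_now))   # correct key, still rejected
    print(verify(hdr, key, server_now))   # accepted once the clocks agree
    print(skew_from_date_header("Tue, 04 Mar 2014 12:24:11 GMT", 1393935851 + 1800))
```

A correct key still yields 401 when the two clocks disagree by more than the tolerance, so comparing the `date` header of the rejected response against the local clock is a quick first check before touching keys or services.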

Karolis

Mar 24, 2014, 3:05:29 PM
to securit...@googlegroups.com
Hi Doug,

Haven't had time today. I do my tests on 3 VMware machines (1 server + 2 sensors). I revert all the machines to the same snapshots in time so the server is always 30 min or so behind the sensors. I will test ASAP, but I am pretty sure it is related to the time sync you mentioned.

I noticed this behavior on March 4 and copied the error message. Before posting, I ran additional tests until March 6. That's why there is a time difference between the log and post dates.

P.S. Probably there should be some note about VMs and time sync in the test environment in the documentation.

Karolis


Doug Burks

Mar 24, 2014, 4:49:52 PM
to securit...@googlegroups.com