Kibana


Eric Montellese

Jun 21, 2015, 4:36:14 PM
to log2timeli...@googlegroups.com
Hello,

First off, thanks for all the hard work you guys do on log2timeline!

I've been trying to get log2timeline data into Kibana by following the info found in these posts:
The issue I've run into is that the link to download the nginx.conf file from the instructions is returning a 404 error. So far I've used the siftbootstrap.sh script to install the tools on my Ubuntu 14.04 server distro, which I noticed installed apache, elasticsearch, kibana and of course log2timeline.py. I've installed the pyelasticsearch plugin and confirmed it in psort.py -o list. I updated my kibana config.js file to point elasticsearch to my server's FQDN and kept the default port of 9200. Apache is also confirmed to be up and running, and the Kibana files are in /var/www/html/kibana. I think that just about covers the basics of the install; however, I can't view the output of psort.py -z UTC -o elastic --case-name <casename> <storage.dump>

I get the following info from psort:

[INFO] Starting new HTTP connection (1): 127.0.0.1
[INFO] GET http://127.0.0.1:9200/<casename>/_mapping [status:200 request:0.007s]
No handlers could be found for logger "elasticsearch.trace"
[INFO] PUT http://127.0.0.1:9200/<casename>/event/_mapping [status:200 request:0.006s]
Inserting data[INFO] POST http://127.0.0.1:9200/<casename>/event/_bulk [status:200 request:0.307s]
.[INFO] POST http://127.0.0.1:9200/<casename>/event/_bulk [status:200 request:0.323s]

Looks good (I think), but when I go to the site http://<ipaddress>:9200/index.html#/app/dashboard/file/plaso.json I get the error message: 

{"error":"IndexMissingException[[index.html] missing]","status":404}

My first thought is that I don't have Apache configured correctly to view the site and if that's the case can anyone provide guidance on getting that fixed? Otherwise I could really use some guidance on getting this set up properly with either nginx or apache. 
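As an added illustration (not part of the thread, and not plaso or Kibana code), the following Python parses the psort.py [INFO] lines quoted above to confirm that every bulk insert into the case index returned a 2xx status, and interprets the Elasticsearch 1.x error body that came back. The response `IndexMissingException[[index.html] missing]` is what Elasticsearch returns when a GET names an index that does not exist; a request path that looks like a web asset therefore means the browser reached the Elasticsearch REST API on 9200 rather than the web server hosting Kibana. The log text and the error body are copied from the post; the function and field names are the example's own.

```python
import json
import re

# Sample input constructed from the psort.py log lines quoted in the post above.
PSORT_LOG = """\
[INFO] Starting new HTTP connection (1): 127.0.0.1
[INFO] GET http://127.0.0.1:9200/<casename>/_mapping [status:200 request:0.007s]
No handlers could be found for logger "elasticsearch.trace"
[INFO] PUT http://127.0.0.1:9200/<casename>/event/_mapping [status:200 request:0.006s]
Inserting data[INFO] POST http://127.0.0.1:9200/<casename>/event/_bulk [status:200 request:0.307s]
.[INFO] POST http://127.0.0.1:9200/<casename>/event/_bulk [status:200 request:0.323s]
"""

# The error body quoted in the post (Elasticsearch 1.x error format).
SAMPLE_ES_ERROR = '{"error":"IndexMissingException[[index.html] missing]","status":404}'

# One psort request line: method, host:port, first path segment (the index), rest of path, status.
REQUEST_RE = re.compile(
    r"\[INFO\] (?P<method>GET|PUT|POST) https?://(?P<host>[^/\s]+)/(?P<index>[^/\s]+)"
    r"(?P<rest>\S*) \[status:(?P<status>\d+) request:(?P<secs>[\d.]+)s\]"
)


def summarize_psort_log(text):
    """Per-index ingest summary from psort's urllib3/elasticsearch log lines.

    Returns {index_name: {"host": ..., "bulk_posts": n, "non_2xx": [(method, path, status), ...]}}.
    An empty non_2xx list and a non-zero bulk_posts count mean the events were accepted by ES.
    """
    summary = {}
    for m in REQUEST_RE.finditer(text):
        entry = summary.setdefault(m["index"], {"host": m["host"], "bulk_posts": 0, "non_2xx": []})
        status = int(m["status"])
        if m["method"] == "POST" and m["rest"].endswith("/_bulk"):
            entry["bulk_posts"] += 1
        if not 200 <= status < 300:
            entry["non_2xx"].append((m["method"], m["rest"], status))
    return summary


ES_ERROR_RE = re.compile(r"IndexMissingException\[\[(?P<index>[^\]]+)\] missing\]")


def diagnose_es_response(body):
    """Classify an Elasticsearch 1.x error body.

    If the "missing index" is really a web asset name (index.html, *.json, ...), the
    request was sent to the Elasticsearch REST port instead of the Kibana web server.
    """
    try:
        doc = json.loads(body)
    except ValueError:
        # Not JSON: this was probably served by Apache/nginx, i.e. not an ES error at all.
        return {"kind": "not-json"}
    m = ES_ERROR_RE.search(str(doc.get("error", "")))
    if not m:
        return {"kind": "other", "status": doc.get("status")}
    name = m["index"]
    looks_like_web_asset = re.search(r"\.(html?|js|json|css)$", name) is not None
    if looks_like_web_asset:
        hint = ("path is a web asset, so this request reached the Elasticsearch REST API "
                "(port 9200) rather than the web server that hosts Kibana")
    else:
        hint = "index does not exist in this cluster; compare with the --case-name passed to psort"
    return {"kind": "index-missing", "index": name, "status": doc.get("status"), "hint": hint}


if __name__ == "__main__":
    print(summarize_psort_log(PSORT_LOG))
    print(diagnose_es_response(SAMPLE_ES_ERROR))
```

The summary is a cheap post-ingest check to run before opening a dashboard: if `bulk_posts` is zero or `non_2xx` is non-empty for the case index, the problem is in the ingest, not in Kibana.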

Kristinn Gudjonsson

Jun 22, 2015, 4:49:03 PM
to Eric Montellese, log2timeli...@googlegroups.com
Hi

First of all, the source code for kibana has moved since the post came out; it moved to https://github.com/elastic/kibana/ instead of https://github.com/elasticsearch/kibana/. That alone broke the actual link (re-branding efforts for ElasticSearch).

And the instructions were made for an earlier version of Kibana; since then they've released a few version upgrades, most notably the last one that probably broke the instructions on the blog. And they no longer seem to have that sample nginx.conf file lying around. This is the link to the old one: https://raw.githubusercontent.com/elastic/kibana/3.0/sample/nginx.conf

That is, the instructions were written for version 3.0 of Kibana.

What version of Kibana are you running? And what version of ElasticSearch?

Also, have you checked out timesketch? http://www.timesketch.org/ This is built on top of ES, does not use Kibana, and is specifically created to visualize timeline data from plaso... and there is a separate timesketch output module too.

The new version of both timesketch and plaso will provide you with a much nicer method of using timesketch/ES.

--
You received this message because you are subscribed to the Google Groups "log2timeline-discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to log2timeline-dis...@googlegroups.com.
To post to this group, send email to log2timeli...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Kristinn Gudjonsson

Jun 22, 2015, 4:49:53 PM
to Eric Montellese, log2timeli...@googlegroups.com
And we'll release another blog post that discusses more how we can use timesketch and plaso together, as soon as we get that release out the window ;)

Eric Montellese

Jun 23, 2015, 10:04:44 AM
to log2timeli...@googlegroups.com, emo...@gmail.com
Thanks for the quick response, Kristinn. I am using Kibana 3. I gave Timesketch another go but I keep getting the same error message when trying to run it:

sqlalchemy.exc.OperationalError: (OperationalError) unable to open database file None None

It appears that I had a lot of errors/warnings during install, but when it finished it said it successfully installed Timesketch and its dependencies (see attached). Is that normal, or am I missing other dependencies? After doing some more reading to resolve the error I discovered that I have to be running the dev version of Plaso, which I am not. Not sure if that is what's causing the error though. When you guys push the new 1.3 release to the Ubuntu repo, will Timesketch still require us to use the dev build? I'm hesitant to try my luck installing Plaso on my own.

Thanks again.
timesketch_install.txt

Johan Berggren

Jun 24, 2015, 5:11:34 PM
to log2timeli...@googlegroups.com
Hi Eric,

This is Johan, and I'm the author of Timesketch. The error indicates that you have not configured the database, and specifically its location. By default Timesketch uses a sqlite database.

In timesketch.conf you have a line like this:
SQLALCHEMY_DATABASE_URI = u'sqlite:////tmp/database.db'

You should change this to where you want your database file to live. Also, make sure that you have permissions to read/write this file.

Regarding your other question. When the new Plaso release is out you will no longer need to use the dev version to use the Timesketch output module. It will be part of the stable release.

Kind regards,

/jbn
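As an added example (not part of the thread and not Timesketch code), the Python below takes an SQLAlchemy `SQLALCHEMY_DATABASE_URI` value such as the `sqlite:////tmp/database.db` line above, recovers the filesystem path the way SQLAlchemy does (four slashes give an absolute path, three a path relative to the working directory), and reports the two things the reply asks you to check before the `unable to open database file` error goes away: that the directory exists and that the process can read and write there. It also flags a world-writable parent directory such as `/tmp`, since a case database holding timeline data is better kept in a directory owned by the Timesketch user. The URI parsing follows the documented SQLAlchemy sqlite URL forms; the function names and the temporary directories built in `demo_findings()` are the example's own.

```python
import os
import shutil
import stat
import tempfile
from urllib.parse import unquote, urlsplit


def sqlite_path_from_uri(uri):
    """Filesystem path encoded in an SQLAlchemy sqlite URI, or None for an in-memory DB.

    sqlite:////tmp/database.db -> /tmp/database.db   (absolute: four slashes)
    sqlite:///database.db      -> database.db        (relative: three slashes)
    sqlite://                  -> None                (in-memory)
    """
    parts = urlsplit(uri)
    if parts.scheme != "sqlite":
        raise ValueError("not a sqlite URI: %r" % uri)
    if not parts.path or parts.path == "/":
        return None
    # urlsplit leaves "//tmp/database.db" for the four-slash form and "/database.db" for
    # the three-slash form; SQLAlchemy drops exactly one leading slash in both cases.
    return unquote(parts.path[1:])


def check_database_location(uri):
    """Return a list of findings about where the configured sqlite file would live.

    An empty list means: absolute path, existing directory that is not world-writable,
    and the current user can create or open the file read/write.
    """
    findings = []
    path = sqlite_path_from_uri(uri)
    if path is None:
        return ["in-memory database: all sketches are lost when the process exits"]
    if not os.path.isabs(path):
        findings.append("relative path %r resolves against the process working directory" % path)
    directory = os.path.dirname(os.path.abspath(path))
    if not os.path.isdir(directory):
        findings.append("directory %s does not exist" % directory)
        return findings
    if os.stat(directory).st_mode & stat.S_IWOTH:
        findings.append("directory %s is world-writable; other local users can replace the file" % directory)
    if os.path.exists(path):
        if not os.access(path, os.R_OK | os.W_OK):
            findings.append("existing file %s is not readable and writable by this user" % path)
        if os.stat(path).st_mode & (stat.S_IRGRP | stat.S_IROTH):
            findings.append("file %s is readable by group/others" % path)
    elif not os.access(directory, os.W_OK):
        findings.append("cannot create %s: directory is not writable by this user" % path)
    return findings


def demo_findings():
    """Constructed demonstration: a private directory versus a /tmp-like shared one."""
    results = {}
    private = tempfile.mkdtemp()
    shared = tempfile.mkdtemp()
    try:
        os.chmod(private, 0o700)   # owner-only, the recommended layout
        os.chmod(shared, 0o1777)   # sticky, world-writable, like /tmp
        # "sqlite:///" + an absolute path yields the four-slash absolute form.
        results["private"] = check_database_location("sqlite:///" + private + "/timesketch.db")
        results["shared"] = check_database_location("sqlite:///" + shared + "/timesketch.db")
    finally:
        shutil.rmtree(private, ignore_errors=True)
        shutil.rmtree(shared, ignore_errors=True)
    return results


if __name__ == "__main__":
    print(sqlite_path_from_uri("sqlite:////tmp/database.db"))
    for label, findings in demo_findings().items():
        print(label, findings or ["ok"])
```

Running the check as the same user that will start Timesketch matters: `os.access()` answers for the current user, so a path that passes for root can still fail for the service account.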