Apache issue?


Matt .

Jun 12, 2015, 12:27:25 PM
to securit...@googlegroups.com
After seeing the errors at /var/log/apache2/error.log, I thought I should relay just in case the problem is related to yesterday's update.

That said, if you think it's unrelated, feel free to ignore this request until the fires are out.

Thanks again,
Matt

Error received when going to any URL on the server remotely or locally is "Connection refused" and happened after the server rebooted from yesterday's updates.


su@server:~$ tail /var/log/apache2/error.log
[Fri Jun 12 15:50:28 2015] [warn] RSA server certificate CommonName (CN) `securityonion' does NOT match server name!?
[Fri Jun 12 15:50:28 2015] [warn] RSA server certificate CommonName (CN) `securityonion' does NOT match server name!?
[Fri Jun 12 15:50:29 2015] [error] Error while loading /opt/elsa/web/lib/Web.psgi: No such file or directory at (eval 6) line 4.\nBEGIN failed--compilation aborted at /etc/apache2/elsa_startup.pl line 19.\nCompilation failed in require at (eval 2) line 1.\n
[Fri Jun 12 15:50:29 2015] [error] Can't load Perl file: /etc/apache2/elsa_startup.pl for server 127.0.1.1:0, exiting...
[Fri Jun 12 15:56:47 2015] [warn] RSA server certificate CommonName (CN) `securityonion' does NOT match server name!?
[Fri Jun 12 15:56:47 2015] [warn] RSA server certificate CommonName (CN) `securityonion' does NOT match server name!?
[Fri Jun 12 15:56:48 2015] [warn] RSA server certificate CommonName (CN) `securityonion' does NOT match server name!?
[Fri Jun 12 15:56:48 2015] [warn] RSA server certificate CommonName (CN) `securityonion' does NOT match server name!?
[Fri Jun 12 15:56:49 2015] [error] Error while loading /opt/elsa/web/lib/Web.psgi: No such file or directory at (eval 6) line 4.\nBEGIN failed--compilation aborted at /etc/apache2/elsa_startup.pl line 19.\nCompilation failed in require at (eval 2) line 1.\n
[Fri Jun 12 15:56:49 2015] [error] Can't load Perl file: /etc/apache2/elsa_startup.pl for server 127.0.1.1:0, exiting...
su@server:~$

Doug Burks

Jun 12, 2015, 1:41:25 PM
to securit...@googlegroups.com
Hi Matt,

My guess is you had ELSA disabled and therefore /etc/elsa_web.conf
doesn't exist.

Please try the following:

sudo a2dismod perl

sudo service apache2 restart

We have a package in testing which should resolve this automatically
for other users.

--
Doug Burks
Need Security Onion Training or Commercial Support?
http://securityonionsolutions.com

Matt .

Jun 12, 2015, 1:58:10 PM
to securit...@googlegroups.com
I use ELSA regularly, it wasn't disabled a week or so ago when I last used it.

The /etc/elsa_web.conf does exist, here are its contents.

Should I still run the command?

su@server:~$ sudo vi /etc/elsa_web.conf
[sudo] password for su:
"/etc/elsa_web.conf" 176L, 4171C
{
"data_db": {
"db": "syslog",
"username": "elsa",
"password": "biglog"
},
"version": {
"Author": "mcholste",
"Date": "2014-07-17 15:12:58 -0700 (Thu, 17 Jul 2014)",
"Rev": "1205",
"Sphinx": "Sphinx 2.1.9"
},
"query_timeout": "55",
"transforms": {
"whois": { "known_subnets": { "10.0.0.0": { "end": "10.255.255.255", "org": "MyOrg" }, "192.168.0.0": { "end": "192.168.255.255", "org": "MyOrg" }, "172.16.0.0": { "end": "172.31.255.255", "org": "MyOrg" } }, "known_orgs": { "MyOrg": { "name": "MyOrg", "org": "MyOrg", "descr": "MyOrg", "cc": "US", "country": "United States", "city": "Anytown", "state": "Somestate" } }
},
"parse": { "tld": [ { "field": "domain", "pattern": "\\.([a-zA-Z]+)$", "extractions": [ "tld" ] }, {1,1Top2 }, { "field": "site", "pattern": "\\.([a-zA-Z]+)$", "extractions": [ "tld" ] }, { "field": "uri", "pattern": "\\.([a-zA-Z]+)(:|/|$)", "extractions": [ "tld" ] } ], "url": [ { "field": "uri", "pattern": "(?:(?<proto>[a-zA-Z]+)://)?(?:(?<username>[^/]+):(?<password>[^/]+)@)?(?<domain>\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}|[^/]+\\.(?<tld>[a-zA-Z]+))(?::(?<port>\\d+))??(?<resource>/[^?]*)?(?:\\?(?<query_string>.*))?$", "extractions": [ "proto", "username", "password", "domain", "tld", "port", "resource", "query_string" ] } ], "mimetype": [ { "field": "msg", "pattern": "[\"'\\(\\[\\s\\|;:](?<mime>(?<type>application|audio|chemical|image|message|model|multipart|text|video)/(?<subtype>[\\w-_]+))[\"'\\)\\]\\s\\|;:]", "extractions": [ "mime", "type", "subtype" ] } ]
}
},
"apikeys": {
"elsa": "redacted"
},
"peers": {
"127.0.0.1": { "url": "https://127.0.0.1:3154/", "username": "elsa", "apikey": "redacted"
}
},
"admin_email_address": "root@localhost",
"connectors": {
},
"dashboards": {
},
"datasources": {
},
"plugins": {
"SNORT": "Info::Snort",
"WINDOWS": "Info::Windows",
"URL": "Info::Url",
"BRO_NOTICE": "Info::Bro"
},
"info": {
"snort": { "url_templates": [ "http://doc.emergingthreats.net/bin/view/Main/%d" ]
},
"url": { "url_templates": [ "http://whois.domaintools.com/%s" ]
},
"windows": { "url_templates": [ "http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=%d" ]
}
},
"max_concurrent_archive_queries": 4,
"schedule_interval": 60,
"node_info_cache_timeout": 60,
"email": {
"display_address": "norepl...@example.com",
"base_url": "http://elsa/",
"subject": "ELSA Alert"
},
"link_key": "secret",
"yui": {
"local": "inc"
},
"meta_db": {
"dsn": "dbi:mysql:database=elsa_web",
"username": "redacted",
"password": "redacted"
},
"auth": {
"method": "security_onion"
},
"admin_groups": [
"system",
"admin"
],
"auth_db": {
"dsn": "dbi:mysql:database=securityonion_db",
"username": "redacted",
"password": "",
"auth_statement": "SELECT PASSWORD(password) FROM user_info WHERE username=?",
"email_statement": "SELECT email FROM user_info WHERE username=?"
},
"peer_id_multiplier": 1000000000000,
"pcap_url": "https://192.x.x.x/capme",
"logdir": "/nsm/elsa/data/elsa/log",
"buffer_dir": "/nsm/elsa/data/elsa/tmp/buffers",
"debug_level": "TRACE",
"default_start_time_offset": 2,
"livetail": {
"poll_interval": 5,
"time_limit": 3600
}
}
~

Doug Burks

Jun 12, 2015, 2:00:25 PM
to securit...@googlegroups.com
Looking back at your original error message, do you have
/etc/apache2/elsa_startup.pl?

It should contain the following:

#!/usr/bin/env perl

use strict;
use warnings;
use Apache2::ServerUtil qw();

BEGIN {
    return unless Apache2::ServerUtil::restart_count() > 1;

    require lib;
    lib->import('/opt/elsa/web/lib');

    require Plack::Handler::Apache2;

    my @psgis = ('/opt/elsa/web/lib/Web.psgi');
    foreach my $psgi (@psgis) {
        Plack::Handler::Apache2->preload($psgi);
    }
}

1; # file must return true!

Matt .

Jun 12, 2015, 2:09:43 PM
to securit...@googlegroups.com
Yes, /etc/apache2/elsa_startup.pl is there, and its content is identical to what you provided below.

Doug Burks

Jun 12, 2015, 2:19:17 PM
to securit...@googlegroups.com
Do you have /opt/elsa/web/lib/Web.psgi?

Matt .

Jun 12, 2015, 2:26:15 PM
to securit...@googlegroups.com
Oh, I should have thought to check that before sending.

Anyways, no it's not there. There isn't a lib folder at all under the web folder, or the files cli.pl and cron.pl under the web folder (compared to another server which does have all those).

Doug Burks

Jun 12, 2015, 2:28:22 PM
to securit...@googlegroups.com
What's the output of the following?

dpkg -l |grep elsa

grep -i elsa /var/log/apt/term.log

Matt .

Jun 12, 2015, 2:34:23 PM
to securit...@googlegroups.com
su@server:~$ dpkg -l |grep elsa
rc securityonion-elsa-extras 20131117-1ubuntu0securityonion88 SecurityOnion specific elsa config files
ii securityonion-elsa-node-perl 20130819-0ubuntu0securityonion3 This metapackage installs perl dependencies needed for ELSA Log Nodes.
ii securityonion-elsa-web-perl 20131029-0ubuntu0securityonion0ubuntu1 Metapackage for ELSA Web node perl dependencies.



su@server:~$ grep -i elsa /var/log/apt/term.log
Preparing to replace securityonion-elsa 1090-1ubuntu0securityonion11 (using .../securityonion-elsa_1205-1ubuntu0securityonion4_all.deb) ...
Unpacking replacement securityonion-elsa ...
Preparing to replace securityonion-elsa-extras 20131117-1ubuntu0securityonion58 (using .../securityonion-elsa-extras_20131117-1ubuntu0securityonion88_all.deb) ...
Unpacking replacement securityonion-elsa-extras ...
Setting up securityonion-elsa (1205-1ubuntu0securityonion4) ...
* Restarting ELSA web server.
Setting up securityonion-elsa-extras (20131117-1ubuntu0securityonion88) ...
Installing new version of config file /etc/elsa/patterns.d/securityonion/bro_notice ...
* /etc/elsa_web.conf has the correct group.
* /etc/elsa_node.conf has the correct group.
* Backing up /etc/elsa_web.conf to /etc/elsa_web.conf.20150611.
* Restarting ELSA web server.
* /var/www/elsa/local.php already exists, not overwriting.
Removing securityonion-elsa-extras ...
Removing securityonion-elsa ...
dpkg: warning: while removing securityonion-elsa, directory '/opt/elsa/web/inc' not empty so not removed.
dpkg: warning: while removing securityonion-elsa, directory '/opt/elsa/node/conf' not empty so not removed.
<trimmed thread>

Doug Burks

Jun 12, 2015, 2:43:52 PM
to securit...@googlegroups.com
Any ideas why securityonion-elsa-extras was removed?

Try reinstalling it:
sudo apt-get update
sudo apt-get install securityonion-elsa-extras

Matt .

Jun 12, 2015, 2:48:44 PM
to securit...@googlegroups.com
As I think about it I did have a typo when trying to downgrade the ssl install, can't think of anything else.

Running update and reinstall of extras seems to have done the trick. Thank You

My apologies if my fat fingers downgrading or some such caused this extra work for you. :(
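
The diagnosis worked through in the posts above (dpkg package state plus apt's term.log), as an added example that is not part of the original thread: it flags ELSA packages left in a non-installed state such as "rc" and lists packages the log shows removed that are not currently installed. The function names and the sample input are constructed for illustration; package names and versions are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): correlate `dpkg -l` state with apt's
# term.log to spot packages that were removed and never reinstalled.

# Constructed sample input, modelled on the output quoted in the thread.
sample_dpkg() { cat <<'EOF'
rc  securityonion-elsa-extras     20131117-1ubuntu0securityonion88  config files
ii  securityonion-elsa-node-perl  20130819-0ubuntu0securityonion3   metapackage
ii  securityonion-elsa-web-perl   20131029-0ubuntu0securityonion0ubuntu1  metapackage
EOF
}
sample_termlog() { cat <<'EOF'
Setting up securityonion-elsa (1205-1ubuntu0securityonion4) ...
Setting up securityonion-elsa-extras (20131117-1ubuntu0securityonion88) ...
Removing securityonion-elsa-extras ...
Removing securityonion-elsa ...
EOF
}

# stdin: `dpkg -l` output. Prints "state name" for packages matching $1 that
# are not fully installed ("rc" = removed, config files left behind).
not_installed() {
  awk -v pat="$1" '$1 ~ /^[a-zA-Z][a-zA-Z][a-zA-Z]?$/ && $1 != "ii" && $2 ~ pat { print $1, $2 }'
}

# stdin: term.log text. Prints the unique package names apt removed.
removed_in_log() {
  awk -v pat="$1" '$1 == "Removing" && $2 ~ pat { print $2 }' | sort -u
}

# $1 = pattern, $2 = file with `dpkg -l` output, $3 = term.log file.
# Prints packages the log shows removed that dpkg does not list as "ii" now.
removed_and_not_back() {
  removed_in_log "$1" < "$3" | while read -r pkg; do
    awk -v p="$pkg" '{ n = $2; sub(/:.*/, "", n) }
      $1 == "ii" && n == p { found = 1 } END { exit !found }' "$2" \
      || printf '%s\n' "$pkg"
  done
}

# Demo on the constructed samples; on a live host, save `dpkg -l` output to a
# file and pass /var/log/apt/term.log as the log.
demo() {
  tmp=$(mktemp -d) || return 1
  sample_dpkg > "$tmp/dpkg.txt"; sample_termlog > "$tmp/term.log"
  not_installed elsa < "$tmp/dpkg.txt"
  removed_and_not_back elsa "$tmp/dpkg.txt" "$tmp/term.log"
  rm -rf "$tmp"
}
demo
```
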

brh.edis...@gmail.com

Sep 26, 2016, 6:08:24 AM
to security-onion
Hi Doug,
I have kind of the same issue. When I try to browse the ELSA webpage, it gives me the webpage in the style of Index/

and when I run

grep -i elsa /var/log/apt/term.log
Syntax error on line 19 of /etc/apache2/sites-enabled/elsa:

What do you think?

Wes

Sep 26, 2016, 7:39:36 AM
to security-onion

Please see: https://github.com/Security-Onion-Solutions/security-onion/wiki/MailingLists#start-a-new-thread-instead-of-replying-to-an-old-one

In the new thread, please include the output of sostat-redacted, attaching as a text file or using a service like Pastebin.com.

Also, please include a screenshot of the particular issue you are experiencing.

Thanks,
Wes
