Adding ELSA dashboard causes ELSA to hang


Jeremy Clark

Sep 4, 2014, 1:58:12 PM9/4/14
to securit...@googlegroups.com
I have a server and remote sensor configuration. ELSA had been working correctly and I was able to query my remote sensor. I tried adding an ELSA dashboard, but now ELSA hangs. It just spins waiting for data to be returned. I cannot execute any queries, nor can I see the dashboard I created.

Jeremy Clark

Sep 4, 2014, 2:26:29 PM9/4/14
to securit...@googlegroups.com
On Thursday, September 4, 2014 1:58:12 PM UTC-4, Jeremy Clark wrote:
> I have a server and remote sensor configuration. ELSA had been working correctly and I was able to query my remote sensor. I tried adding an ELSA dashboard, but now ELSA hangs. It just spins waiting for data to be returned. I cannot execute any queries, nor can I see the dashboard I created.

Update: ELSA eventually returns (~15 mins). I have deleted the dashboard I originally created. I rebooted the machine. ELSA still takes ~15 mins to even return the main query page. I had this same problem occur a few months ago and gave up on the dashboards. It seems like creating the dashboard creates the problem, then even after deleting it, ELSA is still slow to respond.

Michael Bower

Sep 4, 2014, 3:24:35 PM9/4/14
to securit...@googlegroups.com
Just adding my .02. I am also seeing this. It followed when I built a new server (thinking it was something on the old one). I saw the hang when tailing the logs too, I thought the server was hung up but the queries eventually went through.

Mike

Doug Burks

Sep 4, 2014, 4:12:40 PM9/4/14
to securit...@googlegroups.com
I just did the following:

- built a master server and sensor

- verified that ELSA worked properly

- added a new dashboard consisting of the following queries:
Conn - Top SRC IPs
Conn - Top DST IPs
Conn - Top DST Ports

- verified that the dashboard and standard queries still work correctly and return quickly

Can you provide more information?

What exactly are you adding to the Dashboard?

Does your master server have full Internet access?

Are you sure the autossh tunnel is up between the master and the sensor?

Can you provide the output of the following from both master and sensor?

Please run the following command:

sudo sostat-redacted

sostat-redacted will automatically redact any IPv4/IPv6/MAC addresses,
but there may be additional sensitive info that you still need to
redact manually.

Attach the output to your email in plain text format (.txt) OR use a
service like http://pastebin.com.



--
Doug Burks
Need Security Onion Training or Commercial Support?
http://securityonionsolutions.com

Michael Bower

Sep 4, 2014, 4:26:38 PM9/4/14
to securit...@googlegroups.com
Doug, I noticed it trying to load these dashboards: https://github.com/brad-shoop/elsa_dashboards.git

Specifically, the overview and net_hunting.

sostat-redacted attached.

Mike


sostat.txt

Jeremy Clark

Sep 4, 2014, 4:42:52 PM9/4/14
to securit...@googlegroups.com

Having originally failed at adding a simple query, I just did a google search and tried this one: http://eyeis.net/2013/01/a-dress-for-elsa-web-activity-dashboard/

That one failed and caused the slow responses from ELSA. After you responded I tried again to add a simple query to my own test dashboard and it is working.

Based on your response, maybe this is simple. Can you define "full internet access"? The server has limited internet access. Sorry if I missed it, but I didn't see any firewall requirements regarding ELSA and internet access for the server.

Doug Burks

Sep 4, 2014, 5:53:34 PM9/4/14
to securit...@googlegroups.com
Replies inline.

On Thu, Sep 4, 2014 at 4:42 PM, Jeremy Clark <claj...@gmail.com> wrote:
> Having originally failed at adding a simple query, I just did a google search and tried this one: http://eyeis.net/2013/01/a-dress-for-elsa-web-activity-dashboard/
>
> That one failed and caused the slow responses from ELSA.

That dashboard is from January 2013 and many things have changed in ELSA since then, so I'm not surprised that it doesn't work.

> After you responded I tried again to add a simple query to my own test dashboard and it is working.
>
> Based on your response, maybe this is simple. Can you define "full internet access"? The server has limited internet access. Sorry if I missed it, but I didn't see any firewall requirements regarding ELSA and internet access for the server.

If you use ELSA transforms like "whois", then ELSA will try to do whois queries out to the Internet.
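One check worth running before importing a third-party dashboard on a server with restricted egress: scan its queries for transforms such as whois that reach out to the Internet, since those are the ones that stall when outbound access is blocked. This is an added example, not ELSA's or Security Onion's code; the dashboard JSON layout (the `charts` and `queries` keys) is an assumption, and only the whois transform comes from the thread.

```python
"""Scan ELSA dashboard queries for transforms that reach the Internet (e.g. whois).
Added example, not ELSA's own code; the dashboard JSON layout below is assumed."""
import json
import re

# "whois" is the transform the thread names; extend this set for your own install.
INTERNET_TRANSFORMS = {"whois"}

def split_pipeline(query):
    """Split an ELSA query on '|' characters that are not inside double quotes."""
    stages, buf, in_quote = [], [], False
    for ch in query:
        if ch == '"':
            in_quote = not in_quote
        if ch == "|" and not in_quote:
            stages.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    stages.append("".join(buf).strip())
    return stages

def transforms_in(query):
    """Transform names after the first stage (the first stage is the search terms)."""
    names = []
    for stage in split_pipeline(query)[1:]:
        m = re.match(r"([A-Za-z_]\w*)", stage)
        if m:
            names.append(m.group(1).lower())
    return names

def flag_dashboard(dashboard):
    """Return (chart title, query, offending transforms) for every Internet-bound query."""
    findings = []
    for chart in dashboard.get("charts", []):
        for q in chart.get("queries", []):
            bad = sorted(set(transforms_in(q)) & INTERNET_TRANSFORMS)
            if bad:
                findings.append((chart.get("title", ""), q, bad))
    return findings

# Constructed sample dashboard; a '|' inside quotes must not count as a transform.
SAMPLE_DASHBOARD = json.loads("""{"charts": [
  {"title": "Conn - Top SRC IPs", "queries": ["class=BRO_CONN groupby:srcip"]},
  {"title": "Conn - SRC IP owners", "queries": ["class=BRO_CONN groupby:srcip | whois"]},
  {"title": "HTTP - quoted pipe", "queries": ["class=BRO_HTTP uri=\\"a|b\\" groupby:site"]}]}""")

if __name__ == "__main__":
    for title, query, bad in flag_dashboard(SAMPLE_DASHBOARD):
        print(f"{title}: {query!r} uses {bad}; it will stall if outbound access is blocked")
```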