Error while downloading remote metadata


Sheldon Carmichael

Jul 25, 2018, 11:35:43 AM
to security-onion
I have a Master Node & 2 Heavy Nodes. Master/Heavy at one site and 2nd Heavy at another site.

My Master & Heavy at the main site have been experiencing the errors below for the past few weeks when running SOUP. The Heavy Node at the 2nd location doesn't have the same issue. I saw it was using a cached timestamp, so I figured maybe it was a time issue.

After reviewing some network firewall logs, I noticed external NTP traffic was getting dropped from the Master/Heavy at the main site, but not from the Heavy at the 2nd site. So, I went ahead and just configured them all to talk to our internal NTP servers using /etc/ntp.conf. I also restarted the ntp.service and validated the changes took effect using ntpq -p. But, this doesn't seem to fix the issue and it is still occurring.

Any ideas? Am I even remotely on the right track? I know it also says I am not authorized to perform this operation, but I don't know where to begin with that.

Thanks in advance for the help.

================Error During SOUP===================

Starting Docker service...
Checking Security Onion Docker image status...
WARN[0005] Error while downloading remote metadata, using cached timestamp - this might not be the latest version available remotely
ERRO[0005] Metadata for timestamp expired
you are not authorized to perform this operation: server returned 401.
so-curator has been updated.
WARN[0010] Error while downloading remote metadata, using cached timestamp - this might not be the latest version available remotely
ERRO[0010] Metadata for timestamp expired
you are not authorized to perform this operation: server returned 401.
so-domainstats has been updated.
WARN[0010] Error while downloading remote metadata, using cached timestamp - this might not be the latest version available remotely
ERRO[0010] Metadata for timestamp expired
you are not authorized to perform this operation: server returned 401.
so-elastalert has been updated.
WARN[0010] Error while downloading remote metadata, using cached timestamp - this might not be the latest version available remotely
ERRO[0010] Metadata for timestamp expired
you are not authorized to perform this operation: server returned 401.
so-elasticsearch has been updated.
WARN[0010] Error while downloading remote metadata, using cached timestamp - this might not be the latest version available remotely
ERRO[0010] Metadata for timestamp expired
you are not authorized to perform this operation: server returned 401.
so-freqserver has been updated.
WARN[0010] Error while downloading remote metadata, using cached timestamp - this might not be the latest version available remotely
ERRO[0010] Metadata for timestamp expired
you are not authorized to perform this operation: server returned 401.
so-kibana has been updated.
WARN[0010] Error while downloading remote metadata, using cached timestamp - this might not be the latest version available remotely
ERRO[0010] Metadata for timestamp expired
you are not authorized to perform this operation: server returned 401.
so-logstash has been updated.

Wes Lambert

Jul 27, 2018, 11:50:42 AM
to securit...@googlegroups.com
Have you tried restating Docker or the affected machine(s)?

Thanks,
Wes

--
Follow Security Onion on Twitter!
https://twitter.com/securityonion
---
You received this message because you are subscribed to the Google Groups "security-onion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to security-onio...@googlegroups.com.
To post to this group, send email to securit...@googlegroups.com.
Visit this group at https://groups.google.com/group/security-onion.
For more options, visit https://groups.google.com/d/optout.



Sheldon Carmichael

Jul 27, 2018, 12:49:36 PM
to security-onion
Did you mean restarting? If so, I have restarted the 2 affected servers as a whole multiple times since the error showed up. Docker also gets restarted when running SOUP. Please let me know if I am misunderstanding your recommendation.

Wes Lambert

Jul 27, 2018, 1:09:20 PM
to securit...@googlegroups.com
Yes, apologies for the typo.

Could a proxy be interfering with the traffic at the site with the Master + HN?

Please try:

sudo sed -i 's/--disable-content-trust=false/--disable-content-trust=true/' /usr/sbin/soup

Then try running soup again.  Please let me know the result.

Thanks,
Wes


Sheldon Carmichael

Jul 27, 2018, 4:20:17 PM
to security-onion
So that fixed it. Any advice on moving forward without having to disable the content-trust?
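
The sed workaround above switches content-trust verification off for the Docker commands in soup that carry the flag, and it stays off until someone reverts it. The following is an added example, not code from the thread or from Security Onion, that reports which state a soup script is in and reverts the flag while keeping a backup; the function names, the backup suffix and the sample file are assumptions.

```shell
#!/bin/sh
# Added example, not Security Onion code. Flag strings are taken from the sed
# command in the thread; function names and the backup suffix are hypothetical.

# Print the content-trust state of the script at $1:
#   enforced = only --disable-content-trust=false present
#   disabled = only --disable-content-trust=true present (workaround applied)
#   mixed    = both present;  absent = neither;  unreadable = cannot read file
soup_trust_state() {
    [ -r "$1" ] || { echo unreadable; return 0; }
    # grep -c exits 1 on zero matches, so guard it for shells running with -e.
    off=$(grep -c -F -e '--disable-content-trust=true' "$1" || true)
    on=$(grep -c -F -e '--disable-content-trust=false' "$1" || true)
    if [ "$off" -gt 0 ] && [ "$on" -gt 0 ]; then echo mixed
    elif [ "$off" -gt 0 ]; then echo disabled
    elif [ "$on" -gt 0 ]; then echo enforced
    else echo absent
    fi
}

# Revert the workaround in place, keeping a copy of the edited file.
# Returns 0 only if the file ends up in the "enforced" state.
soup_restore_trust() {
    case $(soup_trust_state "$1") in
        enforced) return 0 ;;          # nothing to do
        disabled|mixed) ;;             # needs reverting
        *) return 1 ;;                 # absent or unreadable: do not touch
    esac
    cp -p "$1" "$1.trust-disabled.bak" || return 1
    # Writing into the existing file keeps its owner and mode.
    sed 's/--disable-content-trust=true/--disable-content-trust=false/g' \
        "$1.trust-disabled.bak" > "$1" || return 1
    [ "$(soup_trust_state "$1")" = enforced ]
}

# Constructed stand-in for a soup script after the workaround (not the real file).
demo=$(mktemp)
printf '%s\n' 'docker pull --disable-content-trust=true "$IMAGE"' > "$demo"
echo "before: $(soup_trust_state "$demo")"
soup_restore_trust "$demo"
echo "after:  $(soup_trust_state "$demo")"
rm -f "$demo" "$demo.trust-disabled.bak"
```

On a node, the argument would be /usr/sbin/soup (the path used in the thread), run with sufficient privileges to write to it.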

itc 34

Jul 17, 2019, 5:47:47 AM
to security-onion
Hi all,
Still no solution to avoid losing content-trust?