Open DayNja opened 10 months ago
It looks like the error is indicating that the file specified in the --es-cafile option (/home/ubuntu/elasticsearch-ca.pem) is not found. The FileNotFoundError: [Errno 2] No such file or directory suggests that the specified CA file cannot be located at the given path.
Here are a few steps to troubleshoot this issue:
Verify File Path:
Double-check that the file /home/ubuntu/elasticsearch-ca.pem exists at the specified location. You can use the ls command in the terminal to list the files in the /home/ubuntu/ directory:
ls /home/ubuntu/
Ensure that elasticsearch-ca.pem is present.
Permissions:
Ensure that the user running the Python script has the necessary permissions to access the file. You can use the ls -l command to check the file permissions:
ls -l /home/ubuntu/elasticsearch-ca.pem
Make sure the file is readable by the user running the script.
Correct File Path in Script:
Confirm that the script itself is referencing the correct file path. Open the logontracer.py script and locate the line where the create_default_context function is called with cafile=FPATH + ES_CAFILE. Ensure that FPATH is defined correctly and that the concatenation with ES_CAFILE results in the correct file path.
Use Absolute Path:
Instead of relying on the current working directory, provide the full absolute path to the CA file in the command. For example:
python3 logontracer.py --es --es-server https://192.168.1.2:9200 --es-cafile /home/ubuntu/elasticsearch-ca.pem --es-user elastic --es-pass Aabc98765! -z +4 -f 2023-06-15T08:00:00 -t 2023-06-16T08:00:30
This ensures that there is no ambiguity about the file path.
After performing these checks, you should be able to determine if the issue is related to the file's presence, permissions, or how it's referenced in the script.
Good day, hope you all are doing well.
I'm having a little bit of trouble pulling logs from my standalone Elastic instance.
The command I ran is as follows:
python3 logontracer.py --es --es-server https://192.168.1.2:9200 --es-cafile /home/ubuntu/elasticsearch-ca.pem --es-user elastic --es-pass Aabc98765! -z +4 -f 2023-06-15T08:00:00 -t 2023-06-16T08:00:30
and I get this error:
Traceback (most recent call last):
  File "logontracer.py", line 2880, in <module>
    main()
  File "logontracer.py", line 2874, in main
    parse_es(case)
  File "logontracer.py", line 2321, in parse_es
    context = create_default_context(cafile=FPATH + ES_CAFILE)
  File "/usr/lib/python3.8/ssl.py", line 745, in create_default_context
    context.load_verify_locations(cafile, capath, cadata)
FileNotFoundError: [Errno 2] No such file or directory
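The traceback shows the CA path being built as `FPATH + ES_CAFILE`. The following sketch is an added example, not code from logontracer.py or from either poster; it compares that string concatenation with a join-based resolution while keeping TLS verification on. It assumes `FPATH` is a base directory such as the script's own folder (the page does not show its definition); the directory layout, `concat_path`, `resolve_cafile`, `build_context` and `demo` are hypothetical names constructed for the illustration.

```python
import os
import ssl
import tempfile

def concat_path(base_dir, cafile):
    # Same operation as the traceback's FPATH + ES_CAFILE: plain string concatenation.
    return base_dir + cafile

def resolve_cafile(base_dir, cafile):
    # os.path.join drops base_dir when cafile is absolute, so an absolute
    # --es-cafile value is used as given and a bare file name is looked up in base_dir.
    path = os.path.abspath(os.path.join(base_dir, os.path.expanduser(cafile)))
    if not os.path.isfile(path):
        raise FileNotFoundError(f"CA file not found, tried: {path}")
    if not os.access(path, os.R_OK):
        raise PermissionError(f"CA file not readable: {path}")
    return path

def build_context(base_dir, cafile):
    # Certificate and hostname checks stay enabled (create_default_context defaults);
    # only the trust anchor comes from the resolved CA file.
    return ssl.create_default_context(cafile=resolve_cafile(base_dir, cafile))

def demo():
    # Constructed layout: a stand-in base directory and a stand-in home directory.
    with tempfile.TemporaryDirectory() as root:
        script_dir = os.path.join(root, "LogonTracer")  # hypothetical FPATH value
        home_dir = os.path.join(root, "home", "ubuntu")
        os.makedirs(script_dir)
        os.makedirs(home_dir)
        ca_abs = os.path.join(home_dir, "elasticsearch-ca.pem")
        ca_rel = "local-ca.pem"
        for p in (ca_abs, os.path.join(script_dir, ca_rel)):
            open(p, "w").close()  # empty placeholders, not real certificates
        glued = concat_path(script_dir, ca_abs)
        return {
            "glued_under_base_dir": glued.startswith(script_dir),
            "glued_exists": os.path.exists(glued),
            "absolute_resolved": resolve_cafile(script_dir, ca_abs) == ca_abs,
            "relative_resolved": resolve_cafile(script_dir, ca_rel)
                                 == os.path.join(script_dir, ca_rel),
        }

if __name__ == "__main__":
    print(demo())
```

Under that assumption, an absolute `--es-cafile` value glued onto a base directory points at a path inside the base directory that does not exist, which produces the same `FileNotFoundError` even when the file itself is present and readable.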