StamusNetworks / KTS6

Kibana 6 Templates for Suricata IDPS Threat Hunting
GNU General Public License v3.0

Kibana FPC points to /app/moloch, should be /moloch? #5

Closed Jeroen0494 closed 5 years ago

Jeroen0494 commented 5 years ago

Hi,

Moloch can only be reached via http://localhost/moloch and not via http://localhost/app/moloch, despite the NGINX configuration specifying /app/moloch. When visiting /app/moloch you need to provide your credentials again, after which you'll receive the message "Bad Request". When visiting /moloch, everything works well.

In Kibana Discover, the FPC link in a network packet points to /app/moloch instead of /moloch, resulting in this error. Either move Moloch to /app/moloch, or alter the link in Kibana to point to /moloch.

I'm not sure why Moloch even runs on /moloch instead of /app/moloch, maybe that is the real bug, which is why I haven't committed a pull request.

Jeroen

pevma commented 5 years ago

That is related to the Scirius and Moloch setup combined together. In SELKS5 we have added config changes for both Scirius and Moloch (config), including adding a new user for the Moloch proxy during the execution of the first-time setup script.

Jeroen0494 commented 5 years ago

Okay, then the NGINX configuration should be changed to redirect /app/moloch to /moloch. That should fix everything. Should I write a patch?

Or you alter the Moloch configuration to listen on /app/moloch instead of /moloch.

pevma commented 5 years ago

A patch for which part? SELKS or KTS6? I don't understand. This should be working out of the box on SELKS5 - or are you having trouble?

Jeroen0494 commented 5 years ago

When I visit 'http://[ipaddress]/app/moloch' I receive a bad request error. When I visit /moloch I am logged in directly without problems.

pevma commented 5 years ago

Yes - that is as expected on SELKS5 - it should work out of the box like this.

Jeroen0494 commented 5 years ago

But the link in Kibana points to /app/moloch, not /moloch.

pevma commented 5 years ago

OK - what version of Scirius and Moloch do you have? (You are on SELKS5, right?)

Jeroen0494 commented 5 years ago

Moloch version 1.6.1, Scirius version 3.0.1. I am on SELKS5, always the latest commits from SELKS5. I have some customizations for including Bro dashboards in Kibana, but they are on a separate index and do not conflict. The link in Kibana is simply pointing to the wrong location.

Jeroen0494 commented 5 years ago

If I alter the NGINX configuration to rewrite /app/moloch to /moloch, it works. But that is an ugly hack.

pevma commented 5 years ago

You mean this here - https://github.com/StamusNetworks/SELKS/blob/SELKS5/staging/config/hooks/live/chroot-inside-Debian-Live.hook.chroot#L147 - is not correct, right?

Jeroen0494 commented 5 years ago

Yes, that's it. There are two ways to fix this: 1) alter the Moloch configuration to listen on /app/moloch instead of /moloch; 2) alter the Kibana dashboards and NGINX configuration to point to /moloch.

In hindsight altering the Moloch configuration seems like the simplest solution and more in line with the other apps (evebox on /app/evebox, kibana on /app/kibana). Just change webBasePath to /app/moloch.

-edit- Seems evebox is on /evebox, not /app/evebox, and /kibana is redirected to /app/kibana. There is little consistency here... ;)

pevma commented 5 years ago

I think it had to do with the scripted fields in the Kibana dashboards as well. Have you made any changes to your kibana.yml? (What does your base path look like there?)

Jeroen0494 commented 5 years ago

I made no changes to kibana.yml.

pevma commented 5 years ago

I think we made the change due to Kibana changes (one of their versions, I think); we also changed the scripted fields in each of the dashboards as well (to point to /moloch for the FPC of the flow) - so I think if we make a change now we will also need a change in all the dashboards. Could you confirm?

Jeroen0494 commented 5 years ago

You are correct, the scripted fields in the dashboards point to /moloch and not /app/moloch. The scripted fields in Discover point to /app/moloch. So you would need to change all the dashboards, but that's a simple find and replace, correct?

pevma commented 5 years ago

I think we did it with the purpose of having all apps accessed via Scirius/SELKS be reached as https://selks.ip/application.

Jeroen0494 commented 5 years ago

Okay, this command should do it: sed -i s/"app\/moloch"/"moloch"/g index-pattern\:logstash-*.json . Then update the NGINX configuration to point to /moloch.
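The find-and-replace discussed above, written out as an added example (not code from KTS6 or SELKS) that also verifies the result: it rewrites every /app/moloch reference in the given Kibana saved-object JSON files to /moloch and then counts what is left, so a dashboard that already points at /moloch (as the thread says the dashboards do) is left alone and a file that still carries the old Discover link is reported. The saved object in write_sample is constructed to look like a scripted FPC field; the field name, the flow_id script and the temporary file names are assumptions, not taken from the KTS6 templates. Writing through a temporary file instead of sed -i keeps the script portable between GNU and BSD sed.

```shell
#!/bin/sh
# Added example, not part of KTS6 or SELKS. Rewrites Kibana scripted-field
# links from the /app/moloch base path to /moloch and checks nothing stale remains.
# The sample saved object below is constructed for this example.

# Replace every occurrence of /app/moloch with /moloch in the given files.
# '#' is used as the sed delimiter so the slashes need no escaping, and the
# result goes through a temp file because 'sed -i' differs between GNU and BSD.
fix_fpc_links() {
    for f in "$@"; do
        sed 's#/app/moloch#/moloch#g' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
    done
}

# Count remaining references to the old base path across the given files.
# 0 means every FPC link now points at /moloch.
count_stale_links() {
    grep -o '/app/moloch' "$@" | wc -l | tr -d ' '
}

# Constructed sample index pattern: one scripted field still using /app/moloch
# (the Discover case from the thread) and one already using /moloch (the
# dashboard case). The field names and script are assumptions.
write_sample() {
    cat > "$1" <<'EOF'
{"type":"index-pattern","attributes":{"title":"logstash-*","fields":"[{\"name\":\"FPC\",\"scripted\":true,\"script\":\"'/app/moloch/sessions?expression=' + doc['flow_id'].value\"},{\"name\":\"FPC_dash\",\"scripted\":true,\"script\":\"'/moloch/sessions?expression=' + doc['flow_id'].value\"}]"}}
EOF
}

# Demonstration: stale count before and after the rewrite.
sample=$(mktemp)
write_sample "$sample"
echo "stale links before: $(count_stale_links "$sample")"
fix_fpc_links "$sample"
echo "stale links after:  $(count_stale_links "$sample")"
rm -f "$sample"
```

Run it against the exported index-pattern files (for instance index-pattern:logstash-*.json) instead of the constructed sample; the second count should be 0, and the NGINX side still needs to serve /moloch for the rewritten links to work.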

pevma commented 5 years ago

I think we purposefully did it by design to be like that and not to follow the traditional way.