Open timguyuk opened 3 years ago
NGINX Looks ok
root@SELKS:~# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
ah
connect() failed (111: Connection refused) while connecting to upstream, client: x.x.x.x, server: selks, request: "GET / HTTP/1.1", upstream: "http://127.0.0.1:8000/", host: "x.x.x.x0"
The health check shows everything is running and ok ? Did you make sure the nginx config is up to date - https://github.com/StamusNetworks/SELKS/wiki/First-time-setup#nginx-config ?
location /bootstrap.js { proxy_pass http://127.0.0.1:5601/bootstrap.js; proxy_redirect off; }
at least was missing, I've taken that example conf and overwritten mine however same problem
Yes health check appears ok once 3 services are started
Ok, after adjusting the nginx conf - did you restart the nginx service?
Yes restart of nginx and reboot thereafter. I can't work out if it's an nginx issue or if it's selks. Ran update again just to be sure, nothing needs doing.
Just to be sure, this is my
server {
    listen 127.0.0.1:80;
    listen 443 default_server ssl;
    ssl_certificate /etc/nginx/ssl/scirius.crt;
    ssl_certificate_key /etc/nginx/ssl/scirius.key;
    server_name SELKS;
    access_log /var/log/nginx/scirius.access.log;
    error_log /var/log/nginx/scirius.error.log;

    # https://docs.djangoproject.com/en/dev/howto/static-files/#serving-static-files-in-production
    location /static/ { # STATIC_URL
        alias /var/lib/scirius/static/; # STATIC_ROOT
        expires 30d;
    }

    location /media/ { # MEDIA_URL
        alias /var/lib/scirius/static/; # MEDIA_ROOT
        expires 30d;
    }

    location /app/moloch/ {
        proxy_pass https://127.0.0.1:8005;
        proxy_redirect off;
    }

    location /plugins/ {
        proxy_pass http://127.0.0.1:5601/plugins/;
        proxy_redirect off;
    }

    location /dlls/ {
        proxy_pass http://127.0.0.1:5601/dlls/;
        proxy_redirect off;
    }

    location /socket.io/ {
        proxy_pass http://127.0.0.1:5601/socket.io/;
        proxy_redirect off;
    }

    location /dataset/ {
        proxy_pass http://127.0.0.1:5601/dataset/;
        proxy_redirect off;
    }

    location /translations/ {
        proxy_pass http://127.0.0.1:5601/translations/;
        proxy_redirect off;
    }

    location ^~ /built_assets/ {
        proxy_pass http://127.0.0.1:5601/built_assets/;
        proxy_redirect off;
    }

    location /ui/ {
        proxy_pass http://127.0.0.1:5601/ui/;
        proxy_redirect off;
    }

    location /spaces/ {
        proxy_pass http://127.0.0.1:5601/spaces/;
        proxy_redirect off;
    }

    location /node_modules/ {
        proxy_pass http://127.0.0.1:5601/node_modules/;
        proxy_redirect off;
    }

    location /bootstrap.js {
        proxy_pass http://127.0.0.1:5601/bootstrap.js;
        proxy_redirect off;
    }

    location /internal/ {
        proxy_pass http://127.0.0.1:5601/internal/;
        proxy_redirect off;
    }

    location ~ "^/([\d]{5}/.*)" {
        proxy_pass http://127.0.0.1:5601/$1;
        proxy_redirect off;
    }

    location /33984/ {
        proxy_pass http://127.0.0.1:5601/33912/;
        proxy_redirect off;
    }

    location / {
        proxy_pass http://127.0.0.1:8000;
        proxy_read_timeout 600;
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-Proto https;
        proxy_redirect off;
    }
}
Do you have success if you try to access it from the local browser ?
I'm running the nodesktop version, I'm afraid.
OK So I went back and installed again. Running the first time script I was able to get the server running and I had been playing around with it for 1-2 hours. Ran the upgrade and it failed with the last page of output below. It could be a totally different error to previous or it could be the same and I missed it (forgot about it), however the current error I have is 502 bad Gateway again. I have snapshotted the server before the upgrade and I will go back and play with it some more. Welcome to close this off as unsolved if you need to and I'll start another thread once I've played some more
Upgrade Output:
Operations to perform:
Apply all migrations: accounts, auth, authtoken, contenttypes, rules, sessions, suricata
Running migrations:
Applying rules.0081_django-2... OK
Applying rules.0082_source_use_sys_proxy... OK
Applying rules.0083_multi_es_validation... OK
Applying rules.0084_fakepermissionmodel... OK
Applying auth.0009_alter_user_last_name_max_length... OK
Applying auth.0010_alter_group_name_max_length... OK
Applying auth.0011_update_proxy_permissions... OK
Applying accounts.0004_group... OK
Applying rules.0085_roles_migrations... OK
Applying accounts.0005_remove_user_flags... OK
Applying accounts.0006_fix_role_default_priority... OK
Applying authtoken.0003_tokenproxy... OK
Applying rules.0086_ruleset_suppressed_sids... OK
Applying rules.0087_systemsettings_use_proxy_for_es... OK
Applying suricata.0005_django-2... OK
/var/lib/scirius
Restarted supervisord
error: <class 'socket.error'>, [Errno 104] Connection reset by peer: file: /usr/lib/python2.7/socket.py line: 480
Setting up libavahi-client3:amd64 (0.7-4+deb10u1) ...
Setting up linux-headers-amd64 (4.19+105+deb10u12) ...
Setting up libcurl3-gnutls:amd64 (7.64.0-4+deb10u2) ...
Setting up nginx-full (1.14.2-2+deb10u4) ...
[ ok ] Upgrading binary: nginx.
Setting up dbus-user-session (1.12.20-0+deb10u1) ...
Setting up libcups2:amd64 (2.2.10-6+deb10u4) ...
Setting up nginx (1.14.2-2+deb10u4) ...
Setting up openjdk-11-jre-headless:amd64 (11.0.11+9-1~deb10u1) ...
Installing new version of config file /etc/java-11-openjdk/jfr/default.jfc ...
Installing new version of config file /etc/java-11-openjdk/jfr/profile.jfc ...
Installing new version of config file /etc/java-11-openjdk/security/blacklisted.certs ...
Installing new version of config file /etc/java-11-openjdk/security/default.policy ...
Installing new version of config file /etc/java-11-openjdk/security/java.security ...
Installing new version of config file /etc/java-11-openjdk/security/public_suffix_list.dat ...
Setting up openjdk-11-jre:amd64 (11.0.11+9-1~deb10u1) ...
Setting up openjdk-11-jdk-headless:amd64 (11.0.11+9-1~deb10u1) ...
Setting up openjdk-11-jdk:amd64 (11.0.11+9-1~deb10u1) ...
Processing triggers for hicolor-icon-theme (0.17-2) ...
Processing triggers for libc-bin (2.28-10) ...
Processing triggers for ntp (1:4.2.8p12+dfsg-4) ...
Processing triggers for mime-support (3.62) ...
Processing triggers for initramfs-tools (0.133+deb10u1) ...
update-initramfs: Generating /boot/initrd.img-4.19.0-17-amd64
Processing triggers for systemd (241-7~deb10u7) ...
Processing triggers for ca-certificates (20200601~deb10u2) ...
Updating certificates in /etc/ssl/certs...
0 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.
done.
Job for elasticsearch.service failed because a timeout was exceeded.
See "systemctl status elasticsearch.service" and "journalctl -xe" for details.
scirius: ERROR (not running)
scirius: ERROR (no such file)
Upgrading Moloch..
Warning: Transient problem: connection refused Will retry in 30 seconds. 4
Warning: retries left.
Warning: Transient problem: connection refused Will retry in 30 seconds. 3
Warning: retries left.
Warning: Transient problem: connection refused Will retry in 30 seconds. 2
Warning: retries left.
Warning: Transient problem: connection refused Will retry in 30 seconds. 1
Warning: retries left.
curl: (7) Failed to connect to localhost port 9200: Connection refused
\e[1m\nMoloch will not be upgraded!! Please check that Elasticsearch is up and running.
can you enable the test repo (last line)-
cat /etc/apt/sources.list.d/selks6.list
deb http://packages.stamus-networks.com/selks6/debian/ buster main
deb http://packages.stamus-networks.com/selks6/debian-kernel/ buster main
deb http://packages.stamus-networks.com/selks6/debian-test/ buster main
And try the upgrade again ?
Also what is the output of selks-health-check_stamus
before you run the upgrade?
So, I had deb http://packages.stamus-networks.com/selks6/debian-test/ buster main in the sources already so I took it out, AND, It worked!!!!!
With that line removed everything was the same however I didn't get the option to upgrade scirius.
I went back and dropped back via snapshot and ran again with test source enabled. I both declined the scirius and approved the scirius question and regardless of what I choose it's now saying bad gateway. I don't know if it is scirius or something else from the test source but removing it helps it upgrade.
Tim
Can you share which Scirius version worked and which did not please?
Same issue on a setup after an upgrade (previously the system was running fine on the iso version, reckon that build was from start of 2020?) after running selks-upgrade_stamus the same 502 error appeared
selks-health-check_stamus shows all services are active
I updated nginx conf to wiki and re-ran first time setup (which ran into ticket 314 error due to KIBANA7_DASHBOARDS_PATH being missing) but neither fixed the 502 error
I'm not sure how best to find the version info on the broken system, but hopefully this will suffice
root@SELKS:/home/selks-user# dpkg -l | grep "suricata\|kibana\|nginx\|evebox"
ii evebox 1:0.14.0 amd64 no description given
ii kibana 7.13.3 amd64 Explore and visualize your Elasticsearch data
ii kibana-dashboards-stamus 2020122001 amd64 Kibana 6 dashboard templates.
ii libnginx-mod-http-auth-pam 1.14.2-2+deb10u4 amd64 PAM authentication module for Nginx
ii libnginx-mod-http-dav-ext 1.14.2-2+deb10u4 amd64 WebDAV missing commands support for Nginx
ii libnginx-mod-http-echo 1.14.2-2+deb10u4 amd64 Bring echo and more shell style goodies to Nginx
ii libnginx-mod-http-geoip 1.14.2-2+deb10u4 amd64 GeoIP HTTP module for Nginx
ii libnginx-mod-http-image-filter 1.14.2-2+deb10u4 amd64 HTTP image filter module for Nginx
ii libnginx-mod-http-subs-filter 1.14.2-2+deb10u4 amd64 Substitution filter module for Nginx
ii libnginx-mod-http-upstream-fair 1.14.2-2+deb10u4 amd64 Nginx Upstream Fair Proxy Load Balancer
ii libnginx-mod-http-xslt-filter 1.14.2-2+deb10u4 amd64 XSLT Transformation module for Nginx
ii libnginx-mod-mail 1.14.2-2+deb10u4 amd64 Mail module for Nginx
ii libnginx-mod-stream 1.14.2-2+deb10u4 amd64 Stream module for Nginx
ii nginx 1.14.2-2+deb10u4 all small, powerful, scalable web/proxy server
ii nginx-common 1.14.2-2+deb10u4 all small, powerful, scalable web/proxy server - common files
ii nginx-full 1.14.2-2+deb10u4 amd64 nginx web/proxy server (standard version)
ii suricata 1:2021052601-0stamus0 amd64 Suricata open source multi-thread IDS/IPS/NSM system.
If I run upgrade again, it notes that scirius doesn't exist?
root@SELKS:/home/selks-user# selks-upgrade_stamus
NOTE:
Depending on the size and how busy the system is the upgrade may take a while.
Starting the upgrade sequence...
Hit:2 http://deb.debian.org/debian buster InRelease
Hit:3 http://security.debian.org/debian-security buster/updates InRelease
Hit:4 http://packages.stamus-networks.com/selks6/debian buster InRelease
Hit:5 http://packages.stamus-networks.com/selks6/debian-kernel buster InRelease
Hit:6 http://deb.debian.org/debian buster-updates InRelease
Get:7 http://packages.stamus-networks.com/selks6/debian-test buster InRelease [1,871 B]
Hit:1 http://evebox.org/files/debian stable InRelease
Hit:8 https://artifacts.elastic.co/packages/7.x/apt stable InRelease
Hit:9 https://packages.elastic.co/curator/5/debian9 stable InRelease
Get:10 http://packages.stamus-networks.com/selks6/debian-test buster/main amd64 Packages [2,887 B]
Fetched 4,758 B in 2s (3,014 B/s)
Reading package lists... Done
Reading package lists... Done
Building dependency tree
Reading state information... Done
selks-scripts-stamus is already the newest version (2020121401).
The following packages were automatically installed and are no longer required:
gunicorn libjsoncpp1 liblua5.3-0 python-gunicorn python-pyinotify
Use 'sudo apt autoremove' to remove them.
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
NOTE:
Starting second stage upgrade sequence...
outputs.7.pcap-log.enabled = yes
Hit:1 http://security.debian.org/debian-security buster/updates InRelease
Hit:2 http://deb.debian.org/debian buster InRelease
Hit:4 http://deb.debian.org/debian buster-updates InRelease
Hit:5 http://packages.stamus-networks.com/selks6/debian buster InRelease
Hit:6 http://packages.stamus-networks.com/selks6/debian-kernel buster InRelease
Hit:3 http://evebox.org/files/debian stable InRelease
Hit:7 http://packages.stamus-networks.com/selks6/debian-test buster InRelease
Hit:8 https://artifacts.elastic.co/packages/7.x/apt stable InRelease
Hit:9 https://packages.elastic.co/curator/5/debian9 stable InRelease
Reading package lists... Done
Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
The following packages were automatically installed and are no longer required:
gunicorn libjsoncpp1 liblua5.3-0 python-gunicorn python-pyinotify
Use 'sudo apt autoremove' to remove them.
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
scirius: ERROR (not running)
scirius: ERROR (no such file)
root@SELKS:/home/selks-user# selks-health-check_stamus
● suricata.service - LSB: Next Generation IDS/IPS
Loaded: loaded (/etc/init.d/suricata; generated)
Active: active (running) since Thu 2021-07-08 10:23:01 EDT; 2min 38s ago
Docs: man:systemd-sysv-generator(8)
Process: 5816 ExecStart=/etc/init.d/suricata start (code=exited, status=0/SUCCESS)
Tasks: 22 (limit: 4915)
Memory: 414.4M
CGroup: /system.slice/suricata.service
└─5823 /usr/bin/suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid --af-packet -D -v --user=logstash
Jul 08 10:23:01 SELKS systemd[1]: Starting LSB: Next Generation IDS/IPS...
Jul 08 10:23:01 SELKS suricata[5816]: Starting suricata in IDS (af-packet) mode... done.
Jul 08 10:23:01 SELKS systemd[1]: Started LSB: Next Generation IDS/IPS.
● elasticsearch.service - Elasticsearch
Loaded: loaded (/lib/systemd/system/elasticsearch.service; enabled; vendor preset: enabled)
Active: active (running) since Thu 2021-07-08 10:22:59 EDT; 2min 40s ago
Docs: https://www.elastic.co
Main PID: 5463 (java)
Tasks: 123 (limit: 4915)
Memory: 4.4G
CGroup: /system.slice/elasticsearch.service
├─5463 /usr/share/elasticsearch/jdk/bin/java -Xshare:auto -Des.networkaddress.cache.ttl=60 -Des.networkaddress.cache.negative.ttl=10 -XX:+AlwaysPreTouch -Xss1m -Djava.awt.headless=true -Dfile.encoding=UTF-8 -Djna.nosys=true -XX:-OmitStackTrac…
└─5666 /usr/share/elasticsearch/modules/x-pack-ml/platform/linux-x86_64/bin/controller
Jul 08 10:22:44 SELKS systemd[1]: Starting Elasticsearch...
Jul 08 10:22:59 SELKS systemd[1]: Started Elasticsearch.
● logstash.service - logstash
Loaded: loaded (/etc/systemd/system/logstash.service; enabled; vendor preset: enabled)
Active: active (running) since Thu 2021-07-08 10:13:37 EDT; 12min ago
Main PID: 494 (java)
Tasks: 57 (limit: 4915)
Memory: 941.1M
CGroup: /system.slice/logstash.service
└─494 /usr/share/logstash/jdk/bin/java -Xms1g -Xmx1g -XX:+UseConcMarkSweepGC -XX:CMSInitiatingOccupancyFraction=75 -XX:+UseCMSInitiatingOccupancyOnly -Djava.awt.headless=true -Dfile.encoding=UTF-8 -Djruby.compile.invokedynamic=true -Djruby.ji…
Jul 08 10:22:55 SELKS logstash[494]: [2021-07-08T10:22:55,060][WARN ][logstash.outputs.elasticsearch][main] Attempted to resurrect connection to dead ES instance, but got an error {:url=>"http://127.0.0.1:9200/", :exception=>LogStash::Outputs::ElasticSe…
Jul 08 10:22:57 SELKS logstash[494]: [2021-07-08T10:22:57,941][ERROR][logstash.outputs.elasticsearch][main][2ada9d36290a6a5138e7215602be65b6292137d135f48ec13447a6de7100c7bc] Attempted to send a bulk request but there are no living connections in the poo…
Jul 08 10:22:59 SELKS logstash[494]: [2021-07-08T10:22:59,272][WARN ][logstash.outputs.elasticsearch][main] Attempted to resurrect connection to dead ES instance, but got an error {:url=>"http://127.0.0.1:9200/", :exception=>LogStash::Outputs::ElasticSe…
Jul 08 10:23:00 SELKS logstash[494]: [2021-07-08T10:23:00,082][WARN ][logstash.outputs.elasticsearch][main] Restored connection to ES instance {:url=>"http://127.0.0.1:9200/"}
Jul 08 10:23:01 SELKS logstash[494]: [2021-07-08T10:23:01,993][ERROR][logstash.outputs.elasticsearch][main][e55f734d663b7fb7ca21a05c69227f334d0c6198948f303fac6e50c03be43b13] Attempted to send a bulk request but there are no living connections in the poo…
Jul 08 10:23:02 SELKS logstash[494]: [2021-07-08T10:23:02,003][ERROR][logstash.outputs.elasticsearch][main][e55f734d663b7fb7ca21a05c69227f334d0c6198948f303fac6e50c03be43b13] Attempted to send a bulk request but there are no living connections in the poo…
Jul 08 10:23:02 SELKS logstash[494]: [2021-07-08T10:23:02,024][ERROR][logstash.outputs.elasticsearch][main][e55f734d663b7fb7ca21a05c69227f334d0c6198948f303fac6e50c03be43b13] Attempted to send a bulk request but there are no living connections in the poo…
Jul 08 10:23:02 SELKS logstash[494]: [2021-07-08T10:23:02,027][ERROR][logstash.outputs.elasticsearch][main][e55f734d663b7fb7ca21a05c69227f334d0c6198948f303fac6e50c03be43b13] Attempted to send a bulk request but there are no living connections in the poo…
Jul 08 10:23:02 SELKS logstash[494]: [2021-07-08T10:23:02,026][ERROR][logstash.outputs.elasticsearch][main][e55f734d663b7fb7ca21a05c69227f334d0c6198948f303fac6e50c03be43b13] Attempted to send a bulk request but there are no living connections in the poo…
Jul 08 10:23:04 SELKS logstash[494]: [2021-07-08T10:23:04,304][WARN ][logstash.outputs.elasticsearch][main] Restored connection to ES instance {:url=>"http://127.0.0.1:9200/"}
Hint: Some lines were ellipsized, use -l to show in full.
● kibana.service - Kibana
Loaded: loaded (/etc/systemd/system/kibana.service; enabled; vendor preset: enabled)
Active: active (running) since Thu 2021-07-08 10:22:59 EDT; 2min 40s ago
Docs: https://www.elastic.co
Main PID: 5716 (node)
Tasks: 18 (limit: 4915)
Memory: 268.2M
CGroup: /system.slice/kibana.service
├─5716 /usr/share/kibana/bin/../node/bin/node /usr/share/kibana/bin/../src/cli/dist --logging.dest=/var/log/kibana/kibana.log --pid.file=/run/kibana/kibana.pid
└─5781 /usr/share/kibana/node/bin/node --preserve-symlinks-main --preserve-symlinks /usr/share/kibana/src/cli/dist --logging.dest=/var/log/kibana/kibana.log --pid.file=/run/kibana/kibana.pid
Jul 08 10:22:59 SELKS systemd[1]: Started Kibana.
● evebox.service - EveBox Server
Loaded: loaded (/lib/systemd/system/evebox.service; enabled; vendor preset: enabled)
Active: active (running) since Thu 2021-07-08 10:13:37 EDT; 12min ago
Main PID: 495 (evebox)
Tasks: 9 (limit: 4915)
Memory: 12.3M
CGroup: /system.slice/evebox.service
└─495 /usr/bin/evebox server
Jul 08 10:14:12 SELKS evebox[495]: 2021-07-08 10:14:12 WARN evebox::server::main: Failed to get Elasticsearch version, will try again: request: error sending request for url (http://localhost:9200/): error trying to connect: tcp c…refused (os error 111)
Jul 08 10:14:15 SELKS evebox[495]: 2021-07-08 10:14:15 WARN evebox::server::main: Failed to get Elasticsearch version, will try again: request: error sending request for url (http://localhost:9200/): error trying to connect: tcp c…refused (os error 111)
Jul 08 10:14:18 SELKS evebox[495]: 2021-07-08 10:14:18 WARN evebox::server::main: Failed to get Elasticsearch version, will try again: request: error sending request for url (http://localhost:9200/): error trying to connect: tcp c…refused (os error 111)
Jul 08 10:14:21 SELKS evebox[495]: 2021-07-08 10:14:21 WARN evebox::server::main: Failed to get Elasticsearch version, will try again: request: error sending request for url (http://localhost:9200/): error trying to connect: tcp c…refused (os error 111)
Jul 08 10:14:24 SELKS evebox[495]: 2021-07-08 10:14:24 WARN evebox::server::main: Failed to get Elasticsearch version, will try again: request: error sending request for url (http://localhost:9200/): error trying to connect: tcp c…refused (os error 111)
Jul 08 10:14:27 SELKS evebox[495]: 2021-07-08 10:14:27 WARN evebox::server::main: Failed to get Elasticsearch version, will try again: request: error sending request for url (http://localhost:9200/): error trying to connect: tcp c…refused (os error 111)
Jul 08 10:14:30 SELKS evebox[495]: 2021-07-08 10:14:30 WARN evebox::server::main: Failed to get Elasticsearch version, will try again: request: error sending request for url (http://localhost:9200/): error trying to connect: tcp c…refused (os error 111)
Jul 08 10:14:33 SELKS evebox[495]: 2021-07-08 10:14:33 WARN evebox::server::main: Failed to get Elasticsearch version, will try again: request: error sending request for url (http://localhost:9200/): error trying to connect: tcp c…refused (os error 111)
Jul 08 10:14:36 SELKS evebox[495]: 2021-07-08 10:14:36 INFO evebox::server::main: Found Elasticsearch version 7.13.3 at http://localhost:9200
Jul 08 10:14:36 SELKS evebox[495]: 2021-07-08 10:14:36 INFO evebox::server::main: Starting server on 127.0.0.1:5636, tls=false
Hint: Some lines were ellipsized, use -l to show in full.
● molochviewer-selks.service - Moloch Viewer
Loaded: loaded (/etc/systemd/system/molochviewer-selks.service; enabled; vendor preset: enabled)
Active: active (running) since Thu 2021-07-08 10:22:59 EDT; 2min 40s ago
Main PID: 5760 (sh)
Tasks: 12 (limit: 4915)
Memory: 38.6M
CGroup: /system.slice/molochviewer-selks.service
├─5760 /bin/sh -c /data/moloch/bin/node viewer.js -c /data/moloch/etc/config.ini >> /data/moloch/logs/viewer.log 2>&1
└─5762 /data/moloch/bin/node viewer.js -c /data/moloch/etc/config.ini
Jul 08 10:22:59 SELKS systemd[1]: Started Moloch Viewer.
● molochpcapread-selks.service - Moloch Pcap Read
Loaded: loaded (/etc/systemd/system/molochpcapread-selks.service; enabled; vendor preset: enabled)
Active: active (running) since Thu 2021-07-08 10:22:59 EDT; 2min 40s ago
Main PID: 5756 (sh)
Tasks: 5 (limit: 4915)
Memory: 147.2M
CGroup: /system.slice/molochpcapread-selks.service
├─5756 /bin/sh -c /data/moloch/bin/moloch-capture -c /data/moloch/etc/config.ini -m -s -R /data/nsm/ >> /data/moloch/logs/capture.log 2>&1
└─5759 /data/moloch/bin/moloch-capture -c /data/moloch/etc/config.ini -m -s -R /data/nsm/
Jul 08 10:22:59 SELKS systemd[1]: Started Moloch Pcap Read.
scirius FATAL can't find command '/usr/bin/gunicorn3'
ii elasticsearch 7.13.3 amd64 Distributed RESTful search engine built for the cloud
ii elasticsearch-curator 5.8.4 amd64 Have indices in Elasticsearch? This is the tool for you!\n\nLike a museum curator manages the exhibits and collections on display, \nElasticsearch Curator helps you curate, or manage your indices.
ii evebox 1:0.14.0 amd64 no description given
ii kibana 7.13.3 amd64 Explore and visualize your Elasticsearch data
ii kibana-dashboards-stamus 2020122001 amd64 Kibana 6 dashboard templates.
ii logstash 1:7.13.3-1 amd64 An extensible logging pipeline
ii moloch 2.7.1-1 amd64 Moloch Full Packet System
ii scirius 3.7.0-3 amd64 Django application to manage Suricata ruleset
ii suricata 1:2021052601-0stamus0 amd64 Suricata open source multi-thread IDS/IPS/NSM system.
Filesystem Type Size Used Avail Use% Mounted on
udev devtmpfs 3.9G 0 3.9G 0% /dev
tmpfs tmpfs 798M 9.0M 789M 2% /run
/dev/sda1 ext4 32G 11G 19G 37% /
tmpfs tmpfs 3.9G 0 3.9G 0% /dev/shm
tmpfs tmpfs 5.0M 4.0K 5.0M 1% /run/lock
tmpfs tmpfs 3.9G 0 3.9G 0% /sys/fs/cgroup
tmpfs tmpfs 798M 4.0K 798M 1% /run/user/115
tmpfs tmpfs 798M 0 798M 0% /run/user/1000
sudo apt install gunicorn3
/usr/bin/supervisorctl start scirius
seems to have fixed it
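The diagnosis this thread converges on, as an added example that is not part of the original posts or of SELKS: nginx answers 502 because nothing listens on the upstream it proxies to, and the reason sits in supervisor's status for scirius rather than in the nginx config. The two log lines are the ones quoted in the thread; the `ss -ltn` sample is constructed and the function names are illustrative.

```shell
#!/bin/sh
# Sample inputs. NGINX_ERR and SUPERVISOR_STATUS are quoted from the thread
# (client/host redacted by the poster); SS_SAMPLE is constructed.
NGINX_ERR='connect() failed (111: Connection refused) while connecting to upstream, client: x.x.x.x, server: selks, request: "GET / HTTP/1.1", upstream: "http://127.0.0.1:8000/", host: "x.x.x.x0"'
SUPERVISOR_STATUS="scirius FATAL can't find command '/usr/bin/gunicorn3'"
SS_SAMPLE='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    127.0.0.1:5601     0.0.0.0:*
LISTEN 0      128    127.0.0.1:9200     0.0.0.0:*'

# stdin: nginx error log. Prints host:port of each upstream that refused
# a connection, de-duplicated.
refused_upstreams() {
    grep -F 'connect() failed (111' |
        sed -n 's|.*upstream: "[a-z]*://\([^/"]*\).*|\1|p' | sort -u
}

# stdin: `ss -ltn` output. Succeeds if $1 (host:port) is a listening socket.
is_listening() {
    awk -v want="$1" '$1 == "LISTEN" && $4 == want { found = 1 }
                      END { exit !found }'
}

# stdin: `supervisorctl status` output. Prints "program binary" for every
# program that is FATAL because the command it launches is not installed.
missing_commands() {
    sed -n "s|^\([^ ]*\) *FATAL *can't find command '\([^']*\)'.*|\1 \2|p"
}

# $1 nginx error log text, $2 `ss -ltn` text, $3 `supervisorctl status` text
triage() {
    for up in $(printf '%s\n' "$1" | refused_upstreams); do
        if printf '%s\n' "$2" | is_listening "$up"; then
            echo "$up: listening now, the refusal was transient; re-test"
        else
            echo "$up: nothing listening; look at the process manager, not nginx"
            printf '%s\n' "$3" | missing_commands |
                while read -r prog bin; do
                    echo "  $prog cannot start: $bin is missing"
                done
        fi
    done
}

# Offline run on the samples above.
triage "$NGINX_ERR" "$SS_SAMPLE" "$SUPERVISOR_STATUS"

# Live use on the box, as root (log path taken from the nginx config above):
#   triage "$(tail -n 200 /var/log/nginx/scirius.error.log)" \
#          "$(ss -ltn)" "$(supervisorctl status)"
```

A passing `nginx -t` and active systemd units do not cover this case, because scirius is started through supervisorctl and the failure is a missing binary for that program.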
This helped me as well. Does something break the default python?
So I've got to a point I've managed to get everything sorted:
selks-first-time-setup_stamus and selks-upgrade_stamus had no errors,
However after a reboot I have to start manually:
systemctl start elasticsearch.service
systemctl start molochviewer-selks.service
systemctl start molochpcapread-selks.service
And worst, I can't get anything from the management site. Visiting https://x.x.x.x gives me 502 Bad Gateway
After the 3 service starts selks-health-check_stamus shows everything ok.
Any advice,
Tim