StamusNetworks / SELKS

A Suricata based IDS/IPS/NSM distro
https://www.stamus-networks.com/open-source/#selks
GNU General Public License v3.0

Moloch molochpcapread couldn't stat oui file #347

Open b4b857f6ee opened 2 years ago

b4b857f6ee commented 2 years ago

Hello,

Fresh install, first setup and upgrade. Fixed an nginx problem with Kibana (some issue here) by just modifying the nginx configuration :).

I configured option 2, FPC. I don't have internet on the system.

And molochpcapread did not work; I guess because of the lack of internet access? Any idea :)?


pevma commented 2 years ago

It is opening, so it seems there is just no data?

b4b857f6ee commented 2 years ago

> It is opening, so it seems there is just no data?

Yes, and the service is not started... I don't understand why.... I got data in Scirius, in EveBox, in Kibana... but why not in Moloch.... :/

pevma commented 2 years ago

The Moloch service starts with a delay on purpose, as it depends on ES. You can always restart it. FYI: https://github.com/StamusNetworks/SELKS/wiki/Services-status-check Otherwise, look for the error message in the log file (the service shows it).

b4b857f6ee commented 2 years ago

> The Moloch service starts with a delay on purpose, as it depends on ES. You can always restart it. FYI: https://github.com/StamusNetworks/SELKS/wiki/Services-status-check Otherwise, look for the error message in the log file (the service shows it).

I already showed it here:

b4b857f6ee commented 2 years ago

And the log:

pevma commented 2 years ago

I think the first-time setup maybe did not finish properly; I think it may be due to the fact that you had no internet connection for the setup?

b4b857f6ee commented 2 years ago

> I think the first-time setup maybe did not finish properly; I think it may be due to the fact that you had no internet connection for the setup?

I was having it, but I did it one more time without it, yes. Do I really need it?

b4b857f6ee commented 2 years ago

> I think the first-time setup maybe did not finish properly; I think it may be due to the fact that you had no internet connection for the setup?

I've just done it with internet. No error. I got everything running this time. I got pcaps in /data/moloch/raw but still nothing in the Moloch interface x'D

In /data/moloch/etc/config.ini I got this, so I guess the starting script didn't change the listening interface I had chosen?

b4b857f6ee commented 2 years ago

I changed it to my Suricata interface. I got 5 packets in Moloch and.... nothing more ^^. Even though the pcap grows.

b4b857f6ee commented 2 years ago

Ok, I restarted; I can see everything but I can't see the latest. Nothing after 12h50, and it's now 13h02. Strange, no?

b4b857f6ee commented 2 years ago

I got this in capture.log:

b4b857f6ee commented 2 years ago

Ok, I think I got a delta of 30 min before having the logs in Moloch. Normal?

nour1509 commented 9 months ago

Hi, I need your help. I have the same problem! But I have set up Arkime using internet, and it's always the same problem.

pevma commented 9 months ago

Did you try selecting a different time span?