StamusNetworks / scirius

Scirius is a web application for Suricata ruleset management and threat hunting.
GNU General Public License v3.0

ES not working in Scirius, the status light is gray #182

Open RonnieNiu opened 5 years ago

RonnieNiu commented 5 years ago

Hi guys:

I am from China. I have an issue which I cannot solve, thanks for your help! My Scirius is SCIRIUS_VERSION="3.2.0", ES version is Version: 6.6.2. [image] My Scirius settings.py is: [image] The error info in elasticsearch.log is:

[image]

pevma commented 5 years ago

Is that SELKS 5.0? It seems like an auth err - have you done any changes to the default config - I see http auth adjustments?

RonnieNiu commented 5 years ago

ELK is 6.6.2, Suricata is 4.1.0. I changed the default config in Scirius settings.py by adding "http auth".

RonnieNiu commented 5 years ago

My ELK is installed on 10.104.131.4, my Scirius and Suricata are installed on 192.168.13.128. I don't know if it has anything to do with this. Thanks!

pevma commented 5 years ago

Why did you do the change, what was needed? In SELKS authentication is done via Scirius by default and it works that way - hence my question - is it a different auth mechanism you are using, or?

RonnieNiu commented 5 years ago

Because my ES is configured with authentication, and I find nothing about authentication in Scirius settings.py. When starting with the default configuration, the error I got is: [image] [image]

RonnieNiu commented 5 years ago

Now I am talking about my environment. I have several Suricata instances distributed at various network boundaries, and then ES and Kibana are deployed at 10.104.116.212 to display the alarm events. Logstash is deployed at 10.3.4.79, and the events are fed into ES. Since the previous rules were managed by oinkmaster, now I want to deploy Scirius to manage the rules, and deploy Scirius at 10.104.116.212. Thank you very much for helping.

pevma commented 5 years ago

What authentication is used on ES, do you have Xpack enabled?

RonnieNiu commented 5 years ago

Yes, I use Xpack on ES, the elasticsearch.yml is: [image]

pevma commented 5 years ago

Currently Scirius is in charge of authentication and uses a proxy, so it is not fully compatible yet with Xpack. To confirm that - can you disable Xpack security / auth, adjust the settings accordingly in /etc/scirius/local_settings.py, restart the machine and try again?
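The comment above reduces to one question a defender can check directly: does the Elasticsearch HTTP API answer unauthenticated requests, or does X-Pack security reject them with a 401 before Scirius's proxy ever sees data? The script below is an added diagnostic, not part of this thread and not Scirius or Elastic code. It probes the node root and, if that is open, the `_xpack` endpoint, and reports whether the security feature is enabled. The `ES_URL` value is a placeholder you replace with your own node address; the response fields it reads (`cluster_name`, `version`, `features.security.enabled`) are what ES 6.x returns for `GET /` and `GET /_xpack`.

```python
"""Added example: probe an Elasticsearch node for X-Pack security gating.

Not Scirius code.  ES_URL is a constructed placeholder; point it at the
node you intend to wire into Scirius before changing local_settings.py.
"""
import json
import urllib.error
import urllib.request

ES_URL = "http://127.0.0.1:9200"  # placeholder, replace with your ES address


def _lower_keys(headers):
    """Header names are case-insensitive; normalise for lookup."""
    return {str(k).lower(): v for k, v in dict(headers).items()}


def auth_realm(headers):
    """Return the WWW-Authenticate challenge, or '' if there is none."""
    return _lower_keys(headers).get("www-authenticate", "")


def diagnose_root(status, headers, body):
    """Classify the response to GET / on an ES node.

    Returns "open", "auth-required", "forbidden" or "unexpected".
    A 401 here is the state that leaves Scirius's ES status grey: its
    proxy forwards requests without credentials, so X-Pack security
    rejects every query before any eve data can be read.
    """
    if status == 401:
        return "auth-required"
    if status == 403:
        return "forbidden"
    if status == 200:
        try:
            info = json.loads(body)
        except ValueError:
            return "unexpected"
        if isinstance(info, dict) and "cluster_name" in info and "version" in info:
            return "open"
    return "unexpected"


def security_enabled(xpack_body):
    """Parse GET /_xpack and say whether the security feature is on.

    Returns True/False, or None when the node reports no X-Pack feature
    block (OSS build, or a response that is not the expected JSON).
    """
    try:
        info = json.loads(xpack_body)
    except ValueError:
        return None
    sec = info.get("features", {}).get("security") if isinstance(info, dict) else None
    if not isinstance(sec, dict):
        return None
    return bool(sec.get("available")) and bool(sec.get("enabled"))


def fetch(url, timeout=5):
    """GET url and return (status, headers, body); 4xx/5xx do not raise."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.headers, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.headers, err.read().decode("utf-8", "replace")


def probe(base_url=ES_URL):
    """Run both checks against a live node and return a small report."""
    base = base_url.rstrip("/")
    status, headers, body = fetch(base + "/")
    report = {"root": diagnose_root(status, headers, body),
              "challenge": auth_realm(headers)}
    if report["root"] == "open":
        xstatus, _, xbody = fetch(base + "/_xpack")
        report["security_enabled"] = security_enabled(xbody) if xstatus == 200 else None
    return report


if __name__ == "__main__":
    try:
        print(json.dumps(probe(), indent=2))
    except urllib.error.URLError as err:  # node unreachable, DNS failure, refused
        print(f"cannot reach {ES_URL}: {err.reason}")
```

Run it from the Scirius host, not your workstation, since what matters is what the proxy sees from there. A report of `"root": "auth-required"` with a `Basic realm="security"` challenge confirms the situation described in this thread; `"root": "open"` with `"security_enabled": false` is the state the comment above asks you to reproduce before retesting.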

RonnieNiu commented 5 years ago

Yes, I disabled Xpack on ES, then it's ok. But Scirius still has no eve data [image] and Kibana still errors: [image] [image]

pevma commented 5 years ago

It seems it could be a proxy issue - prohibiting the page display.

RonnieNiu commented 5 years ago

But I didn't set up a proxy, it's really strange, I don't know how to solve it. 😂😭😭😭😭😭😭

pevma commented 5 years ago

I think you could try in a test setup - a fresh install without Xpack enabled - to see if you get the same err?