amitn322 / blackesk

BLACK ESK SIEM is a SIEM platform built with Elasticsearch, Syslog-Ng and Kibana

Timezone hardcoded in syslog-ng #6

Closed skyblaster closed 3 years ago

skyblaster commented 3 years ago

In /syslog-ng/conf/syslog-ng.conf you have the following defined twice: time-zone("MST")

In my case, I ran the uninstall script, updated these entries to PST and then re-ran the install script. I found out that PST was not included in /usr/share/zoneinfo/ and had to update once again to PST8PDT. Also, as a newer Docker user, I learned that I had to trash the image and rebuild after making these changes for them to take effect.

Would it be possible to switch to GMT as the default, both in the environment variables file and in the syslog-ng config?

Making the two time-zone statements within /syslog-ng/conf/syslog-ng.conf use an environment variable would certainly help, but a note in the Readme would suffice.

amitn322 commented 3 years ago

@skyblaster,

Thank you for reporting that as well as trying blackesk. I will update the source code to use environment variables and push to git sometime tomorrow. I will let you know when pushed.

skyblaster commented 3 years ago

@amitn322

I had a look at commit a4ad838113ceeeb0d394ae622ef85ec504702799 and found that the MST definitions really had no effect on my particular situation... which was new remote syslog messages showing up as 1 hour "old" within Kibana.

My problem appears simply to stem from the "America/Phoenix" environment variable that I didn't modify early on, and not knowing how to change the TZ of the syslog-ng container without rebuilding.

Maybe this is a trivial issue for Docker novices, but really all that's needed to save folks like me is to update the readme:

-Clone the repo and run the installer

+Clone the repo and modify some environment variables in .env
+Run the installer

You really shouldn't have to mention it in the readme, but a separate issue I encountered was missing the uninstall script before rebuilding which led to the following error:

Failed to authenticate user 'elastic' against http://X.X.X.X:9200/_security/_authenticate?pretty
Possible causes include:
 * The password for the 'elastic' user has already been changed on this cluster
 * Your elasticsearch node is running against a different keystore
   This tool used the keystore at /etc/elasticsearch/elasticsearch.keystore

ERROR: Failed to verify bootstrap password
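The thread turns on two separate mistakes that are easy to make with this setup: putting an abbreviation such as "PST" into the TZ setting when it is not a zoneinfo name, and leaving a time-zone literal hardcoded in syslog-ng.conf so the container keeps a zone you did not intend. The following pre-flight script is an added example written for this issue, not code from the blackesk project: it reads TZ from a .env file, refuses any value that does not exist under a zoneinfo tree, and rewrites every time-zone("...") statement in a config template from that value. The .env contents, the config template and the temporary zoneinfo tree it builds are all constructed samples so the script runs offline; point it at /usr/share/zoneinfo and your real files to use it.

```python
"""Pre-flight check for a Docker-based syslog-ng deployment: read TZ from a
.env file, verify it names a real zoneinfo entry, and render the time-zone()
statements in syslog-ng.conf from that value instead of a hardcoded literal.
Added example for this issue thread, not part of the blackesk project.
The .env text, the config template and the zoneinfo tree are constructed."""
import os
import re
import tempfile

# Constructed sample .env. "PST" is not a zoneinfo name (the reporter hit
# exactly this); "PST8PDT" and "Etc/GMT" are.
SAMPLE_ENV = """# constructed sample
TZ=PST
ELASTIC_PASSWORD=changeme
"""

# Constructed stand-in for syslog-ng.conf with the literal the issue describes
# (time-zone("MST") appearing twice). Not the project's real config.
SAMPLE_CONF = """source s_net { udp(port(514)); };
destination d_es { elasticsearch-http(url("http://es:9200") time-zone("MST")); };
destination d_file { file("/var/log/remote.log" time-zone("MST")); };
"""


def load_env(text):
    """Parse KEY=VALUE lines from a .env file; ignore blanks and comments."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip().strip('"').strip("'")
    return env


def valid_zone(name, zoneinfo_root="/usr/share/zoneinfo"):
    """True if `name` resolves to a file under the zoneinfo tree.
    Rejects empty names, absolute paths and traversal components; assumes the
    tzdata layout (e.g. Etc/GMT, America/Phoenix, PST8PDT)."""
    if not name or name.startswith("/") or ".." in name.split("/"):
        return False
    return os.path.isfile(os.path.join(zoneinfo_root, name))


TZ_STMT = re.compile(r'time-zone\("([^"]*)"\)')


def render_conf(template, tz):
    """Replace every hardcoded time-zone("...") with the configured zone."""
    return TZ_STMT.sub(lambda m: 'time-zone("%s")' % tz, template)


def preflight(env_text, conf_template, zoneinfo_root="/usr/share/zoneinfo"):
    """Return (ok, message, rendered_conf). Fails closed on an unknown zone,
    so a bad TZ is caught before the image is rebuilt."""
    env = load_env(env_text)
    tz = env.get("TZ", "")
    if not valid_zone(tz, zoneinfo_root):
        return False, "TZ=%r is not present under %s" % (tz, zoneinfo_root), None
    return True, "TZ=%s ok" % tz, render_conf(conf_template, tz)


def make_fake_zoneinfo():
    """Build a tiny zoneinfo-like tree in a temp dir so the example runs
    offline regardless of the host's tzdata. Constructed, not real tz data."""
    root = tempfile.mkdtemp()
    for name in ("PST8PDT", "Etc/GMT", "America/Phoenix", "America/Los_Angeles"):
        path = os.path.join(root, name)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(b"TZif2")  # magic bytes only; the content is never parsed
    return root


if __name__ == "__main__":
    root = make_fake_zoneinfo()
    ok, msg, _ = preflight(SAMPLE_ENV, SAMPLE_CONF, root)
    print(ok, msg)  # the reporter's first attempt: TZ=PST is rejected
    fixed_env = SAMPLE_ENV.replace("TZ=PST", "TZ=PST8PDT")
    ok, msg, conf = preflight(fixed_env, SAMPLE_CONF, root)
    print(ok, msg)
    print(conf)
```

Running the rendered config through the container's own `syslog-ng --syntax-only` before `docker build` is the natural next step; a zone name that passes this check but is absent from the image's tzdata would still surface there. Note that the check deliberately fails closed: an empty or misspelled TZ is reported rather than silently falling back to whatever the container's default happens to be, which is the failure mode that produced the one-hour offset in Kibana.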

amitn322 commented 3 years ago

Hi @skyblaster, sorry about the delay. I have updated the readme file to include both uninstall and the environment settings.

Thank You,