danielguerra69 / bro-debian-elasticsearch

bro on debian with elasticsearch support

Can't see any logs in kibana #9

Open alxbob opened 7 years ago

alxbob commented 7 years ago

I set up a 3-node ELK cluster, Kibana and bro with the xinetd-elasticsearch role. I send traffic with /dev/stdout but I can't see any logs in Kibana. Any advice?

danielguerra69 commented 7 years ago

At the bottom of the manual there is a section that handles this (dumping containers etc. to analyse data): tcpdump -i eth0 (or whatever you have) -w - | nc 1969.

Always check your logs: docker logs bro, docker logs elasticsearch.

And if you want an answer, describe the problem, your commands, logging etc.


alxbob commented 7 years ago

My mistake, let me describe it as completely as possible: as far as I understand, for live traffic capture I need 3 ELK containers, 1 Kibana and 1 bro-xinetd, so I modified the docker-compose.yml to this 👍

# VOLUMES
elastic-data-master:
  image: tianon/true
  volumes:
    - /usr/share/elasticsearch/data

elastic-data-node01:
  image: tianon/true
  volumes:
    - /usr/share/elasticsearch/data

elastic-data-node02:
  image: tianon/true
  volumes:
    - /usr/share/elasticsearch/data

# nginx
nginx:
  image: danielguerra/bro-elasticsearch-nginx
  hostname: nginx
  links:
    - "elasticsearch-master:master"
    - "elasticsearch-node01:node01"
    - "elasticsearch-node02:node02"
  ports:
    - "9200:9200"
    - "9300:9300"

# ELASTICSEARCH
elasticsearch-master:
  image: danielguerra/alpine-elasticsearch
  command: -Des.network.bind_host=elasticsearch-master --cluster.name=bro --node.name=elasticsearch-master --discovery.zen.ping.multicast.enabled=false --network.host=elasticsearch-master
  hostname: elasticsearch-master
  volumes_from:
    - "elastic-data-master"

elasticsearch-node01:
  image: danielguerra/alpine-elasticsearch
  command: -Des.network.bind_host=elasticsearch-node01 --cluster.name=bro --node.name=elasticsearch-node01 --discovery.zen.ping.unicast.hosts=master:9300 --network.host=elasticsearch-node01
  hostname: elasticsearch-node01
  links:
    - "elasticsearch-master:master"
  volumes_from:
    - "elastic-data-node01"

elasticsearch-node02:
  image: danielguerra/alpine-elasticsearch
  command: -Des.network.bind_host=elasticsearch-node02 --cluster.name=bro --node.name=elasticsearch-node02 --discovery.zen.ping.unicast.hosts=master:9300 --network.host=elasticsearch-node02
  hostname: elasticsearch-node02
  links:
    - "elasticsearch-master:master"
  volumes_from:
    - "elastic-data-node02"

# KIBANA
kibana:
  image: kibana:4.6
  hostname: kibana
  ports:
    - "5601:5601"
  links:
    - "nginx:elasticsearch"

# BRO
bro-xinitd:
  image: danielguerra/bro-debian-elasticsearch
  command: /role/xinetd-elasticsearch
  hostname: bro-xinetd
  links:
    - "nginx:elasticsearch"
  ports:
    - "1969:1969"

# mapping
bro-mapping:
  image: danielguerra/bro-debian-elasticsearch
  command: /scripts/bro-mapping.sh
  links:
    - "nginx:elasticsearch"

# kibana config
kibana-config:
  image: danielguerra/bro-kibana-config
  links:
    - "elasticsearch-master:elasticsearch"

I run docker-compose pull/up and the dockers are up and running. I see Kibana on ip:5601 and I start tcpdump -i eth0 -w - | nc ip 1969 or tcpdump -i eth0 -w - /dev/stdout | nc ip 1969. Inside the bro-xinetd container I see tcpdump packets arriving and periodically the bro -r service running, but nothing in Kibana. Thanks again for your help.
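An added diagnostic script for the chain described in this setup (capture host -> nc 1969 -> bro-xinetd -> nginx alias "elasticsearch" on 9200 -> Kibana); it is not code from the repository. It checks two things the thread leaves unverified: whether what arrives at the listener is actually a pcap/pcapng stream, and whether any bro-* index in Elasticsearch holds documents. The ES_URL variable, the bro-* index naming and the sample _cat/indices lines are assumptions.

```shell
#!/bin/sh
# Added example (not part of bro-debian-elasticsearch).
# Chain under test: tcpdump -w - | nc <ip> 1969 -> bro -r (xinetd) -> elasticsearch (nginx link) -> Kibana.
# Assumptions: ES_URL points at the nginx front (e.g. http://10.0.0.27:9200),
# and bro writes to indices named bro-*.
set -u

# Classify a capture stream by its first four bytes. bro -r can only parse
# pcap or pcapng; anything else arriving on 1969 is silently useless.
pcap_kind() {
  magic=$(od -An -tx1 -N4 "$1" | tr -d ' \n')
  case "$magic" in
    d4c3b2a1|4d3cb2a1) echo pcap-le ;;   # little-endian, usec or nsec timestamps
    a1b2c3d4|a1b23c4d) echo pcap-be ;;   # big-endian
    0a0d0d0a)          echo pcapng ;;
    '')                echo empty ;;     # nothing was written at all
    *)                 echo unknown ;;
  esac
}

# Sum docs.count over bro-* indices from `_cat/indices?h=index,docs.count`
# read on stdin. Zero means bro never reached Elasticsearch, even if
# packets are visibly arriving inside the bro-xinetd container.
bro_doc_count() {
  awk '$1 ~ /^bro-/ { n += $2 } END { printf "%d\n", n }'
}

# Live probe through the host-published nginx port; skipped without ES_URL.
probe_es() {
  [ -n "${ES_URL:-}" ] || { echo "ES_URL not set; skipping live probe" >&2; return 2; }
  curl -s "$ES_URL/_cat/indices?h=index,docs.count" | bro_doc_count
}

# Offline self-check on constructed data: a pcap little-endian header prefix
# and three constructed _cat/indices lines (one of them the .kibana index).
self_check() {
  tmp=$(mktemp)
  printf '\324\303\262\241\002\000\004\000' > "$tmp"   # d4 c3 b2 a1, version 2.4
  kind=$(pcap_kind "$tmp")
  rm -f "$tmp"
  count=$(printf 'bro-2016.11.24 120\n.kibana 78\nbro-2016.11.23 5\n' | bro_doc_count)
  echo "stream=$kind bro_docs=$count"
}
```

For a live check, save the first bytes of the real stream (for example tcpdump -i eth0 -c 1 -w - | head -c 4 > probe.bin) and pass probe.bin to pcap_kind; run probe_es with ES_URL set to compare against what Kibana's bro-* pattern should see.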

danielguerra69 commented 7 years ago

Give me the output of docker ps -a and docker-compose logs

btw I see your nc is wrong, it's nc


alxbob commented 7 years ago

My nc is tcpdump -i eth1 -s 0 -w /dev/stdout | nc 10.0.0.27 1969; I also tried tcpdump -i eth1 -s 0 -w - | nc 10.0.0.27 1969.

docker ps -a

CONTAINER ID | IMAGE | COMMAND | CREATED | STATUS | PORTS | NAMES
6e7ca01b5e4e | danielguerra/bro-debian-elasticsearch | "/role/xinetd-elastic" | 39 seconds ago | Up 30 seconds | 22/tcp, 47761-47762/tcp, 0.0.0.0:1969->1969/tcp | anakata_bro-xinitd_1
fbda57c2c830 | danielguerra/bro-debian-elasticsearch | "/scripts/bro-mapping" | 39 seconds ago | Exited (0) 29 seconds ago | | anakata_bro-mapping_1
1a2c2b0a5b8c | kibana:4.6 | "/docker-entrypoint.s" | 39 seconds ago | Up 31 seconds | 0.0.0.0:5601->5601/tcp | anakata_kibana_1
c4dd6ae4214f | danielguerra/bro-elasticsearch-nginx | "nginx -g 'daemon off" | About a minute ago | Up 40 seconds | 80/tcp, 0.0.0.0:9200->9200/tcp, 443/tcp, 0.0.0.0:9300->9300/tcp | anakata_nginx_1
87b9b0af6948 | danielguerra/alpine-elasticsearch | "docker-entrypoint.sh" | 2 minutes ago | Up 2 minutes | 9200/tcp, 9300/tcp | anakata_elasticsearch-node02_1
066fae96562b | danielguerra/alpine-elasticsearch | "docker-entrypoint.sh" | 2 minutes ago | Up About a minute | 9200/tcp, 9300/tcp | anakata_elasticsearch-node01_1
a5d49aeb446e | danielguerra/bro-kibana-config | "/start.sh" | 2 minutes ago | Exited (0) 21 seconds ago | | anakata_kibana-config_1
527f0121e7ce | danielguerra/alpine-elasticsearch | "docker-entrypoint.sh" | 3 minutes ago | Up 2 minutes | 9200/tcp, 9300/tcp | anakata_elasticsearch-master_1
588cec1fa970 | tianon/true | "/true" | 5 minutes ago | Exited (0) 5 minutes ago | | anakata_elastic-data-node01_1
edcac2019405 | tianon/true | "/true" | 5 minutes ago | Exited (0) 5 minutes ago | | anakata_elastic-data-node02_1
d07a2365c7dd | tianon/true | "/true" | 5 minutes ago | Exited (0) 5 minutes ago | | anakata_elastic-data-master_1

docker-compose logs

elasticsearch-node01_1 | [2016-11-24 18:53:52,708][INFO ][transport ] [elasticsearch-node01] publish_address {172.17.0.4:9300}, bound_addresses {172.17.0.4:9300} elasticsearch-node01_1 | [2016-11-24 18:53:52,713][INFO ][discovery ] [elasticsearch-node01] bro/_B_UE7R0TJeG-Vxih_UtZg elasticsearch-master_1 | at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) elasticsearch-node01_1 | [2016-11-24 18:54:22,715][WARN ][discovery ] [elasticsearch-node01] waited for 30s and no initial state was set by the discovery elasticsearch-node01_1 | [2016-11-24 18:54:24,652][INFO ][http ] [elasticsearch-node01] publish_address {172.17.0.4:9200}, bound_addresses {172.17.0.4:9200} elasticsearch-master_1 | at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) nginx_1 | 172.17.0.7 - - [24/Nov/2016:18:55:30 +0000] "HEAD / HTTP/1.1" 200 0 "-" "-" elasticsearch-node01_1 | [2016-11-24 18:54:24,652][INFO ][node ] [elasticsearch-node01] started elasticsearch-node01_1 | [2016-11-24 18:54:31,208][INFO ][cluster.service ] [elasticsearch-node01] detected_master {elasticsearch-master}{rceCZ0J1SauMgZWI-7GXRg}{172.17.0.2}{172.17.0.2:9300}, added {{elasticsearch-node02}{k-B7bvykSYS1e3BB_01rZA}{172.17.0.5}{172.17.0.5:9300},{elasticsearch-master}{rceCZ0J1SauMgZWI-7GXRg}{172.17.0.2}{172.17.0.2:9300},}, reason: zen-disco-receive(from master [{elasticsearch-master}{rceCZ0J1SauMgZWI-7GXRg}{172.17.0.2}{172.17.0.2:9300}]) elasticsearch-master_1 | at java.lang.Thread.run(Thread.java:745) nginx_1 | 172.17.0.7 - - [24/Nov/2016:18:55:30 +0000] "GET /_nodes HTTP/1.1" 200 10137 "-" "-" kibana-config_1 | Thu, 24 Nov 2016 18:55:02 GMT | dump complete elasticsearch-master_1 | [2016-11-24 18:54:19,576][DEBUG][action.admin.indices.mapping.put] [elasticsearch-master] failed to put mappings on indices [[.kibana]], type [visualization] elasticsearch-master_1 | ProcessClusterEventTimeoutException[failed to process cluster event (put-mapping [visualization]) within 
30s] nginx_1 | 172.17.0.7 - - [24/Nov/2016:18:55:30 +0000] "GET /_cluster/health/.kibana?timeout=5s HTTP/1.1" 200 380 "-" "-" elasticsearch-master_1 | at org.elasticsearch.cluster.service.InternalClusterService$2$1.run(InternalClusterService.java:349) elasticsearch-master_1 | at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) elasticsearch-master_1 | at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) nginx_1 | 172.17.0.7 - - [24/Nov/2016:18:55:30 +0000] "POST /.kibana/config/_search HTTP/1.1" 200 385 "-" "-" elasticsearch-master_1 | at java.lang.Thread.run(Thread.java:745) elasticsearch-master_1 | [2016-11-24 18:54:19,576][DEBUG][action.index ] [elasticsearch-master] failed to execute [index {[.kibana][visualization][file-mime-type-table], source[{"title":"file mime type table","visState":"{\"title\":\"New Visualization\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"date_histogram\",\"schema\":\"bucket\",\"params\":{\"field\":\"ts\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"mime_type\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}","uiStateJSON":"{}","description":"","savedSearchId":"files","version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"}}]}] on [[.kibana][0]] elasticsearch-master_1 | ProcessClusterEventTimeoutException[failed to process cluster event (put-mapping [visualization]) within 30s] elasticsearch-master_1 | at org.elasticsearch.cluster.service.InternalClusterService$2$1.run(InternalClusterService.java:349) nginx_1 | 172.17.0.7 - - [24/Nov/2016:18:55:33 +0000] "HEAD / HTTP/1.1" 200 0 "-" "-" elasticsearch-master_1 | at 
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) elasticsearch-master_1 | at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) elasticsearch-master_1 | at java.lang.Thread.run(Thread.java:745) elasticsearch-master_1 | [2016-11-24 18:54:19,576][DEBUG][action.admin.indices.mapping.put] [elasticsearch-master] failed to put mappings on indices [[.kibana]], type [visualization] nginx_1 | 172.17.0.7 - - [24/Nov/2016:18:55:33 +0000] "GET /_nodes HTTP/1.1" 200 10137 "-" "-" elasticsearch-master_1 | ProcessClusterEventTimeoutException[failed to process cluster event (put-mapping [visualization]) within 30s] elasticsearch-master_1 | at org.elasticsearch.cluster.service.InternalClusterService$2$1.run(InternalClusterService.java:349) nginx_1 | 172.17.0.7 - - [24/Nov/2016:18:55:33 +0000] "GET /_cluster/health/.kibana?timeout=5s HTTP/1.1" 200 380 "-" "-" elasticsearch-master_1 | at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) elasticsearch-master_1 | at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) nginx_1 | 172.17.0.7 - - [24/Nov/2016:18:55:33 +0000] "POST /.kibana/config/_search HTTP/1.1" 200 386 "-" "-" elasticsearch-master_1 | at java.lang.Thread.run(Thread.java:745) elasticsearch-master_1 | [2016-11-24 18:54:19,576][DEBUG][action.admin.indices.mapping.put] [elasticsearch-master] failed to put mappings on indices [[.kibana]], type [visualization] nginx_1 | 172.17.0.7 - - [24/Nov/2016:18:55:35 +0000] "HEAD / HTTP/1.1" 200 0 "-" "-" elasticsearch-master_1 | ProcessClusterEventTimeoutException[failed to process cluster event (put-mapping [visualization]) within 30s] nginx_1 | 172.17.0.7 - - [24/Nov/2016:18:55:35 +0000] "GET /_nodes HTTP/1.1" 200 10137 "-" "-" elasticsearch-master_1 | at org.elasticsearch.cluster.service.InternalClusterService$2$1.run(InternalClusterService.java:349) nginx_1 | 172.17.0.7 - - [24/Nov/2016:18:55:35 +0000] "GET 
/_cluster/health/.kibana?timeout=5s HTTP/1.1" 200 380 "-" "-" elasticsearch-master_1 | at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) nginx_1 | 172.17.0.7 - - [24/Nov/2016:18:55:36 +0000] "POST /.kibana/config/_search HTTP/1.1" 200 385 "-" "-" elasticsearch-master_1 | at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) nginx_1 | 172.17.0.7 - - [24/Nov/2016:18:55:38 +0000] "HEAD / HTTP/1.1" 200 0 "-" "-" elasticsearch-master_1 | at java.lang.Thread.run(Thread.java:745) elasticsearch-master_1 | [2016-11-24 18:54:19,578][DEBUG][action.index ] [elasticsearch-master] failed to execute [index {[.kibana][visualization][unknown-resp-host], source[{"title":"unknown resp host","visState":"{\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"id_resp_h\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{},\"title\":\"unknown resp host\"}","uiStateJSON":"{}","description":"","savedSearchId":"undetected-connection","version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"}}]}] on [[.kibana][0]] nginx_1 | 172.17.0.7 - - [24/Nov/2016:18:55:38 +0000] "GET /_nodes HTTP/1.1" 200 10137 "-" "-" elasticsearch-master_1 | ProcessClusterEventTimeoutException[failed to process cluster event (put-mapping [visualization]) within 30s] elasticsearch-master_1 | at org.elasticsearch.cluster.service.InternalClusterService$2$1.run(InternalClusterService.java:349) elasticsearch-master_1 | at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) elasticsearch-master_1 | at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) elasticsearch-master_1 | at java.lang.Thread.run(Thread.java:745) elasticsearch-master_1 | [2016-11-24 
18:54:19,576][DEBUG][action.index ] [elasticsearch-master] failed to execute [index {[.kibana][visualization][notice-note], source[{"title":"notice note","visState":"{\"aggs\":[{\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"id\":\"2\",\"params\":{\"customInterval\":\"2h\",\"extended_bounds\":{},\"field\":\"ts\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"id\":\"3\",\"params\":{\"field\":\"note\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"interpolate\":\"linear\",\"mode\":\"stacked\",\"scale\":\"linear\",\"setYExtents\":false,\"shareYAxis\":true,\"smoothLines\":true,\"times\":[],\"yAxis\":{}},\"type\":\"area\",\"title\":\"notice note\"}","uiStateJSON":"{}","description":"","savedSearchId":"notice","version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"}}]}] on [[.kibana][0]] elasticsearch-master_1 | ProcessClusterEventTimeoutException[failed to process cluster event (put-mapping [visualization]) within 30s] elasticsearch-master_1 | at org.elasticsearch.cluster.service.InternalClusterService$2$1.run(InternalClusterService.java:349) elasticsearch-master_1 | at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) elasticsearch-master_1 | at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) elasticsearch-master_1 | at java.lang.Thread.run(Thread.java:745) elasticsearch-master_1 | [2016-11-24 18:54:19,577][DEBUG][action.index ] [elasticsearch-master] failed to execute [index {[.kibana][visualization][file-source-count], source[{"title":"file source count","visState":"{\"title\":\"file mime type 
count\",\"type\":\"area\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"smoothLines\":true,\"scale\":\"linear\",\"interpolate\":\"linear\",\"mode\":\"stacked\",\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false,\"yAxis\":{}},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"ts\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"source\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}","uiStateJSON":"{}","description":"","savedSearchId":"files","version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"}}]}] on [[.kibana][0]] elasticsearch-master_1 | ProcessClusterEventTimeoutException[failed to process cluster event (put-mapping [visualization]) within 30s] nginx_1 | 172.17.0.7 - - [24/Nov/2016:18:55:38 +0000] "GET /_cluster/health/.kibana?timeout=5s HTTP/1.1" 200 380 "-" "-" elasticsearch-master_1 | at org.elasticsearch.cluster.service.InternalClusterService$2$1.run(InternalClusterService.java:349) elasticsearch-master_1 | at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) elasticsearch-master_1 | at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) elasticsearch-master_1 | at java.lang.Thread.run(Thread.java:745) elasticsearch-master_1 | [2016-11-24 18:54:19,580][WARN ][rest.suppressed ] path: /.kibana/visualization/notice-note, params: {index=.kibana, id=notice-note, type=visualization} elasticsearch-master_1 | RemoteTransportException[[elasticsearch-master][172.17.0.2:9300][indices:data/write/index[p]]]; nested: ProcessClusterEventTimeoutException[failed to process cluster event (put-mapping [visualization]) within 30s]; elasticsearch-master_1 | Caused by: 
ProcessClusterEventTimeoutException[failed to process cluster event (put-mapping [visualization]) within 30s] elasticsearch-master_1 | at org.elasticsearch.cluster.service.InternalClusterService$2$1.run(InternalClusterService.java:349) elasticsearch-master_1 | at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) nginx_1 | 172.17.0.7 - - [24/Nov/2016:18:55:38 +0000] "POST /.kibana/config/_search HTTP/1.1" 200 386 "-" "-" nginx_1 | 172.17.0.7 - - [24/Nov/2016:18:55:41 +0000] "HEAD / HTTP/1.1" 200 0 "-" "-" nginx_1 | 172.17.0.7 - - [24/Nov/2016:18:55:41 +0000] "GET /_nodes HTTP/1.1" 200 10137 "-" "-" nginx_1 | 172.17.0.7 - - [24/Nov/2016:18:55:41 +0000] "GET /_cluster/health/.kibana?timeout=5s HTTP/1.1" 200 380 "-" "-" elasticsearch-master_1 | at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) nginx_1 | 172.17.0.7 - - [24/Nov/2016:18:55:41 +0000] "POST /.kibana/config/_search HTTP/1.1" 200 386 "-" "-" nginx_1 | 172.17.0.7 - - [24/Nov/2016:18:55:43 +0000] "HEAD / HTTP/1.1" 200 0 "-" "-" nginx_1 | 172.17.0.7 - - [24/Nov/2016:18:55:43 +0000] "GET /_nodes HTTP/1.1" 200 10137 "-" "-" nginx_1 | 172.17.0.7 - - [24/Nov/2016:18:55:43 +0000] "GET /_cluster/health/.kibana?timeout=5s HTTP/1.1" 200 380 "-" "-" nginx_1 | 172.17.0.7 - - [24/Nov/2016:18:55:43 +0000] "POST /.kibana/config/_search HTTP/1.1" 200 385 "-" "-" nginx_1 | 172.17.0.7 - - [24/Nov/2016:18:55:46 +0000] "HEAD / HTTP/1.1" 200 0 "-" "-" nginx_1 | 172.17.0.7 - - [24/Nov/2016:18:55:46 +0000] "GET /_nodes HTTP/1.1" 200 10137 "-" "-" nginx_1 | 172.17.0.7 - - [24/Nov/2016:18:55:46 +0000] "GET /_cluster/health/.kibana?timeout=5s HTTP/1.1" 200 380 "-" "-" elasticsearch-master_1 | at java.lang.Thread.run(Thread.java:745) nginx_1 | 172.17.0.7 - - [24/Nov/2016:18:55:46 +0000] "POST /.kibana/config/_search HTTP/1.1" 200 385 "-" "-" elasticsearch-master_1 | [2016-11-24 18:54:19,580][WARN ][rest.suppressed ] path: /.kibana/visualization/unknown-resp-host, params: 
{index=.kibana, id=unknown-resp-host, type=visualization} elasticsearch-master_1 | RemoteTransportException[[elasticsearch-master][172.17.0.2:9300][indices:data/write/index[p]]]; nested: ProcessClusterEventTimeoutException[failed to process cluster event (put-mapping [visualization]) within 30s]; elasticsearch-master_1 | Caused by: ProcessClusterEventTimeoutException[failed to process cluster event (put-mapping [visualization]) within 30s] elasticsearch-master_1 | at org.elasticsearch.cluster.service.InternalClusterService$2$1.run(InternalClusterService.java:349) elasticsearch-master_1 | at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) elasticsearch-master_1 | at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) elasticsearch-master_1 | at java.lang.Thread.run(Thread.java:745) elasticsearch-master_1 | [2016-11-24 18:54:19,581][WARN ][rest.suppressed ] path: /.kibana/visualization/file-mime-type-table, params: {index=.kibana, id=file-mime-type-table, type=visualization} elasticsearch-master_1 | RemoteTransportException[[elasticsearch-master][172.17.0.2:9300][indices:data/write/index[p]]]; nested: ProcessClusterEventTimeoutException[failed to process cluster event (put-mapping [visualization]) within 30s]; elasticsearch-master_1 | Caused by: ProcessClusterEventTimeoutException[failed to process cluster event (put-mapping [visualization]) within 30s] elasticsearch-master_1 | at org.elasticsearch.cluster.service.InternalClusterService$2$1.run(InternalClusterService.java:349) elasticsearch-master_1 | at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) elasticsearch-master_1 | at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) elasticsearch-master_1 | at java.lang.Thread.run(Thread.java:745) elasticsearch-master_1 | [2016-11-24 18:54:19,580][WARN ][rest.suppressed ] path: /.kibana/visualization/file-source-count, params: {index=.kibana, 
id=file-source-count, type=visualization} elasticsearch-master_1 | RemoteTransportException[[elasticsearch-master][172.17.0.2:9300][indices:data/write/index[p]]]; nested: ProcessClusterEventTimeoutException[failed to process cluster event (put-mapping [visualization]) within 30s]; elasticsearch-master_1 | Caused by: ProcessClusterEventTimeoutException[failed to process cluster event (put-mapping [visualization]) within 30s] elasticsearch-master_1 | at org.elasticsearch.cluster.service.InternalClusterService$2$1.run(InternalClusterService.java:349) elasticsearch-master_1 | at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) elasticsearch-master_1 | at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) elasticsearch-master_1 | at java.lang.Thread.run(Thread.java:745) elasticsearch-master_1 | [2016-11-24 18:54:26,502][WARN ][cluster.service ] [elasticsearch-master] cluster state update task [shard-started ([.kibana][3], node[rceCZ0J1SauMgZWI-7GXRg], [P], v[1], s[INITIALIZING], a[id=U2rhY-uwSZivBr9O1fdPDQ], unassigned_info[[reason=INDEX_CREATED], at[2016-11-24T18:53:22.445Z]]), reason [after recovery from store],shard-started ([.kibana][1], node[rceCZ0J1SauMgZWI-7GXRg], [P], v[1], s[INITIALIZING], a[id=cjQih32_QeOJB4iptcVLJQ], unassigned_info[[reason=INDEX_CREATED], at[2016-11-24T18:53:22.445Z]]), reason [after recovery from store],shard-started ([.kibana][2], node[rceCZ0J1SauMgZWI-7GXRg], [P], v[1], s[INITIALIZING], a[id=pnRlEjcsT_WvlQDWjQHD1g], unassigned_info[[reason=INDEX_CREATED], at[2016-11-24T18:53:22.445Z]]), reason [after recovery from store]] took 37s above the warn threshold of 30s elasticsearch-master_1 | [2016-11-24 18:54:26,504][INFO ][cluster.routing.allocation] [elasticsearch-master] Cluster health status changed from [RED] to [YELLOW] (reason: [shards started [[.kibana][4], [.kibana][4]] ...]). 
elasticsearch-master_1 | [2016-11-24 18:54:31,189][INFO ][cluster.service ] [elasticsearch-master] added {{elasticsearch-node02}{k-B7bvykSYS1e3BB_01rZA}{172.17.0.5}{172.17.0.5:9300},{elasticsearch-node01}{_B_UE7R0TJeG-Vxih_UtZg}{172.17.0.4}{172.17.0.4:9300},}, reason: zen-disco-join(join from node[{elasticsearch-node02}{k-B7bvykSYS1e3BB_01rZA}{172.17.0.5}{172.17.0.5:9300}]) elasticsearch-master_1 | [2016-11-24 18:54:34,705][INFO ][cluster.metadata ] [elasticsearch-master] [.kibana] create_mapping [visualization] elasticsearch-master_1 | [2016-11-24 18:54:49,115][INFO ][cluster.metadata ] [elasticsearch-master] [.kibana] create_mapping [config] elasticsearch-master_1 | [2016-11-24 18:54:49,120][INFO ][cluster.metadata ] [elasticsearch-master] [.kibana] create_mapping [search] elasticsearch-master_1 | [2016-11-24 18:54:52,814][INFO ][cluster.routing.allocation] [elasticsearch-master] Cluster health status changed from [YELLOW] to [GREEN] (reason: [shards started [[.kibana][4]] ...]). elasticsearch-master_1 | [2016-11-24 18:54:53,250][INFO ][cluster.metadata ] [elasticsearch-master] [.kibana] create_mapping [dashboard] elasticsearch-master_1 | [2016-11-24 18:54:54,538][INFO ][cluster.metadata ] [elasticsearch-master] [.kibana] create_mapping [index-pattern]

danielguerra69 commented 7 years ago

First, to know your network interfaces, use the command

ifconfig

On Linux/Docker the normal one is eth0

I would do a tcpdump without nc to see what the output is

tcpdump -i eth0 -vv

If any data comes into port 1969, it's written in the bro container in /bro/pcap

After a while you should see new index reports ([conn], [ssl]) in the elastic-master logs

Make sure you can ping 10.0.0.27 from where you are doing your tcpdump.

Maybe check telnet 10.0.0.27 1969 to check if it's listening

On 24 Nov 2016, at 19:56, alxbob notifications@github.com wrote:

My nc is tcpdump -i eth1 -s 0 -w /dev/stdout | nc 10.0.0.27 1969; I also tried tcpdump -i eth1 -s 0 -w - | nc 10.0.0.27 1969

docker ps -a

CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
6e7ca01b5e4e danielguerra/bro-debian-elasticsearch "/role/xinetd-elastic" 39 seconds ago Up 30 seconds 22/tcp, 47761-47762/tcp, 0.0.0.0:1969->1969/tcp anakata_bro-xinitd_1
fbda57c2c830 danielguerra/bro-debian-elasticsearch "/scripts/bro-mapping" 39 seconds ago Exited (0) 29 seconds ago anakata_bro-mapping_1
1a2c2b0a5b8c kibana:4.6 "/docker-entrypoint.s" 39 seconds ago Up 31 seconds 0.0.0.0:5601->5601/tcp anakata_kibana_1
c4dd6ae4214f danielguerra/bro-elasticsearch-nginx "nginx -g 'daemon off" About a minute ago Up 40 seconds 80/tcp, 0.0.0.0:9200->9200/tcp, 443/tcp, 0.0.0.0:9300->9300/tcp anakata_nginx_1
87b9b0af6948 danielguerra/alpine-elasticsearch "docker-entrypoint.sh" 2 minutes ago Up 2 minutes 9200/tcp, 9300/tcp anakata_elasticsearch-node02_1
066fae96562b danielguerra/alpine-elasticsearch "docker-entrypoint.sh" 2 minutes ago Up About a minute 9200/tcp, 9300/tcp anakata_elasticsearch-node01_1
a5d49aeb446e danielguerra/bro-kibana-config "/start.sh" 2 minutes ago Exited (0) 21 seconds ago anakata_kibana-config_1
527f0121e7ce danielguerra/alpine-elasticsearch "docker-entrypoint.sh" 3 minutes ago Up 2 minutes 9200/tcp, 9300/tcp anakata_elasticsearch-master_1
588cec1fa970 tianon/true "/true" 5 minutes ago Exited (0) 5 minutes ago anakata_elastic-data-node01_1
edcac2019405 tianon/true "/true" 5 minutes ago Exited (0) 5 minutes ago anakata_elastic-data-node02_1
d07a2365c7dd tianon/true "/true" 5 minutes ago Exited (0) 5 minutes ago anakata_elastic-data-master_1

docker-compose logs

GMT"},"remoteAddress":"10.8.0.2","userAgent":"10.8.0.2","referer":"http://10.0.0.27:5601/app/kibana"},"res":{"statusCode":304,"responseTime":2,"contentLength":9},"message":"GET http://10.0.0.27:5601/app/kibana%22%7D,%22res%22:%7B%22statusCode%22:304,%22responseTime%22:2,%22contentLength%22:9%7D,%22message%22:%22GET /bundles/src/ui/public/images/kibana.svg 304 2ms - 9.0B"} bro-mapping_1 | "version" : { bro-mapping_1 | "number" : "2.4.1", nginx_1 | 172.17.0.8 - - [24/Nov/2016:18:54:53 +0000] "GET / HTTP/1.1" 200 364 "-" "curl/7.38.0" elasticsearch-node02_1 | [2016-11-24 18:53:44,580][INFO ][discovery ] [elasticsearch-node02] bro/k-B7bvykSYS1e3BB_01rZA kibana_1 | {"type":"response","@timestamp https://github.com/timestamp":"2016-11-24T18:55:08Z","tags":[],"pid":11,"method":"post","statusCode":200,"req":{"url":"/elasticsearch/_mget?timeout=0&ignore_unavailable=true&preference=1480013677113","method":"post","headers":{"host":"10.0.0.27:5601","user-agent":"Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0","accept":"application/json, text/plain, /","accept-language":"en-US,en;q=0.5","accept-encoding":"gzip, deflate","content-type":"application/json;charset=utf-8","kbn-version":"4.6.3","referer":"http://10.0.0.27:5601/app/kibana","content-length":"62","connection":"keep-alive"},"remoteAddress":"10.8.0.2","userAgent":"10.8.0.2","referer":"http://10.0.0.27:5601/app/kibana"},"res":{"statusCode":200,"responseTime":38,"contentLength":9},"message":"POST http://10.0.0.27:5601/app/kibana%22,%22content-length%22:%2262%22,%22connection%22:%22keep-alive%22%7D,%22remoteAddress%22:%2210.8.0.2%22,%22userAgent%22:%2210.8.0.2%22,%22referer%22:%22http://10.0.0.27:5601/app/kibana%22%7D,%22res%22:%7B%22statusCode%22:200,%22responseTime%22:38,%22contentLength%22:9%7D,%22message%22:%22POST /elasticsearch/_mget?timeout=0&ignore_unavailable=true&preference=1480013677113 200 38ms - 9.0B"} nginx_1 | 172.17.0.8 - - [24/Nov/2016:18:54:54 +0000] "PUT /_template/fixstrings_bro 
HTTP/1.1" 200 46 "-" "curl/7.38.0" elasticsearch-node02_1 | [2016-11-24 18:54:14,584][WARN ][discovery ] [elasticsearch-node02] waited for 30s and no initial state was set by the discovery elasticsearch-node02_1 | [2016-11-24 18:54:14,593][INFO ][http ] [elasticsearch-node02] publish_address {172.17.0.5:9200}, bound_addresses {172.17.0.5:9200} kibana_1 | {"type":"response","@timestamp https://github.com/timestamp":"2016-11-24T18:55:09Z","tags":[],"pid":11,"method":"post","statusCode":200,"req":{"url":"/elasticsearch/.kibana/index-pattern/_search?fields=","method":"post","headers":{"host":"10.0.0.27:5601","user-agent":"Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0","accept":"application/json, text/plain, /","accept-language":"en-US,en;q=0.5","accept-encoding":"gzip, deflate","content-type":"application/json;charset=utf-8","kbn-version":"4.6.3","referer":"http://10.0.0.27:5601/app/kibana","content-length":"39","connection":"keep-alive"},"remoteAddress":"10.8.0.2","userAgent":"10.8.0.2","referer":"http://10.0.0.27:5601/app/kibana"},"res":{"statusCode":200,"responseTime":61,"contentLength":9},"message":"POST http://10.0.0.27:5601/app/kibana%22,%22content-length%22:%2239%22,%22connection%22:%22keep-alive%22%7D,%22remoteAddress%22:%2210.8.0.2%22,%22userAgent%22:%2210.8.0.2%22,%22referer%22:%22http://10.0.0.27:5601/app/kibana%22%7D,%22res%22:%7B%22statusCode%22:200,%22responseTime%22:61,%22contentLength%22:9%7D,%22message%22:%22POST /elasticsearch/.kibana/index-pattern/_search?fields= 200 61ms - 9.0B"} nginx_1 | 172.17.0.7 - - [24/Nov/2016:18:54:55 +0000] "HEAD / HTTP/1.1" 200 0 "-" "-" elasticsearch-node02_1 | [2016-11-24 18:54:14,593][INFO ][node ] [elasticsearch-node02] started elasticsearch-node02_1 | [2016-11-24 18:54:31,209][INFO ][cluster.service ] [elasticsearch-node02] detected_master {elasticsearch-master}{rceCZ0J1SauMgZWI-7GXRg}{172.17.0.2}{172.17.0.2:9300}, added 
{{elasticsearch-master}{rceCZ0J1SauMgZWI-7GXRg}{172.17.0.2}{172.17.0.2:9300},{elasticsearch-node01}{_B_UE7R0TJeG-Vxih_UtZg}{172.17.0.4}{172.17.0.4:9300},}, reason: zen-disco-receive(from master [{elasticsearch-master}{rceCZ0J1SauMgZWI-7GXRg}{172.17.0.2}{172.17.0.2:9300}]) kibana_1 | {"type":"response","@timestamp https://github.com/timestamp":"2016-11-24T18:55:09Z","tags":[],"pid":11,"method":"get","statusCode":200,"req":{"url":"/elasticsearch/.kibana/_mapping//field/source?=1480013677958","method":"get","headers":{"host":"10.0.0.27:5601","user-agent":"Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0","accept":"application/json, text/plain, /","accept-language":"en-US,en;q=0.5","accept-encoding":"gzip, deflate","kbn-version":"4.6.3","referer":"http://10.0.0.27:5601/app/kibana","connection":"keep-alive"},"remoteAddress":"10.8.0.2","userAgent":"10.8.0.2","referer":"http://10.0.0.27:5601/app/kibana"},"res":{"statusCode":200,"responseTime":16,"contentLength":9},"message":"GET http://10.0.0.27:5601/app/kibana%22,%22connection%22:%22keep-alive%22%7D,%22remoteAddress%22:%2210.8.0.2%22,%22userAgent%22:%2210.8.0.2%22,%22referer%22:%22http://10.0.0.27:5601/app/kibana%22%7D,%22res%22:%7B%22statusCode%22:200,%22responseTime%22:16,%22contentLength%22:9%7D,%22message%22:%22GET /elasticsearch/.kibana/_mapping//field/source?=1480013677958 200 16ms - 9.0B"} nginx_1 | 172.17.0.7 - - [24/Nov/2016:18:54:55 +0000] "GET /_nodes HTTP/1.1" 200 10137 "-" "-" bro-mapping_1 | "build_hash" : "c67dc32e24162035d18d6fe1e952c4cbcbe79d16", bro-mapping_1 | "build_timestamp" : "2016-09-27T18:57:55Z", kibana_1 | {"type":"response","@timestamp https://github.com/timestamp":"2016-11-24T18:55:09Z","tags":[],"pid":11,"method":"post","statusCode":200,"req":{"url":"/elasticsearch/_mget?timeout=0&ignore_unavailable=true&preference=1480013677113","method":"post","headers":{"host":"10.0.0.27:5601","user-agent":"Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 
Firefox/45.0","accept":"application/json, text/plain, /","accept-language":"en-US,en;q=0.5","accept-encoding":"gzip, deflate","content-type":"application/json;charset=utf-8","kbn-version":"4.6.3","referer":"http://10.0.0.27:5601/app/kibana","content-length":"69","connection":"keep-alive"},"remoteAddress":"10.8.0.2","userAgent":"10.8.0.2","referer":"http://10.0.0.27:5601/app/kibana"},"res":{"statusCode":200,"responseTime":16,"contentLength":9},"message":"POST http://10.0.0.27:5601/app/kibana%22,%22content-length%22:%2269%22,%22connection%22:%22keep-alive%22%7D,%22remoteAddress%22:%2210.8.0.2%22,%22userAgent%22:%2210.8.0.2%22,%22referer%22:%22http://10.0.0.27:5601/app/kibana%22%7D,%22res%22:%7B%22statusCode%22:200,%22responseTime%22:16,%22contentLength%22:9%7D,%22message%22:%22POST /elasticsearch/_mget?timeout=0&ignore_unavailable=true&preference=1480013677113 200 16ms - 9.0B"} nginx_1 | 172.17.0.7 - - [24/Nov/2016:18:54:55 +0000] "GET /_cluster/health/.kibana?timeout=5s HTTP/1.1" 200 384 "-" "-" bro-mapping_1 | "build_snapshot" : false, bro-mapping_1 | "lucene_version" : "5.5.2" kibana_1 | {"type":"response","@timestamp https://github.com/timestamp":"2016-11-24T18:55:10Z","tags":[],"pid":11,"method":"get","statusCode":304,"req":{"url":"/bundles/node_modules/font-awesome/fonts/fontawesome-webfont.woff2","method":"get","headers":{"host":"10.0.0.27:5601","user-agent":"Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0","accept":"application/font-woff2;q=1.0,application/font-woff;q=0.9,/;q=0.8","accept-language":"en-US,en;q=0.5","accept-encoding":"identity","referer":"http://10.0.0.27:5601/bundles/commons.style.css?v=10154","connection":"keep-alive","if-modified-since":"Fri http://10.0.0.27:5601/bundles/commons.style.css?v=10154%22,%22connection%22:%22keep-alive%22,%22if-modified-since%22:%22Fri, 04 Nov 2016 15:24:00 
GMT","if-none-match":""574ea2698c03ae9477db2ea3baf460ee32f1a7ea""},"remoteAddress":"10.8.0.2","userAgent":"10.8.0.2","referer":"http://10.0.0.27:5601/bundles/commons.style.css?v=10154"},"res":{"statusCode":304,"responseTime":3,"contentLength":9},"message":"GET http://10.0.0.27:5601/bundles/commons.style.css?v=10154%22%7D,%22res%22:%7B%22statusCode%22:304,%22responseTime%22:3,%22contentLength%22:9%7D,%22message%22:%22GET /bundles/node_modules/font-awesome/fonts/fontawesome-webfont.woff2 304 3ms - 9.0B"} nginx_1 | 172.17.0.7 - - [24/Nov/2016:18:54:55 +0000] "POST /.kibana/config/_search HTTP/1.1" 200 254 "-" "-" nginx_1 | 172.17.0.7 - - [24/Nov/2016:18:55:02 +0000] "POST /.kibana/config/4.6.3?op_type=create HTTP/1.1" 201 127 "-" "-" nginx_1 | 172.17.0.7 - - [24/Nov/2016:18:55:05 +0000] "HEAD / HTTP/1.1" 200 0 "-" "-" nginx_1 | 172.17.0.7 - - [24/Nov/2016:18:55:05 +0000] "GET /_nodes HTTP/1.1" 200 10137 "-" "-" nginx_1 | 172.17.0.7 - - [24/Nov/2016:18:55:05 +0000] "GET /_cluster/health/.kibana?timeout=5s HTTP/1.1" 200 380 "-" "-" nginx_1 | 172.17.0.7 - - [24/Nov/2016:18:55:05 +0000] "POST /.kibana/config/_search HTTP/1.1" 200 386 "-" "-" nginx_1 | 172.17.0.7 - - [24/Nov/2016:18:55:07 +0000] "HEAD / HTTP/1.1" 200 0 "-" "-" nginx_1 | 172.17.0.7 - - [24/Nov/2016:18:55:07 +0000] "GET /_nodes HTTP/1.1" 200 10137 "-" "-" nginx_1 | 172.17.0.7 - - [24/Nov/2016:18:55:08 +0000] "GET /_cluster/health/.kibana?timeout=5s HTTP/1.1" 200 380 "-" "-" nginx_1 | 172.17.0.7 - - [24/Nov/2016:18:55:08 +0000] "POST /.kibana/config/_search HTTP/1.1" 200 386 "-" "-" nginx_1 | 172.17.0.7 - - [24/Nov/2016:18:55:08 +0000] "POST /_mget?timeout=0&ignore_unavailable=true&preference=1480013677113 HTTP/1.1" 200 140 "http://10.0.0.27:5601/app/kibana http://10.0.0.27:5601/app/kibana" "Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0" nginx_1 | 172.17.0.7 - - [24/Nov/2016:18:55:09 +0000] "POST /.kibana/index-pattern/_search?fields= HTTP/1.1" 200 193 "http://10.0.0.27:5601/app/kibana 
http://10.0.0.27:5601/app/kibana" "Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0" nginx_1 | 172.17.0.7 - - [24/Nov/2016:18:55:09 +0000] "GET /.kibana/_mapping//field/source?=1480013677958 HTTP/1.1" 200 333 "http://10.0.0.27:5601/app/kibana http://10.0.0.27:5601/app/kibana" "Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0" kibana_1 | {"type":"response","@timestamp https://github.com/timestamp":"2016-11-24T18:55:10Z","tags":[],"pid":11,"method":"post","statusCode":200,"req":{"url":"/elasticsearch/bro-/_field_stats?level=indices","method":"post","headers":{"host":"10.0.0.27:5601","user-agent":"Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0","accept":"application/json, text/plain, /","accept-language":"en-US,en;q=0.5","accept-encoding":"gzip, deflate","content-type":"application/json;charset=utf-8","kbn-version":"4.6.3","referer":"http://10.0.0.27:5601/app/kibana","content-length":"162","connection":"keep-alive"},"remoteAddress":"10.8.0.2","userAgent":"10.8.0.2","referer":"http://10.0.0.27:5601/app/kibana"},"res":{"statusCode":200,"responseTime":10,"contentLength":9},"message":"POST http://10.0.0.27:5601/app/kibana%22,%22content-length%22:%22162%22,%22connection%22:%22keep-alive%22%7D,%22remoteAddress%22:%2210.8.0.2%22,%22userAgent%22:%2210.8.0.2%22,%22referer%22:%22http://10.0.0.27:5601/app/kibana%22%7D,%22res%22:%7B%22statusCode%22:200,%22responseTime%22:10,%22contentLength%22:9%7D,%22message%22:%22POST /elasticsearch/bro-/_field_stats?level=indices 200 10ms - 9.0B"} kibana_1 | {"type":"response","@timestamp https://github.com/timestamp":"2016-11-24T18:55:10Z","tags":[],"pid":11,"method":"post","statusCode":200,"req":{"url":"/elasticsearch/_msearch?timeout=0&ignore_unavailable=true&preference=1480013677113","method":"post","headers":{"host":"10.0.0.27:5601","user-agent":"Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0","accept":"application/json, text/plain, 
/","accept-language":"en-US,en;q=0.5","accept-encoding":"gzip, deflate","content-type":"application/json;charset=utf-8","kbn-version":"4.6.3","referer":"http://10.0.0.27:5601/app/kibana","content-length":"798","connection":"keep-alive"},"remoteAddress":"10.8.0.2","userAgent":"10.8.0.2","referer":"http://10.0.0.27:5601/app/kibana"},"res":{"statusCode":200,"responseTime":13,"contentLength":9},"message":"POST http://10.0.0.27:5601/app/kibana%22,%22content-length%22:%22798%22,%22connection%22:%22keep-alive%22%7D,%22remoteAddress%22:%2210.8.0.2%22,%22userAgent%22:%2210.8.0.2%22,%22referer%22:%22http://10.0.0.27:5601/app/kibana%22%7D,%22res%22:%7B%22statusCode%22:200,%22responseTime%22:13,%22contentLength%22:9%7D,%22message%22:%22POST /elasticsearch/_msearch?timeout=0&ignore_unavailable=true&preference=1480013677113 200 13ms - 9.0B"} bro-mapping_1 | }, bro-mapping_1 | "tagline" : "You Know, for Search" bro-mapping_1 | } bro-mapping_1 | Elasticsearch is up - executing command bro-mapping_1 | % Total % Received % Xferd Average Speed Time Time Time Current bro-mapping_1 | Dload Upload Total Spent Left Speed 100 2438 100 21 100 2417 20 2314 0:00:01 0:00:01 --:--:-- 2315 bro-mapping_1 | {"acknowledged":true} nginx_1 | 172.17.0.7 - - [24/Nov/2016:18:55:09 +0000] "POST /_mget?timeout=0&ignore_unavailable=true&preference=1480013677113 HTTP/1.1" 200 28865 "http://10.0.0.27:5601/app/kibana http://10.0.0.27:5601/app/kibana" "Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0" nginx_1 | 172.17.0.7 - - [24/Nov/2016:18:55:10 +0000] "POST /bro-*/_field_stats?level=indices HTTP/1.1" 200 62 "http://10.0.0.27:5601/app/kibana http://10.0.0.27:5601/app/kibana" "Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0" nginx_1 | 172.17.0.7 - - [24/Nov/2016:18:55:10 +0000] "HEAD / HTTP/1.1" 200 0 "-" "-" nginx_1 | 172.17.0.7 - - [24/Nov/2016:18:55:10 +0000] "GET /_nodes HTTP/1.1" 200 10137 "-" "-" nginx_1 | 172.17.0.7 - - [24/Nov/2016:18:55:10 +0000] "GET 
/_cluster/health/.kibana?timeout=5s HTTP/1.1" 200 380 "-" "-" nginx_1 | 172.17.0.7 - - [24/Nov/2016:18:55:10 +0000] "POST /.kibana/config/_search HTTP/1.1" 200 386 "-" "-" nginx_1 | 172.17.0.7 - - [24/Nov/2016:18:55:10 +0000] "POST /_msearch?timeout=0&ignore_unavailable=true&preference=1480013677113 HTTP/1.1" 200 137 "http://10.0.0.27:5601/app/kibana http://10.0.0.27:5601/app/kibana" "Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0" nginx_1 | 172.17.0.7 - - [24/Nov/2016:18:55:13 +0000] "HEAD / HTTP/1.1" 200 0 "-" "-" nginx_1 | 172.17.0.7 - - [24/Nov/2016:18:55:13 +0000] "GET /_nodes HTTP/1.1" 200 10137 "-" "-" nginx_1 | 172.17.0.7 - - [24/Nov/2016:18:55:13 +0000] "GET /_cluster/health/.kibana?timeout=5s HTTP/1.1" 200 380 "-" "-" nginx_1 | 172.17.0.7 - - [24/Nov/2016:18:55:13 +0000] "POST /.kibana/config/_search HTTP/1.1" 200 386 "-" "-" nginx_1 | 172.17.0.7 - - [24/Nov/2016:18:55:15 +0000] "HEAD / HTTP/1.1" 200 0 "-" "-" nginx_1 | 172.17.0.7 - - [24/Nov/2016:18:55:15 +0000] "GET /_nodes HTTP/1.1" 200 10137 "-" "-" nginx_1 | 172.17.0.7 - - [24/Nov/2016:18:55:15 +0000] "GET /_cluster/health/.kibana?timeout=5s HTTP/1.1" 200 380 "-" "-" nginx_1 | 172.17.0.7 - - [24/Nov/2016:18:55:15 +0000] "POST /.kibana/config/_search HTTP/1.1" 200 385 "-" "-" nginx_1 | 172.17.0.7 - - [24/Nov/2016:18:55:18 +0000] "HEAD / HTTP/1.1" 200 0 "-" "-" nginx_1 | 172.17.0.7 - - [24/Nov/2016:18:55:18 +0000] "GET /_nodes HTTP/1.1" 200 10137 "-" "-" nginx_1 | 172.17.0.7 - - [24/Nov/2016:18:55:18 +0000] "GET /_cluster/health/.kibana?timeout=5s HTTP/1.1" 200 380 "-" "-" nginx_1 | 172.17.0.7 - - [24/Nov/2016:18:55:18 +0000] "POST /.kibana/config/_search HTTP/1.1" 200 386 "-" "-" nginx_1 | 172.17.0.7 - - [24/Nov/2016:18:55:20 +0000] "HEAD / HTTP/1.1" 200 0 "-" "-" nginx_1 | 172.17.0.7 - - [24/Nov/2016:18:55:20 +0000] "GET /_nodes HTTP/1.1" 200 10137 "-" "-" nginx_1 | 172.17.0.7 - - [24/Nov/2016:18:55:20 +0000] "GET /_cluster/health/.kibana?timeout=5s HTTP/1.1" 200 380 "-" "-" 
nginx_1 | 172.17.0.7 - - [24/Nov/2016:18:55:20 +0000] "POST /.kibana/config/_search HTTP/1.1" 200 386 "-" "-" nginx_1 | 172.17.0.7 - - [24/Nov/2016:18:55:23 +0000] "HEAD / HTTP/1.1" 200 0 "-" "-" kibana-config_1 | % Total % Received % Xferd Average Speed Time Time Time Current elasticsearch-master_1 | [2016-11-24 18:52:46,113][INFO ][node ] [elasticsearch-master] version[2.4.1], pid[11], build[c67dc32/2016-09-27T18:57:55Z] elasticsearch-master_1 | [2016-11-24 18:52:46,113][INFO ][node ] [elasticsearch-master] initializing ... elasticsearch-master_1 | [2016-11-24 18:52:46,633][INFO ][plugins ] [elasticsearch-master] modules [reindex, lang-expression, lang-groovy], plugins [], sites [] elasticsearch-master_1 | [2016-11-24 18:52:46,831][INFO ][env ] [elasticsearch-master] using [1] data paths, mounts [[/usr/share/elasticsearch/data (/dev/dm-0)]], net usable_space [25.1gb], net total_space [29.8gb], spins? [possibly], types [ext4] kibana-config_1 | Dload Upload Total Spent Left Speed nginx_1 | 172.17.0.7 - - [24/Nov/2016:18:55:23 +0000] "GET /_nodes HTTP/1.1" 200 10137 "-" "-" nginx_1 | 172.17.0.7 - - [24/Nov/2016:18:55:23 +0000] "GET /_cluster/health/.kibana?timeout=5s HTTP/1.1" 200 380 "-" "-" elasticsearch-master_1 | [2016-11-24 18:52:46,831][INFO ][env ] [elasticsearch-master] heap size [990.7mb], compressed ordinary object pointers [true] kibana-config_1 | { nginx_1 | 172.17.0.7 - - [24/Nov/2016:18:55:23 +0000] "POST /.kibana/config/_search HTTP/1.1" 200 385 "-" "-" elasticsearch-node01_1 | [2016-11-24 18:53:49,494][INFO ][node ] [elasticsearch-node01] version[2.4.1], pid[11], build[c67dc32/2016-09-27T18:57:55Z] elasticsearch-master_1 | [2016-11-24 18:52:48,726][INFO ][node ] [elasticsearch-master] initialized kibana-config_1 | "name" : "elasticsearch-master", nginx_1 | 172.17.0.7 - - [24/Nov/2016:18:55:25 +0000] "HEAD / HTTP/1.1" 200 0 "-" "-" kibana-config_1 | "cluster_name" : "bro", elasticsearch-node01_1 | [2016-11-24 18:53:49,495][INFO ][node ] 
[elasticsearch-node01] initializing ... nginx_1 | 172.17.0.7 - - [24/Nov/2016:18:55:25 +0000] "GET /_nodes HTTP/1.1" 200 10137 "-" "-" elasticsearch-node01_1 | [2016-11-24 18:53:50,055][INFO ][plugins ] [elasticsearch-node01] modules [reindex, lang-expression, lang-groovy], plugins [], sites [] elasticsearch-master_1 | [2016-11-24 18:52:48,726][INFO ][node ] [elasticsearch-master] starting ... kibana-config_1 | "cluster_uuid" : "UpuV9kudS9K390SPADJ75g", nginx_1 | 172.17.0.7 - - [24/Nov/2016:18:55:25 +0000] "GET /_cluster/health/.kibana?timeout=5s HTTP/1.1" 200 380 "-" "-" elasticsearch-node01_1 | [2016-11-24 18:53:50,397][INFO ][env ] [elasticsearch-node01] using [1] data paths, mounts [[/usr/share/elasticsearch/data (/dev/dm-0)]], net usable_space [25.1gb], net total_space [29.8gb], spins? [possibly], types [ext4] elasticsearch-master_1 | [2016-11-24 18:52:48,888][INFO ][transport ] [elasticsearch-master] publish_address {172.17.0.2:9300}, bound_addresses {172.17.0.2:9300} nginx_1 | 172.17.0.7 - - [24/Nov/2016:18:55:25 +0000] "POST /.kibana/config/_search HTTP/1.1" 200 386 "-" "-" kibana-config_1 | "version" : { kibana-config_1 | "number" : "2.4.1", elasticsearch-master_1 | [2016-11-24 18:52:48,895][INFO ][discovery ] [elasticsearch-master] bro/rceCZ0J1SauMgZWI-7GXRg kibana-config_1 | "build_hash" : "c67dc32e24162035d18d6fe1e952c4cbcbe79d16", kibana-config_1 | "build_timestamp" : "2016-09-27T18:57:55Z", kibana-config_1 | "build_snapshot" : false, elasticsearch-master_1 | [2016-11-24 18:52:51,979][INFO ][cluster.service ] [elasticsearch-master] new_master {elasticsearch-master}{rceCZ0J1SauMgZWI-7GXRg}{172.17.0.2}{172.17.0.2:9300}, reason: zen-disco-join(elected_as_master, [0] joins received) elasticsearch-node01_1 | [2016-11-24 18:53:50,401][INFO ][env ] [elasticsearch-node01] heap size [990.7mb], compressed ordinary object pointers [true] elasticsearch-master_1 | [2016-11-24 18:52:52,007][INFO ][http ] [elasticsearch-master] publish_address {172.17.0.2:9200}, 
bound_addresses {172.17.0.2:9200} kibana-config_1 | "lucene_version" : "5.5.2" nginx_1 | 172.17.0.7 - - [24/Nov/2016:18:55:28 +0000] "HEAD / HTTP/1.1" 200 0 "-" "-" elasticsearch-master_1 | [2016-11-24 18:52:52,008][INFO ][node ] [elasticsearch-master] started kibana-config_1 | }, kibana-config_1 | "tagline" : "You Know, for Search" elasticsearch-master_1 | [2016-11-24 18:52:55,080][INFO ][gateway ] [elasticsearch-master] recovered [0] indices into cluster_state kibana-config_1 | } 100 364 100 364 0 0 8202 0 --:--:-- --:--:-- --:--:-- 8272 elasticsearch-master_1 | [2016-11-24 18:53:22,443][INFO ][cluster.metadata ] [elasticsearch-master] [.kibana] creating index, cause [auto(index api)], templates [], shards [5]/[1], mappings [] kibana-config_1 | Elasticsearch is up - executing command kibana-config_1 | Thu, 24 Nov 2016 18:53:22 GMT | starting dump nginx_1 | 172.17.0.7 - - [24/Nov/2016:18:55:28 +0000] "GET /_nodes HTTP/1.1" 200 10137 "-" "-" elasticsearch-master_1 | [2016-11-24 18:54:19,574][DEBUG][action.admin.indices.mapping.put] [elasticsearch-master] failed to put mappings on indices [[.kibana]], type [visualization] kibana-config_1 | Thu, 24 Nov 2016 18:53:22 GMT | got 78 objects from source file (offset: 0) kibana-config_1 | Thu, 24 Nov 2016 18:55:02 GMT | sent 78 objects to destination elasticsearch, wrote 74 nginx_1 | 172.17.0.7 - - [24/Nov/2016:18:55:28 +0000] "GET /_cluster/health/.kibana?timeout=5s HTTP/1.1" 200 380 "-" "-" elasticsearch-master_1 | ProcessClusterEventTimeoutException[failed to process cluster event (put-mapping [visualization]) within 30s] kibana-config_1 | Thu, 24 Nov 2016 18:55:02 GMT | got 0 objects from source file (offset: 78) kibana-config_1 | Thu, 24 Nov 2016 18:55:02 GMT | Total Writes: 74 nginx_1 | 172.17.0.7 - - [24/Nov/2016:18:55:28 +0000] "POST /.kibana/config/_search HTTP/1.1" 200 385 "-" "-" elasticsearch-master_1 | at org.elasticsearch.cluster.service.InternalClusterService$2$1.run(InternalClusterService.java:349) 
elasticsearch-node01_1 | [2016-11-24 18:53:52,620][INFO ][node ] [elasticsearch-node01] initialized elasticsearch-node01_1 | [2016-11-24 18:53:52,620][INFO ][node ] [elasticsearch-node01] starting ... elasticsearch-node01_1 | [2016-11-24 18:53:52,708][INFO ][transport ] [elasticsearch-node01] publish_address {172.17.0.4:9300}, bound_addresses {172.17.0.4:9300} elasticsearch-node01_1 | [2016-11-24 18:53:52,713][INFO ][discovery ] [elasticsearch-node01] bro/_B_UE7R0TJeG-Vxih_UtZg elasticsearch-master_1 | at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) elasticsearch-node01_1 | [2016-11-24 18:54:22,715][WARN ][discovery ] [elasticsearch-node01] waited for 30s and no initial state was set by the discovery elasticsearch-node01_1 | [2016-11-24 18:54:24,652][INFO ][http ] [elasticsearch-node01] publish_address {172.17.0.4:9200}, bound_addresses {172.17.0.4:9200} elasticsearch-master_1 | at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) nginx_1 | 172.17.0.7 - - [24/Nov/2016:18:55:30 +0000] "HEAD / HTTP/1.1" 200 0 "-" "-" elasticsearch-node01_1 | [2016-11-24 18:54:24,652][INFO ][node ] [elasticsearch-node01] started elasticsearch-node01_1 | [2016-11-24 18:54:31,208][INFO ][cluster.service ] [elasticsearch-node01] detected_master {elasticsearch-master}{rceCZ0J1SauMgZWI-7GXRg}{172.17.0.2}{172.17.0.2:9300}, added {{elasticsearch-node02}{k-B7bvykSYS1e3BB_01rZA}{172.17.0.5}{172.17.0.5:9300},{elasticsearch-master}{rceCZ0J1SauMgZWI-7GXRg}{172.17.0.2}{172.17.0.2:9300},}, reason: zen-disco-receive(from master [{elasticsearch-master}{rceCZ0J1SauMgZWI-7GXRg}{172.17.0.2}{172.17.0.2:9300}]) elasticsearch-master_1 | at java.lang.Thread.run(Thread.java:745) nginx_1 | 172.17.0.7 - - [24/Nov/2016:18:55:30 +0000] "GET /_nodes HTTP/1.1" 200 10137 "-" "-" kibana-config_1 | Thu, 24 Nov 2016 18:55:02 GMT | dump complete elasticsearch-master_1 | [2016-11-24 18:54:19,576][DEBUG][action.admin.indices.mapping.put] 
[elasticsearch-master] failed to put mappings on indices [[.kibana]], type [visualization] elasticsearch-master_1 | ProcessClusterEventTimeoutException[failed to process cluster event (put-mapping [visualization]) within 30s] nginx_1 | 172.17.0.7 - - [24/Nov/2016:18:55:30 +0000] "GET /_cluster/health/.kibana?timeout=5s HTTP/1.1" 200 380 "-" "-" elasticsearch-master_1 | at org.elasticsearch.cluster.service.InternalClusterService$2$1.run(InternalClusterService.java:349) elasticsearch-master_1 | at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) elasticsearch-master_1 | at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) nginx_1 | 172.17.0.7 - - [24/Nov/2016:18:55:30 +0000] "POST /.kibana/config/_search HTTP/1.1" 200 385 "-" "-" elasticsearch-master_1 | at java.lang.Thread.run(Thread.java:745) elasticsearch-master_1 | [2016-11-24 18:54:19,576][DEBUG][action.index ] [elasticsearch-master] failed to execute [index {[.kibana][visualization][file-mime-type-table], source[{"title":"file mime type table","visState":"{"title":"New Visualization","type":"table","params":{"perPage":10,"showPartialRows":false,"showMeticsAtAllLevels":false},"aggs":[{"id":"1","type":"count","schema":"metric","params":{}},{"id":"2","type":"date_histogram","schema":"bucket","params":{"field":"ts","interval":"auto","customInterval":"2h","min_doc_count":1,"extended_bounds":{}}},{"id":"3","type":"terms","schema":"bucket","params":{"field":"mime_type","size":5,"order":"desc","orderBy":"1"}}],"listeners":{}}","uiStateJSON":"{}","description":"","savedSearchId":"files","version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{"filter":[]}"}}]}] on [[.kibana][0]] elasticsearch-master_1 | ProcessClusterEventTimeoutException[failed to process cluster event (put-mapping [visualization]) within 30s] elasticsearch-master_1 | at org.elasticsearch.cluster.service.InternalClusterService$2$1.run(InternalClusterService.java:349) nginx_1 | 172.17.0.7 - - 

alxbob commented 7 years ago

The eth1 interface is a monitor interface on the host. I have access from the remote server: nc 10.0.0.27 1969 is open and telnet is working (also tried localhost). Inside bro-xinitd, tcpdump -i eth0 -vv receives packets from the remote host. No logs in /bro/pcap.

alxbob commented 7 years ago

I also tried to send a simulated GET request using netcat, but the bro container seems to read nothing :( It's like the bro service isn't running.

root@bro-xinetd-elasticsearch:/tmp# ps -aux
USER   PID %CPU %MEM   VSZ  RSS TTY  STAT START TIME COMMAND
root     1  0.0  0.0 20076 2896 ?    Ss   19:40 0:00 /bin/bash /role/xinetd-elasticsearch
root    11  0.0  0.0 20216 2196 ?    S    19:40 0:00 /usr/sbin/xinetd -dontfork
root    12  0.0  0.0 20248 3032 ?    Ss   19:41 0:00 /bin/bash
root    18  0.0  0.0 17500 1960 ?    R+   19:41 0:00 ps -aux

Should I run anything extra on the bro container, or should it read incoming traffic from netcat? Is the role xinetd-elasticsearch correct? I can't find anything else wrong... Thanks again for your help.

danielguerra69 commented 7 years ago

I see you removed the DOCKERHOST from your yml… why?

Just started it on carina (rackspace) and everything works fine. I don't know what your problem is. What I can tell you is how to do it properly … Assuming your dockerhost is reachable on 10.0.0.1

export DOCKERHOST=10.0.0.1:8080
docker-compose pull
docker-compose up

If you want to play with an empty working one use

172.99.77.37 1969 to send pcap

and

http://172.99.77.37:5601/ for kibana

# Compose Bro-debian-elasticsearch cluster
# set DOCKERHOST with export DOCKERHOST=192.168.1.2:8080
#
# VOLUMES
elastic-data-master:
  image: tianon/true
  volumes:

elastic-data-node01:
  image: tianon/true
  volumes:

elastic-data-node02:
  image: tianon/true
  volumes:

# nginx
nginx:
  image: danielguerra/bro-elasticsearch-nginx
  hostname: nginx
  links:

# ELASTICSEARCH
elasticsearch-master:
  image: danielguerra/alpine-elasticsearch
  command: -Des.network.bind_host=elasticsearch-master --cluster.name=bro --node.name=elasticsearch-master --discovery.zen.ping.multicast.enabled=false --network.host=elasticsearch-master
  hostname: elasticsearch-master
  volumes_from:

elasticsearch-node01:
  image: danielguerra/alpine-elasticsearch
  command: -Des.network.bind_host=elasticsearch-node01 --cluster.name=bro --node.name=elasticsearch-node01 --discovery.zen.ping.unicast.hosts=master:9300 --network.host=elasticsearch-node01
  hostname: elasticsearch-node01
  links:

elasticsearch-node02:
  image: danielguerra/alpine-elasticsearch
  command: -Des.network.bind_host=elasticsearch-node02 --cluster.name=bro --node.name=elasticsearch-node02 --discovery.zen.ping.unicast.hosts=master:9300 --network.host=elasticsearch-node02
  hostname: elasticsearch-node02
  links:

# KIBANA
kibana:
  image: kibana:4.6
  hostname: kibana
  ports:

# BRO
bro-xinitd-forensic:
  image: danielguerra/bro-debian-elasticsearch
  command: /role/xinetd-forensic $DOCKERHOST
  hostname: bro-xinetd-forensic
  links:

# mapping
bro-mapping:
  image: danielguerra/bro-debian-elasticsearch
  command: /scripts/bro-mapping.sh
  links:

# kibana config
kibana-config:
  image: danielguerra/bro-kibana-config
  links:


alxbob commented 7 years ago

I only modified the yml and replaced bro-xinitd-forensic with:

# BRO
bro-xinitd:
  image: danielguerra/bro-debian-elasticsearch
  command: /role/xinetd-elasticsearch
  hostname: bro-xinetd
  links:
    - "nginx:elasticsearch"
  ports:
    - "1969:1969"

For live traffic capture and not pcap! Everything else in the config is the same. So I send traffic with

sudo tcpdump -i eth0 -s 0 -w - | nc IP 1969

or

sudo tcpdump -i eth0 -s 0 -w /dev/stdout | nc IP 1969

alxbob commented 7 years ago

I want to send live traffic from anywhere to bro and check it on kibana... Is my config wrong? Maybe I figured it out wrong..

Finally I also tried your default docker-compose, but when I try to send a pcap file to a forensic bro I get this:

nc 10.0.0.27 1969 < mycap.pcap
/scripts/bro-forensic.sh: line 18:   134 Illegal instruction     (core dumped) bro -r - -w ${PCAPFILE}

danielguerra69 commented 7 years ago

Yes, your config is wrong: wrong use of xinetd-forensic. Use my guide.


alxbob commented 7 years ago

I used your guide and I can't figure out what I am doing wrong. Can you please provide 2 examples on how to run:

1. xinetd-elasticsearch for live packet capture

I use your docker-compose diff:

# BRO
bro-xinitd:
  image: danielguerra/bro-debian-elasticsearch
  command: /role/xinetd-elasticsearch
  hostname: bro-xinetd
  links:
    - "nginx:elasticsearch"
  ports:
    - "1969:1969"

sudo tcpdump -i eth0 -s 0 -w - | nc IP 1969

2. xinetd-forensic with your default docker-compose, command nc IP 1969 < mycap.pcap (with a captured pcap file)

Thanks again for everything

danielguerra69 commented 7 years ago

Use

command: /role/xinetd-elasticsearch ip:port


alxbob commented 7 years ago

:( still nothing

danielguerra69 commented 7 years ago

I can't help you.

Did you try the host on the internet?


alxbob commented 7 years ago

No, I tried it on CentOS 7 and on Debian jessie, still nothing.. Any OS suggestion? Thanks again for your help.

alxbob commented 7 years ago

Maybe the problem is networking after all; from the container I see with tcpdump only

    172.17.0.1.59424 > bro-xinetd.bro: Flags [.], cksum 0x584d (incorrect -> 0x50fc), seq 1, ack 1, win 229, options [nop,nop,TS val 34317 ecr 34317], length 0
21:55:56.366651 IP (tos 0x0, ttl 64, id 40952, offset 0, flags [DF], proto TCP (6), length 52)
    bro-xinetd.bro > 172.17.0.1.59424: Flags [F.], cksum 0x584d (incorrect -> 0x50fa), seq 1, ack 1, win 227, options [nop,nop,TS val 34320 ecr 34317], length 0
21:55:56.366790 IP (tos 0x0, ttl 64, id 19101, offset 0, flags [DF], proto TCP (6), length 52)
    172.17.0.1.59424 > bro-xinetd.bro: Flags [F.], cksum 0x584d (incorrect -> 0x50f4), seq 1, ack 2, win 229, options [nop,nop,TS val 34320 ecr 34320], length 0
21:55:56.366804 IP (tos 0x0, ttl 64, id 40953, offset 0, flags [DF], proto TCP (6), length 52)
    bro-xinetd.bro > 172.17.0.1.59424: Flags [.], cksum 0x584d (incorrect -> 0x50f6), seq 2, ack 2, win 227, options [nop,nop,TS val 34320 ecr 34320], length 0

danielguerra69 commented 7 years ago

Aha, use the role xinetd-forensic-crc instead of xinetd-forensic.

This role will use bro -C to avoid crc checks.

But if you want to dump a container properly … do this

docker run --rm --net=container: crccheck/tcpdump -i eth0 -w - | nc 1969

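An added diagnostic for the "cksum ... (incorrect -> ...)" symptom in the capture above (example code, not part of the bro-debian-elasticsearch project): it counts how many segments tcpdump -vv flagged with a bad checksum, which is what the xinetd-forensic-crc role's bro -C works around. The 10.0.0.5 line, the IP header line with id 19100 and all timestamps in the sample are constructed.

```python
"""Count TCP/UDP checksums that tcpdump -vv flagged as incorrect.

Added example, not project code. On a Docker bridge or KVM interface a high
share of "incorrect" checksums usually means checksum offloading: the capture
point sees the packet before the NIC fills in the real checksum. Bro ignores
such segments unless it runs with -C (what the xinetd-forensic-crc role does),
so this ratio tells you whether -C is the fix rather than a networking fault.
"""
import re
import sys
from dataclasses import dataclass, field

# tcpdump -vv prints either "cksum 0x584d (incorrect -> 0x50fc)" or "cksum 0x9c21 (correct)"
CKSUM_RE = re.compile(r"cksum 0x([0-9a-f]+) \((correct|incorrect -> 0x([0-9a-f]+))\)")


@dataclass
class ChecksumStats:
    total: int = 0          # segments that carried a cksum field at all
    incorrect: int = 0      # segments tcpdump flagged as incorrect
    bad_values: set = field(default_factory=set)  # distinct wrong values seen

    @property
    def ratio(self) -> float:
        return self.incorrect / self.total if self.total else 0.0


def scan(lines):
    """Count checksum verdicts in tcpdump -vv text; one TCP/UDP segment per matching line."""
    stats = ChecksumStats()
    for line in lines:
        m = CKSUM_RE.search(line)
        if m is None:
            continue  # IP header lines and non-TCP/UDP traffic carry no cksum field
        stats.total += 1
        if m.group(2) != "correct":
            stats.incorrect += 1
            stats.bad_values.add("0x" + m.group(1))
    return stats


def verdict(stats, threshold=0.5):
    """'offload-suspected' when at least `threshold` of the segments have a bad checksum."""
    if stats.total == 0:
        return "no-checksums-seen"
    return "offload-suspected" if stats.ratio >= threshold else "checksums-ok"


# Constructed sample: three segment lines copied from the capture posted in this thread,
# plus header lines and one segment with a correct checksum made up for the example.
SAMPLE = """\
21:55:56.366640 IP (tos 0x0, ttl 64, id 19100, offset 0, flags [DF], proto TCP (6), length 52)
    172.17.0.1.59424 > bro-xinetd.bro: Flags [.], cksum 0x584d (incorrect -> 0x50fc), seq 1, ack 1, win 229, length 0
21:55:56.366651 IP (tos 0x0, ttl 64, id 40952, offset 0, flags [DF], proto TCP (6), length 52)
    bro-xinetd.bro > 172.17.0.1.59424: Flags [F.], cksum 0x584d (incorrect -> 0x50fa), seq 1, ack 1, win 227, length 0
21:55:56.366790 IP (tos 0x0, ttl 64, id 19101, offset 0, flags [DF], proto TCP (6), length 52)
    172.17.0.1.59424 > bro-xinetd.bro: Flags [F.], cksum 0x584d (incorrect -> 0x50f4), seq 1, ack 2, win 229, length 0
21:55:57.000100 IP (tos 0x0, ttl 64, id 19102, offset 0, flags [DF], proto TCP (6), length 52)
    10.0.0.5.44210 > bro-xinetd.bro: Flags [.], cksum 0x9c21 (correct), seq 1, ack 1, win 229, length 0
""".splitlines()


def main(argv):
    # With a file argument, read saved `tcpdump -vv` output; otherwise use the sample above.
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8", errors="replace") as fh:
            stats = scan(fh)
    else:
        stats = scan(SAMPLE)
    print(f"{stats.incorrect}/{stats.total} segments with bad checksum "
          f"({stats.ratio:.0%}); wrong values seen: {sorted(stats.bad_values)}")
    print("verdict:", verdict(stats))


if __name__ == "__main__":
    main(sys.argv)
```

Run it as `tcpdump -i eth0 -vv -c 200 2>/dev/null | python3 cksum_check.py /dev/stdin` inside the capture container; the same constant wrong value across both directions, as in the thread, is the typical offload signature.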

alxbob commented 7 years ago

For reference, the problem exists with docker and a kvm machine with networking: there is a bug of some sort with offloading, and changing offloading with ethtool doesn't change anything.

danielguerra69 commented 7 years ago

Try https://app.getcarina.com/app/signup

You can get an account on a proper docker environment for free.
