misje / opencti-wazuh-connector

OpenCTI–Wazuh connector looking for indicators in Wazuh and creating sightings
https://misje.github.io/opencti-wazuh-connector/
Apache License 2.0

DATABASE_ERROR - Find direct ids fail #59

Closed dracon80 closed 5 months ago

dracon80 commented 5 months ago

I've attempted to implement the connector, but the container keeps erroring and restarting. My environment is Wazuh 4.8.0 running 3 indexers as a cluster on virtual machines (i.e. not Docker containers).

The Docker container versions for OpenCTI are:

OPENCTI_VERSION=6.1.11
REDIS_VERSION=7.2.5
RABBITMQ_VERSION=3.13-management
OPENSEARCH_VERSION=2.14.0
WAZUH_CONNECTOR_VERSION=0.3.0

The ENV for the connector container (with hostnames and passwords changed):

TZ=UTC
USE_TZ=true
OPENCTI_URL=http://opencti:8080
OPENCTI_TOKEN=---------
CONNECTOR_ID=---------
CONNECTOR_NAME=Wazuh
CONNECTOR_SCOPE=Artifact,Directory,Domain-Name,Email-Addr,Hostname,IPv4-Addr,IPv6-Addr,Mac-Addr,Network-Traffic,Process,StixFile,Url,User-Account,User-Agent,Windows-Registry-Key,Windows-Registry-Value-Type,Vulnerability,Indicator
CONNECTOR_AUTO=true
CONNECTOR_LOG_LEVEL=warning
CONNECTOR_EXPOSE_METRICS=true
WAZUH_APP_URL=---------
WAZUH_MAX_TLP=TLP:RED
WAZUH_TLPS=TLP:AMBER+STRICT
WAZUH_OPENSEARCH_PASSWORD=---------
WAZUH_OPENSEARCH_URL=---------
WAZUH_OPENSEARCH_USERNAME=opencti_connector
WAZUH_OPENSEARCH_VERIFY_TLS=false

The connector can communicate with both Wazuh and OpenSearch, but I just can't get it to work. A sample of the log file is attached; I'm just not sure if the error is caused by the OpenSearch instance OpenCTI is using or by the Wazuh indexer cluster. wazuh.log

misje commented 5 months ago

This appears to be an OpenCTI issue, originating from a ping module within the OpenCTI SDK. I haven't seen it before, and I can't find any details about it on my initial search. What are you doing to produce these errors? Nothing, just starting the connector?

misje commented 5 months ago

Perhaps you could try this setting for Elastic/OpenSearch in OpenCTI: thread_pool.search.queue_size: 5000
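Whether that setting actually took effect on the OpenSearch node backing OpenCTI, and whether searches are being rejected, can be read from the node's thread pool stats. The check below is an added example, not part of this thread or of the connector: it parses the text returned by GET /_cat/thread_pool/search?v&h=node_name,queue_size,rejected and flags nodes below the suggested queue size or with rejections. The sample output and node names are constructed placeholders.

```shell
#!/bin/sh
# Added example: verify the search thread pool of an OpenSearch node against the
# queue size suggested in this thread (thread_pool.search.queue_size: 5000).
# Expected input format is the text from
#   GET /_cat/thread_pool/search?v&h=node_name,queue_size,rejected
# The sample below is constructed, not captured from any real cluster.
SAMPLE_CAT_OUTPUT='node_name        queue_size rejected
opencti-search-1       1000       37
opencti-search-2       5000        0'

# check_search_pool MIN_QUEUE < cat_output
# Prints one finding per node whose queue_size is below MIN_QUEUE or that has
# rejected search requests. Returns 0 when every node passes, 1 otherwise.
check_search_pool() {
    min_queue="$1"
    awk -v min="$min_queue" '
        NR == 1 { next }                 # skip the header row printed by ?v
        NF < 3  { next }                 # ignore blank or partial lines
        {
            node = $1; qs = $2 + 0; rej = $3 + 0
            if (qs < min)
                printf "%s: queue_size %d below %d (raise thread_pool.search.queue_size)\n", node, qs, min
            if (rej > 0)
                printf "%s: %d rejected search requests (queue overflow)\n", node, rej
            if (qs < min || rej > 0) bad = 1
        }
        END { exit bad ? 1 : 0 }'
}

# Stand-alone run against the constructed sample; in practice pipe in
#   curl -s -u "$USER:$PASS" "$OPENSEARCH_URL/_cat/thread_pool/search?v&h=node_name,queue_size,rejected"
printf '%s\n' "$SAMPLE_CAT_OUTPUT" | check_search_pool 5000 \
    || echo "search thread pool check failed on at least one node"
```

A node that reports rejections after the setting was applied still needs the change to land in its own config, since the queue size is a per-node static setting.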

dracon80 commented 5 months ago

Thank you for the quick response. Yes, you were spot on; I had not set this environment variable. As soon as I did, the connector started without issue. Just waiting for it to populate some data.

misje commented 5 months ago

That's nice to hear!

If you want to run it manually on existing entities, you can run enrichment manually.