Closed s-shubh closed 5 years ago
Due to a format error, the feed is not shown with Python indentation, so please bear that format error in mind.
That's weird. Could you provide a sample of your feed's format?
Can you check the logs' output? There might be some useful information there.
> Due to a format error, the feed is not shown with Python indentation, so please bear that format error in mind.

For the record, you can use backticks (```) to format code blocks on GitHub (click on `edit` to see the changes I've made to your original post).
Thank you for your information. Which logs do you want from me? Standard Linux or MongoDB?
Try this: `journalctl -u yeti_feeds.service` and `systemctl status yeti_feeds.service`.
Find the attached output of the command `journalctl -u yeti_feeds.service`:
```
● yeti_feeds.service - Yeti workers - Feeds
   Loaded: loaded (/usr/lib/systemd/system/yeti_feeds.service; enabled; vendor preset: disabled)
   Active: active (running) since Wed 2019-02-20 06:44:42 EST; 1 weeks 1 days ago
 Main PID: 25846 (celery)
   CGroup: /system.slice/yeti_feeds.service
           ├─25846 /usr/bin/python2 /usr/bin/celery -A core.config.celeryctl.celery_app worker -Ofair -c 8 -Q feeds -n feeds --purge
           ├─25853 /usr/bin/python2 /usr/bin/celery -A core.config.celeryctl.celery_app worker -Ofair -c 8 -Q feeds -n feeds --purge
           ├─25858 /usr/bin/python2 /usr/bin/celery -A core.config.celeryctl.celery_app worker -Ofair -c 8 -Q feeds -n feeds --purge
           ├─25861 /usr/bin/python2 /usr/bin/celery -A core.config.celeryctl.celery_app worker -Ofair -c 8 -Q feeds -n feeds --purge
           ├─25866 /usr/bin/python2 /usr/bin/celery -A core.config.celeryctl.celery_app worker -Ofair -c 8 -Q feeds -n feeds --purge
           ├─25872 /usr/bin/python2 /usr/bin/celery -A core.config.celeryctl.celery_app worker -Ofair -c 8 -Q feeds -n feeds --purge
           ├─25875 /usr/bin/python2 /usr/bin/celery -A core.config.celeryctl.celery_app worker -Ofair -c 8 -Q feeds -n feeds --purge
           ├─25880 /usr/bin/python2 /usr/bin/celery -A core.config.celeryctl.celery_app worker -Ofair -c 8 -Q feeds -n feeds --purge
           └─25885 /usr/bin/python2 /usr/bin/celery -A core.config.celeryctl.celery_app worker -Ofair -c 8 -Q feeds -n feeds --purge
```
Also find the latest output of yeti_feeds.service:
```
Feb 28 10:19:00 threatintel1 celery[25846]: [2019-02-28 10:19:00,470: WARNING/ForkPoolWorker-2] BruteForcer 6.70.8.9
Feb 28 10:19:00 threatintel1 celery[25846]: [2019-02-28 10:19:00,470: WARNING/ForkPoolWorker-2] Tornode 5.7.8.90
Feb 28 10:19:00 threatintel1 celery[25846]: [2019-02-28 10:19:00,470: WARNING/ForkPoolWorker-2] BruteForcer 6.7.80.9
Feb 28 10:19:00 threatintel1 celery[25846]: [2019-02-28 10:19:00,470: WARNING/ForkPoolWorker-2] Tornode 5.70.8.9
Feb 28 10:19:00 threatintel1 celery[25846]: [2019-02-28 10:19:00,470: WARNING/ForkPoolWorker-2] BruteForcer 16.7.8.9
Feb 28 10:19:00 threatintel1 celery[25846]: [2019-02-28 10:19:00,470: WARNING/ForkPoolWorker-2] Tornode 15.7.8.9
Feb 28 10:19:00 threatintel1 celery[25846]: [2019-02-28 10:19:00,470: WARNING/ForkPoolWorker-2] BruteForcer 16.7.8.9
Feb 28 10:19:00 threatintel1 celery[25846]: [2019-02-28 10:19:00,470: WARNING/ForkPoolWorker-2] Tor 4.5.6.7
Feb 28 10:19:06 threatintel1 celery[25846]: [2019-02-28 10:19:06,818: WARNING/ForkPoolWorker-7] aujastmvehxqmlbb.com,217.20.116.140,dns1.registrar-servers.com|dns2.registrar-servers.com,216.87.152.33|216.87.155.33,Master Indicator Feed for ramnit non-sinkholed domains,http://osint.bambenekconsulting.com/manual/ramnit.txt
Feb 28 10:19:11 threatintel1 celery[25846]: [2019-02-28 10:19:11,121: WARNING/ForkPoolWorker-7] avpsjncogss.com,46.165.221.144,dns1.registrar-servers.com|dns2.registrar-servers.com,216.87.152.33|216.87.155.33,Master Indicator Feed for ramnit non-sinkholed domains,http://osint.bambenekconsulting.com/manual/ramnit.txt
```
Can you share the format of the feed you're trying to ingest? There's most likely a problem with that.
I have already given you the format in my query.
The format is: `"Threat Category" "IP Address"`
An example feed is:
```
CNC 5.6.7.8
Tornode 5.7.8.9
BruteForcer 6.7.8.9
```
& so on....
OK. At this point I would recommend this:
1. stop the yeti_beat and feeds services:
   ```
   systemctl stop yeti_beat.service
   systemctl stop yeti_feeds.service
   ```
2. start a yeti_feeds celery worker in a separate shell:
   ```
   /usr/local/bin/celery -A core.config.celeryctl.celery_app worker -Ofair -c 8 -Q feeds -n feeds --purge
   ```
3. "refresh" the feed from the web UI as usual

And provide the output of the celery worker.
Hey, thank you for your prompt suggestions. I have gone through the steps you recommended, but while starting the celery worker I got the output below, with an error.
You need to be in the `/opt/yeti` directory for the command to work.
Thank you for this help... Please find the output:
```
/usr/bin/celery -A core.config.celeryctl.celery_app worker -Ofair -c 8 -Q feeds -n feeds --purge
/usr/lib/python2.7/site-packages/celery/platforms.py:796: RuntimeWarning: You're running the worker with superuser privileges: this is absolutely not recommended!

Please specify a different user using the --uid option.

User information: uid=0 euid=0 gid=0 egid=0

  uid=uid, euid=euid, gid=gid, egid=egid,

 -------------- celery@feeds v4.2.1 (windowlicker)
---- **** -----
--- * ***  * -- Linux-3.10.0-862.9.1.el7.x86_64-x86_64-with-centos-7.5.1804-Core 2019-02-28 11:49:31
-- * - **** ---

[2019-02-28 11:49:42,338: WARNING/ForkPoolWorker-7] CNC 5.6.7.8
[2019-02-28 11:49:42,338: WARNING/ForkPoolWorker-7] Tornode 5.7.8.9
[2019-02-28 11:49:42,339: WARNING/ForkPoolWorker-7] BruteForcer 6.7.8.9
[2019-02-28 11:49:42,339: WARNING/ForkPoolWorker-7] CNC 5.6.7.8
[2019-02-28 11:49:42,339: WARNING/ForkPoolWorker-7] CNC 5.6.7.9
[2019-02-28 11:49:42,339: WARNING/ForkPoolWorker-7] CNC 5.6.7.10
[2019-02-28 11:49:42,339: WARNING/ForkPoolWorker-7] CNC 5.6.7.11
[2019-02-28 11:49:42,339: WARNING/ForkPoolWorker-7] CNC 5.6.7.12
[2019-02-28 11:49:42,339: WARNING/ForkPoolWorker-7] Tornode 5.7.8.10
[2019-02-28 11:49:42,339: WARNING/ForkPoolWorker-7] BruteForcer 6.7.8.10
[2019-02-28 11:49:42,339: WARNING/ForkPoolWorker-7] Tornode 5.7.80.9
[2019-02-28 11:49:42,339: WARNING/ForkPoolWorker-7] BruteForcer 6.70.8.9
[2019-02-28 11:49:42,339: WARNING/ForkPoolWorker-7] Tornode 5.7.8.90
[2019-02-28 11:49:42,339: WARNING/ForkPoolWorker-7] BruteForcer 6.7.80.9
[2019-02-28 11:49:42,340: WARNING/ForkPoolWorker-7] Tornode 5.70.8.9
[2019-02-28 11:49:42,340: WARNING/ForkPoolWorker-7] BruteForcer 16.7.8.9
[2019-02-28 11:49:42,340: WARNING/ForkPoolWorker-7] Tornode 15.7.8.9
[2019-02-28 11:49:42,340: WARNING/ForkPoolWorker-7] BruteForcer 16.7.8.9
[2019-02-28 11:49:42,340: WARNING/ForkPoolWorker-7] Tor 4.5.6.7
```
Hm, looks like your split isn't working as intended. Can you `print context` and `print fields` before the try / except block and relaunch the celery workers?
I have added `print context` and `print fields` before the try and run the celery workers, but got the same output.
So what's happening is that an error in your code is likely preventing the observables from being stored. Try removing the try / except statements and see if that changes anything?
Do you want me to remove the full block of try/except statements? I have removed the whole block but still could not get the observable printed.
Something like this:
```python
context['ThreatCategory'] = fields[0]
context['description'] = "Emerging Threat IP List: %s (%s)" % (context['name'], ip)
context['source'] = self.name
print context
print fields
ip = Ip.get_or_create(value=fields[1])
ip.add_context(context)
ip.add_source("feed")
ip.tag(['ET'])
```
Also make sure to remove any generated `pyc` files in your workspace:
```
$ find . -name "*.pyc" -exec rm {} \;
```
Thank you for your continuous help... I have tried all of these but it still shows the same output while initiating the workers.
Can we make any other changes to get this working?
Ugh, I think I found your bug. There's an indentation problem in the update function:
```python
def update(self):
    for line in self.update_lines():
        print(line)
    self.analyze(line)
```
You should call `analyze` for every line, and in this case you're calling it from outside the loop.
So we need to write the `update()` function like this:
```python
def update(self):
    for line in self.update_lines():
        print(line)
        self.analyze(line)
```
Am I correct?
Yes. You can also remove the `print` statement.
I got this working but found some error related to `'name'`:
```
/usr/bin/celery -A core.config.celeryctl.celery_app worker -Ofair -c 8 -Q feeds -n feeds --purge
/usr/lib/python2.7/site-packages/celery/platforms.py:796: RuntimeWarning: You're running the worker with superuser privileges: this is absolutely not recommended!

Please specify a different user using the --uid option.

User information: uid=0 euid=0 gid=0 egid=0

  uid=uid, euid=euid, gid=gid, egid=egid,

 -------------- celery@feeds v4.2.1 (windowlicker)
---- **** -----
--- * ***  * -- Linux-3.10.0-862.9.1.el7.x86_64-x86_64-with-centos-7.5.1804-Core 2019-02-28 12:37:53
-- * - **** ---
- ** ---------- [config]
- ** ---------- .> app:         yeti:0x7fc8c37d7e90
- ** ---------- .> transport:   redis://127.0.0.1:6379/0
- ** ---------- .> results:     disabled://
- *** --- * --- .> concurrency: 8 (prefork)
-- ******* ---- .> task events: OFF (enable -E to monitor tasks in this worker)
--- ***** -----
 -------------- [queues]
                .> feeds            exchange=feeds(direct) key=feeds

[2019-02-28 12:38:00,081: WARNING/ForkPoolWorker-7] CNC 5.6.7.8
[2019-02-28 12:38:00,081: ERROR/ForkPoolWorker-7] Traceback (most recent call last):
  File "/opt/yeti/core/feed.py", line 42, in update_feed
    f.update()
  File "/opt/yeti/plugins/feeds/public/ET_blocklist.py", line 20, in update
    self.analyze(line)
  File "/opt/yeti/plugins/feeds/public/ET_blocklist.py", line 30, in analyze
    context['description'] = "Emerging Threat IP List: %s (%s)" % (context['name'], ip)
KeyError: 'name'
[2019-02-28 12:38:00,081: ERROR/ForkPoolWorker-7] ERROR updating feed: 'name'
```
Looks like `context['name']` is not set.
I'm closing this issue out, make sure you've ironed out remaining bugs and if things are still not working feel free to reopen.
Thank you for the continuous help... Just a little guidance: I just changed the context name to the context description but still got the same output. Let me know if you can help with this.
```python
fields = line.split()
context = {}
ip = fields[1]
context['ThreatCategory'] = fields[0]
context['description'] = "Emerging Threat IP List: %s (%s)" % (context['ThreatCategory'], ip)
context['source'] = self.name
ip = Ip.get_or_create(value=fields[1])
ip.add_context(context)
ip.add_source("feed")
ip.tag(['ET'])
```
Got the same output.
Thank you for your help... I appreciate the constant help. It's working now...
Environment
Hi Team,
I have a custom feed input which is stored on my web server, and I generally query that document for the feed input. Find an example of the input file:
```
CNC 5.6.7.8
Tornode 5.7.8.9
BruteForcer 6.7.8.9
```
& so on....
To process this type of data, I have created a custom feed in Yeti and put it under the plugins/feeds/public/ directory. Kindly find this feed.
The output (custom feed name ET_Blocklist) is shown on the Yeti Dataflows interface as in the screenshot below, but when searching for an IP address such as 5.6.7.8 it shows null output. Find both screenshots.
Please help...!!
~Shubham
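A standalone re-implementation of the parsing this thread converges on, added here as an example and not code from Yeti or from the poster's plugin: `parse_line` validates the `<ThreatCategory> <IP>` feed format with `ipaddress` and skips blank, comment and malformed lines instead of raising, `analyze` builds the same context dict as the final snippet against a plain dict standing in for `Ip.get_or_create`/`add_context`/`add_source`/`tag`, and `update` calls `analyze` inside the loop, once per line. The sample feed is constructed and the feed name `ET_blocklist` is assumed.

```python
import ipaddress
# Constructed sample in the "<ThreatCategory> <IP>" feed format; blank, comment and malformed lines exercise the error handling.
SAMPLE_FEED = """CNC 5.6.7.8
Tornode 5.7.8.9

# comment line
BruteForcer 6.7.8.9
BruteForcer not-an-ip
Tor
"""

def parse_line(line):
    """Return (category, ip) for a well-formed line, None for anything else."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split()
    if len(fields) != 2:  # a bare 'Tor' would otherwise raise IndexError on fields[1]
        return None
    category, ip = fields
    try:
        ipaddress.ip_address(ip)  # rejects 'not-an-ip' and truncated addresses
    except ValueError:
        return None
    return category, ip

def analyze(line, store):
    """Mirror of the plugin's analyze(); `store` (a dict keyed by IP) is a stand-in for
    Yeti's Ip.get_or_create / add_context / add_source / tag, so this runs without Yeti."""
    parsed = parse_line(line)
    if parsed is None:
        return False
    category, ip = parsed
    context = {
        "ThreatCategory": category,
        "description": "Emerging Threat IP List: %s (%s)" % (category, ip),
        "source": "ET_blocklist",  # assumed feed name, stands in for self.name
    }
    entry = store.setdefault(ip, {"contexts": [], "sources": set(), "tags": set()})
    entry["contexts"].append(context)
    entry["sources"].add("feed")
    entry["tags"].add("ET")
    return True

def update(feed_text):
    store = {}
    for line in feed_text.splitlines():
        analyze(line, store)  # inside the loop, once per line (the indentation bug in the thread)
    return store
```

Validating each line before `fields[1]` is touched means one malformed feed entry is dropped on its own rather than aborting the whole refresh with an `IndexError` traceback.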