Weird data in source.ip - Dashboards failing 500 #13718
Replies: 5 comments 4 replies
-
Did you perform the steps in this blog post?
-
It might be that the 2 for loops are not working properly. Or it seems to time out?
[root@soc ~]# for i in logs-system.application-default logs-system.security-default logs-system.system-default; do
so-elasticsearch-query $i/_rollover -XPOST
done
{
  "acknowledged": true,
  "shards_acknowledged": true,
  "old_index": ".ds-logs-system.application-default-2024.09.26-000001",
  "new_index": ".ds-logs-system.application-default-2024.09.26-000002",
  "rolled_over": true,
  "dry_run": false,
  "lazy": false,
  "conditions": {}
}
{
  "acknowledged": true,
  "shards_acknowledged": true,
  "old_index": ".ds-logs-system.security-default-2024.09.26-000001",
  "new_index": ".ds-logs-system.security-default-2024.09.26-000002",
  "rolled_over": true,
  "dry_run": false,
  "lazy": false,
  "conditions": {}
}
{
  "error": {
    "root_cause": [
      {
        "type": "process_cluster_event_timeout_exception",
        "reason": "failed to process cluster event (rollover_index source [.ds-logs-system.system-default-2024.09.26-000002] to target [.ds-logs-system.system-default-2024.09.26-000002]) within 30s"
      }
    ],
    "type": "process_cluster_event_timeout_exception",
    "reason": "failed to process cluster event (rollover_index source [.ds-logs-system.system-default-2024.09.26-000002] to target [.ds-logs-system.system-default-2024.09.26-000002]) within 30s"
  },
  "status": 503
}
[root@soc ~]# for i in logs-system.application-default logs-system.security-default logs-system.system-default; do
INDEX_TO_DELETE=$(so-elasticsearch-query $i | jq -r 'keys[]' | tail -2 | head -1); so-elasticsearch-query $INDEX_TO_DELETE -XDELETE
done
{
  "acknowledged": true
}
{
  "error": {
    "root_cause": [
      {
        "type": "process_cluster_event_timeout_exception",
        "reason": "failed to process cluster event (delete-index [[.ds-logs-system.security-default-2024.09.26-000001/rE5JUHwzT62ZRyyaImOccQ]]) within 30s"
      }
    ],
    "type": "process_cluster_event_timeout_exception",
    "reason": "failed to process cluster event (delete-index [[.ds-logs-system.security-default-2024.09.26-000001/rE5JUHwzT62ZRyyaImOccQ]]) within 30s"
  },
  "status": 503
}
{
  "error": {
    "root_cause": [
      {
        "type": "illegal_argument_exception",
        "reason": "index [.ds-logs-system.system-default-2024.09.26-000001] is the write index for data stream [logs-system.system-default] and cannot be deleted"
      }
    ],
    "type": "illegal_argument_exception",
    "reason": "index [.ds-logs-system.system-default-2024.09.26-000001] is the write index for data stream [logs-system.system-default] and cannot be deleted"
  },
  "status": 400
}
Please note I have formatted the JSON output via jq.
-
I wanted to make sure that the script was run properly. So I edited a file on the server and made a shell script properly with the lines.
[root@soc ~]# ./fix.sh
{
  "acknowledged": true,
  "shards_acknowledged": true,
  "old_index": ".ds-logs-system.application-default-2024.09.26-000002",
  "new_index": ".ds-logs-system.application-default-2024.09.26-000004",
  "rolled_over": true,
  "dry_run": false,
  "lazy": false,
  "conditions": {}
}
{
  "acknowledged": true,
  "shards_acknowledged": true,
  "old_index": ".ds-logs-system.security-default-2024.09.26-000002",
  "new_index": ".ds-logs-system.security-default-2024.09.26-000003",
  "rolled_over": true,
  "dry_run": false,
  "lazy": false,
  "conditions": {}
}
{
  "acknowledged": true,
  "shards_acknowledged": true,
  "old_index": ".ds-logs-system.system-default-2024.09.26-000001",
  "new_index": ".ds-logs-system.system-default-2024.09.26-000002",
  "rolled_over": true,
  "dry_run": false,
  "lazy": false,
  "conditions": {}
}
{
  "acknowledged": true
}
{
  "acknowledged": true
}
{
  "acknowledged": true
}
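The two-step fix run above (roll the data streams over, then delete the previous backing index) has no check between the steps, and that is what produced the 400 "is the write index" error: the `tail -2 | head -1` selection picked the only backing index of a stream whose rollover had timed out. The following Python is an added example, not code from this discussion or from Security Onion; it classifies the response shapes posted above, nominates for deletion only the `old_index` of a rollover that Elasticsearch confirmed, and reproduces the positional `jq -r 'keys[]' | tail -2 | head -1` selection to show where it goes wrong. The sample responses are constructed from the ones in the thread, with the long reason strings shortened.

```python
import json

# Constructed sample responses, shaped like the ones posted in the thread.
ROLLOVER_OK = {
    "acknowledged": True, "shards_acknowledged": True,
    "old_index": ".ds-logs-system.security-default-2024.09.26-000002",
    "new_index": ".ds-logs-system.security-default-2024.09.26-000003",
    "rolled_over": True, "dry_run": False, "lazy": False, "conditions": {},
}
ROLLOVER_TIMEOUT = {
    "error": {
        "root_cause": [{"type": "process_cluster_event_timeout_exception",
                        "reason": "failed to process cluster event (rollover_index ...) within 30s"}],
        "type": "process_cluster_event_timeout_exception",
        "reason": "failed to process cluster event (rollover_index ...) within 30s",
    },
    "status": 503,
}
DELETE_WRITE_INDEX = {
    "error": {
        "root_cause": [{"type": "illegal_argument_exception",
                        "reason": "index [...] is the write index for data stream [...] and cannot be deleted"}],
        "type": "illegal_argument_exception",
        "reason": "index [...] is the write index for data stream [...] and cannot be deleted",
    },
    "status": 400,
}


def classify(resp):
    """Map an Elasticsearch response to an action: 'ok', 'retry', 'skip' or 'fail'."""
    if "error" not in resp:
        return "ok"
    err_type = resp["error"].get("type", "")
    reason = resp["error"].get("reason", "")
    status = resp.get("status")
    if status == 503 and err_type.endswith("timeout_exception"):
        # The master did not confirm the change within 30s: treat it as
        # unconfirmed and re-check the stream before deleting anything.
        return "retry"
    if status == 400 and err_type == "illegal_argument_exception" and "write index" in reason:
        # Elasticsearch refuses to delete the write index; roll over first.
        return "skip"
    return "fail"


def rolled_over(resp):
    """True only when Elasticsearch confirms the rollover actually happened."""
    return (classify(resp) == "ok"
            and resp.get("acknowledged") is True
            and resp.get("shards_acknowledged") is True
            and resp.get("rolled_over") is True)


def delete_candidate(resp):
    """The only index safe to delete after a rollover is the one the response
    names as old_index, and only for a confirmed rollover. Deriving it from the
    response (rather than from the index listing) makes it impossible to pick
    the current write index."""
    if not rolled_over(resp):
        return None
    old, new = resp["old_index"], resp["new_index"]
    return old if old != new else None


def guess_by_position(index_names):
    """Reproduce the shell pipeline `jq -r 'keys[]' | tail -2 | head -1`:
    jq emits object keys sorted, tail -2 keeps the last two, head -1 takes
    the first of those. With a single backing index this returns the write index."""
    ordered = sorted(index_names)
    return ordered[-2:][0]


def plan_deletes(rollover_results):
    """For each data stream, record the rollover outcome and the index (if any) to delete."""
    return {
        stream: {"action": classify(resp), "delete": delete_candidate(resp)}
        for stream, resp in rollover_results.items()
    }


if __name__ == "__main__":
    results = {
        "logs-system.security-default": ROLLOVER_OK,
        "logs-system.system-default": ROLLOVER_TIMEOUT,
    }
    print(json.dumps(plan_deletes(results), indent=2))
    # The positional guess selects the write index when a stream has only one backing index.
    print(guess_by_position([".ds-logs-system.system-default-2024.09.26-000001"]))
```

In practice the rollover and delete calls would still be issued with so-elasticsearch-query as in the thread; the point of the functions is that a stream whose rollover returned a 503 gets no delete at all, and a confirmed rollover deletes exactly the index Elasticsearch reported as old_index.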
-
I am, however, now able to load the dashboards that previously would generate a 500 error. EDIT: Nope, after a while I was no longer able to load e.g. the DNS or Sysmon dashboard anymore and it gave a 500; the main dashboard still shows source.ip with weird data.
-
Seems like you might have something that is sending strange data into the system. Are you collecting logs from endpoints via Elastic Agent? Are you collecting logs via syslog? Are you collecting some other kind of data like netflow? If you filter one of these dashboards to show ONLY Zeek data, do the source IP addresses look correct?
-
Version
2.4.100
Installation Method
Security Onion ISO image
Description
installation
Installation Type
Standalone
Location
on-prem with Internet access
Hardware Specs
Exceeds minimum requirements
CPU
RAM
Storage for /
Storage for /nsm
Network Traffic Collection
tap
Network Traffic Speeds
1Gbps to 10Gbps
Status
Yes, all services on all nodes are running OK
Salt Status
Yes, there are salt failures (please provide detail below)
Logs
Yes, there are additional clues in /opt/so/log/ (please provide detail below)
Detail
UTF8/Weird data in "type": "ip" field for source.ip
Hi, if I look at the "Overview" dashboard in SO and scroll down to source.ip I can see something like the following:
You can clearly see that something is wrong, as it's showing what should be IP addresses as weird characters.
Also when I then try to use a dashboard like sysmon/dns or anything with source.ip then I get a 500 notification. But if I remove
groupby source.ip | groupby -sankey source.ip destination.ip
from that part of the dashboard query then it works as expected. So clearly it's affected by those weird source.ip fields is my guess. To dig further, this is the log from elasticsearch:
I have no idea how to debug this further?