Universal Forwarder Configuration failed #29
Comments
Did you stop the splunk process before running this script? It indicated splunkd was already running: "-- Migration information is being logged to '/opt/splunkforwarder/var/log/splunk/migration.log.201
The splunkd on the actual Splunk server or on the honeypot?
That did it - install completed successfully. However, now I'm not seeing any logs from my sensors. My sensors show up, but the Tango app isn't pulling logs in. I even tried uploading the .json file directly into Splunk to see if that would populate the charts, but that didn't work either.
When you go to Search, are you able to manually see the logs?
If I search for index=*, yes.
What if you search specifically in the tango index? Also, could you paste the contents of inputs.conf from the Tango directory on your honeypot?
I get, what, 1 event. Looks like the event that is generated after the UF installation. inputs.conf = #!/bin/sh
Please post the contents of the inputs.conf file from the honeypot.
[monitor:///opt/cowrie/log/cowrie.json*]
[script://./bin/input.sh]
Posted.
If you didn't enable the honeypot index to be able to be searched by default, you'll need to enable that. You'll need to allow users to search the 'honeypot' index by default. To do this, go into "Settings", then "Access Controls", then "Roles", "Admin", then scroll all the way down to "Indexes Searched by Default", then add honeypot to the right-hand column. Let me know if that works out for you!
I did that, still nothing. But I did notice the splunklogger index is disabled.
UPDATE - I reinstalled Splunk; however, the Tango app still does not load any values. I have ensured the Admin role can search the honeypot index. I can confirm that if I manually load a cowrie.json file to the honeypot index NOTHING shows up in the Tango app. However, you can search specifically for the index and I get results. I can confirm that the honeypots are sending traffic through tcpdump and that the Splunk server is receiving that traffic. The issue still is that the Tango app does not process the data.
Turns out the user being used to read the logs did not have permission to do so. Updated permissions and everything is working fine... except the VirusTotal hash submit. But that's another issue...
Specifically, the Tango sensor.sh script sets up users 'cowrie' and 'splunk' on the system. When cowrie is launched using its own 'start.sh' script with the 'cowrie' user, it sets a umask of 0077, which prevents the 'splunk' user from reading the generated log files. This can be resolved by modifying cowrie's 'start.sh' script and changing the umask to 0027, then adding the 'splunk' user to the 'cowrie' group.
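The permission failure described in the comment above, reproduced as an added example (this is not Tango's or cowrie's own code). It shows the file mode a process creates under umask 0077 versus 0027, rewrites the umask line in a constructed stand-in for cowrie's start.sh, and checks group membership; the exact layout of the real start.sh, the `twistd` start command in the sample file, and the existence of the 'cowrie' group and 'splunk' user on the sensor are assumptions.

```shell
#!/bin/sh
# Added example, not Tango's or cowrie's code. A process started with umask
# 0077 creates files readable only by their owner, so a 'splunk' user running
# the Universal Forwarder cannot open cowrie.json. Under umask 0027 the file
# is group-readable, which is enough once 'splunk' is in the 'cowrie' group.

# Print the symbolic mode (e.g. -rw-------) a freshly created file gets
# under the given umask. Uses ls -l rather than stat for portability.
mode_under_umask() {
    dir=$(mktemp -d) || return 1
    ( umask "$1" && : > "$dir/cowrie.json" )
    ls -l "$dir/cowrie.json" | cut -c1-10
    rm -rf "$dir"
}

# Exit 0 if the group read bit is set on FILE (5th character of ls -l output).
group_readable() {
    [ "$(ls -l "$1" | cut -c5)" = "r" ]
}

# Exit 0 if USER is a member of GROUP (primary or supplementary).
user_in_group() {
    id -nG "$1" 2>/dev/null | tr ' ' '\n' | grep -qx "$2"
}

# Rewrite a "umask 0077" line to "umask 0027" in a start.sh-style script.
# Writes to a temp file and renames it because sed -i is not portable.
relax_umask() {
    tmp="$1.tmp.$$"
    sed 's/^\([[:space:]]*umask[[:space:]][[:space:]]*\)0077\([[:space:]]*\)$/\10027\2/' "$1" > "$tmp" \
        && mv "$tmp" "$1"
}

# Demonstration on a constructed stand-in for cowrie's start.sh (the real
# file's contents are assumed, not copied from cowrie).
demo() {
    work=$(mktemp -d) || return 1
    printf '#!/bin/sh\numask 0077\nexec twistd -y cowrie.tac\n' > "$work/start.sh"
    echo "before fix: $(grep umask "$work/start.sh") -> new files get $(mode_under_umask 0077)"
    relax_umask "$work/start.sh"
    echo "after fix:  $(grep umask "$work/start.sh") -> new files get $(mode_under_umask 0027)"
    # On the sensor itself you would then run (assumes the 'cowrie' group and
    # 'splunk' user created by sensor.sh exist):
    #   sudo usermod -aG cowrie splunk
    # and restart cowrie so new log files pick up the new umask. Log files
    # written before the change keep their 0600 mode and need a chmod g+r.
    if user_in_group splunk cowrie; then
        echo "splunk is already in the cowrie group"
    else
        echo "splunk is not in the cowrie group (or the accounts do not exist here)"
    fi
    rm -rf "$work"
}

demo
```

Note that changing the umask only affects files created after cowrie is restarted; existing cowrie.json files still need their group read bit set by hand, and the forwarder user must actually be in the group before the monitor stanza can read them.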
When installing through the .sensor.sh or .uf_only.sh script I get the error: Universal Forwarder Configuration failed. Please check /var/log/tango_install.log for more details. I have attached the log file
UF Error Log.txt
This has happened when trying to use the .sensor.sh script on a brand new Ubuntu 14.04.4 LTS server as well.