    cmatera
    @cmatera
    here's the tcpdump
    image.png
    doesn't look like the suricata
    Andrew
    @a3ilson
    No issue with utilizing the same port but you could send to port 5040 and see if that yields anything...followed up by a tcpdump on port 5040.
    Not sure how often you get suricata events...did you have any docs count within the suricata index?
    cmatera
    @cmatera
    Thanks @a3ilson it was so foolishly simple my port wasn't set properly in the conf file - when I did that I am seeing suricata logs
    I am seeing some _grokparsefailure in the suricata stream, wondering if you had some general advice on how to troubleshoot
    here is an example of an parse failure: <141>Jan 11 16:49:35 suricata[8800]: {"timestamp": "2021-01-11T16:49:35.533775-0500", "flow_id": 898428908309609, "in_iface": "em0", "event_type": "tls", "src_ip": "x.x.x.x", "src_port": 34873, "dest_ip": "52.96.35.2", "dest_port": 443, "proto": "TCP", "tls": {"subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=outlook.com", "issuerdn": "C=US, O=DigiCert Inc, CN=DigiCert Cloud Services CA-1", "serial": "05:21:63:2A:C1:76:DF:2A:DC:CF:AE:A4:AB:74:0A:21
    Andrew
    @a3ilson
    Screen Shot 2021-01-11 at 18.50.52.png
    Apex-Heavy
    @Apex-Heavy

    Hello. I am going to install pfelk on a Debian 10 machine that already has Librenms running on it. Will the pfelk install script conflict with Librenms in some way?

    I've looked through the pfelk manual install directions and it doesn't look like there will be any issues but not sure about the script..

    Librenms uses:
    nginx
    PHP 7.3
    MariaDB
    php-fpm

    Andrew
    @a3ilson
    I didn’t see any conflicts and it should install just fine. The script essentially accomplishes the same thing as the manual install. Additionally, you can review the script but again I’m confident you will not have any conflicts.
    Apex-Heavy
    @Apex-Heavy
    Ok ran the script and looks like the install went fine. Librenms seems to be fine as well.
    Issue is that there is nothing being ingested from pfsense. All the dashboards say "no results found"
    Additionally I cannot access the dashboards from another machine, only the local host
    Apex-Heavy
    @Apex-Heavy
    (Yes I configured pfsense to send the logs)
    Apex-Heavy
    @Apex-Heavy
    Ok got it working. Firewall issue ;)
    Andrew
    @a3ilson
    Excellent!
    Apex-Heavy
    @Apex-Heavy
    Is it possible to get pfBlockerNG logs sent to pfelk?
    Apex-Heavy
    @Apex-Heavy
    Great! Let me know if I can do anything to help..
    Andrew
    @a3ilson
    pfblocker-ng.pdf
    Apex-Heavy
    @Apex-Heavy
    Ok I have the .tcp file for you. Let me know how to get it to you (don't really want to upload here).
    Apex-Heavy
    @Apex-Heavy
    ?
    Andrew
    @a3ilson
    You can send it to support@pfelk.com
    Apex-Heavy
    @Apex-Heavy
    Hey Andrew, did you receive that file?
    Andrew
    @a3ilson
    I haven't received any emails with TCP attachments :(
    Apex-Heavy
    @Apex-Heavy
    Sent again
    Apex-Heavy
    @Apex-Heavy

    @a3ilson I noticed in this section of the wiki there is an error, the files to edit don't match:

    https://github.com/pfelk/pfelk/wiki/How-To:-Performance#logstash-memory

    "This is configured within the jvm.options file located /etc/logstash/jvm.options"
    "Amend nano /etc/logstash/options.jvm"

    Andrew
    @a3ilson
    Thanks/Updated
    killmasta93
    @killmasta93
    hi there, quick question: I have 3 firewalls and two of them have the same network interface. Not sure how to filter that part?
    E ypsilon
    @Eypsilon_gitlab
    hey i got this odd behaviour
    image.png
    everything here is empty but i got data from my opnsense in elk
    and i used the whole install script for elk
    image.png
    image.png
    E ypsilon
    @Eypsilon_gitlab
    i am troubleshooting for hours now...
    Andrew
    @a3ilson

    i am troubleshooting for hours now...

    I would recommend running the error-data.sh script and provide the log. Unable to discern, based on the provided images.

    E ypsilon
    @Eypsilon_gitlab
    where can i find that script
    E ypsilon
    @Eypsilon_gitlab
    nvm got it
    E ypsilon
    @Eypsilon_gitlab
    Andrew
    @a3ilson
    Thanks! Are you using pfsense or opnsense? And what version?
    E ypsilon
    @Eypsilon_gitlab
    opnsense
    20.1.9_1
    Andrew
    @a3ilson
    Do you have remote logging configured?
    E ypsilon
    @Eypsilon_gitlab
    no i dont think so
    oh yes i have
    System > Settings > UDP(4) to the ELK IP
    E ypsilon
    @Eypsilon_gitlab
    as you can see in my first screenshot packets are coming from opnsense
    Andrew
    @a3ilson
    Navigate to Kibana>>Discover and select the pfelk-firewall index pattern. Next expand one of the events and provide the contents of the event.original field.