unable to access kibana from remote box #45

Closed
ilivessevili opened this issue Apr 28, 2016 · 14 comments

@ilivessevili

Per the README here:

If you wish to remotely (from a different PC on your network) access the dashboards you could do that as follows (in your browser):

https://your.selks.IP.here/rules/ - Scirius ruleset management
**https://your.selks.IP.here/log/** - Kibana and click the folder icon for a list of dashboards
You need to authenticate to access to the web interface. The default user/password is the same as for local access: selks-user/selks-user. Don't forget to change credentials at first login. You can do that by going to Account settings in the top left dropdown menu of Scirius.

We tried the bold section to access kibana from remote box, but it failed with

Page not found (404)
Request Method: GET
Request URL:    https://10.65.104.182/log
Using the URLconf defined in scirius.urls, Django tried these URL patterns, in this order:
^admin/
^rules/
^accounts/
^suricata/
^$
^(?P<path>app/kibana.*)$
^(?P<path>timelion/.*)$
^(?P<path>bundles/.*)$
^kibana/(?P<path>.*)$
^elasticsearch/(?P<path>.*)$
^evebox/(?P<path>.*)$
The current URL, log, didn't match any of these.

We have authenticated with the default credentials. What else did we miss?

Thanks!

@pevma
Member

pevma commented May 2, 2016

What SELKS version are you referring to? (2.1 or 3.0RC1)
If you are trying out 3.0RC1 make sure you do:

apt-get update && apt-get dist-upgrade

and restart the Nginx, Kibana and Scirius services.

@ilivessevili
Author

@pevma thanks for the response. I have followed your instruction, however elasticsearch failed to start with the following error
...
root@SELKS:/opt/selks/Scripts/Setup# tail /var/log/elasticsearch/elasticsearch.log
java.lang.IllegalArgumentException: Plugin [delete-by-query] is incompatible with Elasticsearch [2.3.2]. Was designed for version [2.3.1]

...

Does that mean we need to upgrade and install some of the plugins? And what is the solution then?

Thanks!

@ilivessevili
Author

oops, we have figured it out!
reinstall the delete-by-query plugin
...
root@SELKS:/usr/share/elasticsearch/bin# ./plugin install delete-by-query
-> Installing delete-by-query...
Trying https://download.elastic.co/elasticsearch/release/org/elasticsearch/plugin/delete-by-query/2.3.2/delete-by-query-2.3.2.zip ...
Downloading ..DONE
Verifying https://download.elastic.co/elasticsearch/release/org/elasticsearch/plugin/delete-by-query/2.3.2/delete-by-query-2.3.2.zip checksums if available ...
Downloading .DONE
Installed delete-by-query into /usr/share/elasticsearch/plugins/delete-by-query
...

Thanks!

@ilivessevili
Author

@pevma unfortunately, the original issue is not resolved; we still cannot access Kibana from a remote IP. Where are the authentication and authorization defined? How do we know which SELKS version we are using?

Thanks!

@pevma
Member

pevma commented May 6, 2016

If your ES is version 2.3.2 - it is SELKS 3.0RC1.

What browser are you using? It seems it might be related to -
elastic/kibana#6719 (comment)
Can you please confirm the following steps fix the issue:

Edit /etc/elasticsearch/elasticsearch.yaml config
and comment the line "http.cors.enabled: true" (bottom of the config) like so -

#Enable Kibana logging
#http.cors.enabled: true

Restart the services

root@SELKS:~# systemctl restart elasticsearch.service
root@SELKS:~# systemctl restart nginx.service
root@SELKS:~# systemctl restart kibana.service

Clear the browsing history and try again with any browser.

Kibana dashboards are accessed through Scirius (drop down menu upper left corner) -

https://your.selks.IP.here/rules/

@ilivessevili
Author

@pevma it really works! Thanks for your kind help! :-)

@ilivessevili
Author

Verified by pevma's comments above, this issue has been resolved, closing.

@oryt

oryt commented Jun 10, 2016

Hi
I have the same issue and this fix doesn't work for me. I am running SELKS-3.0rc1-nodesktop.iso.
Scirius Home is working and I have updated #http.cors.enabled: true in /etc/elasticsearch/elasticsearch.yml, restarted the services, cleared my browser and I still get the Django 404.
Please advise.

@pevma pevma reopened this Jun 12, 2016
@pevma
Member

pevma commented Jun 12, 2016

Reopening - since it seems it is a problem for @oryt.
Can you please:
1 - paste the err output?
2 - try doing a complete - apt-get update && apt-get dist-upgrade

Thanks

@oryt

oryt commented Jun 13, 2016

Page not found (404)
Request Method: GET
Request URL: https://MYIP/log/

Using the URLconf defined in scirius.urls, Django tried these URL patterns, in this order:

^admin/
^rules/
^accounts/
^suricata/
^$
^(?P<path>app/kibana.*)$
^(?P<path>timelion/.*)$
^(?P<path>bundles/.*)$
^kibana/(?P<path>.*)$
^elasticsearch/(?P<path>.*)$
^evebox/(?P<path>.*)$

The current URL, log/, didn't match any of these.

You're seeing this error because you have DEBUG = True in your Django settings file. Change that to False, and Django will display a standard 404 page.

apt-get update && apt-get dist-upgrade:

Errors were encountered while processing:
/var/cache/apt/archives/kibana_4.5.1_amd64.deb
E: Sub-process /usr/bin/dpkg returned an error code (1)

Did an apt-get install --fix-missing and said yes to the database choice

Temporary failure resolving package.elastic.co

No network, had to revert back to def settings in interfaces

The primary network interface
allow-hotplug eth0
iface eth0 inet dhcp

Prev settings
auto eth0
iface eth0 inet manual
pre-up ifconfig $IFACE up
post-down ifconfig $IFACE down
post-up /etc/network/if-up.d/idps-interface-tuneups_stamus

apt-get update && apt-get dist-upgrade

Preparing to unpack .../kibana_4.5.1_amd64.deb ...
Unpacking kibana (4.5.1) over (4.5.0) ...
userdel: user kibana is currently used by process 578
dpkg: warning: subprocess old post-removal script returned error exit status 8
dpkg: trying script from the new package instead ...
userdel: user kibana is currently used by process 578
dpkg: error processing archive /var/cache/apt/archives/kibana_4.5.1_amd64.deb (--unpack):
subprocess new post-removal script returned error exit status 8
userdel: user kibana is currently used by process 578
dpkg: error while cleaning up:
subprocess new post-removal script returned error exit status 8
Processing triggers for systemd (215-17+deb8u4) ...
Errors were encountered while processing:
/var/cache/apt/archives/kibana_4.5.1_amd64.deb
E: Sub-process /usr/bin/dpkg returned an error code (1)

On SELKS with desktop system

root@SELKS:/home/selks-user# service kibana status
● kibana.service - no description given
Loaded: loaded (/lib/systemd/system/kibana.service; enabled)
Active: failed (Result: start-limit) since Mon 2016-06-13 10:11:41 CEST; 5min ago
Process: 1458 ExecStart=/opt/kibana/bin/kibana (code=exited, status=1/FAILURE)
Main PID: 1458 (code=exited, status=1/FAILURE)

Jun 13 10:11:41 SELKS systemd[1]: Unit kibana.service entered failed state.
Jun 13 10:11:41 SELKS systemd[1]: kibana.service start request repeated too quickly, refusing to start.
Jun 13 10:11:41 SELKS systemd[1]: Failed to start no description given.
Jun 13 10:11:41 SELKS systemd[1]: Unit kibana.service entered failed state.
root@SELKS:/home/selks-user#

After dist-upgrade

root@SELKS:/home/selks-user# service kibana status
● kibana.service - no description given
Loaded: loaded (/lib/systemd/system/kibana.service; enabled)
Active: active (running) since Mon 2016-06-13 10:20:26 CEST; 800ms ago
Main PID: 1857 (node)
CGroup: /system.slice/kibana.service
└─1857 /opt/kibana/bin/../node/bin/node /opt/kibana/bin/../src/cli
root@SELKS:/home/selks-user#

root@SELKS:/etc/elasticsearch# service elasticsearch status
● elasticsearch.service - Elasticsearch
Loaded: loaded (/usr/lib/systemd/system/elasticsearch.service; disabled)
Active: active (running) since Mon 2016-06-13 10:14:56 CEST; 16min ago
Docs: http://www.elastic.co
Process: 1546 ExecStartPre=/usr/share/elasticsearch/bin/elasticsearch-systemd-pre-exec (code=exited, status=0/SUCCESS)
Main PID: 1548 (java)
CGroup: /system.slice/elasticsearch.service
└─1548 /usr/bin/java -Xms256m -Xmx1g -Djava.awt.headless=true -XX:+UseParNewGC -XX:+UseConcMarkSweepGC -XX:CMSInitiatingOccupancyFraction=75 -XX:+UseCMSInitiatingOccupancyOnly -XX:+HeapDumpO...

root@SELKS:/etc/elasticsearch# service nginx status
● nginx.service - A high performance web server and a reverse proxy server
Loaded: loaded (/lib/systemd/system/nginx.service; enabled)
Active: active (running) since Mon 2016-06-13 10:10:28 CEST; 22min ago
Process: 692 ExecStart=/usr/sbin/nginx -g daemon on; master_process on; (code=exited, status=0/SUCCESS)
Process: 572 ExecStartPre=/usr/sbin/nginx -t -q -g daemon on; master_process on; (code=exited, status=0/SUCCESS)
Main PID: 1826 (nginx)

Page not found (404)
Request Method: GET
Request URL: https://1MYIP/logs/

Using the URLconf defined in scirius.urls, Django tried these URL patterns, in this order:

^admin/
^rules/
^accounts/
^suricata/
^$
^(?P<path>app/kibana.*)$
^(?P<path>timelion/.*)$
^(?P<path>bundles/.*)$
^kibana/(?P<path>.*)$
^elasticsearch/(?P<path>.*)$
^evebox/(?P<path>.*)$

The current URL, logs/, didn't match any of these.

You're seeing this error because you have DEBUG = True in your Django settings file. Change that to False, and Django will display a standard 404 page.

@pevma
Member

pevma commented Jun 16, 2016

I was able to reproduce an issue similar to what you have reported. Can you please try the following sequence below and let me know if it works for you:

nano /etc/elasticsearch/elasticsearch.yml

Make sure you have commented out the line "http.cors.enabled: true" (bottom of the config) like so

#Enable Kibana logging
#http.cors.enabled: true

then:

service kibana stop
/usr/share/elasticsearch/bin/plugin remove delete-by-query
apt-get update && apt-get dist-upgrade
chown -R kibana /opt/kibana/optimize/
/usr/share/elasticsearch/bin/plugin install delete-by-query
systemctl restart elasticsearch.service
systemctl restart kibana.service
/etc/init.d/scirius restart

@oryt

oryt commented Jun 21, 2016

Followed the above instructions on SELKS-3.0rc1-desktop.iso but I still get the same 404 error page when trying to reach https://your.selks.IP.here/log/

I checked and elasticsearch, Kibana and scirius all check as running.

@pevma
Member

pevma commented Jun 21, 2016

How about if you try to access -
https://your.selks.IP.here/evebox/
or
https://your.selks.IP.here/
?
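
An added example (not part of the thread or of the Scirius code base) that replays the URL patterns from the debug 404 page quoted above against the paths discussed, showing that `/log/` and `/logs/` match no route while `/app/kibana`, `/kibana/` and `/evebox/` do. The helper names `parse_patterns` and `resolve` are hypothetical, and a hit on a prefix pattern such as `^rules/` only means the top-level URLconf accepts the path.

```python
import re

# Pattern list copied from the Django debug 404 page quoted in the thread.
DEBUG_404 = r"""
Using the URLconf defined in scirius.urls, Django tried these URL patterns, in this order:
^admin/
^rules/
^accounts/
^suricata/
^$
^(?P<path>app/kibana.*)$
^(?P<path>timelion/.*)$
^(?P<path>bundles/.*)$
^kibana/(?P<path>.*)$
^elasticsearch/(?P<path>.*)$
^evebox/(?P<path>.*)$
The current URL, log, didn't match any of these.
"""


def parse_patterns(page):
    """Return the regex lines listed on a Django debug 404 page, in order."""
    return [ln.strip() for ln in page.splitlines() if ln.strip().startswith("^")]


def resolve(url_path, patterns):
    """Return (pattern, captured 'path' group or None) for the first match.

    Mirrors Django's top-level resolution: the leading slash is dropped and
    the patterns are tried in order. Returns None when nothing matches (404).
    """
    candidate = url_path.lstrip("/")
    for pat in patterns:
        m = re.search(pat, candidate)
        if m:
            return pat, m.groupdict().get("path")
    return None


PATTERNS = parse_patterns(DEBUG_404)

if __name__ == "__main__":
    # Paths mentioned by the participants in this issue.
    for p in ["/log/", "/logs/", "/rules/", "/app/kibana", "/kibana/", "/evebox/", "/"]:
        print(f"{p:14} -> {resolve(p, PATTERNS)}")
```

The route list is visible to a remote client only because the 404 page is rendered with DEBUG = True, as the error text itself states.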

@oryt

oryt commented Oct 15, 2016

Sorry for the delay. You can close this and if there are any more issues I will get back to you.

@pevma pevma closed this as completed Oct 17, 2016