pe3zx edited this page May 8, 2021 · 10 revisions

TheHive: StreamSrv 504 Gateway

TheHive's web UI keeps a long-polling request open against the stream API (StreamSrv). nginx's default proxy timeouts are 60 seconds, shorter than that poll, so the proxy gives up and returns a 504 Gateway Time-out before TheHive has answered. The nginx configuration must raise the proxy timeouts and pass the request upstream as HTTP/1.1 without a Connection header. The recommended configuration linked from the original page, with its formatting repaired, is:

server {
    listen 443 ssl;
    server_name thehive.example.com;

    ssl_certificate ssl/thehive_cert.pem;
    ssl_certificate_key ssl/thehive_key.pem;

    # nginx defaults to 60s for each of these; the stream poll outlives that.
    proxy_connect_timeout 600;
    proxy_send_timeout 600;
    proxy_read_timeout 600;
    send_timeout 600;
    # Large observable attachments are uploaded through the proxy.
    client_max_body_size 2G;
    # Deliver stream responses as they arrive instead of holding them.
    proxy_buffering off;
    client_header_buffer_size 8k;

    location / {
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
        proxy_pass http://127.0.0.1:9000/;
        # HTTP/1.1 with an empty Connection header keeps the upstream
        # connection open; cf. https://github.com/akka/akka/issues/19542
        proxy_http_version 1.1;
        proxy_set_header Connection "";
    }
}
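As an added check, not part of the original page or of TheHive, the script below lints an nginx vhost for the settings above and compares a stock reverse-proxy block with the corrected one. The 600 s threshold, the assumption that timeouts are written in seconds, and both sample configs are constructed for this example.

```shell
#!/usr/bin/env bash
# Added example, not from the wiki or TheHive: check an nginx vhost for the
# settings the stream API needs. Thresholds and sample configs are assumptions.
set -eu

# Print the value of a simple "name value;" directive (first match, ';' stripped).
directive_value() {
    awk -v d="$2" '$1 == d { sub(/;.*/, "", $2); print $2; exit }' "$1"
}

# Return 0 if the vhost is safe for the long-polling stream API, 1 otherwise.
# Each failing check is reported on stderr. Timeout values are assumed to be
# plain seconds (600 or 600s), as in the recommended config.
check_thehive_proxy_conf() {
    conf="$1"; ok=0
    for d in proxy_connect_timeout proxy_send_timeout proxy_read_timeout send_timeout; do
        v=$(directive_value "$conf" "$d")
        # nginx defaults to 60s here, which is shorter than the stream poll.
        if [ -z "$v" ] || [ "${v%s}" -lt 600 ]; then
            echo "$conf: $d missing or below 600s (got '${v:-unset}')" >&2; ok=1
        fi
    done
    # HTTP/1.1 plus an empty Connection header lets the upstream keep the
    # connection open instead of closing it after every poll.
    if [ "$(directive_value "$conf" proxy_http_version)" != "1.1" ]; then
        echo "$conf: proxy_http_version 1.1 is required" >&2; ok=1
    fi
    if ! grep -Eq '^[[:space:]]*proxy_set_header[[:space:]]+Connection[[:space:]]+"";' "$conf"; then
        echo "$conf: proxy_set_header Connection \"\" is missing" >&2; ok=1
    fi
    if [ "$(directive_value "$conf" proxy_buffering)" != "off" ]; then
        echo "$conf: proxy_buffering should be off so stream replies are not held back" >&2; ok=1
    fi
    return $ok
}

TMPD=$(mktemp -d)
GOOD_CONF="$TMPD/thehive-good.conf"
BAD_CONF="$TMPD/thehive-bad.conf"

# Constructed sample: the recommended vhost from above, TLS lines omitted.
cat > "$GOOD_CONF" <<'EOF'
server {
    listen 443 ssl;
    proxy_connect_timeout 600;
    proxy_send_timeout 600;
    proxy_read_timeout 600;
    send_timeout 600;
    proxy_buffering off;
    location / {
        proxy_pass http://127.0.0.1:9000/;
        proxy_http_version 1.1;
        proxy_set_header Connection "";
    }
}
EOF

# Constructed sample: a stock reverse proxy that relies on nginx defaults.
cat > "$BAD_CONF" <<'EOF'
server {
    listen 443 ssl;
    location / {
        proxy_pass http://127.0.0.1:9000/;
    }
}
EOF

check_thehive_proxy_conf "$GOOD_CONF" && echo "$GOOD_CONF: ok"
check_thehive_proxy_conf "$BAD_CONF" || echo "$BAD_CONF: would return 504 on the stream API"
```

Run it against the real vhost file (`check_thehive_proxy_conf /etc/nginx/conf.d/thehive.conf`) before `nginx -t`; it only inspects the directives the stream API depends on, so a passing result does not validate the rest of the file.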

MISP: exec user process caused "no such file or directory"

This happens when run.sh in pe3zx/misp-docker has Windows (CRLF) line endings. The kernel then reads the interpreter named in the shebang line as the path followed by a carriage return, which does not exist, so the container runtime fails the entrypoint with "no such file or directory". Make sure run.sh uses Unix line endings (a Windows editor, or a Git checkout with core.autocrlf=true, can reintroduce CRLF). dos2unix converts the file in place:

dos2unix run.sh
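The following added example, which is not part of the wiki page or of pe3zx/misp-docker, reproduces the failure with a constructed entrypoint script, shows the carriage return hiding in the shebang, and fixes it with tr for hosts that do not have dos2unix installed. File paths and the script contents are constructed.

```shell
#!/usr/bin/env bash
# Added example, not from the wiki or pe3zx/misp-docker: show why a CRLF run.sh
# cannot be exec'd and fix it without dos2unix. File paths are constructed.
set -eu

# Return 0 if the file contains carriage returns (CRLF line endings).
has_crlf() {
    grep -q "$(printf '\r')" "$1"
}

# Show the shebang with non-printing characters visible (a CR appears as ^M).
show_shebang() {
    head -n 1 "$1" | cat -v
}

# Return 0 if the script can be executed, 1 otherwise (output discarded).
can_exec() {
    "$1" >/dev/null 2>&1
}

# Convert CRLF to LF in place, which is what dos2unix does for a plain script.
# Writing back through cat keeps the file's mode bits (the +x) intact.
# Note: this drops every CR, so do not use it on files that need literal CRs.
strip_crlf() {
    tr -d '\r' < "$1" > "$1.lf" && cat "$1.lf" > "$1" && rm -f "$1.lf"
}

# Write a constructed entrypoint with Windows line endings, as a Windows editor
# or a Git checkout with core.autocrlf=true would produce.
make_crlf_script() {
    printf '#!/bin/sh\r\necho "entrypoint ok"\r\n' > "$1"
    chmod +x "$1"
}

TMPD=$(mktemp -d)
SCRIPT="$TMPD/run.sh"
make_crlf_script "$SCRIPT"

echo "before: $(show_shebang "$SCRIPT")"
if can_exec "$SCRIPT"; then echo "before: exec ok"; else echo "before: exec failed (interpreter '/bin/sh\\r' not found)"; fi
strip_crlf "$SCRIPT"
echo "after:  $(show_shebang "$SCRIPT")"
if can_exec "$SCRIPT"; then echo "after:  exec ok"; else echo "after:  exec failed"; fi
```

`has_crlf` is a cheap pre-commit or CI check to put in front of the image build, so a CRLF entrypoint is caught before the container is started.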

TheHive and Cortex: Missing connectors/analyzers/responders

On hardened hosts, mounted volumes are restricted with mount options such as noexec and with tight file permissions. Either control can stop TheHive connectors or Cortex analyzers/responders from loading. The mount options or file permissions must be adjusted so that the user the service runs as inside the container can read the files (and, for analyzers and responders, execute them).

One symptom seen on TheHive is that connectors.misp.MispConnect fails to load without any error being logged; the startup log simply never mentions the connector:

thehive_1        | [info] o.r.Reflections - Reflections took 200 ms to scan 5 urls, producing 123 keys and 1346 values 
thehive_1        | [info] module - Loading model class models.AlertModel
thehive_1        | [info] module - Loading model class models.CaseModel
thehive_1        | [info] module - Loading model class connectors.cortex.models.JobModel
thehive_1        | [info] module - Loading model class connectors.cortex.models.ReportTemplateModel
thehive_1        | [info] module - Loading model class models.UserModel
thehive_1        | [info] module - Loading model class models.ArtifactModel
thehive_1        | [info] module - Loading model class org.elastic4play.services.AttachmentModel
thehive_1        | [info] module - Loading model class connectors.cortex.models.ActionModel
thehive_1        | [info] module - Loading model class models.TaskModel
thehive_1        | [info] module - Loading model class models.DashboardModel
thehive_1        | [info] module - Loading model class org.elastic4play.services.DBListModel
thehive_1        | [info] module - Loading model class models.CaseTemplateModel
thehive_1        | [info] module - Loading model class models.AuditModel
thehive_1        | [info] module - Loading model class models.LogModel
thehive_1        | [info] a.e.s.Slf4jLogger - Slf4jLogger started
thehive_1        | [info] a.r.Remoting - Starting remoting
thehive_1        | [info] a.r.Remoting - Remoting started; listening on addresses :[akka.tcp://application@172.16.0.12:2552]
thehive_1        | [info] a.r.Remoting - Remoting now listens on addresses: [akka.tcp://application@172.16.0.12:2552]
thehive_1        | [info] a.c.Cluster(akka://application) - Cluster Node [akka.tcp://application@172.16.0.12:2552] - Starting up, Akka version [2.5.19] ...
thehive_1        | [info] a.c.Cluster(akka://application) - Cluster Node [akka.tcp://application@172.16.0.12:2552] - Registered cluster JMX MBean [akka:type=Cluster]
thehive_1        | [info] a.c.Cluster(akka://application) - Cluster Node [akka.tcp://application@172.16.0.12:2552] - Started up successfully
thehive_1        | [info] a.c.Cluster(akka://application) - Cluster Node [akka.tcp://application@172.16.0.12:2552] - No seed-nodes configured, manual cluster join required
thehive_1        | [info] o.e.p.PluginsService - no modules loaded
thehive_1        | [info] o.e.p.PluginsService - loaded plugin [org.elasticsearch.index.reindex.ReindexPlugin]
thehive_1        | [info] o.e.p.PluginsService - loaded plugin [org.elasticsearch.join.ParentJoinPlugin]
thehive_1        | [info] o.e.p.PluginsService - loaded plugin [org.elasticsearch.percolator.PercolatorPlugin]
thehive_1        | [info] o.e.p.PluginsService - loaded plugin [org.elasticsearch.script.mustache.MustachePlugin]
thehive_1        | [info] o.e.p.PluginsService - loaded plugin [org.elasticsearch.transport.Netty3Plugin]
thehive_1        | [info] o.e.p.PluginsService - loaded plugin [org.elasticsearch.transport.Netty4Plugin]

In this situation, check the permissions on /etc/thehive/application.conf and make sure the user TheHive runs as inside the container can read it. The quick fix from the original notes is to make the file world-readable:

chmod +r application.conf

Bear in mind that application.conf holds secrets (play.http.secret.key and the Cortex API key), so the narrower fix is to chown the file to the container's TheHive user and keep mode 640.

A related issue on Cortex is that nothing is loaded from /opt/Cortex-Analyzers/ (the bind mount of ./apps/Cortex-Analyzers/ on the host): the worker directories are reported as not found and the worker list stays empty. The fix that worked was to remount the volume with exec and to grant permissions on ./apps/Cortex-Analyzers/ recursively. The original note used chmod -R 777; read and execute for the Cortex user is all the analyzers need, so prefer chown to that user with mode 755 over a world-writable tree.

cortex_1         | [info] a.e.s.Slf4jLogger - Slf4jLogger started
cortex_1         | [info] o.e.p.PluginsService - no modules loaded
cortex_1         | [info] o.e.p.PluginsService - loaded plugin [org.elasticsearch.index.reindex.ReindexPlugin]
cortex_1         | [info] o.e.p.PluginsService - loaded plugin [org.elasticsearch.join.ParentJoinPlugin]
cortex_1         | [info] o.e.p.PluginsService - loaded plugin [org.elasticsearch.percolator.PercolatorPlugin]
cortex_1         | [info] o.e.p.PluginsService - loaded plugin [org.elasticsearch.script.mustache.MustachePlugin]
cortex_1         | [info] o.e.p.PluginsService - loaded plugin [org.elasticsearch.transport.Netty3Plugin]
cortex_1         | [info] o.e.p.PluginsService - loaded plugin [org.elasticsearch.transport.Netty4Plugin]
cortex_1         | [info] i.n.u.i.PlatformDependent - Your platform does not provide complete low-level API for accessing direct buffers reliably. Unless explicitly requested, heap buffer will always be preferred to avoid potential system instability.
cortex_1         | [warn] o.t.c.s.WorkerSrv - Worker directory (/opt/Cortex-Analyzers/analyzers) is not found
cortex_1         | [warn] o.t.c.s.WorkerSrv - Worker directory (/opt/Cortex-Analyzers/responders) is not found
cortex_1         | [info] o.t.c.s.WorkerSrv - New worker list:
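Both causes in this section can be checked before the containers are started. The script below is an added example, not code from the wiki, TheHive or Cortex: it resolves which mount holds the analyzers directory from a file in /proc/self/mountinfo format and reports noexec, and it checks whether application.conf is readable by users other than its owner. The mountinfo sample, the paths and the config file are constructed; the permission check uses GNU stat.

```shell
#!/usr/bin/env bash
# Added example, not from the wiki, TheHive or Cortex: pre-flight checks for a
# noexec mount under the analyzers directory and for a config file the
# container user cannot read. The mountinfo sample is constructed.
set -eu

# Print the per-mount options of the mount that holds path $2, reading a file
# in /proc/self/mountinfo format ($1). The longest matching mount point wins.
mount_opts_for() {
    awk -v p="$2" '
        { mp = $5; opts = $6 }
        mp == "/" || p == mp || index(p, mp "/") == 1 {
            if (length(mp) > length(best)) { best = mp; bestopts = opts }
        }
        END { print bestopts }' "$1"
}

# Return 0 if the mount holding $2 is noexec, so analyzer scripts cannot run.
is_noexec() {
    mount_opts_for "$1" "$2" | tr ',' '\n' | grep -qx noexec
}

# Return 0 if "other" users can read the file (GNU stat). The service inside
# the container is usually not the owner of a bind-mounted config file.
world_readable() {
    [ "$(stat -c %A "$1" | cut -c8)" = "r" ]
}

# Run both checks against a mountinfo file, the analyzers path and the config
# path; returns 1 if anything would block loading.
preflight() {
    mountinfo="$1" analyzers="$2" conf="$3" ok=0
    if is_noexec "$mountinfo" "$analyzers"; then
        echo "$analyzers: on a noexec mount ($(mount_opts_for "$mountinfo" "$analyzers")); remount with exec" >&2; ok=1
    fi
    if ! world_readable "$conf"; then
        echo "$conf: not readable by others; chown to the service user or chmod +r" >&2; ok=1
    fi
    return $ok
}

TMPD=$(mktemp -d)
SAMPLE_MOUNTINFO="$TMPD/mountinfo"
# Constructed sample in /proc/self/mountinfo format: /srv is a hardened data
# volume mounted noexec, with a plain sub-mount for Elasticsearch data.
cat > "$SAMPLE_MOUNTINFO" <<'EOF'
22 1 8:1 / / rw,relatime - ext4 /dev/sda1 rw
45 22 8:17 / /srv rw,nosuid,nodev,noexec,relatime - ext4 /dev/sdb1 rw
61 45 8:33 / /srv/thehive/data rw,relatime - ext4 /dev/sdc1 rw
EOF

SAMPLE_CONF="$TMPD/application.conf"
printf 'play.http.secret.key = "example"\n' > "$SAMPLE_CONF"
chmod 600 "$SAMPLE_CONF"    # typical after copying the file in as root

preflight "$SAMPLE_MOUNTINFO" /srv/thehive/apps/Cortex-Analyzers "$SAMPLE_CONF" \
    || echo "fix the items above, then restart the containers"
```

On a real host, pass /proc/self/mountinfo as the first argument and the host-side bind-mount paths as the others. The mount lookup picks the longest mount point that is a prefix of the path, which is why the Elasticsearch sub-mount in the sample is not reported as noexec even though its parent is.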

TheHive and Cortex: Services started before Elasticsearch is ready

In some cases Elasticsearch is not ready yet when TheHive and Cortex start, which shows up as errors like these in the service logs:

cortex_1         | [info] o.t.c.s.ErrorHandler - GET /api/user/current returned 520
cortex_1         | org.elasticsearch.transport.RemoteTransportException: [KBrQQVH][172.16.0.9:9300][indices:data/read/search]
cortex_1         | Caused by: org.elasticsearch.index.IndexNotFoundException: no such index

Check the Elasticsearch container logs to see whether the cluster has come up. Once Elasticsearch is ready, restarting both TheHive and Cortex resolves the connection errors.
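Rather than restarting by hand, the entrypoint can wait for Elasticsearch before launching the service. The script below is an added example, not code from the wiki, TheHive or Cortex: it parses the cluster status from a _cluster/health response and polls until the cluster is usable. The service URL, the timeout and the two sample responses are constructed for this example; a single-node cluster reports yellow rather than green, so yellow must count as ready.

```shell
#!/usr/bin/env bash
# Added example, not from the wiki, TheHive or Cortex: wait for Elasticsearch
# before starting the services. URL, timeout and sample responses are constructed.
set -eu

# Extract "status" from a _cluster/health JSON body with sed (no jq in most
# images). Returns 0 for green or yellow, 1 for red, empty or non-JSON input.
es_status_ready() {
    status=$(printf '%s' "$1" | sed -n 's/.*"status"[[:space:]]*:[[:space:]]*"\([a-z]*\)".*/\1/p')
    case "$status" in
        green|yellow) return 0 ;;
        *)            return 1 ;;
    esac
}

# Poll $1/_cluster/health every 2s until ready or $2 seconds have passed.
# A refused connection (curl failure) counts as "not ready", not as an error,
# because that is exactly the state while the container is still booting.
wait_for_es() {
    url="${1:-http://elasticsearch:9200}"
    deadline=$(( $(date +%s) + ${2:-120} ))
    while [ "$(date +%s)" -lt "$deadline" ]; do
        body=$(curl -fsS "$url/_cluster/health" 2>/dev/null || true)
        if es_status_ready "$body"; then
            echo "elasticsearch ready: $body"
            return 0
        fi
        sleep 2
    done
    echo "elasticsearch not ready after ${2:-120}s" >&2
    return 1
}

# Constructed responses, as GET /_cluster/health returns on a single node.
SAMPLE_READY='{"cluster_name":"hive","status":"yellow","timed_out":false,"number_of_nodes":1}'
SAMPLE_NOT_READY='{"cluster_name":"hive","status":"red","timed_out":false,"number_of_nodes":1}'

es_status_ready "$SAMPLE_READY"     && echo "yellow on a single node: safe to start TheHive and Cortex"
es_status_ready "$SAMPLE_NOT_READY" || echo "red: keep waiting"
```

In an entrypoint this becomes `wait_for_es "$ES_URL" 120 && exec bin/thehive ...` (the binary path depends on the image); the same gate in the Cortex entrypoint removes the restart step described above.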