Key web interfaces
https://localhost - Kibana web interface - After deploy, the created creds are in the home directory of the user created upon install as
https://localhost:8443 - Docket - web interface for pulling PCAP from the sensor (must be enabled in config)
localhost = IP of the management interface of the box
After the initial build, the ES cluster will be yellow because the marvel index will think it's missing a replica. Run this to fix this issue. This job will run from cron just after midnight every day:
/usr/local/bin/es_cleanup.sh 2>&1 > /dev/null
Check to see that the ES cluster says it's green:
curl -s localhost:9200/_cluster/health | jq '.'
See how many documents are in the indexes. The count should be non-zero:
curl -s localhost:9200/_all/_count | jq '.'
You can fire some traffic across the sensor at this point to see if it's collecting. NOTE: This requires that you upload your own test PCAP to the box.
sudo tcpreplay -i [your monitor interface] /path/to/a/test.pcap
After replaying some traffic, or just waiting a bit, the count should be going up.
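The three checks above (cluster status, a non-zero document count, and a count that keeps rising after traffic is replayed) combined into one script. This is an added example, not part of the ROCK documentation or the project's own tooling; it assumes Elasticsearch answers on http://localhost:9200 without authentication, as the curl commands above do, and the sample responses embedded at the top are constructed so the checks can be exercised offline.

```python
"""Post-install sanity check for the sensor's Elasticsearch cluster.

Added example, not ROCK project code. It wraps the two curl checks from
the guide (cluster health, document count) and a second count snapshot
into one pass/fail run. ES_URL is an assumed default; override on the CLI.
"""
import json
import sys
import time
import urllib.request

ES_URL = "http://localhost:9200"  # assumption: unauthenticated ES on the box

# Constructed sample responses (not captured from a real cluster), used by
# demo() and by tests so the logic can be exercised without a live sensor.
SAMPLE_HEALTH_YELLOW = {"cluster_name": "rocknsm", "status": "yellow",
                        "number_of_nodes": 1, "unassigned_shards": 1}
SAMPLE_HEALTH_GREEN = {"cluster_name": "rocknsm", "status": "green",
                       "number_of_nodes": 1, "unassigned_shards": 0}
SAMPLE_COUNT_EMPTY = {"count": 0, "_shards": {"total": 5, "successful": 5, "failed": 0}}
SAMPLE_COUNT_BEFORE = {"count": 1200, "_shards": {"total": 5, "successful": 5, "failed": 0}}
SAMPLE_COUNT_AFTER = {"count": 1850, "_shards": {"total": 5, "successful": 5, "failed": 0}}


def fetch_json(path, base_url=ES_URL, timeout=5):
    """GET an ES endpoint (e.g. /_cluster/health) and parse the JSON body."""
    with urllib.request.urlopen(base_url + path, timeout=timeout) as resp:
        return json.load(resp)


def health_status(health):
    """Cluster colour from _cluster/health: 'green', 'yellow' or 'red'."""
    return health.get("status", "unknown")


def total_docs(count):
    """Document count from _all/_count; the guide expects this to be non-zero."""
    return int(count.get("count", 0))


def ingestion_increasing(before, after):
    """True when the count grew between two snapshots (after replay or just waiting)."""
    return total_docs(after) > total_docs(before)


def assess(health, count):
    """Turn the guide's two checks into a list of findings; empty means healthy."""
    findings = []
    status = health_status(health)
    if status != "green":
        findings.append(
            f"cluster status is {status} with {health.get('unassigned_shards', '?')} "
            "unassigned shards; run /usr/local/bin/es_cleanup.sh if this is the "
            "post-build yellow state from the marvel index")
    if total_docs(count) == 0:
        findings.append("no documents indexed yet; replay a test PCAP across the "
                        "monitor interface and re-check")
    return findings


def run(base_url=ES_URL, wait_seconds=30):
    """Live check against a cluster: returns 0 when green and ingesting, else 1."""
    health = fetch_json("/_cluster/health", base_url)
    before = fetch_json("/_all/_count", base_url)
    for finding in assess(health, before):
        print("WARN:", finding)
    print(f"waiting {wait_seconds}s to see whether the document count rises...")
    time.sleep(wait_seconds)
    after = fetch_json("/_all/_count", base_url)
    if ingestion_increasing(before, after):
        print(f"OK: count rose from {total_docs(before)} to {total_docs(after)}")
        return 0 if not assess(health, after) else 1
    print("WARN: count did not rise; the sensor does not appear to be collecting")
    return 1


def demo():
    """Offline walk-through using the constructed samples above."""
    print("fresh build:", assess(SAMPLE_HEALTH_YELLOW, SAMPLE_COUNT_EMPTY))
    print("after cleanup and replay:", assess(SAMPLE_HEALTH_GREEN, SAMPLE_COUNT_AFTER))
    print("count rising:", ingestion_increasing(SAMPLE_COUNT_BEFORE, SAMPLE_COUNT_AFTER))


if __name__ == "__main__":
    if "--demo" in sys.argv:
        demo()
    else:
        sys.exit(run(sys.argv[1] if len(sys.argv) > 1 else ES_URL))
```

Run it with `--demo` to see the decision logic on the embedded samples, or with no arguments (optionally a different base URL) on the sensor itself after the initial build; a non-zero exit means either the cluster is not green or the count did not move during the wait.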
You should have plain text bro logs showing up in /data/bro/logs/current/:
ls -ltr /data/bro/logs/current/
Start / Stop / Status
@todo Modify the rock_* tasks to be
They're still there, for now, but rockctl is the "One True Path":tm:.
These functions are accomplished with
NOTE: these may need to be prefaced with /usr/local/bin/ depending on your $PATH.