Install issue - Hangs trying to register Correlator (Manager Side)

Added by Tony Su over 2 years ago

Following SUSE/openSUSE instructions on an openSUSE 42.2
https://www.prelude-siem.org/projects/prelude/wiki/InstallingPackageOpenSuSE#InstallingPackageOpenSuSE

Working my way down the page, all has been successful until...

Registering Correlator (prelude manager side) hangs with the following stdout

# prelude-admin registration-server prelude-manager
The "k6l4mpt6" password will be requested by "prelude-admin register"
in order to connect. Please remove the quotes before using it.

Generating 1024 bits Diffie-Hellman key for anonymous authentication...
Waiting for peers install request on 0.0.0.0:5553...
Waiting for peers install request on :::5553...


Replies (7)

RE: Install issue - Hangs trying to register Correlator (Manager Side) - Added by Thomas ANDREJAK over 2 years ago

Hello

Yes, it is normal. You have to do the next step in another terminal to do the registration.
You have to read this: InstallingAgentRegistration

Regards

RE: Install issue - Hangs trying to register Correlator (Manager Side) - Added by Tony Su over 2 years ago

I think I finally figured out what is needed but still results in an error...

This is an attempt to register the LML Prelude Agent to the Prelude Manager running on the same machine
The firewall has been dropped, so it's not blocking.
OpenSSL is installed, here are the installed packages

# zypper se -i openssl
Loading repository data...
Reading installed packages...

S | Name                  | Summary                                    | Type   
--+-----------------------+--------------------------------------------+--------
i | libopenssl1_0_0       | Secure Sockets and Transport Layer Secur-> | package
i | libopenssl1_0_0-32bit | Secure Sockets and Transport Layer Secur-> | package
i | openssl               | Secure Sockets and Transport Layer Secur-> | package
i | python-pyOpenSSL      | Python wrapper module around the OpenSSL-> | package

First, the following in one console, which is left hanging...

 prelude-admin registration-server prelude-manager
The "r1a6m48u" password will be requested by "prelude-admin register" 
in order to connect. Please remove the quotes before using it.

Generating 1024 bits Diffie-Hellman key for anonymous authentication...
Waiting for peers install request on 0.0.0.0:5553...
Waiting for peers install request on :::5553...

Then, I opened up a new console and attempted to register the Prelude LML agent using the example in the documentation (and using the one-shot password displayed by the still hanging prelude manager in the first console), but it results in the following error. There is a verified /etc/hosts entry that resolves localhost to 127.0.0.1.

# prelude-admin register prelude-lml "idmef:w admin:r" localhost

You now need to start "prelude-admin" registration-server on localhost:
example: "prelude-admin registration-server prelude-manager" 

Enter the one-shot password provided on localhost: 
Confirm the one-shot password provided on localhost: 

Connecting to registration server (localhost:5553)... 
GnuTLS handshake failed: Bad record MAC.

The first console now displays as follows

# prelude-admin registration-server prelude-manager
The "r1a6m48u" password will be requested by "prelude-admin register" 
in order to connect. Please remove the quotes before using it.

Generating 1024 bits Diffie-Hellman key for anonymous authentication...
Waiting for peers install request on 0.0.0.0:5553...
Waiting for peers install request on :::5553...

Connection from ::1:56416...
GnuTLS handshake failed: Decryption has failed..

On the chance that somehow prelude-manager is bound to the external network interface, I tried to register the Agent using that IP address, but that results in the same error.

RE: Install issue - Hangs trying to register Correlator (Manager Side) - Added by Thomas ANDREJAK over 2 years ago

Do you use the packaged version, or did you compile your version yourself?

RE: Install issue - Hangs trying to register Correlator (Manager Side) - Added by Tony Su over 2 years ago

For clarification,
Everything in this Forums thread can be reproduced by reading from the first post,

So, this is in a brand new, openSUSE 42.2.
I then installed the LAMP pattern and wsgi packages as described in this other Forum post (no packages required for building from source)
https://www.prelude-siem.org/boards/1/topics/97?r=106#message-106

Then, brand new installed Prelude packages as described in the first post (link posted again here)
https://www.prelude-siem.org/projects/prelude/wiki/InstallingPackageOpenSuSE#InstallingPackageOpenSuSE

Following the directions in the above link is where I reached the point where I didn't understand why I was seeing a hanging console and posted for the first time in this thread. After your response, I did exactly what you see in my above post which throws the encryption/decryption error.

If you set up your development/testbed machine differently,
I am willing to try setting up a machine that way.

RE: Install issue - Hangs trying to register Correlator (Manager Side) - Added by Thomas ANDREJAK over 2 years ago

Which version of gnutls do you have?
Do you have some special hardening on your openSUSE?
Do you have SELinux enabled? If yes, try to put it in permissive mode.
Maybe try to reset your profile registration (rm -rf /etc/prelude).

Regards

RE: Install issue - Hangs trying to register Correlator (Manager Side) - Added by Tony Su over 2 years ago

That was the issue, gnutls was not installed.

After installation, registration succeeded.
Something new to add to the dependency list...

Thx!

RE: Install issue - Hangs trying to register Correlator (Manager Side) - Added by Tony Su over 2 years ago

Next problem on this same box...

After the above which successfully registers the Prelude Agent with LML sensors with the Prelude Manager,

Unfortunately when starting up the Prelude Correlator service, it throws the following error.
Googling the error returns only an issue which was silently resolved 4 years ago (was fixed by patch, not by User configuration).

https://www.prelude-siem.org/issues/404

systemctl status prelude-correlator
● prelude-correlator.service - Prelude-Correlator service
   Loaded: loaded (/usr/lib/systemd/system/prelude-correlator.service; disabled; vendor preset: disabled)
   Active: activating (start) since Wed 2016-12-21 10:49:11 PST; 726ms ago
 Main PID: 27297 (code=exited, status=1/FAILURE);         : 27300 (prelude-correla)
    Tasks: 1 (limit: 512)
   CGroup: /system.slice/prelude-correlator.service
           └─27300 /usr/bin/python /usr/bin/prelude-correlator -d -P /run/prelude-correlator/prelude-correlator.pid

Dec 21 10:49:11 PRELUDE systemd[1]: prelude-correlator.service: Service hold-off time over, scheduling restart.
Dec 21 10:49:11 PRELUDE systemd[1]: Stopped Prelude-Correlator service.
Dec 21 10:49:11 PRELUDE systemd[1]: Starting Prelude-Correlator service...
Dec 21 10:49:12 PRELUDE prelude-correlator[27300]: 21 Dec 10:49:12 preludecorrelator.pluginmanager (pid:27300) INFO: [BusinessHourPlugin]: disabled on user request
Dec 21 10:49:12 PRELUDE preludecorrelator.pluginmanager[27300]: INFO: [BusinessHourPlugin]: disabled on user request
Dec 21 10:49:12 PRELUDE prelude-correlator[27300]: 21 Dec 10:49:12 preludecorrelator.pluginmanager (pid:27300) INFO: [FirewallPlugin]: disabled on user request
Dec 21 10:49:12 PRELUDE preludecorrelator.pluginmanager[27300]: INFO: [FirewallPlugin]: disabled on user request