Installed DNIF, now what?

Hello,

First off, let me introduce myself :slight_smile:

My name is Jan,

I’ve recently joined a small, Dutch company in cyber security. At the moment we are looking into launching a “reporting service” to help SMB companies to up their security posture. We have found that the number one reason why SMBs do not do this is money. It’s simply too expensive. So we set out to change that.

We looked into using OSCTRL with OSQuery. This turned out to be a sad story since we’re no programmers, and this tooling needs lots of work still.

Then we looked into Wazuh. Well… this sucks! It’s free, but it’s also too big, too hard, too everything!

Then I came across DNIF, which looks good. I managed to easily install it, configure a winlogbeat… and then I got stuck…

Now what??

Okay… I looked into the logs of the winlogbeat, and it says the following:
2021-04-23T21:39:51.503+0200 ERROR [publisher_pipeline_output] pipeline/output.go:154 Failed to connect to backoff(elasticsearch(https://136.144.251.219:9500)): Connection marked as failed because the onConnect callback failed: invalid license found, requires a basic or a valid trial license and received Open source
2021-04-23T21:39:51.503+0200 INFO [publisher_pipeline_output] pipeline/output.go:145 Attempting to reconnect to backoff(elasticsearch(https://136.144.251.219:9500)) with 2 reconnect attempt(s)
2021-04-23T21:39:51.503+0200 INFO [publisher] pipeline/retry.go:219 retryer: send unwait signal to consumer
2021-04-23T21:39:51.503+0200 INFO [publisher] pipeline/retry.go:223 done
2021-04-23T21:39:51.651+0200 INFO [esclientleg] eslegclient/connection.go:314 Attempting to connect to Elasticsearch version
2021-04-23T21:39:51.651+0200 ERROR [esclientleg] eslegclient/connection.go:417 Invalid version from Elasticsearch:
2021-04-23T21:39:51.738+0200 INFO [license] licenser/check.go:35 License is active for Basic

I assume this is why it’s not working?

Tried the OSS version, but this is not working either :frowning:

I got a bit further…

Collectionstatus shows two hosts, which is correct. It should be one Windows host and one Linux host; for both it says “linux-beats”, but hey, if it works then what’s in a name?

Under streams I also see data; it’s about 150 MB after 12 hours.

And… that’s all I see… nowhere else do I see anything that indicates data?
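As an added example (not from this thread or from DNIF), a small Python triage script that parses Beats log lines in the shape Jan pasted above and maps the ERROR lines to the misconfiguration they indicate; the sample log and the datanode host in it are constructed, and the signatures are limited to the two errors visible in the thread.

```python
"""Triage Beats log output for output-pipeline failures (added example, not DNIF's code)."""
import re
from collections import namedtuple
from typing import List, Optional

# Beats log line: "<timestamp> <LEVEL> [<component>] <file.go:line> <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<level>[A-Z]+)\s+\[(?P<component>[^\]]+)\]\s+"
    r"(?P<src>\S+\.go:\d+)\s+(?P<msg>.*)$"
)

# Known ERROR signatures, most specific first, each with operator advice.
SIGNATURES = [
    (re.compile(r"invalid license found.*received Open source", re.I), "license-mismatch",
     "A licensed Beat build is shipping to an endpoint that reports the Open Source "
     "licence; use the -oss build of the Beat (e.g. winlogbeat-oss)."),
    (re.compile(r"Invalid version from Elasticsearch", re.I), "version-probe-failed",
     "The endpoint did not answer the version probe as Elasticsearch would; "
     "check the output URL, port and TLS settings."),
]

Finding = namedtuple("Finding", "timestamp component kind advice")

def parse_line(line: str) -> Optional[dict]:
    """Split one Beats log line into its fields, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def triage(log_text: str) -> List[Finding]:
    """Return one Finding per ERROR line that matches a known signature."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["level"] != "ERROR":
            continue  # INFO/WARN lines carry nothing we classify here
        for pattern, kind, advice in SIGNATURES:
            if pattern.search(rec["msg"]):
                findings.append(Finding(rec["ts"], rec["component"], kind, advice))
                break  # first match is the most specific one
    return findings

# Constructed sample in the shape of the thread's winlogbeat log; the host is a placeholder.
SAMPLE_LOG = """\
2021-04-23T21:39:51.503+0200 ERROR [publisher_pipeline_output] pipeline/output.go:154 Failed to connect to backoff(elasticsearch(https://datanode.example:9500)): Connection marked as failed because the onConnect callback failed: invalid license found, requires a basic or a valid trial license and received Open source
2021-04-23T21:39:51.651+0200 ERROR [esclientleg] eslegclient/connection.go:417 Invalid version from Elasticsearch:
2021-04-23T21:39:51.738+0200 INFO [license] licenser/check.go:35 License is active for Basic
"""
```

Running `triage(SAMPLE_LOG)` on the constructed log yields a license-mismatch finding followed by a version-probe-failed finding, while the INFO line is ignored.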

Hi Jan,

It’s a pleasure to have you around, thank you for giving us a try.

Hopefully the CE will be able to close out your requirements. Also, if you need something that does not exist, please let us know; we will be happy to take down issues for the roadmap.

On where you are: it looks like you have managed to integrate the Windows and Linux devices. This is how I would prioritise further from here:

Since the streams are showing an uptick in volume, you are likely ingesting these event streams. Below are some steps to figure this out.

Please check which stream is showing data and for those streams run a search by following these steps:
a. Go to search interface (find icon)
b. In the Stream filter, select a stream that you picked up on the streams page
c. Adjust the timeframe (you can use Presets or Date range), then click on Apply
d. Click on search (magnifying glass) which will fetch you search results for the selected streams.
e. Repeat the above steps to search the logs of every stream.

If you can see events, it means you are ingesting data correctly; if things didn’t go to plan, then you probably need to re-look at your winlogbeat-oss configuration.

There is a possibility you are using auditbeat-oss instead of winlogbeat-oss, which currently shows up on DNIF as linux-beats (that needs to change).

If you visit the MITRE ATT&CK page, you should see some blocks with a green border, which means you have active workbooks running on these streams.

Let us know if you see other issues.

Suman


Hello Suman,

Thanks for responding!
When I do what you suggested, I get an error saying “Something went wrong” as per image :frowning:

I am using both auditbeat and winlogbeat, would you advise to use only winlogbeat?

Also, it would be nice to have support for OSQuery! DNIF is the first security software I actually managed to install and configure, but we lack the ability to create reports that show if the firewall is enabled, the virus scanner is up to date, etc. (or maybe I don’t know how). Compliance reporting :slight_smile: Basically this is what Wazuh can do, but it’s a mess to install/maintain :frowning:

Also: I indeed have green workbooks, but what can I do with those? :slight_smile: And how do I get reporting out of them? I try to add widgets to the dashboards and all, but I always end up with “something went wrong” or something along those lines :frowning:

Hi Jan,

Seems like something at the services layer is broken, considering the fact that you can see streams and green workbooks.

Take a look at this document; it has some troubleshooting steps to get services going.
https://docs.dnif.it/docs/logs-not-displayed-on-console

You should see results in the signals section, that is, if you have events that trigger a workbook.

Let me know what you see; I can help going forward from there.

Suman


Jan, I missed out on the OSQuery integration bit; absolutely, yes, we will be happy to integrate it. Although we could do it ourselves, it would be great if you participated in taking this product forward.

Our development cycles are available online; you can create an issue / feature request here: Issues · dnif/roadmap · GitHub

Thanks a ton :slight_smile:

Thank you, I tried most of those things already. I even rebooted the machine :slight_smile:
This is what the manage components page shows:

The connectors area:

Our specs are a bit limited, but with only 2 endpoints connected this shouldn’t be the problem yet?

Hi Jan,
It appears your datanode component is not connected to the cluster.
Would request you to review the getting started and minimum requirements guides.

Thanks,
Nikhil


Hello Nikhil, thank you for responding so quickly :slight_smile:

I think I did everything the setup video/page said to do, but I will check again!
Do I need to start anew, or can I connect it on the already running system?

Hi Jan,
I think you might have accidentally set up all three components on the same system instead of three nodes as outlined in our minimum requirements. In that case, you might need to start afresh.

Thanks,
Nikhil


Not accidentally :wink:

I’m trying to achieve some form of multi-tenancy to see if we can offer cheap security services. This works better if the whole environment is on one host: less management :wink:

Hi Jan -

If you have the base requirements, you should be able to service a large number of customers from the same setup. We work with MSS partners that have a three-host setup and have onboarded a large number of customers on the same cluster / infra.

Agree with you: more hosts, more management!

Suman
