Stenographer exits after starting


#1

This was a placeholder topic for Stenographer before re-organizing. Keeping topic to preserve discussion.


#2

We pulled down and installed the latest rocknsm-2.0.5-1705.iso. Everything is enabled/running, followed the gitbook setup for Stenographer, but it continues to exit after starting.

Looks like there was reported issue #125 on this and was flagged as resolved in 2.0.2, so we’re wondering if maybe there is anything in 2.0.5 that re-introduced the issue or that we’re just not doing right. It starts and exits before any packets are captured. We have verified that packets are otherwise captured by Bro.

Any help would be appreciated. Below is some config and status/error messages related to this.

[rocknsm@simplerockbuild stenographer]$ systemctl status stenographer.service
● stenographer.service - packet capture to disk
Loaded: loaded (/etc/systemd/system/stenographer.service; enabled; vendor preset: disabled)
Active: active (exited) since Wed 2018-01-31 23:13:03 UTC; 26min ago
Process: 5334 ExecStart=/bin/true (code=exited, status=0/SUCCESS)
Main PID: 5334 (code=exited, status=0/SUCCESS)
CGroup: /system.slice/stenographer.service

Jan 31 23:13:03 simplerockbuild.simplerock.lan systemd[1]: Starting packet capture to disk…
Jan 31 23:13:03 simplerockbuild.simplerock.lan systemd[1]: Started packet capture to disk.

Advanced Feature Selection

Don’t flip these unless you know what you’re doing

with_stenographer: True
with_bro: True
with_suricata: True
with_snort: False
with_pulledpork: True
with_logstash: True
with_elasticsearch: True
with_kibana: True
with_zookeeper: True
with_kafka: True
with_nginx: True
with_fsf: True

Specify if a service is enabled on startup

enable_stenographer: True
enable_bro: True
enable_suricata: True
enable_snort: False
enable_pulledpork: True
enable_logstash: True
enable_elasticsearch: True
enable_kibana: True
enable_zookeeper: True
enable_kafka: True
enable_nginx: True
enable_fsf: False

https://rocknsm.gitbooks.io/rocknsm-guide/content/

Google’s Stenographer is installed and configured in this build. However, it is disabled by default. There are a few reasons for this: First, it can be too much for Vagrant builds on meager hardware. Second, you really need to make sure you’ve mounted /data over sufficient storage before you start saving full packets. Once you’re ready to get nuts, enable and start the service with systemctl enable stenographer.service and then systemctl start stenographer.service. Stenographer is already stubbed into the /usr/local/bin/rock_{start,stop,status} scripts, you just need to uncomment it if you’re going to use it.

Thanks,
Aaron W


#3

Aaron, thanks for posting! We tried something that isn’t exactly perfect with stenographer, and could probably be improved. Stenographer doesn’t support reading from multiple interfaces at the same time, so we use template service units. It’s possible stenographer is running, you just don’t see it.

To see each of the per-instance units, run the following:

systemctl status stenographer@*
● stenographer@ens4.service - packet capture to disk
   Loaded: loaded (/etc/systemd/system/stenographer@.service; enabled; vendor preset: disabled)
   Active: active (running) since Thu 2018-02-01 02:52:34 UTC; 15min ago
 Main PID: 301 (stenographer)
   CGroup: /system.slice/system-stenographer.slice/stenographer@ens4.service
           ├─301 /usr/bin/stenographer -config /etc/stenographer/config.ens4
           └─336 /usr/bin/stenotype -v --threads=1 --iface=ens4 --dir=/tmp/stenographer938449468

The template services are called stenographer@<interface>.service. When you start or stop stenographer, that command should propagate to the template commands. I think there are some additional tweaks we can do here to make this more intuitive.

If you actually don’t have any stenographer instances running…well…that’s something else we’ll have to dig into.

Lemme know if that helps! and thanks again for posting.
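The check described in this reply, written out as an added example (it is not part of the thread or of RockNSM's own scripts): the parent stenographer.service is only a /bin/true placeholder, so a healthy box is one where every /etc/stenographer/config.<iface> file has a running stenographer@<iface>.service instance. The script below cross-checks the two lists and reports interfaces that have a config but no running instance. The sample_configs and sample_units functions hold constructed data standing in for `ls /etc/stenographer/config.*` and `systemctl list-units 'stenographer@*' --all --no-legend --plain`, so it runs offline; the real_configs and real_units wrappers show what to pass on a live host.

```shell
#!/bin/sh
# Added example: find interfaces that have a stenographer config file but no
# running stenographer@<iface>.service instance. Not from the RockNSM project.

# Constructed sample: what `ls /etc/stenographer/config.*` would list.
sample_configs() {
    printf '%s\n' /etc/stenographer/config.ens4 /etc/stenographer/config.ens5
}

# Constructed sample: what
# `systemctl list-units 'stenographer@*' --all --no-legend --plain` would print.
# Columns: UNIT LOAD ACTIVE SUB DESCRIPTION
sample_units() {
    cat <<'EOF'
stenographer@ens4.service loaded active   running packet capture to disk
stenographer@ens5.service loaded inactive dead    packet capture to disk
EOF
}

# Live-host sources (assumed paths/flags as documented for systemctl; not
# invoked by the sample run at the bottom).
real_configs() { ls /etc/stenographer/config.* 2>/dev/null; }
real_units() { systemctl list-units 'stenographer@*' --all --no-legend --plain; }

# configured_ifaces SOURCE: interface names taken from config.<iface> paths.
configured_ifaces() {
    "$1" | sed -n 's#.*/config\.\([^/]*\)$#\1#p'
}

# running_ifaces SOURCE: interfaces whose template instance is active/running.
running_ifaces() {
    "$1" | awk '$3 == "active" && $4 == "running" {
        sub(/^stenographer@/, "", $1); sub(/\.service$/, "", $1); print $1 }'
}

# missing_instances CONFIG_SOURCE UNIT_SOURCE: configured interfaces with no
# running instance, one per line (empty output means all are capturing).
missing_instances() {
    cfg_src=$1
    unit_src=$2
    for iface in $(configured_ifaces "$cfg_src"); do
        if ! running_ifaces "$unit_src" | grep -qx "$iface"; then
            echo "$iface"
        fi
    done
}

# Sample run against the constructed data; on a real host use:
#   missing_instances real_configs real_units
for iface in $(missing_instances sample_configs sample_units); do
    echo "no running capture on $iface; try: systemctl enable --now stenographer@$iface.service"
done
```

On the constructed data this reports ens5, the interface that was configured but never started, which matches the manual enable/start that resolved the original poster's box.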


#4

I think that may have done it: we had to manually enable/start for our specific interface, as the templated propagation may not be working so well on our box. We’re going to do some additional testing and will confirm afterward.


#5

Just wanted to follow up. That did resolve the issue with Stenographer. Thanks.


#6