New to ROCKNSM-Can't see/add Windows domain devices

Hi everyone,

I’ve been tasked with implementing a monitoring system for our network and after much discussion among our IT department (for a medical group handling over 500 devices), we decided to Give Rock a try after high recommendation from a few professors at the local university. We (3 of us that make up our department) are all somewhat familiar with the tools that are available on Rock. However, we have never gone through and actually implemented any of the tools from scratch.

Just an idea with what we’re working with and what the end goal is:

We’ve set up RockNSM on a virtual machine (VMware VSphere). After several attempts and failures we were finally able to successfully get it to install with the latest release of 2.5.0-2002.

We successfully joined it to the Windows domain, and running a packet capture shows us traffic from different locations on the domain (using sudo tcpdump -c 20 -i ens224).

Our end goal is to be able to see logs for suspicious traffic, RDP connections, Windows failed login attempts, and auditing file access.

The part we’re stuck at is getting anything to load and visualize within Kibana.

We can successfully sign in to Kibana (from the local host and other network devices) but nothing is loading from any of the tools.

We are looking to keep it locally hosted instead of loading it to the cloud.

Additionally, if we try to establish an SMB connection from Windows network to and from the Rock server, it fails to authenticate (not sure if that would play a role in the visualization issue).

Is there a .yml file that we are just not configuring to be able to see and start recording logs to visualize?

Any tips would be greatly appreciated!

Thanks in advance!

VictorQ and the Genesis IT Team.

We know we are getting traffic via tcpdump so that is good news.

Is there anything under Discover (if empty points to empty or no existent index)? If this is so then we need to see where things are not working.

What are the statuses for each of the other components? You can find this out with sudo systemctl status -l <NAMEofSERVICE>. Let me know what you find. Is this a single or multi-node setup? It sounds like a single, but I want to be sure.

This is likely due to the SELinux protections that are in place. This could be of use but I have not verified it: https://wiki.centos.org/HowTos/SetUpSamba

Hi thank you for the quick response,

It is indeed a single node setup. Under the Kibana Discover tab the result is “No results match your search criteria”

The services (for example: Zeek, Elasticsearch, Suricata) all indicate active when running the sudo systemctl status -l <NAMEofSERVICE> command.

If the data pipeline appears to be functional, I would suggest looking at time settings on your sensor and the workstation that you are accessing Kibana with to make sure they are the same.

We can confirm that the time is set on both the sensor and devices accessing Kibana to MST(UTC-7).

sudo watch -n1 sudo ls -l /data/zeek/logs/current/

show growing logs??

Yes, the Zeek logs do indicate they are growing in size.

Running a standalone install now. I've only done the multinode deployments for 2.5 so far.


Seems okay on my end. Maybe something in your environment??

This is what we get back when checking the services. Kafka fails.

Is there anything in /var/log/kafka/server.log or /var/log/zookeeper/zookeeper.log that you can see or that you can post here?

We also get this when visiting https://(host IP Address)/app/docket

https://(host IP Address)/app/docket/ <–may have to add trailing slash

/var/log/kafka/ is empty…

Zookeeper log:

Try stopping kafka and zookeeper using sudo systemctl stop kafka and then the same thing for zookeeper. Then start zookeeper first using sudo systemctl start zookeeper and then do the same for kafka.

Ran as suggested, Kafka fails to start.

Also thanks for catching that missing slash at the end of docket address.

What does ip a and cat /etc/hosts yield?

ip a :

Hosts:

OK, everything there looks good. Share your zookeeper and kafka config files? They should be under /etc/zookeeper and /etc/kafka/.

There isn’t a Kafka config file there. I’ll add the info for the “server.properties” file.
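A small diagnostic script that walks the same checks this thread walks (service state, Zeek log growth, the Kafka/Zookeeper logs, and whether the sensor hostname resolves to a real address), added here as an example and not something posted in the thread or shipped with ROCK. The unit names, the /etc/kafka/server.properties path and the log paths are taken from the thread; everything else (the helper names, the constructed hosts and properties files) is assumed.

```bash
#!/usr/bin/env bash
# Constructed diagnostic for a single-node ROCK sensor whose Kibana Discover is empty.
# Run the live checks with:  ./rock_check.sh run   (the functions alone do nothing).
set -u

# Unit names as used in the thread (assumed to match the sensor's systemd units).
ROCK_SERVICES="zookeeper kafka zeek suricata elasticsearch kibana"

# One line per service: "<name> <active|inactive|failed>" (what systemctl reports).
service_states() {
  for s in $ROCK_SERVICES; do
    printf '%s %s\n' "$s" "$(systemctl is-active "$s" 2>/dev/null || true)"
  done
}

# Total bytes of the files in a Zeek log directory; sample twice a few seconds
# apart to see whether logs grow (the "watch -n1 ls -l" check from the thread).
zeek_log_bytes() {
  cat "${1:-/data/zeek/logs/current}"/* 2>/dev/null | wc -c | tr -d ' '
}

# Exit 0 when hostname $2 maps to a non-loopback address in hosts file $1.
# Kafka and Zookeeper advertise the sensor hostname; a name that only resolves to
# 127.0.0.1 (or not at all) is a common reason the broker never comes up.
hostname_resolves_non_loopback() {
  awk -v h="$2" '
    /^[[:space:]]*#/ || NF < 2 { next }
    { for (i = 2; i <= NF; i++) if ($i == h && $1 !~ /^127\./ && $1 != "::1") found = 1 }
    END { exit found ? 0 : 1 }' "$1"
}

# Zookeeper endpoint Kafka is configured to use ("zookeeper.connect" is a
# standard Kafka key); that host must also pass the check above.
kafka_zk_connect() {
  sed -n 's/^[[:space:]]*zookeeper\.connect[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}

# Tail the two logs the thread asks for; an empty Kafka log means the unit died
# before the broker started, so the reason is usually in journalctl -u kafka.
tail_logs() {
  for f in /var/log/kafka/server.log /var/log/zookeeper/zookeeper.log; do
    printf '== %s ==\n' "$f"
    if [ -s "$f" ]; then tail -n 20 "$f"; else echo "(missing or empty)"; fi
  done
}

main() {
  service_states
  b1=$(zeek_log_bytes); sleep 5; b2=$(zeek_log_bytes)
  echo "zeek bytes: $b1 -> $b2 ($([ "$b2" -gt "$b1" ] && echo growing || echo NOT growing))"
  h=$(hostname)
  hostname_resolves_non_loopback /etc/hosts "$h" && echo "$h resolves (non-loopback)" || echo "$h NOT in /etc/hosts"
  echo "kafka -> zookeeper.connect=$(kafka_zk_connect /etc/kafka/server.properties)"
  tail_logs
}

if [ "${1:-}" = run ]; then main; fi
```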