unable to so-start-soc after reboot
t-0-m-1-3 opened this issue · 2 comments
THANK YOU, this has made getting people interested in SO a lot of fun.
I ran into this with my home build, tore things down and rebuilt the lab. The socconfig file is having a Jinja parsing error. I originally thought it was from me yanking and pasting the Velociraptor JSON in the file, but am not as sure now after starting from scratch.
- The output from `so-soc-restart`

```
ID: socconfig
Function: file.managed
Name: /opt/so/conf/soc/soc.json
Result: False
Comment: Unable to manage file: Jinja syntax error: Unable to load json from ,{ "name": "Velociraptor", "description": "Velociraptor Client Pivot", "icon": "fa-external-link-alt", "target": "_blank","links": ["/velociraptor/app/index.html?#/search/{:client.id}"]}]; line 1
---
{%- set MANAGERIP = salt['pillar.get']('global:managerip', '') %} <======================
{%- set SENSORONIKEY = salt['pillar.get']('global:sensoronikey', '') %}
{%- set THEHIVEKEY = salt['pillar.get']('global:hivekey', '') %}
{%- set PLAYBOOK = salt['pillar.get']('manager:playbook', '0') %}
{%- set THEHIVE = salt['pillar.get']('manager:thehive', '0') %}
{%- set FLEETMANAGER = salt['pillar.get']('global:fleet_manager', False) %}
[...]
---
Started: 02:51:19.582218
Duration: 809.165 ms
Changes:
```
The larger python traceback
```
Starting soc...
This could take a while if another Salt job is running.
Run this command with --force to stop all Salt jobs before proceeding.
=========================================================================
[ERROR ] Rendering exception occurred
Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/salt/utils/jinja.py", line 1042, in load_json
    return salt.utils.json.loads(value)
  File "/usr/lib/python3.6/site-packages/salt/utils/json.py", line 89, in loads
    return json_module.loads(s, **kwargs)
  File "/usr/lib64/python3.6/json/__init__.py", line 354, in loads
    return _default_decoder.decode(s)
  File "/usr/lib64/python3.6/json/decoder.py", line 339, in decode
    obj, end = self.raw_decode(s, idx=_w(s, 0).end())
  File "/usr/lib64/python3.6/json/decoder.py", line 357, in raw_decode
    raise JSONDecodeError("Expecting value", s, err.value) from None
json.decoder.JSONDecodeError: Expecting value: line 1 column 1 (char 0)
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/salt/utils/templates.py", line 502, in render_jinja_tmpl
    output = template.render(**decoded_context)
  File "/usr/lib/python3.6/site-packages/jinja2/environment.py", line 1090, in render
    self.environment.handle_exception()
  File "/usr/lib/python3.6/site-packages/jinja2/environment.py", line 832, in handle_exception
    reraise(*rewrite_traceback_stack(source=source))
  File "/usr/lib/python3.6/site-packages/jinja2/_compat.py", line 28, in reraise
    raise value.with_traceback(tb)
  File "<template>", line 1, in top-level template code
  File "/usr/lib/python3.6/site-packages/salt/utils/jinja.py", line 1044, in load_json
    raise TemplateRuntimeError("Unable to load json from {}".format(value))
jinja2.exceptions.TemplateRuntimeError: Unable to load json from ,{ "name": "Velociraptor", "description": "Velociraptor Client Pivot", "icon": "fa-external-link-alt", "target": "_blank","links": ["/velociraptor/app/index.html?#/search/{:client.id}"]}]
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/salt/utils/templates.py", line 261, in render_tmpl
    output = render_str(tmplstr, context, tmplpath)
  File "/usr/lib/python3.6/site-packages/salt/utils/templates.py", line 520, in render_jinja_tmpl
    "Jinja syntax error: {}{}".format(exc, out), line, tmplstr
salt.exceptions.SaltRenderError: Jinja syntax error: Unable to load json from ,{ "name": "Velociraptor", "description": "Velociraptor Client Pivot", "icon": "fa-external-link-alt", "target": "_blank","links": ["/velociraptor/app/index.html?#/search/{:client.id}"]}]; line 1
---
{%- set MANAGERIP = salt['pillar.get']('global:managerip', '') %} <======================
{%- set SENSORONIKEY = salt['pillar.get']('global:sensoronikey', '') %}
{%- set THEHIVEKEY = salt['pillar.get']('global:hivekey', '') %}
{%- set PLAYBOOK = salt['pillar.get']('manager:playbook', '0') %}
{%- set THEHIVE = salt['pillar.get']('manager:thehive', '0') %}
{%- set FLEETMANAGER = salt['pillar.get']('global:fleet_manager', False) %}
[...]
---
[ERROR ] Unable to manage file: Jinja syntax error: Unable to load json from ,{ "name": "Velociraptor", "description": "Velociraptor Client Pivot", "icon": "fa-external-link-alt", "target": "_blank","links": ["/velociraptor/app/index.html?#/search/{:client.id}"]}]; line 1
---
{%- set MANAGERIP = salt['pillar.get']('global:managerip', '') %} <======================
{%- set SENSORONIKEY = salt['pillar.get']('global:sensoronikey', '') %}
{%- set THEHIVEKEY = salt['pillar.get']('global:hivekey', '') %}
{%- set PLAYBOOK = salt['pillar.get']('manager:playbook', '0') %}
{%- set THEHIVE = salt['pillar.get']('manager:thehive', '0') %}
{%- set FLEETMANAGER = salt['pillar.get']('global:fleet_manager', False) %}
[...]
---
local:
```
- Output from `salt-call state.highstate` might have a typo in it as well with veloiraptor

```
[root@seconionone t0m]# sudo salt-call state.highstate
local:
Data failed to compile:
----------
No matching sls found for 'veloiraptor' in env 'base'
```
Any help is much appreciated
Hi! Thanks for your interest! I'll look into this. We've recently made some changes, and I have not had a chance to test against the latest version of Security Onion. It does look like the top file is also referencing `veloiraptor` vs `velociraptor`, thank you for pointing that out. Somehow, I had not noticed previously. I'll work on getting this sorted out, however, I will say that we are actually not going to be using TheHive in future versions of Security Onion, but rather our own native Cases module. We don't yet have an equivalent to webhook notifications, so I will likely alter the lab to work similarly. I will make these updates soon. Thanks again for testing and your feedback!