Expedition unable to process security rule for Rule Enrichment

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Expedition unable to process security rule for Rule Enrichment

L1 Bithead

Hi guys,

 

I'm working with a customer who has Expedition installed on their network on Ubuntu 16.04. Expedition is on the latest version (1.1.68).

 

I've setup a traffic log forwarder from one of their firewalls which connects to their Expedition just fine. I've added their Panorama device, pulled in the managed devices and running config. I've processed the logs in /home/expedition/logs.

 

I've created a new project, imported the config and created a log connector for the last 7 days. But whenever I try to run Rule Enrichment on a security rule and hit process it stalls and nothing happens. I've read through the quick start guide which has told me to use this command but it's saying it cannot create connection to the database server, does anyone know how to fix this error?

 

####@####:/tmp$ tail PAN_RuleEnrichment.log
2020-05-22 14:12:40 ERROR RuleAutoCompleter$:812 - Fininshed
2020-05-22 14:29:50 ERROR RuleAutoCompleter$:810 - Could not create connection to database server.
2020-05-22 14:29:50 ERROR RuleAutoCompleter$:811 - Log analysis could not be performed. java.lang.ArrayIndexOutOfBoundsException: 92
2020-05-22 14:29:50 ERROR RuleAutoCompleter$:812 - Fininshed
2020-05-22 14:45:43 ERROR RuleAutoCompleter$:810 - Could not create connection to database server.
2020-05-22 14:45:43 ERROR RuleAutoCompleter$:811 - Log analysis could not be performed. java.lang.ArrayIndexOutOfBoundsException: 92
2020-05-22 14:45:43 ERROR RuleAutoCompleter$:812 - Fininshed
2020-05-22 14:52:16 ERROR RuleAutoCompleter$:810 - Could not create connection to database server.
2020-05-22 14:52:16 ERROR RuleAutoCompleter$:811 - Log analysis could not be performed. java.lang.ArrayIndexOutOfBoundsException: 92
2020-05-22 14:52:16 ERROR RuleAutoCompleter$:812 - Fininshed

 

Thanks!

 

1 accepted solution

Accepted Solutions

Hi Jamesshelley,

 

Can you please follow the steps below to see if it helps

 

1. In ML. Setting, trying to set the Expedition IP to 127.0.0.1 , this will fall back to Expedition server IP and click “Save”. This step will re-initiate the database connections. (If Expedition is behind a different IP or NATed IP , you would need to put the real IP as ML IP not the NATed IP ) , check the IP using ifconfig.

 

Go to #more /home/userSpace/userDefinitions.php review the parameters in the files look like below:

define ('DBServer' , '127.0.0.1');

define ('DBUser',  'root');

define ('DBPass', 'paloalto');

define ('DBName' ,'project_schema');

define ('PARSER_max_execution_time','10000');

define ('PARSER_max_execution_memory','1G');

define ('DBSQL_LOG_BIN', 0);

 

3. Issue SQL commands to check which IPs were being allowed. 

#mysql -uroot -ppaloalto

 

expedition@expedition-documentation:~$ mysql -uroot -ppaloalto

 

Welcome to the MariaDB monitor.  Commands end with ; or \g.

Your MariaDB connection id is 319026

Server version: 10.1.44-MariaDB-1~xenial mariadb.org binary distribution

 

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

 

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

 

MariaDB [(none)]> select host,user from mysql.user;

+--------------------------+------------------+

| host                     | user             |

+--------------------------+------------------+

| 10.8.200.34              | root             |

| 127.0.0.1                | root             |

| ::1                      | root             |

| expedition-documentation | root             |

| localhost                | debian-sys-maint |

| localhost                | root             |

+--------------------------+------------------+

6 rows in set (0.00 sec)

 

Verified Expedition IP and User Root is showing up as above

 

4. Check that /etc/mysql/my.cnf is correctly setup not bind to 127.0.0.1. There is a health check in the dashboard that checks this as well. 

 

Make sure "bind-address = 127.0.0.1" is commented out:

 

# The following values assume you have at least 32M ram

/127.0.0.1

...skipping

# Instead of skip-networking the default is now to listen only on

# localhost which is more compatible and is not less secure.

#bind-address = 127.0.0.1

 

Please let me know if it helps. 

View solution in original post

3 REPLIES 3

L1 Bithead

Anyone please?

Hi Jamesshelley,

 

Can you please follow the steps below to see if it helps

 

1. In ML. Setting, trying to set the Expedition IP to 127.0.0.1 , this will fall back to Expedition server IP and click “Save”. This step will re-initiate the database connections. (If Expedition is behind a different IP or NATed IP , you would need to put the real IP as ML IP not the NATed IP ) , check the IP using ifconfig.

 

Go to #more /home/userSpace/userDefinitions.php review the parameters in the files look like below:

define ('DBServer' , '127.0.0.1');

define ('DBUser',  'root');

define ('DBPass', 'paloalto');

define ('DBName' ,'project_schema');

define ('PARSER_max_execution_time','10000');

define ('PARSER_max_execution_memory','1G');

define ('DBSQL_LOG_BIN', 0);

 

3. Issue SQL commands to check which IPs were being allowed. 

#mysql -uroot -ppaloalto

 

expedition@expedition-documentation:~$ mysql -uroot -ppaloalto

 

Welcome to the MariaDB monitor.  Commands end with ; or \g.

Your MariaDB connection id is 319026

Server version: 10.1.44-MariaDB-1~xenial mariadb.org binary distribution

 

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

 

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

 

MariaDB [(none)]> select host,user from mysql.user;

+--------------------------+------------------+

| host                     | user             |

+--------------------------+------------------+

| 10.8.200.34              | root             |

| 127.0.0.1                | root             |

| ::1                      | root             |

| expedition-documentation | root             |

| localhost                | debian-sys-maint |

| localhost                | root             |

+--------------------------+------------------+

6 rows in set (0.00 sec)

 

Verified Expedition IP and User Root is showing up as above

 

4. Check that /etc/mysql/my.cnf is correctly setup not bind to 127.0.0.1. There is a health check in the dashboard that checks this as well. 

 

Make sure "bind-address = 127.0.0.1" is commented out:

 

# The following values assume you have at least 32M ram

/127.0.0.1

...skipping

# Instead of skip-networking the default is now to listen only on

# localhost which is more compatible and is not less secure.

#bind-address = 127.0.0.1

 

Please let me know if it helps. 

It turned out to be the first step that fixed the issue, thanks for your help!

  • 1 accepted solution
  • 3850 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!