Change the hostname on a Splunk Indexer

January 8, 2016 nicholas Leave a comment

Recently I set about to change the hostname on a Splunk indexer. It should be pretty easy, right? Beware. It can be pretty nasty! Below is my experience.

I started with the basics.

hostname command
```
hostname <newhostname>
```
Modify /etc/system/network to make it persistent (CentOS specific)
```
sed -i 's/<old hostname>/<new hostname>/g' /etc/system/network
```

Inform Splunk of the hostname change

sed -i 's/<old hostname>/<new hostname>/g' $SPLUNK_HOME/etc/system/local/server.conf

Restart Splunk

Sadly, that wasn’t the end of it. I noticed right away Splunk complained of a few things:

TcpOutputProc - Forwarding to indexer group default-autolb-group blocked for 300 seconds.

WARN TcpOutputFd - Connect to 10.0.0.10:9997 failed. Connection refused

Running

netstat -an | grep LISTEN

revealed that the server was not even listening on 9997 like it should be. I found this answer indicating it could be an issue with DNS tripping up on that server. I edited $SPLUNK_HOME/etc/system/local/inputs.conf with the following:

[splunktcp://9997]
connection_host = none

but I also noticed that after I ran the command a short time later it was no longer listening on 9997. Attempting to telnet from the forwarder to the indexer in question revealed the same results – works at first, then quit working. Meanwhile no events are getting stored on that indexer.

I was pulling my hair out trying to figure out what was happening. Finally I discovered this gem on Splunk Answers:

Are you using the deployment server in your environment? Is it possible your forwarders’ outputs.conf got deployed to your indexer?

On the indexer:
./splunk cmd btool outputs list –debug

Sure enough! after running

./splunk cmd btool outputs list --debug

I discovered this little gem of a stanza:

/opt/splunk/etc/apps/APP_Forwarders/default/outputs.conf [tcpout]

That shouldn’t’ have been there! Digging into my deployment server I discovered that I had a server class with a blacklist, that is, it included all deployment clients except some that I had listed. The blacklist had the old hostname, which meant when I changed the indexer’s hostname it no longer matched the blacklist and thus was deployed a forwarder’s configuration, causing a forwarding loop. My indexer was forwarding back to the forwarder everything it was getting from the forwarder, causing Splunk to shut down port 9997 on the offending indexer completely.

After getting all that set up I noticed Splunk was only returning searches from the indexers whose hostnames I had not changed. Everything looked good in the distributed search arena – status was OK on all indexers; yet I still was not getting any results from the indexer whose name I had changed, even though it was receiving events! This was turning into a problem. It was creating a blind spot.

Connections great, search status great, deployment status good.. I didn’t know what else to do. I finally thought to reload Splunk on the search head that had been talking to the server whose name I changed. Success! Something in the search head must have made it blind to the indexer once its name had changed. Simply restarting Splunk on the search head fixed it.

In short, if you’re crazy enough to change the name of one of your indexers in a distributed Splunk environment, make sure you do the following:

Change hostname on the OS
Change ServerName in Splunk config files
- Add connection_host = none in inputs.conf (optional?)
Clean up your deployment server
- Delete old hostname from clients phoning home
- MAKE SURE the new hostname won’t be sucked up into an unwanted server class
Clean up your search head
- Delete old hostname search peer
- Add new hostname search peer
- Restart search head
Profit

Web

Fix Plex SSL behind Reverse Proxy

December 25, 2015 nicholas 2 Comments

Recently I updated to the latest version of Plex. I run Plex behind a Reverse Proxy server. When I initially set it up it was to provide HTTPS before Plex supported it. Now that Plex supports it I still use it to have my custom domain name attached to it.

This latest Plex update seemed to have broken SSL connectivity completely.. I couldn’t get SSL to work no matter what I tried. After pulling much hair out I found out there is a new option under advanced server settings:

Settings / Server / Show Advanced / Network

Scroll downs until you see

Custom server access URLs

It is here that you need to supply your own domain name and port. I struggled this for a while. If you type https://<domain name>, but don’t specify a port, it defaults to 32400, not 443. I finally got SSL to work with plex again by entering https://mydomain.name:443 in that field.

Plex works with SSL once more. All is right with the world again.

CLI, OS

Configure VMWare View Smartcard in Ubuntu

December 14, 2015 nicholas Leave a comment

Recently I’ve been required to use a smart card to log into some servers I manage. Configuring my Linux Mint 17.2 machine to pass my smartcard through to those machines via VMWare View has not been straightforward. This guide will walk you through how to get Smartcard redirection to work with VMWare View in Ubuntu 14.04 Trusty Tahr, which Linux Mint 17.2 is based off of. Enjoy.

Procedure

Install the latest version of the VMWare View client (distro versions are often quite out of date) from here

chmod +x VMware-Horizon-Client-3.5.0-2999900.x64.bundle 
sudo ./VMware-Horizon-Client-3.5.0-2999900.x64.bundle

Install necessary packages for CommonAccessCard (thanks to this helpful ubuntu writeup)
```
sudo apt-get install libpcsclite1 pcscd pcsc-tools
```
(re)Start the pcscd daemon
```
sudo /etc/init.d/pcscd restart
```
Ensure your smartcard reader is properly identified by running this command:
```
pcsc_scan
```
If that command is stuck on “Waiting for the first reader…” then you need to install your smartcard drivers. If it sees your smartcard, skip this next step and proceed to step 6.
Install your smartcard driver. This process is different for each card. For the card reader I have (the Identive SCR3500 A Contact Reader), I was able to obtain the drivers after much difficulty from here. The link to the drivers itself are here (alternate link). In my case I was able to untar and run the install script, which worked beautifully.

Install 32 bit compatibility libraries (only applicable for 64 bit installations) thanks to this site for the answer and this one for clarification

sudo dpkg --add-architecture i386
sudo apt-get update
sudo apt-get install -y libxml2:i386 libssl1.0.0:i386 libXtst6:i386 libudev1:i386 libpcsclite1:i386 libtheora0:i386 libv4l-0:i386 libpulse0:i386
sudo ln -sf /lib/i386-linux-gnu/libudev.so.1 /lib/i386-linux-gnu/libudev.so.0
sudo ln -sf /lib/i386-linux-gnu/libssl.so.1.0.0 /lib/i386-linux-gnu/libssl.so.1.0.1
sudo ln -sf /lib/i386-linux-gnu/libcrypto.so.1.0.0 /lib/i386-linux-gnu/libcrypto.so.1 
sudo ln -sf /lib/$(arch)-linux-gnu/libudev.so.1 /lib/$(arch)-linux-gnu/libudev.so.0

(re)Start the vmware-USBArbitrator and vmware-view-USBD services
```
sudo /etc/init.d/vmware-USBArbitrator start
sudo /etc/init.d/vmware-view-USBD start
```
For some reason after I did all of this the vmware-view binary was nowhere to be found. It was quite strange. I fixed this issue by removing and re-installing the view client:
```
sudo ./VMware-Horizon-Client-3.5.0-2999900.x64.bundle -u vmware-horizon-client
sudo ./VMware-Horizon-Client-3.5.0-2999900.x64.bundle
```
After doing this the binary was there as expected.
Create a config file to instruct the view client to redirect your smartcard reader.
```
echo 'viewusb.IncludeFamily = "smart-card"' >> /etc/vmware/config
echo 'viewusb.AllowSmartcard = "true"' >> /etc/vmware/config
```
There is no graphical option to pass devices through like there is in the Windows client. I spent more time than I’d like to admit on this step. It turns out the name of the file is important – it has to simply be called “config.” Place this config file in ~/.vmware (it can also be placed in /etc/vmware/config and/or /usr/lib/vmware/config)
Start vmware-view and enjoy your new smartcard capabilities
```
vmware-view
```

Troubleshooting

If it’s not working, make sure that these services are started

pcscd
vmware-USBArbitrator
vmware-view-USBD

One of these services have been known to crash if you attempt to connect while your smartcard is plugged in. The dance to get around this is to unplug your card reader, re-launch the above services, launch vmware-view, connect to your view server, and then only after you’ve logged in, plug in your card reader.

Update 2/25/2016: Here is the script I use to make my chromebook work beautifully for remoting into work:

sudo /etc/init.d/pcscd restart
sudo /etc/init.d/vmware-USBArbitrator restart
sudo /etc/init.d/vmware-view-USBD restart
setres 1600 1024
vmware-view
setres 2560 1700

Mobile, OS

Manually update firmware on Nexus devices

December 9, 2015 nicholas Leave a comment

The release of Android 6.0.1 had me excited because it enables LTE band 12 for my phone, the Nexus 5X, which currently uses T-mobile. Band 12 is in the 700mhz range which should greatly increase speed and coverage. I’m too impatient to wait for the OTA!

This tutorial will walk you through how to manually backup, unlock, flash, re-lock, and restore a Google Nexus 5X, but the procedure is pretty much the same for any Nexus device.

First, obtain two necessary Android development tools: adb and fastboot. Do not use your distribution’s versions of these tools – they are likely out of date. Instead, download the Android SDK directly from Google by going here and scrolling to the bottom of the page. Java is required for the sdk to install – install it if you haven’t already. Thanks to this site for explaining how to only obtain platform-tools.

sudo apt-get install openjdk-7-jre
tar zxvf android-sdk_r24.4.1-linux.tgz
android-sdk-linux/tools/android update sdk --no-ui --filter 1,platform-tools

Once you have platform-tools you need to add them to your PATH to make scripts run adb successfully (thanks to this site for the information). When you run the command below make sure to update /path/to/… to the folder where you extracted the android-sdk.

echo "export PATH=$PATH{}:/path/to/android-sdk/tools:/path/to/android/platform-tools" >> ~/.bashrc
source ~/.bashrc

Next, obtain the latest firmware for your device from the google developers site. Extract it somewhere you will remember for later.

Now, enable USB debugging on your phone if you haven’t already (thanks to this site for the info.) To do this, go to Settings / About phone, scroll to the bottom and press on the build number 7 times. Press back and go to developer options, and enable USB debugging and enable OEM unlocking. Then plug in your phone to the computer with adb installed and run this command (thanks to xda for the information)

adb backup -apk -shared -all -f <backup_filename>

Confirm the on-screen prompt on your phone. Make sure you specify a password for encryption. The above command should backup everything, but in my case it did not backup files in the flash partition (downloads, pictures, etc). Make sure you manually copy any important files from your phone before you proceed.

My first attempt at the above command didn’t work for me. I received the error message:

adb: unable to connect for backup

When I ran adb devices it showed this:

List of devices attached 
00c739918fbf4e2a offline

It turns out I had an old version of adb installed. Make sure you download Google’s official SDK instead of relying on your distribution’s version.

Once the backup is complete, you then need to reboot your phone into fastboot mode:

adb reboot bootloader

Wait for the reboot, then run the following command. Warning: this command will wipe your device. Make sure you have a reliable backup and confirm the message on your phone screen.

fastboot oem unlock

Now, navigate to the directory where you extracted your latest firmware and execute the flash-all script:

cd bullhead-mmb29k
./flash-all.sh

After some time your phone will reboot into your shiny new updated OS. Skip everything setup-wise. Re-enable developer mode and android debugging, and then re-lock your bootloader:

adb reboot bootloader
fastboot oem lock

Lastly, we need to restore everything from the backup we made and re-lock the bootloader for security. Once again skip everything setup-wise on the phone, re-enable developer mode and android debugging, and then restore your stuff:

adb restore <filename>

Don’t forget to manually copy back any flash files you manually backed up earlier.

The very last (optional) step is to go into developer options settings and disable OEM unlocking.

Success!

OS, Virtualization

Fix No USB devices connected in Virtualbox

December 7, 2015 nicholas Leave a comment

Recently on my Linux Mint 13.2 system I was playing with Virtualbox. I wanted to pass through a USB device to a virtualbox VM but despite installing the appropriate extension pack, I was greeted with this lovely message in the USB menu:

No USB devices connected

I discovered here that you need to be a member of the vboxusers group. One quick command solved this:

sudo usermod -a -G vboxusers <username>

Once I did that I logged out and logged back in. Voila! USB passthrough worked.

Networking, OS

Fix POP/SMTP not working in Sophos UTM

November 20, 2015 nicholas Leave a comment

It all started with an innocent enough e-mail:

Data Disk is filling up - please check. Current usage: 100%

I couldn’t find any clear information about what to do about this on Sophos’ forums. My data disk was full. What to do?

I can tell you what not to do – delete random files. I thought my solution would be to log into the UTM’s console and run a du -hsx /* to see where the space was. I found a large folder inside /var/storage – /var/storage/cores/httpd.16438. I removed it, because why not?

It turns out that did some weird things to my UTM. After removing that folder I kept getting spammed with these e-mails, once every hour:

Pop3 proxy not running - restarted

It took me a while to realize, but this also meant all e-mails relayed to the UTM were not being delivered. The entire POP/SMTP subsystem of the Sophos UTM was hosed. I could not find anything on the Sophos forums. After scratching my head I decided to have a deeper look at the logs. From the command line I issued

ls -ltr /var/log

and began reading the most recent logs.

pop3.log let me know what the problem was:

pop3proxy[9270]: Can't connect to database, retrying in 10 seconds: could not connect to server: Connection refused

I could not find any useful fixes for this error. I kept digging.

selfmon.log wasn’t much help other than to confirm that pop3 was having some serious issues. It was an endless abyss of repeated error messages:

selfmonng[3818]: W NOTIFYEVENT Name=pop3proxy_running Level=INFO Id=117 suppressed
...
selfmonng[3818]: W actionCmd(+): '/var/mdw/scripts/pop3 restart'

system.log put me on the right track:

ulogd[5107]: pg1: connect: could not connect to server: No such file or directory

Finally, we’re getting somewhere! After some searching I learned that pg1 is the postgresql database Sophos uses. I found a way to rebuild from this forum post.

One simple command did the trick:

/etc/init.d/postgresql92 rebuild

This rebuilt the postgresql database that I apparently corrupted when I removed files with reckless abandon. My e-mails work again!

CLI, Web

Install Guacamole 0.9.8 in CentOS 7

November 19, 2015 nicholas Leave a comment

Lately I’ve embarked in installing the latest version of Guacamole, 0.9.8, in a fresh installation of CentOS 7. Kudos go to the excellent guide I found from here. Derek’s guide is for 0.9.7 but it also works for 0.9.8. I ran into a few hangups but after I figured them out it worked beautifully.

First, fetch the needed binaries:

rpm -Uvh http://mirror.metrocast.net/fedora/epel/7/x86_64/e/epel-release-7-5.noarch.rpm   # EPEL Repo
yum -y install wget   # wget
wget http://download.opensuse.org/repositories/home:/felfert/Fedora_19/home:felfert.repo && mv home\:felfert.repo /etc/yum.repos.d/   # Felfert Repo
yum -y install tomcat libvncserver freerdp libvorbis libguac libguac-client-vnc libguac-client-rdp libguac-client-ssh
yum -y install cairo-devel pango-devel libvorbis-devel openssl-devel gcc pulseaudio-libs-devel libvncserver-devel terminus-fonts \
freerdp-devel uuid-devel libssh2-devel libtelnet libtelnet-devel tomcat-webapps tomcat-admin-webapps java-1.7.0-openjdk.x86_64

Next, install guac server (the latest as of this writing is 0.9.8)

mkdir ~/guacamole && cd ~/
wget http://sourceforge.net/projects/guacamole/files/current/source/guacamole-server-0.9.8.tar.gz
tar -xzf guacamole-server-0.9.8.tar.gz && cd guacamole-server-0.9.8
./configure --with-init-dir=/etc/init.d
make
make install
ldconfig

I received an error while running ./configure :

checking for jpeg_start_compress in -ljpeg... no
configure: error: "libjpeg is required for writing jpeg messages"

It means I didn’t have libjpeg dev libraries installed. Easily fixed:

yum install libjpeg-turbo-devel

Next, install the guacamole war files

mkdir -p /var/lib/guacamole && cd /var/lib/guacamole/
 wget http://sourceforge.net/projects/guacamole/files/current/binary/guacamole-0.9.8.war -O guacamole.war
 ln -s /var/lib/guacamole/guacamole.war /var/lib/tomcat/webapps/
 rm -rf /usr/lib64/freerdp/guacdr.so
 ln -s /usr/local/lib/freerdp/guacdr.so /usr/lib64/freerdp/

Next comes configuring the database

#Install database and connector
yum -y install mariadb mariadb-server
 mkdir -p ~/guacamole/sqlauth && cd ~/guacamole/sqlauth
 wget http://sourceforge.net/projects/guacamole/files/current/extensions/guacamole-auth-jdbc-0.9.8.tar.gz
 tar -zxf guacamole-auth-jdbc-0.9.8.tar.gz
 wget http://dev.mysql.com/get/Downloads/Connector/j/mysql-connector-java-5.1.32.tar.gz
 tar -zxf mysql-connector-java-5.1.32.tar.gz
 mkdir -p /usr/share/tomcat/.guacamole/{extensions,lib}
 mv guacamole-auth-jdbc-0.9.8/mysql/guacamole-auth-jdbc-mysql-0.9.8.jar /usr/share/tomcat/.guacamole/extensions/
 mv mysql-connector-java-5.1.32/mysql-connector-java-5.1.32-bin.jar /usr/share/tomcat/.guacamole/lib/
 systemctl restart mariadb.service

#Configure database
mysqladmin -u root password MySQLRootPass
mysql -u root -p   # Enter above password
create database guacdb;
create user 'guacuser'@'localhost' identified by 'guacDBpass';
grant select,insert,update,delete on guacdb.* to 'guacuser'@'localhost';
flush privileges;
quit
cd ~/guacamole/sqlauth/guacamole-auth-jdbc-0.9.8/mysql/schema/
cat ./*.sql | mysql -u root -p guacdb   # Enter SQL root password set above

Now we need to configure guacamole to use our new database.

mkdir -p /etc/guacamole/ && vi /etc/guacamole/guacamole.properties

# MySQL properties
mysql-hostname: localhost
mysql-port: 3306
mysql-database: guacdb
mysql-username: guacuser
mysql-password: guacDBpass

# Additional settings
mysql-disallow-duplicate-connections: false

Link the file you just made to the tomcat configuration directory

ln -s /etc/guacamole/guacamole.properties /usr/share/tomcat/.guacamole/

Cleanup temporary files and enable necessary services on boot

cd ~ && rm -rf guacamole*
systemctl enable tomcat.service && systemctl enable mariadb.service && chkconfig guacd on
systemctl reboot

Lastly, open the firewall up for port 8080 (thanks stack overflow)

firewall-cmd --permanent --add-port=8080/tcp
firewall-cmd --reload

Navigate to guacamole in your browser: http://<IP address>/guacamole:8080. You should see the guacamole login screen.

Additional hiccup

This new version of guacamole has a different user interface. It took me longer than I’d like to admit to realize how to get out of a guacamole session once it’s started. Sessions are now full screen with no obvious way to exit.

The way to exit the full screen guacamole session is to press the magic key combination of ctrl, alt, and shift. It will reveal a menu from the side. This is all clearly defined in the user documentation, but my lack of willingness to read it caused me to waste much time. Lesson learned!

Web

Get free SSL certificates from startssl

November 18, 2015 nicholas Leave a comment

SSL certificates can be a pain, especially if you have to pay for them. It turs out you can get free SSL certificates from startssl.com, though, so at least your wallet doesn’t have to suffer!

In order to create an account with them, head over to https://www.startssl.com/ Their account creation process is a little strange. Follow their instructions for generating a certificate for authentication (they don’t use passwords.)

Note: if you are getting frustrated because you follow their certificate login process only to have your browser tell you there is no cert it’s likely due to some caching of the certificate error page in your browser. Clear cache and cookies (or open a browser in incognito / privacy mode) and try again to log in.

First, validate your domain using their validation wizard. Once your domain is validated, head over to the Certificates wizard to generate a certificate.

I don’t trust any website that generates private SSL keys for you, so I recommend you create your own with the openssl command (steps copied from my sophos SSL certificate tutorial) and skip the creation step on their website.

Generate a Certificate Signing Request (CSR) by creating a key and using it to generate the CSR

openssl genrsa -aes256 -out <keyname>.key 2048
openssl req -new -key keyname.key -out csrname.csr

2. Copy the content of the csr file into the CSR form box and click Next

3. If you’re lucky, you’ll be provided the key files immediately. Sometimes it takes a few hours for them to approve the certificate creation first.

4. Once the certificate is created, head over to Toolbox / Retrieve certificate. After selecting the appropriate certificate, copy everything in the box and paste it into a crt file.

5. Obtain Startcom’s intermediate and root CA files by going to Toolbox / Startcom CA Certificates. Download the “Server Certificate Bundle with CRLs” file.

6. Combine the generated certificate and Startcom certificate bundle into a single file:

cat ca-bundle.pem generated_crt_file.crt  > combined.crt

Sometimes you will need to wait 6-12 hours after getting key before installing it. This allows for OCSP to propagate as explained here. If you get certificate errors after installing, this may be the cause.

7. Profit.

OS, Virtualization

Install Virtualbox on a Chromebook

November 12, 2015 nicholas 18 Comments

I am really enjoying my Chromebook Pixel 2015. Recently I needed to spin up a few VMs on this box. I tried to install virtualbox but it turns out that the kernel for the chromebook does not include virtualbox headers. Fortunately it’s fairly easy to add them, thanks to divx118’s scripts.

First, enable the necessary chromebook kernel flags. Run these commands in a crosh shell (not in a chroot)

cd ~/Downloads
wget https://raw.githubusercontent.com/divx118/crouton-packages/master/change-kernel-flags
sudo sh ~/Downloads/change-kernel-flags

Note: You will need to repeat the above steps after each chromeos update.

Next, open up a chroot shell and do the following:

cd ~
wget https://raw.githubusercontent.com/divx118/crouton-packages/master/setup-headers.sh
sudo sh setup-headers.sh

Lastly, reboot the chromebook. Once you’re back up, enter your chrooted environment and install Virtualbox from their Oracle’s download page. Don’t use the virtualbox repositories – they don’t work.

Install the downloaded deb file with dpkg

dpkg -i virtualbox-5.0_5.0.10-104061~Ubuntu~trusty_amd64.deb

You might get this error:

dpkg: dependency problems prevent configuration of virtualbox-5.0:
 virtualbox-5.0 depends on libqt4-opengl (>= 4:4.7.2); however:
  Package libqt4-opengl is not installed.

The fix to that error is to run the following command to install missing dependencies:

apt-get -f install

If you get weird errors about VT-X not being enabled in the BIOS, try running the script and rebooting again.

Success!

CLI

Randomize files in a folder

October 6, 2015 nicholas Leave a comment

I wanted to make a simple slideshow for a cheap Kindle turned photo frame in my office. Windows Movie Maker (free, already installed program) does not have a randomize function when importing photos. I had a lot of photos I wanted imported and I wanted them randomized. Movie Maker doesn’t include subfolders for some dumb reason, so I also needed a way to grab pictures from various directories and put them in a single directory.

My solution (not movie-maker specific) was to use bash combined with find, ln, and mv to get the files exactly how I want them. The process goes as follows:

Create a temporary folder
Use the find command to find files you want
1. Use -type f argument to find only files (don’t replicate directory structure)
2. Use the -exec argument to call the ln command to create links to each file found
3. Use the -s argument of ln to create symbolic links
4. Use the -b argument of ln to ensure duplicate filenames are not overwritten
Invoke a one line bash command to randomize the filenames of those symbolic links

It worked beautifully. The commands I ended up using were as follows:

mkdir temp
cd temp
find /Pictures/2013/ -type f -exec ln -s -b {} . \;
#repeat for each subfolder as needed, unless you want all folders in which case you can just specify the directory beneath it.
find /Pictures/2014/ -type f -exec ln -s -b {} . \;
find /Pictures/2015/ -type f -exec ln -s -b {} . \;

for i in *.JPG; do mv "$i" "$RANDOM.jpg"; done
#repeat for all permutations. The -b argument of ln creates files with tildes in the extension - don't forget about them.
for i in *.jpg; do mv "$i" "$RANDOM.jpg"; done
for i in *.JPG~; do mv "$i" "$RANDOM.jpg"; done
for i in *.jpg~; do mv "$i" "$RANDOM.jpg"; done

The end result was a directory full of pictures with random filenames, ready to be dropped into any crappy slideshow making software of your choosing 🙂

Technicus