Check if you can connect to Kebina Step 4. bind [127.0.0.1]:8080: Address already in use -

[indian-summers]

Ubuntu Server is the only OS in this server, I gave up on trying to get LME to run on a VM.

Distributor ID: Ubuntu
Description: Ubuntu 24.04.1 LTS
Release: 24.04
Codename: noble

The server has two Intel Xeon 12 core processors, 40GB RAM, and 546GB HDD.

The lme-environment.env is set to: IPVAR=127.0.0.1

sudo -i podman ps --format "{{.Names}} {{.Status}}"

lme-elasticsearch Up 5 hours (healthy)
lme-elastalert2 Up 5 hours
lme-wazuh-manager Up 5 hours (healthy)
lme-kibana Up 5 hours (healthy)
lme-fleet-server Up 5 hours

I am stuck on the following steps.

Check if you can connect to Kebina Step 4
script - ssh -L 8080:localhost:5601 LME

Output:
bind [127.0.0.1]:8080: Address already in use
channel_setup_fwd_listener_tcpip: cannot listen to port: 8080
Could not request local forwarding.

System information as of Thu Jan 16 02:32:33 PM PST 2025

System load: 0.86
Usage of /: 49.4% of 65.74GB
Memory usage: 60%
Swap usage: 0%
Temperature: 41.0 C
Processes: 374
Users logged in: 1
IPv4 address for enp4s0f1: 192.xxx.xxx.xxx (The LME has a properly formatted IP address.)
IPv6 address for enp4s0f1:

I am sure the following will work once the above issue is resolved.

https://localhost:8080 and/or https://localhost:5601 from a browser:

Message:

Unable to connect

An error occurred during a connection to localhost:8080.

[cbaxley]

Try an

netstat -tpan

to see what is using 8080. Maybe node server was installed or something.
Post the results here if you can't tell what it is.

[indian-summers]

Looks like my SSH connection to the server.

I don't have a GUI installed on the computer, I use SSH because it allows me to cut and paste the scripts.
tcp 0 0 127.0.0.1:8080 0.0.0.0:* LISTEN 421927/ssh
tcp6 0 0 ::1:8080 :::* LISTEN 421927/ssh

Any suggestions on mitigating this?

[cbaxley]

If you are connecting via ssh on port 22, you can edit /etc/ssh/sshd_conf Look for Port 8080 Port 22 You can comment out the port 8080 line by putting a # at the beginning of the line, or change it to something else. You can have multiple entries for ports, so you can add another one for 8081 if you want. Port 8081 Port 22 You can save the file, and then restart sshd. To check sshd sudo systemctl status sshd To restart it sudo systemctl restart sshd Do not disconnect your ssh session, open a new window and make a new connection on the port you have configured. If the new connection opens on the new port, you have successfully changed them. If not, edit the file again and look for errors. Clint Baxley

…

On Thu, Jan 16, 2025 at 6:44 PM indian-summers ***@***.***> wrote: Looks like my SSH connection to the server. I don't have a GUI installed on the computer, I use SSH because it allows me to cut and paste the scripts. tcp 0 0 127.0.0.1:8080 0.0.0.0:* LISTEN 421927/ssh tcp6 0 0 ::1:8080 :::* LISTEN 421927/ssh Any suggestions on mitigating this? — Reply to this email directly, view it on GitHub <#550 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAQY33WD3FLJOSUE35DUWUD2LA75VAVCNFSM6AAAAABVKWKMCWVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDKOJXGEZTGMBTHA> . You are receiving this because you commented.Message ID: ***@***.***>

[indian-summers]

Hello Clint, thank you for the info.

To check sshd
sudo systemctl status sshd

result: Failed to restart sshd.service: Unit sshd.service not found.

To restart it
sudo systemctl restart sshd

result: Failed to restart sshd.service: Unit sshd.service not found.

files in /etc/ssh/ named ssh_config

-rw-r--r-- 1 root root 1649 Aug 8 19:33 ssh_config
drwxr-xr-x 2 root root 4096 Aug 8 19:33 ssh_config.d
-rw-r--r-- 1 root root 3272 Jan 17 09:58 sshd_config
drwxr-xr-x 2 root root 4096 Jan 15 14:22 sshd_config.d

I don't see Port 8080 in the file.

Contents of sshd_config referencing Port 22:
Include /etc/ssh/sshd_config.d/*.conf
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

[indian-summers]

Follow up:

Terminated all ssh connections, rebooted the server and type the commands on the server and the error persists.

ssh -L 8080:localhost:5601 LME
bind [127.0.0.1]:8080: Address already in use
channel_setup_fwd_listener_tcpip: cannot listen to port: 8080
Could not request local forwarding

sudo -i podman ps --format "{{.Names}} {{.Status}}"
lme-elasticsearch Up 13 minutes (healthy)
lme-elastalert2 Up 12 minutes
lme-wazuh-manager Up 12 minutes (healthy)
lme-kibana Up 12 minutes (healthy)
lme-fleet-server Up 11 minutes

Should I install a GUI? if YES, which would you recommend?

[cbaxley]

I don't think you need to do the ssh -L forwarding. You should be able to just connect to https://ipofmachine
That port forwarding is just for if there is a proxy and you need to connect to it on a special port.

[indian-summers]

Hello Clint,

I am happy to announce progress!

I am still seeing the error message with port 8080 already in use.

Installed gnome-desktop to rule out ssh.

I am now at the elastic login screen,

Whats next? I tried retrieving the password with the script but I did not get the expected results. Can you include the script to obtain the elastic login password in your response?

Best regards

[cbaxley]

Use . scripts/extract_secrets.sh -p That has a dot at the beginning. It puts the passwords in your shell environment variables, but it will also print the secrets out for you to copy. The user is "elastic" that you are looking for. I don't use an OS gui for anything. I do everything in the web interface that you are trying to login to. Thanks, Clint

…

On Fri, Jan 17, 2025 at 8:13 PM indian-summers ***@***.***> wrote: Hello Clint, I am happy to announce progress! I am still seeing the error message with port 8080 already in use. Installed gnome-desktop to rule out ssh. I am now at the elastic login screen, Elastic.Login.Page.png (view on web) <https://github.com/user-attachments/assets/aea7dd96-aa6d-4025-b2d4-153f6cd50010> Whats next? I tried retrieving the password with the script but I did not get the expected results. Can you include the script to obtain the elastic login password in your response? Best regards — Reply to this email directly, view it on GitHub <#550 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAQY33QMPD2M5AXWDJABMT32LGTD5AVCNFSM6AAAAABVKWKMCWVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDKOJZGQ2DIMJYGY> . You are receiving this because you commented.Message ID: ***@***.***>

[indian-summers]

can you elaborate on "I do everything in the web interface that you are trying to login to."

I am not sure how to do that without a GUI! I installed gnome-desktop yesterday for testing and was able to get to the login screen from a firefox. I am not sure how to do it with out a GUI.

Additionally, I ran the ansible-playbook ./ansible/post_install_local.yml script to validate the installation, and now it shows TASK [Upload dashboards to Kibana] failed

PLAY RECAP *************************************************************************************
localhost : ok=11 changed=1 unreachable=0 failed=1 skipped=2 rescued=0 ignored=0

All the services appear to be running, and healthy.

sudo -i podman ps --format "{{.Names}} {{.Status}}"
lme-elasticsearch Up 2 hours (healthy)
lme-elastalert2 Up 2 hours
lme-wazuh-manager Up 2 hours (healthy)
lme-kibana Up 2 hours (healthy)
lme-fleet-server Up 2 hours

Perhaps the following questions is premature, but I'd like to know if the elastic login page will be accessible from any computer in the LAN?

[cbaxley]

Yes. It should be available from other computers on the lan if the IP_VAR is set up right. If it is not, uninstall, change the IP_VAR variable (in the config file) to the ip of the machine on the network. I was saying I connect to it from other machines on the network via the web interface. Make sure you are installing from /home/youruser/LME. It works best that way. On one of hundreds of installs, I did have it not be able to find the dashboards one time and it was just a fluke. Thanks, Clint

…

On Sat, Jan 18, 2025 at 8:58 PM indian-summers ***@***.***> wrote: can you elaborate on "*I do everything in the web interface that you are trying to login to.*" I am not sure how to do that without a GUI! I installed gnome-desktop yesterday for testing and was able to get to the login screen from a firefox. I am not sure how to do it with out a GUI. Additionally, I ran the *ansible-playbook ./ansible/post_install_local.yml* script to validate the installation, and now it shows *TASK [Upload dashboards to Kibana] failed* PLAY RECAP ************************************************************************************* localhost : ok=11 changed=1 unreachable=0 *failed=1* skipped=2 rescued=0 ignored=0 All the services appear to be running, and healthy. sudo -i podman ps --format "{{.Names}} {{.Status}}" lme-elasticsearch Up 2 hours (healthy) lme-elastalert2 Up 2 hours lme-wazuh-manager Up 2 hours (healthy) lme-kibana Up 2 hours (healthy) lme-fleet-server Up 2 hours Perhaps the following questions is premature, but I'd like to know if the elastic login page will be accessible from any computer in the LAN? — Reply to this email directly, view it on GitHub <#550 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAQY33UYJEXFAYC572VZWEL2LMBF5AVCNFSM6AAAAABVKWKMCWVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDMMBQGQZTSMBWGU> . You are receiving this because you commented.Message ID: ***@***.***>

[indian-summers]

Hi Clint,

I was wondering if we should close this issue which was related to port 8080?

I was able to resolve this particular issue with your help, but now I not unable to get passed the following script.
ansible-playbook ./ansible/post_install_local.yml without seeing the error below.

ASK [Upload dashboards to Kibana] *********************************************************************************
failed: [localhost] (item=/opt/lme/dashboards/elastic/credential_access_logs_dashboard_2_0.ndjson) => {"ansible_loop_var": "item", "changed": false, "item": "/opt/lme/dashboards/elastic/credential_access_logs_dashboard_2_0.ndjson", "msg": "Unsupported parameters for (ansible.legacy.command) module: warn. Supported parameters include: _raw_params, _uses_shell, argv, chdir, creates, executable, expand_argument_vars, removes, stdin, stdin_add_newline, strip_empty_ends.

localhost : ok=11 changed=1 unreachable=0 failed=1 skipped=2 rescued=0 ignored=0

[cbaxley]

We are getting ready to release a new version that removes those lines. On newer versions of ansible, they have been deprecated.

Here is a version I have been using that should work well for you. I have removed the lines and also added some more features to help it work better. Replace the contents of your post_install_local.yml with this.

post_install_local.yml

[indian-summers]

Hi Clint,

I updated the post_install_local.yml and it gets stuck on TASK [Wait for Kibana port to be available]

FAILED - RETRYING

BTW, I open up another incident yesterday, perhaps we should work from that one since it is the same issue.

[cbaxley]

We have released a new version of the installer. I would suggest downloading the latest version. Thanks, Clint

…

On Sun, Jan 19, 2025 at 10:33 PM indian-summers ***@***.***> wrote: Hi Clint, I was wondering if we should close this issue which was related to port 8080? I was able to resolve this particular issue with your help, but now I not unable to get passed the following script. *ansible-playbook ./ansible/post_install_local.yml* without seeing the error below. ASK [Upload dashboards to Kibana] ********************************************************************************* failed: [localhost] (item=/opt/lme/dashboards/elastic/credential_access_logs_dashboard_2_0.ndjson) => {"ansible_loop_var": "item", "changed": false, "item": "/opt/lme/dashboards/elastic/credential_access_logs_dashboard_2_0.ndjson", "msg": "Unsupported parameters for (ansible.legacy.command) module: warn. Supported parameters include: _raw_params, _uses_shell, argv, chdir, creates, executable, expand_argument_vars, removes, stdin, stdin_add_newline, strip_empty_ends. localhost : ok=11 changed=1 unreachable=0 *failed=1* skipped=2 rescued=0 ignored=0 — Reply to this email directly, view it on GitHub <#550 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAQY33WMOUQJLKQKGXTIX4D2LRU73AVCNFSM6AAAAABVKWKMCWVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDMMBRGI2TGNBRG4> . You are receiving this because you commented.Message ID: ***@***.***>

[indian-summers]

Where can I find the latest version, I downloaded it from the github page yesterday.

[kendallhoffman-gsa]

Hello! We noticed you're having some difficulty with the install process. I wanted to reach out to let you know that we're offering 1:1 support sessions to users who are interested in working with the technical team to help them walk through their installation process. If you're interested in setting one of these up please email me ([email protected]) with your availability!

Looking forward to chatting with you.

Kendall Hoffman
LME Product Manager

[cbaxley]

Here is the latest version.

https://github.com/cisagov/LME/releases/tag/v2.0.2