mirror of https://github.com/MISP/misp-book
parent
47415d10e4
commit
76cd0ff261
|
@ -139,7 +139,7 @@ To list all current organisation of the system, just click on List Organisations
|
|||
![View organisation.](figures/view_org.png)
|
||||
|
||||
#### Merge organisations:
|
||||
Merge Organisation menu is available only in the view organisation, under the left menu. Merge one organisation to another will transfer all users and data from one to another. On the left the organisation to merge, on the right the target one.
|
||||
Merge Organisation menu is available only in the organisation view, under the left menu. Merge one organisation to another will transfer all users and data from one to another. On the left the organisation to merge, on the right the target one.
|
||||
|
||||
![Merge organisations.](figures/merge_org.png)
|
||||
|
||||
|
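Review bot: the rewritten sentence still contains "Merge one organisation to another will transfer all users and data from one to another", which is ungrammatical in both the old and the new version; suggest "Merging one organisation into another transfers all users and data from the source organisation to the target." The last sentence can then name the sides the same way: "the organisation to merge is on the left, the target organisation on the right."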
@ -147,7 +147,7 @@ Merge Organisation menu is available only in the view organisation, under the le
|
|||
|
||||
### Roles
|
||||
|
||||
Privileges are assigned to users by assigning them to rule groups, which use one of four options determining what they can do with events and four additional privilege elevating settings. The four options for event manipulation are: Read Only, Manage My Own Events, Manage Organisation Events, Manage & Publish Organisation Events. A short description is provided below:
|
||||
Privileges are assigned to users by assigning them to rule groups. Rule groups use one of four options determining what they can do with events as well as four additional privilege elevation settings. These are the four options to edit the full options availble in the Roles section: Read Only, Manage My Own Events, Manage Organisation Events, Manage & Publish Organisation Events. A short description is provided below:
|
||||
|
||||
* **Read Only:** This allows a user to browse events that his organisation has access to, but doesn't allow any changes to be made to the database.
|
||||
* **Manage My Own Events:** The second option, gives its users the rights to create, modify or delete their own events, but they cannot publish them.
|
||||
|
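Review bot: the new sentence "These are the four options to edit the full options availble in the Roles section" is harder to parse than the one it replaces and introduces the typo "availble"; the original "The four options for event manipulation are:" was correct and should be kept. Also, the section heading and the rest of the chapter call these roles, so "assigning them to rule groups" should read "assigning them roles" in both the old and the new wording.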
@ -158,7 +158,7 @@ The extra permissions are defined below:
|
|||
|
||||
* **Perm Admin:** Gives the user limited administrator privileges, this setting is used for an organisation's admins.
|
||||
* **Perm Audit:** Grants access to the logs. With the exception of site admins, only logs generated by the user's own org are visible.
|
||||
* **Perm Tagger:** Allow user to assign tags to events.
|
||||
* **Perm Tagger:** Allows a user to assign tags to events.
|
||||
* **Perm Sharing Group:** Grant access to edit or create sharing groups.
|
||||
* **Perm Site Admin:** Gives the user full administrator privileges, this setting is used for site admins.
|
||||
* **Perm Auth:** This setting enables the authentication key of the role's users to be used for rest requests.
|
||||
|
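Review bot: the "Allow user" to "Allows a user" fix should be applied to the neighbouring bullets as well: "Perm Sharing Group: Grant access" should be "Grants access", and the "Perm Admin" and "Perm Site Admin" bullets ("Gives the user ... privileges, this setting is used for ...") are comma splices that read better split into two sentences. In the "Perm Auth" bullet, "rest requests" should be "REST requests", and since this flag is what makes a user's authentication key usable for unattended API access it deserves a sentence saying that it should only be granted to roles that need it.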
@ -170,7 +170,7 @@ The extra permissions are defined below:
|
|||
|
||||
#### Adding a new role:
|
||||
|
||||
When creating a new role, you will have to enter a name for the role to be created and set up the permissions (as described above) using the drop-down menu and related check-boxes.
|
||||
When creating a new role, you will have to enter a name for the role to be created and set up permissions (as described above) using the drop-down menu and related check-boxes.
|
||||
|
||||
![Add a new role.](figures/add_role.png)
|
||||
|
||||
|
@ -178,7 +178,7 @@ When creating a new role, you will have to enter a name for the role to be creat
|
|||
|
||||
By clicking on the List Roles button, you can view a list of all currently registered roles and a list of the permission flags enabled for each. In addition, you can find buttons that allow you to edit and delete said roles. Keep in mind that you will need to first remove every member from a role before you can delete it.
|
||||
|
||||
![You can Edit or Delete roles using the action buttons to the right in each row. Keep in mind that in order to Delete a role, all members must be removed from said role before it can be deleted.](figures/list_roles.png)
|
||||
![You can Edit or Delete roles using the action buttons to the right in each row. Keep in mind that in order to Delete a role, all members of a Role must be removed from said role before it can be deleted.](figures/list_roles.png)
|
||||
|
||||
* **Id:** The role's automatically assigned ID number.
|
||||
* **Name:** The name of role.
|
||||
|
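Review bot: the unchanged bullet "The name of role" should be "The name of the role"; since the caption two lines above is being touched, fix it in the same change. The new caption also mixes "a Role" and "said role"; pick one capitalisation.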
@ -216,8 +216,8 @@ The settings and diagnostics tool is split up into several aspects, all accessib
|
|||
* **MISP settings**: Basic MISP settings. This includes the way MISP handles the default settings for distribution settings, whether background jobs are enabled, etc
|
||||
* **GnuPG settings**: GPG related settings.
|
||||
* **Proxy settings**: HTTP proxy related settings.
|
||||
* **Security settings**: Settings controlling the brute-force protection and the application's salt key.
|
||||
* **Misc settings**: You change the debug options here, please ensure that debug is always disabled on a production system.
|
||||
* **Security settings**: Settings controlling brute-force protection and the application's salt key.
|
||||
* **Misc settings**: Settings controlling debug options, please ensure that debug is always disabled on a production system.
|
||||
* **Diagnostics**: The diagnostics tool checks if all directories that MISP uses to store data are writeable by the apache user. Also, the tool checks whether the STIX libraries and GPG are working as intended.
|
||||
* **Workers**: Shows the background workers (if enabled) and shows a warning if they are not running. Admins can also restart the workers here.
|
||||
* **Download report**: Download a report in JSON format, compiled of all of the settings visible in the tool.
|
||||
|
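Review bot: the unchanged "MISP settings" bullet ends in "etc" with no full stop while the rewritten "Security settings" and "Misc settings" bullets end with periods; make the list consistent. "GPG related" and "HTTP proxy related" should be hyphenated ("GPG-related", "HTTP proxy-related"). In the "Misc settings" rewrite, "please ensure that debug is always disabled on a production system" is the one operational instruction in this list and reads better as its own sentence rather than joined to the description with a comma.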
@ -259,7 +259,7 @@ The second use is blocking, if a regular expression is entered with a blank repl
|
|||
|
||||
#### Adding and modifying entries
|
||||
|
||||
Administrators can add, edit or delete regular expression rules, which are made up of a regex pattern that the system searches for and a replacement for the detected pattern.
|
||||
Administrators can add, edit or delete regular expression rules, these "expressions" are made up of a regex pattern that the system searches for and a replacement for the detected pattern.
|
||||
|
||||
![Add, edit or remove Regexp entries that will affect all newly created attributes here.](figures/regexp.png)
|
||||
|
||||
|
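Review bot: the new wording "rules, these "expressions" are made up of" is a comma splice and the scare quotes add nothing; the sentence it replaces was already correct. If the intent was to name the unit, use "rules; each rule consists of a regex pattern that the system searches for and a replacement for the detected pattern."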
@ -277,9 +277,9 @@ When viewing the list of whitelisted addresses, the following data is shown: The
|
|||
|
||||
![You can edit or delete currently white-listed addresses using the action buttons on this list.](figures/whitelist.png)
|
||||
|
||||
### Using the logs of MISP
|
||||
### Using MISP logs
|
||||
|
||||
Users with audit permissions are able to browse or search the logs that MISP automatically appends each time certain actions are taken (actions that modify data or if a user logs in and out).
|
||||
Users with audit permissions are able to browse or search logs that MISP automatically appends each time certain actions are taken (actions that modify data or if a user logs in and out).
|
||||
Generally, the following actions are logged:
|
||||
|
||||
* **User:** Creation, deletion, modification, Login / Logout
|
||||
|
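Review bot: "logs that MISP automatically appends each time certain actions are taken" describes the entries rather than the logs; suggest "log entries that MISP automatically appends whenever certain actions are taken (actions that modify data, and user log-in and log-out)". Dropping "the" in the heading ("Using MISP logs") is fine.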
@ -292,9 +292,9 @@ Generally, the following actions are logged:
|
|||
* **Regexp:** Creation, deletion, modification
|
||||
|
||||
|
||||
#### Browsing the logs:
|
||||
#### Browsing logs:
|
||||
|
||||
Listing all the log entries will show the following columns generated by the users of your organisation (or all organisations in the case of site admins):
|
||||
Listing all the log entries will display the following columns generated by the users of your organisation (or all organisations in the case of site admins):
|
||||
|
||||
![Here you can view a list of all logged actions.](figures/list_logs.png)
|
||||
|
||||
|
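Review bot: "will display the following columns generated by the users of your organisation" attaches "generated by" to the columns instead of the entries; suggest "displays the following columns for every entry generated by users of your organisation (or of all organisations, for site admins)". The "show" to "display" change by itself does not address this.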
@ -304,14 +304,14 @@ Listing all the log entries will show the following columns generated by the use
|
|||
* **Created:** The date and time when the entry originated.
|
||||
* **Action:** The action's type. This can include: login/logout for users, add, edit, delete for events, attributes, users and servers.
|
||||
* **Title:** The title of an event always includes the target type (Event, User, Attribute, Server), the target's ID and the target's name (for example: e-mail address for users, event description for events).
|
||||
* **Change:** This field is only filled out for entries with the action being add or edit. The changes are detailed in the following format:
|
||||
* **Change:** This field is only populated for entries with "add" or "edit" actions. The changes are detailed in the following format:
|
||||
__variable (initial_value)_ => _(new_value)_,...
|
||||
When the entry is about the creation of a new item (such as adding a new event) then the change will look like this for example:
|
||||
_org()_ => _(ADMIN)_, _date()_ => _(20012-10-19)_,...
|
||||
|
||||
![You can search the logs using this form, narrow down your search by filling out several fields.](figures/search_log.png)
|
||||
![You can search logs using this form, narrow down your search by populating several fields.](figures/search_log.png)
|
||||
|
||||
#### Searching the Logs:
|
||||
#### Searching Logs:
|
||||
|
||||
Another way to browse the logs is to search it by filtering the results according to the following fields (the search is a sub-string search, the sub-string has to be an exact match for the entry in the field that is being searched for):
|
||||
|
||||
|
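Review bot: two unchanged context lines in this hunk contain errors worth fixing alongside the "Change" rewrite: the example "_date()_ => _(20012-10-19)_" has a five-digit year and should be "2012-10-19", and the format line "__variable (initial_value)_ => _(new_value)_" starts with a doubled underscore that will render as bold instead of the intended italics. The new heading "Searching Logs" should also match the casing of "Browsing logs" from the previous hunk.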
@ -319,12 +319,12 @@ Another way to browse the logs is to search it by filtering the results accordin
|
|||
* **Org:** Searching for an organisation allows you to see all actions taken by any member of the organisation.
|
||||
* **Action:** With the help of this drop down menu, you can search for various types of actions taken (such as logins, deletions, etc).
|
||||
* **Title:** There are several ways in which to use this field, since the title fields contain several bits of information and the search searches for any substrings contained within the field, it is possible to just search for the ID number of a logged event, the username / server's name / event's name / attribute's name of the event target.
|
||||
* **Change:** With the help of this field, you can search for various specific changes or changes to certain variables (such as published will find all the log entries where an event has gotten published, ip-src will find all attributes where a source IP address has been entered / edited, etc).
|
||||
* **Change:** With the help of this field, you can search for various specific changes or changes to certain variables (Ex.: using "Published" as the search term for and find all log entries where an event has been "Published", ip-src will find all attributes where a source IP address has been entered / edited, etc).
|
||||
|
||||
|
||||
### Background Processing
|
||||
|
||||
If enabled, MISP can delegate a lot of the time intensive tasks to the background workers. These will then be executed in order, allowing the users of the instance to keep using the system without a hiccup and without having to wait for the process to finish. It also allows for certain tasks to be scheduled and automated.
|
||||
If enabled, MISP can delegate a lot of the time intensive tasks to the background workers. These will then be executed in sequence, allowing the users of the instance to keep using the system without a hiccup and without having to wait for the process to finish. It also allows for certain tasks to be scheduled and automated.
|
||||
|
||||
#### Command Line Tools for the Background Workers
|
||||
|
||||
|
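Review bot: the rewritten "Change" bullet reads "using "Published" as the search term for and find all log entries", which is garbled; suggest "searching for published finds all log entries where an event was published, and ip-src finds all attributes where a source IP address was entered or edited". Because the sentence introducing the list says the sub-string must be an exact match, changing the example from "published" to "Published" could send readers searching for the wrong string; keep the original lower-case term. The "in order" to "in sequence" change in the Background Processing paragraph is fine.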
@ -333,15 +333,15 @@ To start all of the workers needed by MISP go to your `/var/www/MISP/app/Console
|
|||
To interact with the workers, here is a list of useful commands. Go to your `/var/www/MISP/app/Console` (assuming a standard installation path) and execute one of the following commands as a parameter to `./cake CakeResque.CakeResque` (for example: `./cake CakeResque.CakeResque tail`):
|
||||
|
||||
* **tail**: tail the various log files that CakeResque creates, just choose the one from the list that you are interested in.
|
||||
* **cleanup**: terminate the job that a worker is working on immediately. You will be presented with a choice of workers to choose from when executing this command.
|
||||
* **cleanup**: terminate the job that a worker is working on with immediate effect. You will be presented with a choice of workers to choose from when executing this command.
|
||||
* **clear**: Clear the queue of a worker immediately.
|
||||
* **stats**: shows some statistics about your workers including the count of successful and failed jobs.
|
||||
* **stats**: Display some statistics about your workers including the count of successful and failed jobs.
|
||||
|
||||
The other commands should not be needed, instead of starting / stopping or restarting workers use the supplied start.sh (it stops all workers and starts them all up again). For further instructions on how to use the console commands for the workers, visit the [CakeResque list of commands](http://cakeresque.kamisama.me/commands#cleanup).
|
||||
The other commands should not be required, instead of starting / stopping or restarting workers use the supplied start.sh (it stops all workers and starts them all up again). For further instructions on how to use the console commands for the workers, visit the [CakeResque list of commands](http://cakeresque.kamisama.me/commands#cleanup).
|
||||
|
||||
#### Monitoring the Background Processes
|
||||
|
||||
The "Jobs" menu item within the Administration menu allows site admins to get an overview of all of the currently and in the past scheduled jobs. Admins can see the status of each job, and what the queued job is trying to do. If a job fails, it will try to set an error message here too. The following columns are shown in the jobs table:
|
||||
The "Jobs" menu item within the Administration menu allows site admins to get an overview of all of the current and past scheduled jobs. Admins can see the status of each job, and what the queued job is trying to do. If a job fails, it will try to set an error message here too. The following columns are shown in the jobs table:
|
||||
|
||||
* **Id**: The job's ID (this is the ID of the job's metadata stored in the default datastore, not to be confused with the process ID stored in the redis database and used by the workers)
|
||||
* **Process**: The process's ID.
|
||||
|
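Review bot: the list mixes lower-case and capitalised descriptions ("tail: tail ...", "cleanup: terminate ...", "clear: Clear ...", "stats: Display ..."); if "stats" is being capitalised, bring "tail" and "cleanup" into the same form. "terminate the job ... with immediate effect" is no clearer than "immediately" and adds words. In the paragraph below, "start.sh (it stops all workers and starts them all up again)" would be more useful with the path of the script, since the preceding sentence only gives the path of the `cake` command.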
@ -351,7 +351,7 @@ The "Jobs" menu item within the Administration menu allows site admins to get an
|
|||
* **Message**: This will show what the job is currently doing or alternatively an error message describing why a job failed.
|
||||
* **Org**: The string identifier of the organisation that has scheduled the job.
|
||||
* **Status**: The status reported by the worker.
|
||||
* **Retries**: Currently unused, it is planned to introduced automatic delayed retries for the background processing to add resilience.
|
||||
* **Retries**: Currently unused, it is planned to introduced automatic delayed retries for the background processing and thus add resilience.
|
||||
* **Progress**: A progress bar showing how the job is coming along.
|
||||
|
||||
![Site administrators can monitor the process of all queued jobs here.](figures/jobs.png)
|
||||
|
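Review bot: "it is planned to introduced automatic delayed retries" keeps the typo "introduced" for "introduce" in both the old and the new version; suggest "automatic delayed retries for background processing are planned, to add resilience". "A progress bar showing how the job is coming along" in the Progress bullet would be tighter as "A progress bar for the job".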
@ -386,7 +386,7 @@ You can also set a default distribution level for attributes contained in an eve
|
|||
|
||||
#### Adding organisation logos
|
||||
|
||||
You can add logo for organisations in MISP by uploading them via the tab **Manage files** under the **Administration** menu & **Server Settings** sub-menu.
|
||||
You can add a logo for your organisations in MISP by uploading them via the tab **Manage files** under the **Administration** menu & **Server Settings** sub-menu.
|
||||
The filename must be exactly the same as the organisation name that you will use in MISP.
|
||||
It is recommended to use PNG files of 48x48 pixels.
|
||||
|
||||
|
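Review bot: "add a logo for your organisations ... by uploading them" mismatches singular and plural; suggest "add logos for organisations ... by uploading them". The following sentence, "The filename must be exactly the same as the organisation name", is the part users get wrong most often and should state whether the match is case-sensitive and whether the file extension is excluded from the comparison, since neither is stated.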
@ -444,7 +444,7 @@ Trying to upload a large samples (>50M) might cause the following error:
|
|||
|
||||
Or will give you an error page in browser.
|
||||
|
||||
The error logs on the system will show you the following:
|
||||
The error logs on the system will display the following:
|
||||
|
||||
```
|
||||
PHP Warning: POST Content-Length of 57526024 bytes exceeds the limit of 8388608 bytes in Unknown on line 0, referer: https://XYZ/attributes/add_attachment/1948
|
||||
|
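Review bot: the hunk header context "Trying to upload a large samples (>50M)" has a number mismatch ("large samples"), and "Or will give you an error page in browser" needs "in the browser"; both are unchanged lines that can be fixed while the adjacent "show" to "display" edit is made. The quoted PHP warning and fatal error are useful as they are; the referer URL is already anonymised as XYZ, which is the right call for a public book.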
@ -456,12 +456,12 @@ And / Or
|
|||
PHP Fatal error: Allowed memory size of 134217728 bytes exhausted (tried to allocate 76705009 bytes) in /var/www/MISP/app/Lib/cakephp/lib/Cake/Network/CakeRequest.php on line 996
|
||||
```
|
||||
|
||||
To fix that you have to adjust the php settings:
|
||||
To fix that you need to adjust the php settings:
|
||||
```
|
||||
vi /etc/php5/apache2/php.ini
|
||||
```
|
||||
|
||||
Increase to the following values (or more if you like to)
|
||||
Increase to the following values (or more if you want to)
|
||||
```
|
||||
; Maximum size of POST data that PHP will accept.
|
||||
; Its value may be 0 to disable the limit. It is ignored if POST data reading
|
||||
|
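Review bot: the php.ini path `/etc/php5/apache2/php.ini` is tied to the PHP 5 packaging, which the `php5` directory name makes explicit; the sentence "To fix that you need to adjust the php settings" should say that this is the php.ini used by the Apache PHP module and that the path differs on other PHP versions, so readers do not look for a file that does not exist on their system. "or more if you want to" is fine.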
@ -484,10 +484,10 @@ service apache2 restart
|
|||
|
||||
The preferred method for support & feature requests is to use the [GitHub ticketing system](https://github.com/MISP/MISP/issues).
|
||||
|
||||
If you want to discuss about something related to MISP, want help from the community, etc... You have
|
||||
If you want to discuss something related to MISP, want some help from the community, etc... You have
|
||||
the [MISP Users mailing list](https://groups.google.com/forum/#!forum/misp-users) and the [MISP developers mailing list](https://groups.google.com/forum/#!forum/misp-devel).
|
||||
|
||||
A number of companies are also offering custom development, consulting, and support around MISP, please check [the support page of the MISP Project website](http://www.misp-project.org/#support).
|
||||
A number of companies offer custom development, consulting, and support around MISP, please check [the support page of the MISP Project website](http://www.misp-project.org/#support).
|
||||
|
||||
#### More information in the notification emails about new events
|
||||
|
||||
|
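Review bot: "etc... You have" still breaks mid-sentence with a capitalised "You" and a trailing ellipsis in the new version; suggest "If you want to discuss something related to MISP, or need help from the community, there is the MISP Users mailing list and the MISP developers mailing list." The "A number of companies offer" change is good.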
@ -521,11 +521,11 @@ This will give you a top 10 table per ip and username:
|
|||
|
||||
#### MISP Logs
|
||||
|
||||
By default, MISP has several layers of logs that can be used to trouble-shoot and to monitor the system. Let's walk through each of the available logs:
|
||||
By default, MISP has several layers of logs that can be used to trouble-shoot and monitor the system. Let's walk through each of the available logs:
|
||||
|
||||
* **Apache access logs**: Rotating logs generated by apache, logging each request, by default (on Ubuntu) they are found in /var/log/apache2/misp.local\_access.log. The location can be changed via the apache conf file
|
||||
* **Apache error logs**: Rotating logs generated by apache, logging error messages, by default (on Ubuntu) they are found in /var/log/apache2/misp.local\_error.log. This error log file will generally not be used by MISP, however, if there is a PHP level error that prevents MISP from functionining you might have relevant entries here.
|
||||
* **MISP error log**: Generated by MISP, logging any exceptions that occur during usage. These can be found in /var/www/MISP/app/tmp/logs/error.log (assuming default installation path). If you are seeins errors in here and are stuck with an issue let us know via github!
|
||||
* **MISP error log**: Generated by MISP, logging any exceptions that occur during usage. These can be found in /var/www/MISP/app/tmp/logs/error.log (assuming default installation path). If you see errors in here and are stuck with an issue let us know via github!
|
||||
* **MISP debug log**: Generated by MISP, any debug messages and Notice level messages will be sent to this file. Generally less interesting, but can be helpful during debuging sessions. It should not be necesary to monitor this under normal usage. The file can be found in /var/www/MISP/app/tmp/logs/debug.log (assuming default installation path).
|
||||
* **MISP worker error log**: Generated by MISP background workers, logging any exceptions generated during a background job. It is the equivalent of the MISP error log for background jobs, so if scheduled tasks, synchronisation or e-mailing with the workers enabled are causing issues, this is the place to check. It can normally be found at /var/www/MISP/app/tmp/logs/resque-worker-error.log
|
||||
* **MISP worker logs**: Rotating logs generated by MISP background workers, logging any jobs executed by workers. This is part of the normal operation of background workers and doesn't have to be monitored, though it can help when debugging issues. Normally found at /var/www/MISP/app/tmp/logs/resque-[current date].log
|
||||
|
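Review bot: the fix of "seeins" should be extended to the unchanged neighbouring bullets: "functionining" in the Apache error logs bullet, and "debuging" and "necesary" in the MISP debug log bullet. Since the worker error log and the worker logs are the first place to look when scheduled tasks, synchronisation or e-mailing fail, the "resque-[current date].log" bullet would be more useful if it gave the date format used in the filename.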
@ -580,7 +580,7 @@ Two ways to fix it:
|
|||
|
||||
#### Errors about fields or tables
|
||||
|
||||
If you have errors with fields or tables that you can see in the error.log or in the page (if you enabled _debug_ or _site_admin_debug_ settings), an easy first them to make most of them go away is to use the **clean cache** feature on the _server settings_ menu, _diagnostics_ tab.
|
||||
If you have errors with fields or tables that you can see in the error.log or in the page (if you enabled _debug_ or _site_admin_debug_ settings), an easy fix to make most of them go away is to use the **clean cache** feature on the _server settings_ menu, _diagnostics_ tab.
|
||||
An example of error message:
|
||||
```
|
||||
Error: [PDOException] SQLSTATE[42S22]: Column not found: 1054 Unknown column 'Task.job_id' in 'field list'
|
||||
|
|
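Review bot: "An example of error message:" in the unchanged context should be "An example error message:"; the "easy first them" to "easy fix" correction itself is right. It would also help to say what "clean cache" actually discards, so that administrators know it is safe to run on a production instance.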