10. FAQs

This section collects frequently asked questions and their answers. Each chapter opens with the question and the explanation follows directly after it.

10.1. Disabling Assignment Logs

Q: My assignment logs on the server are growing quickly. How can I turn them off?

The assignment logs located at /var/lib/nextron/analysiscockpit3/log/assignment.log write warnings and errors for the Optimize function of the Cockpit.

If the log fills up too quickly, you can turn it off completely. Before doing so, try to find out why it is growing: a log that fills up with warnings and errors may indicate an underlying issue.

Run the following commands on your Analysis Cockpit (warning: the second command restarts your Analysis Cockpit. If you do not want to restart it right now, you can run the second command at a later time):

nextron@cockpit:~$ echo "REPLACE INTO config VALUES ('write-assignment-log','false')" | sudo mysql analysiscockpit3
nextron@cockpit:~$ sudo systemctl restart analysiscockpit3.service

To turn the assignment.log back on, run the following commands:

nextron@cockpit:~$ echo "REPLACE INTO config VALUES ('write-assignment-log','true')" | sudo mysql analysiscockpit3
nextron@cockpit:~$ sudo systemctl restart analysiscockpit3.service

10.2. No Events visible

Q: It seems that events are not visible or have been lost. What can I do to verify that they're still in the database?

If you think that some events are not visible or have been lost, you can do the following to verify that they still exist in the database.

First, check your date range picker.

Very often, analysts forget to set it to the right time frame and old events accidentally disappear from the view.

Secondly, make sure you're using the search in the Events section and not the Baselining section.

10.3. No new Events in Case

Q: I have created a case but it seems that no new incoming events are assigned to that existing case. How can I check what's wrong?

The first thing that you should check is the auto_case_ids of the events in that case (Cases > Open Case > Events > auto_case_id Panel).

If they are distributed as in the following screenshot, it seems that auto-casing doesn't work on this case.

[Screenshot: Auto Case ID panel]

This case doesn't have groupable contents and uses only so-called "Dynamic Auto Case IDs", which are used whenever the Analysis Cockpit was unable to find a suitable filter template to create usable filters for this type of event.

Also check the grouping criteria of that case:

Cases > Open Case > Tab Grouping Criteria

What are the conditions defined to assign new events to that case?

10.4. Location of Scan Logs

Q: Where are Scan Logs on the system located?

You can find the Scan Logs in /var/lib/nextron/analysiscockpit3/events. In this folder you will find three different naming schemes:

  • .txt.gz - Logs which are not imported yet

  • .txt.gz.ok - Logs which were imported successfully

  • .txt.gz.problem - Logs which could not be imported correctly due to an error

If you need to manually investigate logs which failed during the import (.txt.gz.problem), copy the files to a different location (/tmp for example) and remove the .problem suffix. After that you can use gunzip to extract the log and inspect it. Most likely you will find that the file did not transfer correctly to the Analysis Cockpit. You can see this by opening the file and scrolling to the very end: in this case the file just ends in the middle of a log line.
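The manual investigation above, scripted as an added example that is not part of this manual: it assumes only gzip and standard POSIX tools, uses the events directory path from this section and /tmp/problem-logs as scratch space (both overridable via environment variables), and includes a constructed sample set so it can be run without real scan logs.

```shell
# Added example, not part of the Nextron manual: triage .txt.gz.problem scan
# logs without modifying the originals. Each file is copied to a scratch
# directory, the .problem suffix is removed, the gzip stream is tested, and the
# decompressed log is checked for an unterminated last line (the symptom of an
# interrupted transfer described in the manual).
EVENTS_DIR="${EVENTS_DIR:-/var/lib/nextron/analysiscockpit3/events}"
WORK_DIR="${WORK_DIR:-/tmp/problem-logs}"

# Inspect one .problem file. Return codes:
#   0 = gzip stream intact and last log line terminated (look for another cause)
#   1 = log ends in the middle of a line (incomplete transfer)
#   2 = gzip stream itself damaged or cut short
check_problem_log() {
    src="$1"
    mkdir -p "$WORK_DIR"
    copy="$WORK_DIR/$(basename "$src" .problem)"   # strips the .problem suffix
    cp "$src" "$copy"
    if ! gzip -t "$copy" 2>/dev/null; then
        echo "$src: gzip stream damaged or cut short"
        return 2
    fi
    # $(...) drops a trailing newline, so the result is empty exactly when the
    # last byte is a newline (or the log is empty); anything else means mid-line.
    last_byte=$(gzip -dc "$copy" | tail -c 1)
    if [ -n "$last_byte" ]; then
        echo "$src: ends mid-line, transfer was incomplete"
        return 1
    fi
    echo "$src: archive intact and last line complete"
    return 0
}

# Run the check over every .problem file in the events directory.
triage_all() {
    for f in "$EVENTS_DIR"/*.txt.gz.problem; do
        [ -e "$f" ] || continue
        check_problem_log "$f" || true
    done
}

# Constructed sample files for a stand-alone run (not real Cockpit data):
# one complete log, one cut off mid-line, one with a damaged gzip stream.
make_samples() {
    mkdir -p "$1"
    printf 'line 1\nline 2\n'     | gzip -c > "$1/complete.txt.gz.problem"
    printf 'line 1\nline 2 cut o' | gzip -c > "$1/truncated.txt.gz.problem"
    printf 'line 1\nline 2\n'     | gzip -c | head -c 12 > "$1/damaged.txt.gz.problem"
}

[ -d "$EVENTS_DIR" ] && triage_all
```

Run it as-is on the Cockpit to get one verdict line per .problem file, or call make_samples on a scratch directory and point EVENTS_DIR at it to see all three outcomes.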

The logs can be imported into the Cockpit via the Scans menu. Select the asset which had a problem with the log transfer and click Request Events. This will transfer the events from the corresponding ASGARD. You can also use the fields Log Requested, Log Received and Log Received Error to filter for other failed log transmissions.

10.5. Default password for file downloads

Q: What is the password used to protect file downloads?

Artifacts uploaded to a case might be malware. To ensure the file is not automatically deleted by antivirus software or executed by an unknowing user, we zip all files in the attachments and encrypt the ZIP file with a default password. The default password "infected" can be used to extract the file.

10.6. Disk Space filling up quickly

Q: My disk is filling up. What options do I have?

If your disk is already at or close to 100% and AC no longer works properly, see section Recover from a Full Disk.

In other cases check section Regain Disk Space.

10.7. Reverse Proxy to access the Analysis Cockpit

Q: I am using a Reverse Proxy to access the Analysis Cockpit. What do I have to take care of?

The Analysis Cockpit partially uses very long URLs to communicate with its backend. Proxy servers usually do not allow arbitrarily long URLs.

In case of nginx the default header buffer size is 8k (see http://nginx.org/en/docs/http/ngx_http_core_module.html#large_client_header_buffers). If you want to use the Analysis Cockpit behind an nginx reverse proxy, you need to increase large_client_header_buffers. A size of 100k should be sufficient. The HTTP/2 protocol also has to be disabled.

A minimal example configuration for nginx looks as follows:

server {
   listen 443 ssl; # !! no http2 !!
   ssl_certificate /path/to/your/certificate.crt;
   ssl_certificate_key /path/to/your/private.key;
   location / {
      proxy_pass https://analysis-cockpit.your.org;
      proxy_set_header Host $http_host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
   }
   large_client_header_buffers 4 100k; # increase maximal allowed URL length
}

10.8. Internet Explorer

Q: I am using Internet Explorer and the Analysis Cockpit seems to run into a timeout. What can I do?

Modern browsers (e.g. Firefox, Chrome, Edge, Safari) support long URLs. Internet Explorer does not. If you want to access the Analysis Cockpit and all its features, you need to switch your browser.

10.9. Admin Password reset

Q: I forgot my admin password and lost access to the WebUI. How do I reset the admin user password?

If you've lost the password of the local admin user (Web GUI) but still have access to the system via SSH, you can reset it on the command line with the following command.

nextron@cockpit:~$ sudo mysql analysiscockpit3 -e "UPDATE users SET password = '7951GYqdAjLAoO1NaQu1ManJDIk' WHERE name = 'admin';"

This resets the password to "admin". You should then change that password immediately.

10.10. Multi Factor Authentication reset

Q: How do I reset Multi Factor Authentication for a specific user?

If you or another user lost their second factor (MFA) to log into the ASGARD Web UI, you can reset the user's MFA settings with the following command (in this example we assume that the user is called john):

nextron@cockpit:~$ sudo mysql analysiscockpit3 --execute "UPDATE users SET tfa_valid = 0 WHERE name = 'john';"