25/02/2014: Hi, I’ve created a new post for CentOS 6.5 that may also work for CentOS 6.4; please read that new post first. I’ll keep this article as an archived version in case you need to compile wkhtmltopdf for any reason.
If I want to have fun with the Suricata IDS, I think it will be useful to have a monitoring tool to track possible alerts. I’ve chosen Snorby as it seems to have a nice and intuitive GUI. Snorby uses Ruby on Rails and a MySQL database. After many attempts I’ve finally got it running, so I want to share with you the steps I’ve followed.
According to its web page, Snorby requires:
- Ruby > 1.9.2
- ImageMagick > 6.6.4
- Rails > 3.0.0
- Wkhtmltopdf
Unfortunately, the packages in the CentOS 6.4 repositories are older versions. You may find newer versions in other repositories, but this time I’ll stick with the official repositories. Compilation fun! Warning: if you use the following commands, check whether newer versions of the downloaded packages exist and change directories and names accordingly.
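Because the versions compiled below are chosen by hand, it is easy to end up with an older binary still first in `$PATH`. The following script, an added example and not part of the original post, checks the four requirements listed above on a box where the compile steps have already been run. Version comparison is done in plain POSIX sh so it works on a bare CentOS 6.4 install; the `ruby -e`, `convert -version` and `rails -v` output formats it parses are assumptions about those tools, not something the post states.

```shell
#!/bin/sh
# Added example (not from the original post): verify the Snorby prerequisites
# (Ruby > 1.9.2, ImageMagick > 6.6.4, Rails > 3.0.0, wkhtmltopdf present).

# version_gt A B: exit 0 when dotted version A is strictly greater than B.
# Non-numeric tails such as "3p448" or "5-9" are ignored after the digits.
version_gt() {
    a="$1" b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah=$(printf '%s' "$a" | sed 's/[^0-9].*//'); ah=${ah:-0}
        bh=$(printf '%s' "$b" | sed 's/[^0-9].*//'); bh=${bh:-0}
        [ "$ah" -gt "$bh" ] && return 0
        [ "$ah" -lt "$bh" ] && return 1
        # drop the component just compared (up to and including the first dot)
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 1   # equal versions are not "greater"
}

# require NAME HAVE MIN: report the state of one requirement; exit 0 only if
# HAVE is non-empty and strictly newer than MIN (the post's "> x.y.z" rule).
require() {
    name=$1 have=$2 min=$3
    if [ -z "$have" ]; then
        echo "MISSING  $name (need > $min)"; return 1
    elif version_gt "$have" "$min"; then
        echo "OK       $name $have"; return 0
    else
        echo "TOO OLD  $name $have (need > $min)"; return 1
    fi
}

# check_prereqs: read the installed versions from the tools themselves
# (output formats assumed: "Version: ImageMagick 6.8.5-9 ...", "Rails 3.1.12").
check_prereqs() {
    rc=0
    require Ruby "$(ruby -e 'print RUBY_VERSION' 2>/dev/null)" 1.9.2 || rc=1
    require ImageMagick "$(convert -version 2>/dev/null |
        sed -n 's/^Version: ImageMagick \([0-9.]*\).*/\1/p')" 6.6.4 || rc=1
    require Rails "$(rails -v 2>/dev/null |
        sed -n 's/^Rails \([0-9.]*\).*/\1/p')" 3.0.0 || rc=1
    if command -v wkhtmltopdf >/dev/null 2>&1; then
        echo "OK       wkhtmltopdf $(command -v wkhtmltopdf)"
    else
        echo "MISSING  wkhtmltopdf"; rc=1
    fi
    return $rc
}

# Usage: sh snorby_prereqs.sh check   (exit status 0 means all four are fine)
case "${1:-}" in
    check) check_prereqs ;;
esac
```

A non-zero exit status from `check` tells you which component `make install` put somewhere that is not first in `$PATH`, which is the usual reason `bundle install` later picks up the stock CentOS Ruby instead of the compiled one.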
- We’ll start by installing some packages with yum:

```
yum groupinstall "Development Tools"
yum install openssl-devel readline-devel libxml2-devel libxslt-devel mysql mysql-devel mysql-libs mysql-server urw-fonts libX11-devel libXext-devel qconf fontconfig-devel libXrender-devel unzip wget
```
- Let’s compile ImageMagick:

```
cd /opt
wget http://ftp.sunet.se/pub/multimedia/graphics/ImageMagick/ImageMagick-6.8.5-9.tar.gz
tar xvfz ImageMagick-6.8.5-9.tar.gz
cd ImageMagick-6.8.5-9
./configure
make
make install
ldconfig /usr/local/lib
```
- Time for Wkhtmltopdf. I’ve downloaded the source files because I had problems with the static versions of Wkhtmltopdf. I’ve used the readme file (README_WKHTMLTOPDF) which comes with wkhtmltopdf as a guide, but notice that the gitorious repository is not found. Warning: this step is going to take a loooong time, so if you don’t need PDF reporting, skip it. Warning: if you see squares in your PDF report instead of text, install the urw-fonts package with yum. This information is provided thanks to this stackoverflow question.

```
cd /opt
git clone git://github.com/jcsalterego/wkhtmltopdf-qt.git wkhtmltopdf-qt
cd wkhtmltopdf-qt

# Edit the mkspecs/linux-g++-64/qmake.conf file and change the following lines:
#   QMAKE_LIBDIR_X11 = /usr/lib64
#   QMAKE_LIBDIR_OPENGL = /usr/lib64

./configure -nomake tools,examples,demos,docs,translations -opensource -prefix ../wkqt
make -j3
make install
cd /opt
wget http://wkhtmltopdf.googlecode.com/files/wkhtmltopdf-0.11.0_rc1.tar.bz2
tar jxvf wkhtmltopdf-0.11.0_rc1.tar.bz2
cd wkhtmltopdf-0.11.0_rc1
../wkqt/bin/qmake
make
ldconfig
ln -s /opt/wkhtmltopdf-0.11.0_rc1/bin/wkhtmltopdf /usr/local/bin/wkhtmltopdf
ln -s /opt/wkhtmltopdf-0.11.0_rc1/bin/libwkhtmltox.so.0 /usr/lib64/libwkhtmltox.so.0
```
- MySQL! Start the service and, if it’s the first time you install it, use mysql_secure_installation to set root’s password and remove the unnecessary tables and anonymous accounts.

```
service mysqld start
mysql_secure_installation
chkconfig mysqld on
```
- And now we need Ruby and RubyGems. I’m installing ruby 1.9.3 from ruby’s webpage.

```
cd /opt
wget ftp://ftp.ruby-lang.org/pub/ruby/1.9/ruby-1.9.3-p448.tar.gz
tar xvfz ruby-1.9.3-p448.tar.gz
cd ruby-1.9.3-p448
./configure
make
make install
cd /opt
wget http://production.cf.rubygems.org/rubygems/rubygems-2.0.4.tgz
tar xvfz rubygems-2.0.4.tgz
cd rubygems-2.0.4
ruby setup.rb
```
- We now have gem installed, and we’re going to install the bundler gem, which is needed by the Snorby setup.

```
cd /opt
gem install bundler
```
- OK. I want to use Snorby, so I need to download it! I’ve had problems with the latest git version of snorby, so I had to use the zip with the stable version (which is linked from Snorby’s webpage).

```
# --no-check-certificate skips TLS verification of github.com; drop it if your CA bundle validates the site
wget -O snorby.zip --no-check-certificate https://github.com/Snorby/snorby/archive/master.zip
unzip snorby.zip
cd snorby-master
```
- Now, pay attention! I’ve found many problems trying to use bundle with ruby 1.9.3 and I spent several hours finding out what to do. This is what I’ve done. I can’t guarantee that it’ll work with a newer ruby or snorby version, but at least if you find the same problem you won’t suffer. If you find any error please contact me; maybe I can help you and update the post so it’s useful for other users.

```
# Edit the Gemfile and change this line:
#   gem 'rake', '0.9.2'
# to:
#   gem 'rake', '> 0.9.2'
# unless you want this error to show when using bundler:
#   error: /usr/local/lib/ruby/gems/1.9.1/gems/bundler-1.3.1/lib/bundler/fetcher.rb:112:in `specs': undefined method `each' for nil:NilClass (NoMethodError)

# Edit the Gemfile and add this line:
#   gem 'orm_adapter'
# after the line:
#   gem 'netaddr'
# unless you want this error when using bundler: 'orm_adapter' file not found

# Edit Gemfile.lock and change "rake (0.9.2)" to "rake (0.9.2.2)"
# so rake setup does not complain about a different rake version

# Create a snorby_config.yml file. Edit the production section and set your domain
cp config/snorby_config.yml.example config/snorby_config.yml

# Create a MySQL database and a user for snorby (pick your own password instead of 'snorby')
mysql> create database snorby;
Query OK, 1 row affected (0.00 sec)
mysql> grant all privileges on snorby.* to snorby@localhost identified by 'snorby';

# Create a database.yml config file.
# Edit the file and set the root password and MySQL server location
cp config/database.yml.example config/database.yml
```
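The three Gemfile edits above are easy to get half-done by hand and then hard to tell apart from a genuine bundler failure. The script below, an added example rather than code from the original post or from the Snorby project, applies them with sed and has a separate check function so you can confirm the edits are in place before running `bundle install`. It assumes the snorby-master layout used here (Gemfile and Gemfile.lock in the checkout directory). It also includes the http to https change for the github git sources that a reader reports in the comments below (bundler fails with "HTTP code = 400" on the plain-http URLs); that fix is from the comments, not from the post body.

```shell
#!/bin/sh
# Added example (not from the original post): apply the Snorby Gemfile edits
# described in the post with sed, repeatably, and verify them.

# patch_snorby_gemfiles DIR: edit DIR/Gemfile and DIR/Gemfile.lock in place.
# Safe to run more than once: each edit is a no-op if already applied.
patch_snorby_gemfiles() {
    dir=${1:-.}
    gemfile="$dir/Gemfile"
    lock="$dir/Gemfile.lock"

    # 1. relax the pinned rake version (otherwise bundler dies in fetcher.rb
    #    with "undefined method `each' for nil:NilClass")
    sed -i "s/^gem 'rake', '0\.9\.2'\$/gem 'rake', '> 0.9.2'/" "$gemfile"

    # 2. add orm_adapter directly after the netaddr line (bundler otherwise
    #    reports "'orm_adapter' file not found")
    if ! grep -q "^gem 'orm_adapter'" "$gemfile"; then
        sed -i "/^gem 'netaddr'/a gem 'orm_adapter'" "$gemfile"
    fi

    # 3. keep Gemfile.lock in step with the rake that actually gets installed
    if [ -f "$lock" ]; then
        sed -i 's/rake (0\.9\.2)$/rake (0.9.2.2)/' "$lock"
    fi

    # 4. git sources over plain http fail with HTTP 400 (see comments); use https
    sed -i 's#http://github\.com#https://github.com#g' "$gemfile"
}

# gemfiles_patched DIR: exit 0 only when every Gemfile edit above is in place.
gemfiles_patched() {
    dir=${1:-.}
    grep -q "^gem 'rake', '> 0.9.2'" "$dir/Gemfile" &&
    grep -q "^gem 'orm_adapter'" "$dir/Gemfile" &&
    ! grep -q 'http://github\.com' "$dir/Gemfile"
}

# Usage from the snorby-master directory:  sh patch_gemfiles.sh apply
if [ "${1:-}" = "apply" ]; then
    patch_snorby_gemfiles . && gemfiles_patched . && echo "Gemfile edits applied"
fi
```

Running it twice is harmless, which matters when `bundle install` fails halfway and you want to re-run the whole step without wondering whether `orm_adapter` got added twice.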
- OK! Now let’s install Snorby. And don’t forget to read the README.md file provided by Snorby’s developers.

```
# We are in the snorby directory
bundle install
rake snorby:setup

# This is the command's output
ERROR 1007 (HY000) at line 1: Can't create database 'snorby'; database exists
[datamapper] Finished auto_upgrade! for :default repository 'snorby'
[~] Adding `index_timestamp_cid_sid` index to the event table
[~] Adding `id` to the event table
[~] Building `aggregated_events` database view
[~] Building `events_with_join` database view
* Removing old jobs
* Starting the Snorby worker process.
* Adding jobs to the queue
```
- Snorby is installed, woohoo! Before launching it, let’s create an iptables rule (TCP 3000 is the default port):

```
iptables -I INPUT -p tcp --dport 3000 -m state --state=NEW,ESTABLISHED,RELATED -j ACCEPT
```
- And now, finally, let’s start Snorby on my CentOS 6.4 server:

```
rails server -e production
Booting WEBrick
Rails 3.1.12 application starting in production on http://0.0.0.0:3000
Call with -d to detach
Ctrl-C to shutdown server
```
- If all is fine, open a web browser at http://x.x.x.x:3000. Here are two screenshots so you can check that I haven’t lied to you.
Snorby default credentials are: snorby@snorby.org and password snorby.
I’ve had several issues with QT compilation and these links helped me:
- http://qt-project.org/forums/viewthread/6476
- http://www.qtforum.org/article/27886/installing-qt4-problem-basic-xlib-functionality-test-failed.html
Enjoy!
Quick note: for wkhtmltopdf on a production server, you’ll need xvfb.
I’ve used qt-webkit for page rendering, and I needed to use xvfb when moving the whole thing on a standalone server.
If you’ve used a better trick, please share 🙂
Hi,
thanks for your tip! If I find a better way I’ll update the post.
Regards,
Miguel
Nice post! I am the developer of Snorby. I just wanted to add that there are a few static builds (https://code.google.com/p/wkhtmltopdf/downloads/list) of wkhtmltopdf that you can use as well. This will cut out that whole step.
I would also like to add that if you are not running rails with apache or nginx, please use the thin webserver. The default is WEBrick I believe, which is single threaded and will block pretty much all the time. It also doesn’t support a lot of the modern things http servers do. Most notably streaming.
Forgot to add how to use thin.. Just add `gem "thin"` to the Gemfile in the snorby dir and bundle install again.
@n40lab thank you very much for this helpful guide! @mephux also thank you for your suggestions! I am not sure what the problem is, but adding gem ‘thin’ to the Gemfile and bundle installing again did not change the default server; rails was still using webrick. Found the following temporary fix though: when starting the web server simply add “thin” to the command line: “rails server thin -e production”.
Hi,
nice to meet you mephux! First of all thanks a lot for Snorby… it’s awesome! A nice GUI, easy to use, great features, and so useful for monitoring… thanks for sharing your work.
Also thanks for your comments, this weekend I’ll try all your suggestions and I’ll update my post with the results.
Regards,
Miguel
This was extremely important for me. I tried installing mysql and found a lot of problems. You need to add the MariaDB repo so it can find those packages. https://downloads.mariadb.org/mariadb/repositories/
I had to revert to a snapshot since I halfway installed some mysql dependencies and couldn’t fix it.
[root@snorby snorby-master]# bundle install
Fetching http://github.com/Snorby/snorby_cas_authenticatable.git
error: RPC failed; result=22, HTTP code = 400
Edit the snorby Gemfile and replace all occurrences of http://github.com with https://github.com
Fantastic, that worked perfectly for me!
I was having the same issue when (re)installing Snorby with the HTTP error 400, and replacing the paths in the Gemfile got my “bundle install” working – thanks again!
Just type
git clone https://github.com/Snorby/snorby_cas_authenticatable.git
Thank you for that document. I am actually not having a problem running with ruby 1.9.2 (but had a problem and was unable to make it working with ruby 2.0.0, so had to delete ruby and install 1.9.2), rake 10.1.0, rails 4.0.0.
Hi there,
Thank you for the detailed tutorial.
I’m facing an error when trying to install ruby 1.9.3-p484 on CentOS 6.5-x64. The snapshot of the error is as follows.
make[1]: *** [ossl_pkey_ec.o] Error 1
make[1]: Leaving directory `/opt/ruby-1.9.2-p320/ext/openssl’
make: *** [mkmain.sh] Error 1
Please guide me through.
Thank you, once more.
Hi Parvez,
I’ll try to install Snorby on CentOS 6.5 this weekend on a clean machine following my guide so I can reproduce your error, and let you know the result.
Thanks for reading!
Have you installed the package openssl-devel before trying to compile ruby 1.9.3-p484?
Regards
Hi,
I’m terribly sorry for pasting wrong error output. In fact, I tried both ruby 1.9.2 and 1.9.3 and faced the same issue.
Sorry for any inconvenience.
Thank you.
By the way, I’ve just finished installing Snorby on CentOS 6.5. If you can wait until tomorrow, I’ll create a new post with some enhancements that make the installation process quicker.
Cheers!
That’s great. I am using your insightful post as a project to get better at CentOS and also to have a great dashboard for my pfSense Snort logs on my home lab. Currently I am kind of confused/stuck on step 4 when it comes to configuring Wkhtmltopdf on CentOS 6.5. Great work, looking forward to reading your new post.
Hi,
I’ve just finished the post. I hope it’ll help you, sorry for the delay.
Thanks for reading my blog and for your comment.