Status Completed but unable to Poll


#1

Hello,

I’ve configured several feeds into STAXX and all of them say completed successfully (including Limo) however none of them are able to poll anything. When I hit poll now it just sits at running indefinitely. We just stood the platform up and I’m hoping for some advice on how to resolve this issue.

I’ve already confirmed that there isn’t a firewall issue. I am using v3.3.

Thanks


#2

Hello Joe and welcome to the Anomali forums. If you could please answer the following questions it would help us troubleshoot your situation:

  1. Do you mean to say that your STAXX dashboard is currently empty and that there are no indicators showing up at all?

  2. You said you confirmed that “there isn’t a firewall issue”. What happens when you execute ping limo.anomali.com from your STAXX VM’s command line?

  3. Are you using a proxy and if so, have you entered its credentials in STAXX?

  4. Does executing sudo systemctl restart xlink from your STAXX VM’s command line make a difference? (This command restarts STAXX.)


#3

Do you mean to say that your STAXX dashboard is currently empty and that there are no indicators showing up at all?
The dashboard is empty, no indicators at all.

You said you confirmed that “there isn’t a firewall issue”. What happens when you execute ping limo.anomali.com from your STAXX VM’s command line?
We receive replies when pinging.

Are you using a proxy and if so, have you entered its credentials in STAXX?
No proxy is being used.

Does executing sudo systemctl restart xlink from your STAXX VM’s command line make a difference? (This command restarts STAXX.)
We restarted STAXX and the same issue occurs.


#4

Just a quick note, it took a long time but the indicators are now coming in. Thanks!


#5

Hi Joe, glad to hear the problem is solved!


#6

Hi there,

having the same problem as Joe. Everything is installed. I have Limo and Hailataxii. Both pull back feeds but then I get no indicators in. I currently have an empty DB. If I ping the URLs from the server they resolve, but in the logs I have pulled off the server I see this:

[2018-04-13 00:00:00,993] [INFO ] Starting manual poll for site:[Anomali Limo]; feed:[209]; feed ID: [6]
[2018-04-13 00:00:01,010] [ERROR] Error occurred in feed polling: (6, "Couldn't resolve host 'limo.anomali.com'")
[2018-04-13 00:00:01,041] [ERROR] Error occurred in feed polling: (6, "Couldn't resolve host 'limo.anomali.com'")
[2018-04-13 00:00:01,085] [ERROR] Error occurred in feed polling: (6, "Couldn't resolve host 'limo.anomali.com'")
[2018-04-13 00:00:01,099] [ERROR] Error occurred in feed polling: (6, "Couldn't resolve host 'limo.anomali.com'")
[2018-04-13 00:00:01,108] [ERROR] Error occurred in feed polling: (6, "Couldn't resolve host 'limo.anomali.com'")
[2018-04-13 00:00:01,116] [ERROR] Error occurred in feed polling: (6, "Couldn't resolve host 'limo.anomali.com'")
[2018-04-13 00:00:01,124] [ERROR] Error occurred in feed polling: (6, "Couldn't resolve host 'limo.anomali.com'")
[2018-04-13 00:00:01,138] [ERROR] (6, "Couldn't resolve host 'hailataxii.com'")
[2018-04-13 00:00:01,141] [ERROR] STAXX: poll_stix for site http://hailataxii.com/taxii-discovery-service feed guest.Abuse_ch failed, response: None
[2018-04-13 00:00:01,142] [ERROR] Couldn't resolve host.
Traceback (most recent call last):
  File "taxii_stix.py", line 651, in poll_stix_once
  File "taxii_stix.py", line 524, in make_request
Exception: Couldn't resolve host.
[2018-04-13 00:00:01,147] [ERROR] Error occurred in feed polling: (6, "Couldn't resolve host 'limo.anomali.com'")
[2018-04-13 00:00:01,151] [INFO ] Finished manual poll for site:[Anomali Limo]; feed:[200]; feed_id: [5]
[2018-04-13 00:00:01,170] [ERROR] Error occurred in feed polling: (6, "Couldn't resolve host 'limo.anomali.com'")
[2018-04-13 00:00:01,172] [ERROR] Error occurred in feed polling: (6, "Couldn't resolve host 'limo.anomali.com'")
[2018-04-13 00:00:01,181] [ERROR] (6, "Couldn't resolve host 'hailataxii.com'")
[2018-04-13 00:00:01,181] [ERROR] STAXX: poll_stix for site http://hailataxii.com/taxii-discovery-service feed guest.Abuse_ch failed, response: None
[2018-04-13 00:00:01,182] [ERROR] Couldn't resolve host.
Traceback (most recent call last):
  File "taxii_stix.py", line 651, in poll_stix_once
  File "taxii_stix.py", line 524, in make_request
Exception: Couldn't resolve host.
[2018-04-13 00:00:01,185] [INFO ] Disabling force_sync
[2018-04-13 00:00:01,189] [ERROR] Error occurred in feed polling: (6, "Couldn't resolve host 'limo.anomali.com'")
[2018-04-13 00:00:01,191] [INFO ] Finished manual poll for site:[Anomali Limo]; feed:[107]; feed_id: [1]
[2018-04-13 00:00:01,208] [INFO ] Finished manual poll for site:[Anomali Limo]; feed:[150]; feed_id: [4]
[2018-04-13 00:00:01,216] [ERROR] (6, "Couldn't resolve host 'hailataxii.com'")
[2018-04-13 00:00:01,217] [ERROR] STAXX: poll_stix for site http://hailataxii.com/taxii-discovery-service feed guest.Abuse_ch failed, response: None
[2018-04-13 00:00:01,217] [ERROR] Couldn't resolve host.
Traceback (most recent call last):
  File "taxii_stix.py", line 651, in poll_stix_once
  File "taxii_stix.py", line 524, in make_request
Exception: Couldn't resolve host.
[2018-04-13 00:00:01,217] [INFO ] STAXX, poll max attempts reached 3, give up
[2018-04-13 00:00:01,217] [ERROR] poll_stix failed
Traceback (most recent call last):
  File "opticlink.py", line 367, in _fetch_taxii1x_timeslices
  File "taxii_stix.py", line 687, in poll_stix
Exception: poll_stix failed

Any ideas?

Thanks


#7

Hi Jon,

as stated by the logs, your machine is unable to resolve the hostnames related to limo and hailataxii:

Couldn’t resolve host ‘hailataxii.com’

Is your machine able to poll a dns server?
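An added example, not part of any post in this thread and not Anomali code: a small triage script for a log in the format quoted above. It counts name-resolution failures per host and shows that "Finished manual poll" lines appear alongside those errors, so a finished poll is not evidence that indicators were fetched. The sample lines are a subset copied from the log in the thread; the function names are this example's own.

```python
import re
from collections import Counter

# Sample input: a subset of the log lines quoted in the thread, embedded for the example.
SAMPLE_LOG = """\
[2018-04-13 00:00:00,993] [INFO ] Starting manual poll for site:[Anomali Limo]; feed:[209]; feed ID: [6]
[2018-04-13 00:00:01,010] [ERROR] Error occurred in feed polling: (6, "Couldn't resolve host 'limo.anomali.com'")
[2018-04-13 00:00:01,138] [ERROR] (6, "Couldn't resolve host 'hailataxii.com'")
[2018-04-13 00:00:01,142] [ERROR] Couldn't resolve host.
Traceback (most recent call last):
  File "taxii_stix.py", line 651, in poll_stix_once
Exception: Couldn't resolve host.
[2018-04-13 00:00:01,151] [INFO ] Finished manual poll for site:[Anomali Limo]; feed:[200]; feed_id: [5]
[2018-04-13 00:00:01,217] [INFO ] STAXX, poll max attempts reached 3, give up
"""

# "[timestamp] [LEVEL] message"; INFO is padded with a space inside the brackets.
RECORD = re.compile(r"^\[(?P<ts>[\d\- :,]+)\] \[(?P<level>\w+)\s*\] (?P<msg>.*)$")
# The (code, "message") tuple logged for a resolver failure.
DNS_FAIL = re.compile(r"\((?P<code>\d+), \"Couldn't resolve host '(?P<host>[^']+)'\"\)")


def parse_records(text):
    """Yield one dict per log record; traceback lines join the previous record."""
    current = None
    for line in text.splitlines():
        m = RECORD.match(line)
        if m:
            if current:
                yield current
            current = m.groupdict()
        elif current:
            current["msg"] += "\n" + line
    if current:
        yield current


def summarize(text):
    """Count resolver failures per host, finished polls, and polls that gave up."""
    dns, finished, gave_up = Counter(), 0, 0
    for rec in parse_records(text):
        m = DNS_FAIL.search(rec["msg"])
        if m and rec["level"] == "ERROR":
            dns[m.group("host")] += 1
        elif rec["msg"].startswith("Finished manual poll"):
            finished += 1
        elif "poll max attempts reached" in rec["msg"]:
            gave_up += 1
    return {"dns_failures": dict(dns), "finished": finished, "gave_up": gave_up}


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```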


#8

Hey there,

Yeah seems to resolve everything fine.

[root@anomali-staxx ~]# ping limo.anomali[dot]com
PING limo.anomali[dot]com (52.53.84.36) 56(84) bytes of data.
64 bytes from ec2-52-53-84-36.us-west-1.compute.amazonaws.com (52.53.84.36): icmp_seq=1 ttl=34 time=156 ms

[root@anomali-staxx ~]# ping hailataxii[dot]com
PING hailataxii[dot]com (162.252.82.163) 56(84) bytes of data.
64 bytes from 162-252-82-163.static.hvvc.us (162.252.82.163): icmp_seq=1 ttl=46 time=119 ms


#9

Please open a new topic with some screenshots of your configurations for polling both hailataxii and limo. The more details we have, the easier it will be to help you out.


#10

Also, what is the outcome of:

curl http://limo.anomali.com

from your staxx vm?


#11

[root@anomali-staxx ~]# curl http://limo.anomali.com

301 Moved Permanently

301 Moved Permanently


openresty/1.11.2.2

#12


#13

Ok, please open a new topic so we can collect there all the findings


#14

OK. Can you change my account so I am not limited to 2 references in a post please? It's stopping me posting logs.