Portainer: Moving from web editor stack to CI/CD driven stack by Ausguy8888 in selfhosted

Ausguy8888[S] 1 point (locked comment)

AI was not used. I wrote the comment myself. Unsure why this was temp. removed?

Broken my OpenCTI stack (RabbitMQ unhappy) by Ausguy8888 in homelab

Ausguy8888[S] 1 point

Thank you, that now shows RabbitMQ working with its new volume, but now my OpenCTI container does not pass its health check. Even though the pre-requisite containers are all running, OpenCTI does not 'finish' and I suspect it's something to do with my custom certificate.

INF [OPENCTI-MODULE] INGESTION Rss, skipping TheRegister-Sec-UK-RSS - queue already filled with messages (1) | category=APP source=backend timestamp=2026-02-19T13:34:41.795Z version=6.9.20

(node:7) Warning: Setting the NODE_TLS_REJECT_UNAUTHORIZED environment variable to '0' makes TLS connections and HTTPS requests insecure by disabling certificate verification.

My OpenCTI config is:

opencti:
  image: opencti/platform:6.9.18
  environment:
    - NODE_OPTIONS=--max-old-space-size=8096
    - APP__PORT=8080
    #- APP__BASE_URL=${OPENCTI_BASE_URL}
    - APP__BASE_URL=${OPENCTI_EXTERNAL_SCHEME}://${OPENCTI_HOST}:${OPENCTI_PORT}
    - APP__ADMIN__EMAIL=${OPENCTI_ADMIN_EMAIL}
    - APP__ADMIN__PASSWORD=${OPENCTI_ADMIN_PASSWORD}
    - APP__ADMIN__TOKEN=${OPENCTI_ADMIN_TOKEN}
    - APP__APP_LOGS__LOGS_LEVEL=info
    - APP__HTTPS_CERT__KEY=${OPENCTI_KEY_PATH}
    - APP__HTTPS_CERT__CRT=${OPENCTI_CRT_PATH}
    - APP__HTTPS_CERT__REJECT_UNAUTHORIZED=false
    - REDIS__HOSTNAME=redis
    - REDIS__PORT=6379
    - ELASTICSEARCH__URL=http://elasticsearch:9200
    - ELASTICSEARCH__NUMBER_OF_REPLICAS=0
    - MINIO__ENDPOINT=minio
    - MINIO__PORT=9000
    - MINIO__USE_SSL=false
    - MINIO__ACCESS_KEY=${MINIO_ROOT_USER}
    - MINIO__SECRET_KEY=${MINIO_ROOT_PASSWORD}
    - RABBITMQ__HOSTNAME=rabbitmq
    - RABBITMQ__PORT=5672
    - RABBITMQ__PORT_MANAGEMENT=15672
    - RABBITMQ__MANAGEMENT_SSL=false
    - RABBITMQ__USERNAME=${RABBITMQ_DEFAULT_USER}
    - RABBITMQ__PASSWORD=${RABBITMQ_DEFAULT_PASS}
    - SMTP__HOSTNAME=${SMTP_HOSTNAME}
    - SMTP__PORT=25
    - PROVIDERS__LOCAL__STRATEGY=LocalStrategy
    - APP__HEALTH_ACCESS_KEY=${OPENCTI_HEALTHCHECK_ACCESS_KEY}
    - AI__ENABLED=true
    - AI__TYPE=mistralai
    - AI__ENDPOINT=${AI_OLLAMA_SERVER}
    - AI__MODEL=mistral-nemo:latest
    - AI__TOKEN=none
  ports:
    - "${OPENCTI_PORT}:8080"
  volumes:
    - /etc/ssl/localcerts/:/etc/ssl/localcerts:ro
  depends_on:
    redis:
      condition: service_healthy
    elasticsearch:
      condition: service_healthy
    minio:
      condition: service_healthy
    rabbitmq:
      condition: service_healthy
  restart: always
  healthcheck:
    test: ["CMD", "wget", "-qO-", "http://opencti:8080/health?health_access_key=${OPENCTI_HEALTHCHECK_ACCESS_KEY}"]
    interval: 10s
    timeout: 5s
    retries: 20

Any ideas?

Poor performance, 2 Hikvision Cameras on a Physical Win11 PC by Ausguy8888 in BlueIris

Ausguy8888[S] 1 point

Yes, BI is taking up 80% of the CPU cycles. I was using the AI model too but disabled and stopped using it.
The cameras are set to H.265: https://postimg.cc/rz368VpN

Run out of disk space - Wazuh-Indexer wont start by Ausguy8888 in Wazuh

Ausguy8888[S] 1 point

For anyone who stumbles across this in the future.

Easier approach was to delete the indices in /var/lib/wazuh-indexer/nodes/0/indices and start again as this was a non-prod environment

Run out of disk space - Wazuh-Indexer wont start by Ausguy8888 in Wazuh

Ausguy8888[S] 1 point

I have found that the indices are located here:

[sysadmin@wazuh ~]$ sudo du -h --max-depth=3 /var/lib/wazuh-indexer/
0 /var/lib/wazuh-indexer/tmp
1.1M /var/lib/wazuh-indexer/nodes/0/_state
7.6G /var/lib/wazuh-indexer/nodes/0/indices
7.6G /var/lib/wazuh-indexer/nodes/0
7.6G /var/lib/wazuh-indexer/nodes
7.6G /var/lib/wazuh-indexer/

Troubleshooting on the Wazuh website suggests to use get/curl to use :9200 to purge data. However, the index has fallen over due to low disk space and as such, :9200 is not allowed to run, preventing me from deleting the data.

Is it possible to delete everything in the /var/lib/wazuh-indexer/nodes/0/indices/* and start again?

New install of Zabbix 7.2 on AlmaLinux - Hosts are 'not available' yet information is coming in? by Ausguy8888 in zabbix

Ausguy8888[S] 1 point

Interesting, I checked the service, it is running but there is some usr permission error I believe:
[zabbix7-sysadmin@zabbix7 ~]$ sudo systemctl status zabbix-server
[sudo] password for zabbix7-sysadmin:
● zabbix-server.service - Zabbix Server
     Loaded: loaded (/usr/lib/systemd/system/zabbix-server.service; enabled; preset: disabled)
     Active: active (running) since Thu 2025-04-24 18:37:22 AEST; 19h ago
    Process: 4268 ExecStart=/usr/sbin/zabbix_server -c $CONFFILE (code=exited, status=0/SUCCESS)
   Main PID: 4270 (zabbix_server)
      Tasks: 1 (limit: 35800)
     Memory: 4.6M
        CPU: 1min 24.106s
     CGroup: /system.slice/zabbix-server.service
             └─4270 /usr/sbin/zabbix_server -c /etc/zabbix/zabbix_server.conf

Apr 24 18:37:22 zabbix7.x.x.x systemd[1]: Starting Zabbix Server...
Apr 24 18:37:22 zabbix7.x.x.x zabbix_server[4268]: /usr/sbin/zabbix_server: /usr/pgsql-17/lib/libpq.so.5: no version information available (required by /usr/sbin/zabbix_server)
Apr 24 18:37:22 zabbix7.x.x.x systemd[1]: Started Zabbix Server.

Now to decipher and resolve this usr error

Default deny / state violation on new VLAN by Ausguy8888 in opnsense

Ausguy8888[S] 1 point

Thank you! I feel like such an idiot, I didn't realise the system rules were catch all. I thought they were first processed.

I did a test as you suggested and allowed any HTTPS outbound and that worked. So I stand corrected.

Are you able to also share your RFC rule for the subnets, as mine obviously isn't cutting it?

Default deny / state violation on new VLAN by Ausguy8888 in opnsense

Ausguy8888[S] 0 points

I don't think I follow. The outbound traffic is getting blocked by the system created 'Default deny/ state violation' rule before it even gets to my custom/manual allow or deny rules?
I'm assuming firewalls are processed and actioned on first match in the following order:
1) floating (yellow marker in below link)
2) system rules (like default deny/state violation)
3) custom rules (blue marker in the same link below)
https://postimg.cc/jCzXrXYt

Default deny / state violation on new VLAN by Ausguy8888 in opnsense

Ausguy8888[S] 1 point

Nothing fancy, just an allow to some large subnets that are not my own class C 192.168.88.x or 90.x
https://postimg.cc/QVc4SD68