Re: [Sguil-users] squil 0.8, ERROR: unable to set certificate file file /etc/nsm/server1/certs/sgu
Status: Beta
Brought to you by:
bamm
Menu
▾
▴
Re: [Sguil-users] squil 0.8, ERROR: unable to set certificate file file /etc/nsm/server1/certs/sguild.pem: Too many open files
|
From: Stefan S. <Ste...@fe...> - 2011-03-23 12:34:34
|
Bamm,
24h passed now. I think it work.
Stefan
Am 16.03.11 23:11 schrieb "Bamm Visscher" unter <bam...@gm...>:
>Sorry it took so long this time. Try the lastest update.
>
>Bamm
>
>
>On Fri, Mar 11, 2011 at 9:03 AM, Stefan Sabolowitsch
><Ste...@fe...> wrote:
>> Hi Bamm,
>> Thank you for your time an fast bugfixing :)
>> Which i can say , you on the correct way. The problem of "to many open
>> files" is
>> now away -> hooray !
>> Also the Client seems to have no more problem with the "transcript"
>> (second click Problem).
>>
>> BUT from "to many open files" problem became now a "open network
>> conection" problem.
>> With this bugfix there are many "open network conection" (94) with
>>status
>> (CLOSE_WAIT) and this rises.
>> I am sure me that sguild will die thereby.
>>
>> Stefan
>>
>> tclsh 17845 root 11u IPv4 223043 TCP *:7734
>>(LISTEN)
>> tclsh 17845 root 12u IPv4 223044 TCP *:7736
>>(LISTEN)
>> tclsh 17845 root 13u IPv4 223441 TCP
>> 192.168.1.78:7736->192.168.1.97:36678 (ESTABLISHED)
>> tclsh 17845 root 14u IPv4 223442 TCP
>> 192.168.1.78:7736->192.168.1.97:36679 (ESTABLISHED)
>> tclsh 17845 root 15u IPv4 223443 TCP
>> 192.168.1.78:7736->192.168.1.97:36680 (ESTABLISHED)
>> tclsh 17845 root 16u IPv4 223444 TCP
>> 192.168.1.78:7736->192.168.1.97:36681 (ESTABLISHED)
>> tclsh 17845 root 17u IPv4 223445 TCP
>> 192.168.1.78:7736->192.168.1.97:36682 (ESTABLISHED)
>> tclsh 17845 root 18u IPv4 223446 TCP
>> 192.168.1.78:7736->192.168.1.97:36683 (ESTABLISHED)
>> tclsh 17845 root 19u IPv4 223447 TCP
>> 192.168.1.78:7736->192.168.1.97:36684 (CLOSE_WAIT)
>> tclsh 17845 root 20u IPv4 223449 TCP
>> 192.168.1.78:7736->192.168.1.97:36685 (CLOSE_WAIT)
>> tclsh 17845 root 21u IPv4 223452 TCP
>> 192.168.1.78:7736->192.168.1.97:36686 (CLOSE_WAIT)
>> tclsh 17845 root 22u IPv4 223454 TCP
>> 192.168.1.78:7736->192.168.1.97:36687 (CLOSE_WAIT)
>> .
>>
>> .
>> .
>> .
>> .
>> tclsh 17845 root 93u IPv4 225633 TCP
>> 192.168.1.78:7736->192.168.1.97:46699 (CLOSE_WAIT)
>> tclsh 17845 root 94u IPv4 225686 TCP
>> 192.168.1.78:7736->192.168.1.97:46700 (CLOSE_WAIT)
>> tclsh 17845 root 95u IPv4 225688 TCP
>> 192.168.1.78:7736->192.168.1.97:59591 (CLOSE_WAIT)
>> tclsh 17845 root 96u IPv4 225724 TCP
>> 192.168.1.78:7736->192.168.1.97:59592 (CLOSE_WAIT)
>> tclsh 17845 root 97u IPv4 225726 TCP
>> 192.168.1.78:7736->192.168.1.97:59593 (CLOSE_WAIT)
>>
>>
>>
>>
>> Am 10.03.11 23:04 schrieb "Bamm Visscher" unter
>><bam...@gm...>:
>>
>>>Potential fix in cvs for this.
>>>
>>>
>>>On Thu, Mar 10, 2011 at 12:44 PM, Bamm Visscher
>>><bam...@gm...>
>>>wrote:
>>>> I think I found the problem. I'll issue a fix tonight.
>>>>
>>>> Bamm
>>>>
>>>> PS
>>>>
>>>> Miss you in #snort-gui John ;)
>>>>
>>>> On Thu, Mar 10, 2011 at 11:15 AM, Stefan Sabolowitsch
>>>> <Ste...@fe...> wrote:
>>>>> OK,
>>>>> I make a hard cut.
>>>>> Complete new V0.8 Server, V0.8 Sensor and a clean sguil Server DB and
>>>>> clean Data Folders (Sensor, Server).
>>>>> But which i see however, does not make me hopeful.
>>>>>
>>>>> Within 10min there are already 84 open files, tendency increasing.
>>>>>
>>>>> #-snip-#
>>>>> tclsh 11367 root 85w REG 253,0 8192 9502981
>>>>>
>>>>>/nsm/server_data/server1/load/parsed.Serrig-DMZ.stats.br1.1299772903.2
>>>>>01
>>>>>103
>>>>> 10 (deleted)
>>>>> tclsh 11367 root 86w REG 253,0 8192 9502982
>>>>>
>>>>>/nsm/server_data/server1/load/parsed.Serrig-intern.stats.br0.129977292
>>>>>3.
>>>>>201
>>>>> 10310 (deleted)
>>>>> tclsh 11367 root 87w REG 253,0 8192 9502983
>>>>>
>>>>>/nsm/server_data/server1/load/parsed.Serrig-DMZ.stats.br1.1299772933.2
>>>>>01
>>>>>103
>>>>> 10 (deleted)
>>>>> tclsh 11367 root 88w REG 253,0 8192 9502984
>>>>>
>>>>>/nsm/server_data/server1/load/parsed.Serrig-intern.stats.br0.129977295
>>>>>3.
>>>>>201
>>>>> 10310 (deleted)
>>>>>
>>>>> #-snap-#
>>>>>
>>>>> Why V0.8 doesn't close these files? Why does V0.8 behave completely
>>>>> differently than V0.7?
>>>>>
>>>>> Stefan
>>>>>
>>>>> PS: I switch back to V 0.7
>>>>>
>>>>>
>>>>>
>>>>> Am 10.03.11 10:43 schrieb "John Curry" unter <joh...@me...>:
>>>>>
>>>>>>Stefan,
>>>>>>
>>>>>>Files may have queued on the sensor to the point that the agent
>>>>>>cannot
>>>>>>connect to the server. If this is the case, you can try moving the
>>>>>>queued files to another directory to get the agent connected again.
>>>>>>
>>>>>>> >> >> pid(31597) Sensor agent connect from 192.168.1.97:34756
>>>>>>>sock681
>>>>>>> >> >> pid(31597) Validating sensor access: 192.168.1.97 :
>>>>>>> >> >> pid(31597) Valid sensor agent: 192.168.1.97
>>>>>>> >> >> pid(31597) ERROR: unable to set certificate file
>>>>>>> >> >> /etc/nsm/server1/certs/sguild.pem: Too many open files
>>>>>>> >> >> pid(31597) Sensor agent connect from 192.168.1.97:34757
>>>>>>>sock17
>>>>>>> >> >> pid(31597) Validating sensor access: 192.168.1.97 :
>>>>>>> >> >> pid(31597) Valid sensor agent: 192.168.1.97
>>>>>>> >> >> pid(31597) Sensor agent connect from 192.168.1.97:34758
>>>>>>>sock17
>>>>>>> >> >> pid(31597) Validating sensor access: 192.168.1.97 :
>>>>>>> >> >> pid(31597) Valid sensor agent: 192.168.1.97
>>>>>>> >> >> pid(31597) ERROR: unable to set certificate file
>>>>>>> >> >> /etc/nsm/server1/certs/sguild.pem: Too many open files
>>>>>>> >> >> pid(31597) Sensor agent connect from 192.168.1.97:42284
>>>>>>>sock14
>>>>>>> >> >> pid(31597) Validating sensor access: 192.168.1.97 :
>>>>>>
>>>>>>Once you've confirmed the agent is connected and files are now
>>>>>>moving from cache directory to the server, you can try moving the
>>>>>>older
>>>>>>files back to the queue directory a few at a time.
>>>>>>
>>>>>>-John
>>>>>>
>>>>>>
>>>>>>
>>>>>>On Thu, 10 Mar 2011 08:39:44 +0000
>>>>>>Stefan Sabolowitsch <Ste...@fe...> wrote:
>>>>>>
>>>>>>> Hi Bamm, John
>>>>>>>
>>>>>>> I accomplished the following test (Centos5.5 Server and Sensor):
>>>>>>>
>>>>>>> Because of the "Too many open files" problem changed these values.
>>>>>>>
>>>>>>> /etc/sysctl.conf
>>>>>>> fs.file-max = 65536
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> /etc/security
>>>>>>> * hard nofile 65536
>>>>>>> * soft nofile 5120
>>>>>>>
>>>>>>>
>>>>>>> sancp_agent.conf
>>>>>>> set MAX_COPY 2
>>>>>>>
>>>>>>>
>>>>>>> Unfortunately these values (fs.file-max,nofile) for "Too many open
>>>>>>> files" do not work.
>>>>>>> It looks like that the value (fs.file-max,nofile) is hardcoded with
>>>>>>> 1024 in the Kernel.
>>>>>>>
>>>>>>> But one can see, that the squil version V0.8 breaks off after
>>>>>>> approximately 9h because max open file = 1024 was reached.
>>>>>>> With "set MAX_COPY 10" this is already reached in ca. 5h (max open
>>>>>>> file 1024).
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> lsof -c tclsh
>>>>>>> ##snip#
>>>>>>> tclsh 3645 root 1021w REG 253,0 8192 9503972
>>>>>>>
>>>>>>>/nsm/server_data/server1/load/parsed.Serrig-DMZ.stats.br1.1299708064
>>>>>>>.2
>>>>>>>011
>>>>>>>03
>>>>>>> 09 (deleted)
>>>>>>> tclsh 3645 root 1022w REG 253,0 8192 9503973
>>>>>>>
>>>>>>>/nsm/server_data/server1/load/parsed.Serrig-intern.stats.br0.1299708
>>>>>>>08
>>>>>>>3.2
>>>>>>>01
>>>>>>> 10309 (deleted)
>>>>>>> tclsh 3645 root 1023w REG 253,0 8192 9503974
>>>>>>>
>>>>>>>/nsm/server_data/server1/load/parsed.Serrig-DMZ.stats.br1.1299708094
>>>>>>>.2
>>>>>>>011
>>>>>>>03
>>>>>>> 09 (deleted)
>>>>>>> tclsh 3694 root cwd DIR 253,0 4096 2 /
>>>>>>> tclsh 3694 root rtd DIR 253,0 4096 2 /
>>>>>>>
>>>>>>> #snap#
>>>>>>>
>>>>>>> @Bamm
>>>>>>> >>How many sensors do you have?
>>>>>>> one Host with to Sensors
>>>>>>>
>>>>>>> Best regards
>>>>>>>
>>>>>>> Stefan
>>>>>>>
>>>>>>>
>>>>>>> Am 09.03.11 04:40 schrieb "John Curry" unter
>>>>>>><joh...@me...>:
>>>>>>>
>>>>>>> >Hello Stefan,
>>>>>>> >
>>>>>>> >Keying in on the error "Too many open files", what does the
>>>>>>>command
>>>>>>> >'ulimit -a' show for 'open files' on your system?
>>>>>>> >
>>>>>>> >You can try increasing this number with the command 'ulimit -n
>>>>>>><n>'.
>>>>>>> >where <n> is the maximum number of open files
>>>>>>> >
>>>>>>> >-John
>>>>>>> >
>>>>>>> >
>>>>>>> >On Tue, 8 Mar 2011 22:17:44 -0500
>>>>>>> >Bamm Visscher <bam...@gm...> wrote:
>>>>>>> >
>>>>>>> >> Stefan,
>>>>>>> >>
>>>>>>> >> How many sensors do you have? What happens if you set the
>>>>>>> >> MAX_COPY to 1 in your sancp_agent.conf?
>>>>>>> >>
>>>>>>> >> Bamm
>>>>>>> >>
>>>>>>> >>
>>>>>>> >> On Fri, Mar 4, 2011 at 11:48 AM, Stefan Sabolowitsch
>>>>>>> >> <Ste...@fe...> wrote:
>>>>>>> >> > OK, an i see this on the sensor Site.
>>>>>>> >> >
>>>>>>> >> > Error registering data agent: error writing "sock6":
>>>>>>>connection
>>>>>>> >> > reset by peer
>>>>>>> >> >
>>>>>>> >> > This was 5 hours ago after which sguild died.
>>>>>>> >> > The bad one is that sancp_agent not tried a reconnection here.
>>>>>>> >> > All the others "agents" are OK, only sancp_agnet makes no new
>>>>>>> >> > connection.
>>>>>>> >> >
>>>>>>> >> > Stefan
>>>>>>> >> >
>>>>>>> >> > -----Ursprüngliche Nachricht-----
>>>>>>> >> > Von: Bamm Visscher [mailto:bam...@gm...]
>>>>>>> >> > Gesendet: Freitag, 4. März 2011 14:25
>>>>>>> >> > An: Stefan Sabolowitsch
>>>>>>> >> > Cc: sgu...@li...
>>>>>>> >> > Betreff: Re: [Sguil-users] squil 0.8, ERROR: unable to set
>>>>>>> >> > certificate file file /etc/nsm/server1/certs/sguild.pem: Too
>>>>>>>many
>>>>>>> >> > open files
>>>>>>> >> >
>>>>>>> >> > Durn it. This is on the server side. Thanks for the bug
>>>>>>>reports.
>>>>>>> >> >
>>>>>>> >> > Bamm
>>>>>>> >> >
>>>>>>> >> >
>>>>>>> >> > On Fri, Mar 4, 2011 at 8:21 AM, Stefan Sabolowitsch
>>>>>>> >> > <Ste...@fe...> wrote:
>>>>>>> >> >> Someone cheered too soon. :(
>>>>>>> >> >> The "Too many open files" Problem cam back.
>>>>>>> >> >>
>>>>>>> >> >>
>>>>>>> >> >> pid(31597) Sensor agent connect from 192.168.1.97:34756
>>>>>>>sock681
>>>>>>> >> >> pid(31597) Validating sensor access: 192.168.1.97 :
>>>>>>> >> >> pid(31597) Valid sensor agent: 192.168.1.97
>>>>>>> >> >> pid(31597) ERROR: unable to set certificate file
>>>>>>> >> >> /etc/nsm/server1/certs/sguild.pem: Too many open files
>>>>>>> >> >> pid(31597) Sensor agent connect from 192.168.1.97:34757
>>>>>>>sock17
>>>>>>> >> >> pid(31597) Validating sensor access: 192.168.1.97 :
>>>>>>> >> >> pid(31597) Valid sensor agent: 192.168.1.97
>>>>>>> >> >> pid(31597) Sensor agent connect from 192.168.1.97:34758
>>>>>>>sock17
>>>>>>> >> >> pid(31597) Validating sensor access: 192.168.1.97 :
>>>>>>> >> >> pid(31597) Valid sensor agent: 192.168.1.97
>>>>>>> >> >> pid(31597) ERROR: unable to set certificate file
>>>>>>> >> >> /etc/nsm/server1/certs/sguild.pem: Too many open files
>>>>>>> >> >> pid(31597) Sensor agent connect from 192.168.1.97:42284
>>>>>>>sock14
>>>>>>> >> >> pid(31597) Validating sensor access: 192.168.1.97 :
>>>>>>> >> >> pid(31597) Valid sensor agent: 192.168.1.97
>>>>>>> >> >> Error: couldn't create output pipe for command: too many open
>>>>>>> >> >> files couldn't create output pipe for command: too many open
>>>>>>> >> >> files while executing
>>>>>>> >> >> "open "| $P0F_PATH -q -s $fileName""
>>>>>>> >> >> (procedure "GenerateXscript" line 25)
>>>>>>> >> >> invoked from within
>>>>>>> >> >> "GenerateXscript
>>>>>>> >> >>
>>>>>>>
>>>>>>>>>/nsm/server_data/server1/archive/2011-03-04/Serrig-intern/192.168.
>>>>>>>>>1.
>>>>>>>>>11
>>>>>>> >> >> 5:602 00_194.117.224.81:80-6.raw sock514 .serrig-intern_5231
>>>>>>>7"
>>>>>>> >> >> ("eval" body line 1)
>>>>>>> >> >> invoked from within
>>>>>>> >> >> "eval $callback "
>>>>>>> >> >> (procedure "BinCopyFinished" line 5)
>>>>>>> >> >> invoked from within
>>>>>>> >> >> "BinCopyFinished sock14 file17
>>>>>>> >> >>
>>>>>>>
>>>>>>>>>/nsm/server_data/server1/archive/2011-03-04/Serrig-intern/192.168.
>>>>>>>>>1.
>>>>>>>>>11
>>>>>>> >> >> 5:602 00_194.117.224.81:80-6.raw {GenerateXscript /..."
>>>>>>> >> >> SGUILD: killing child procs...
>>>>>>> >> >> SGUILD: Exiting...
>>>>>>> >> >>
>>>>>>> >> >>
>>>>>>> >> >> Stefan
>>>>>>> >> >>
>>>>>>> >> >>
>>>>>>> >> >> Am 04.03.11 03:18 schrieb "Bamm Visscher" unter
>>>>>>> >> >> <bam...@gm...>:
>>>>>>> >> >>
>>>>>>> >> >>>I just committed a fix. It appears you had a large number of
>>>>>>> >> >>>sancp files queued on the disk and sancp_agent tried to
>>>>>>>upload
>>>>>>> >> >>>them all at once. The sancp_agent.conf file now has an option
>>>>>>> >> >>>for setting the max number of concurrent connections. Please
>>>>>>> >> >>>test again if you can.
>>>>>>> >> >>>
>>>>>>> >> >>>Bamm
>>>>>>> >> >>>
>>>>>>> >> >>>
>>>>>>> >> >>>On Sun, Feb 27, 2011 at 6:15 AM, Stefan Sabolowitsch
>>>>>>> >> >>><Ste...@fe...> wrote:
>>>>>>> >> >>>> Bamm,
>>>>>>> >> >>>> thanks for your fast answer, i switch back to V0.7 (V0.8 is
>>>>>>> >> >>>> not stable) If you need help, let me know.
>>>>>>> >> >>>>
>>>>>>> >> >>>> Stefan
>>>>>>> >> >>>>
>>>>>>> >> >>>> -----Ursprüngliche Nachricht-----
>>>>>>> >> >>>> Von: Bamm Visscher [mailto:bam...@gm...]
>>>>>>> >> >>>> Gesendet: Sonntag, 27. Februar 2011 12:06
>>>>>>> >> >>>> An: Stefan Sabolowitsch; sgu...@li...
>>>>>>> >> >>>> Betreff: Re: [Sguil-users] squil 0.8, ERROR: unable to set
>>>>>>> >> >>>>certificate file file /etc/nsm/server1/certs/sguild.pem: Too
>>>>>>> >> >>>>many open files
>>>>>>> >> >>>>
>>>>>>> >> >>>> Stefan,
>>>>>>> >> >>>>
>>>>>>> >> >>>> Tks for testing CVS and the bug report. Those appear to be
>>>>>>> >> >>>> directly
>>>>>>> >> >>>>related to the new code for uploading sancp and pcap files
>>>>>>>to
>>>>>>> >> >>>>sguild and will try to get a bug fix in soon.
>>>>>>> >> >>>>
>>>>>>> >> >>>> Bamm
>>>>>>> >> >>>>
>>>>>>> >> >>>>
>>>>>>> >> >>>> 2011/2/27 Stefan Sabolowitsch
>>>>>>> >> >>>> <Ste...@fe...>:
>>>>>>> >> >>>>> Bam, and i get this on the sensor side
>>>>>>> >> >>>>>
>>>>>>> >> >>>>>
>>>>>>> >> >>>>>
>>>>>>> >> >>>>> Sensor Data Rcvd:
>>>>>>> >> >>>>>
>>>>>>> >> >>>>> Sending sguild (sock5) PING
>>>>>>> >> >>>>>
>>>>>>> >> >>>>> Socket sock5 closed
>>>>>>> >> >>>>>
>>>>>>> >> >>>>> Attempting to reconnect.
>>>>>>> >> >>>>>
>>>>>>> >> >>>>> Connected to 192.168.1.78
>>>>>>> >> >>>>>
>>>>>>> >> >>>>> Sending sguild (sock5) RegisterAgent sancp Serrig-DMZ
>>>>>>> >> >>>>> DMZ_Net_Serrig
>>>>>>> >> >>>>>
>>>>>>> >> >>>>> Sensor Data Rcvd: AgentInfo Serrig-DMZ sancp
>>>>>>>DMZ_Net_Serrig
>>>>>>> >> >>>>> 5 0
>>>>>>> >> >>>>>
>>>>>>> >> >>>>> Error: error renaming "couldn't open
>>>>>>> >> >>>>> "/nsm/sensor_data/Serrig-DMZ/sancp/stats.br1.1298776057":
>>>>>>>too
>>>>>>> >> >>>>> many open
>>>>>>> >> >>>>> files": no such file or directory
>>>>>>> >> >>>>>
>>>>>>> >> >>>>> error renaming "couldn't open
>>>>>>> >> >>>>> "/nsm/sensor_data/Serrig-DMZ/sancp/stats.br1.1298776057":
>>>>>>>too
>>>>>>> >> >>>>> many open
>>>>>>> >> >>>>> files": no such file or directory
>>>>>>> >> >>>>>
>>>>>>> >> >>>>> while executing
>>>>>>> >> >>>>>
>>>>>>> >> >>>>> "file rename $newFiles FAILED-$newFiles "
>>>>>>> >> >>>>>
>>>>>>> >> >>>>> (procedure "CheckForSancpFiles" line 24)
>>>>>>> >> >>>>>
>>>>>>> >> >>>>> invoked from within
>>>>>>> >> >>>>>
>>>>>>> >> >>>>> "CheckForSancpFiles"
>>>>>>> >> >>>>>
>>>>>>> >> >>>>> ("after" script)
>>>>>>> >> >>>>>
>>>>>>> >> >>>>>
>>>>>>> >> >>>>>
>>>>>>> >> >>>>> I think i switch back to V 0.7
>>>>>>> >> >>>>>
>>>>>>> >> >>>>> Stefan
>>>>>>> >> >>>>>
>>>>>>> >> >>>>>
>>>>>>> >> >>>>>
>>>>>>> >> >>>>> Von: Stefan Sabolowitsch
>>>>>>> >> >>>>> [mailto:Ste...@fe...]
>>>>>>> >> >>>>> Gesendet: Sonntag, 27. Februar 2011 09:15
>>>>>>> >> >>>>> An: sgu...@li...
>>>>>>> >> >>>>> Betreff: [Sguil-users] squil 0.8, ERROR: unable to set
>>>>>>> >> >>>>> certificate file file
>>>>>>> >> >>>>> /etc/nsm/server1/certs/sguild.pem: Too many open files
>>>>>>> >> >>>>>
>>>>>>> >> >>>>>
>>>>>>> >> >>>>>
>>>>>>> >> >>>>> Hi Bamm,
>>>>>>> >> >>>>>
>>>>>>> >> >>>>> thank you for squil 0.8
>>>>>>> >> >>>>>
>>>>>>> >> >>>>> I get this error Message after some time.
>>>>>>> >> >>>>>
>>>>>>> >> >>>>>
>>>>>>> >> >>>>>
>>>>>>> >> >>>>> #-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-
>>>>>>> >> >>>>>
>>>>>>> >> >>>>> pid(2332) ERROR: unable to set certificate file
>>>>>>> >> >>>>> /etc/nsm/server1/certs/sguild.pem: Too many open files
>>>>>>> >> >>>>>
>>>>>>> >> >>>>> Error: can not find channel named "sock13"
>>>>>>> >> >>>>>
>>>>>>> >> >>>>> can not find channel named "sock13"
>>>>>>> >> >>>>>
>>>>>>> >> >>>>> while executing
>>>>>>> >> >>>>>
>>>>>>> >> >>>>> "flush $pcapSocketID"
>>>>>>> >> >>>>>
>>>>>>> >> >>>>> (procedure "GetRawDataFromSensor" line 18)
>>>>>>> >> >>>>>
>>>>>>> >> >>>>> invoked from within
>>>>>>> >> >>>>>
>>>>>>> >> >>>>> "GetRawDataFromSensor $TRANS_ID $sensor $sensorID
>>>>>>>$timestamp
>>>>>>> >> >>>>> $srcIP $srcPort $dstIP $dstPort 6 $rawDataFileName
>>>>>>>xscript"
>>>>>>> >> >>>>>
>>>>>>> >> >>>>> (procedure "XscriptRequest" line 26)
>>>>>>> >> >>>>>
>>>>>>> >> >>>>> invoked from within
>>>>>>> >> >>>>>
>>>>>>> >> >>>>> "XscriptRequest sock14 Serrig-intern 3 .serrig-intern_1477
>>>>>>> >> >>>>> {2011-02-26 21:58:42} 192.168.1.48 3389 192.168.50.15
>>>>>>>49929
>>>>>>> >> >>>>> 0"
>>>>>>> >> >>>>>
>>>>>>> >> >>>>> ("eval" body line 1)
>>>>>>> >> >>>>>
>>>>>>> >> >>>>> invoked from within
>>>>>>> >> >>>>>
>>>>>>> >> >>>>> "eval $clientCmd $socketID [lrange $data 1 end] "
>>>>>>> >> >>>>>
>>>>>>> >> >>>>> ("XscriptRequest" arm line 1)
>>>>>>> >> >>>>>
>>>>>>> >> >>>>> invoked from within
>>>>>>> >> >>>>>
>>>>>>> >> >>>>> "switch -exact $clientCmd {
>>>>>>> >> >>>>>
>>>>>>> >> >>>>>
>>>>>>> >> >>>>>
>>>>>>> >> >>>>> DeleteEventIDList { $clientCmd $socketID [lindex
>>>>>>> >> >>>>> $data 1] [lindex $data 2] [lindex $data 3] }
>>>>>>> >> >>>>>
>>>>>>> >> >>>>>
>>>>>>> >> >>>>>
>>>>>>> >> >>>>> EventHistoryR..."
>>>>>>> >> >>>>>
>>>>>>> >> >>>>> (procedure "ClientCmdRcvd" line 46)
>>>>>>> >> >>>>>
>>>>>>> >> >>>>> invoked from within
>>>>>>> >> >>>>>
>>>>>>> >> >>>>> "ClientCmdRcvd sock14"
>>>>>>> >> >>>>>
>>>>>>> >> >>>>> SGUILD: killing child procs...
>>>>>>> >> >>>>>
>>>>>>> >> >>>>> SGUILD: Exiting...
>>>>>>> >> >>>>>
>>>>>>> >> >>>>> #-#-#-#-#-#-#-#-#-#-#-#-#-##-#-#-#-#-#
>>>>>>> >> >>>>>
>>>>>>> >> >>>>>
>>>>>>> >> >>>>>
>>>>>>> >> >>>>> Possibly an idea?
>>>>>>> >> >>>>>
>>>>>>> >> >>>>>
>>>>>>> >> >>>>>
>>>>>>> >> >>>>> PS: I noticed that there is not the option switch "-u" any
>>>>>>> >> >>>>> longer (sguil start with nsmnow) .
>>>>>>> >> >>>>>
>>>>>>> >> >>>>>
>>>>>>>
>>>>>>>>>------------------------------------------------------------------
>>>>>>>>>-
>>>>>>> >> >>>>> ---
>>>>>>> >> >>>>> -------- Free Software Download: Index, Search & Analyze
>>>>>>>Logs
>>>>>>> >> >>>>> and other IT data in Real-Time with Splunk. Collect, index
>>>>>>> >> >>>>> and harness all the fast moving IT data generated by your
>>>>>>> >> >>>>> applications, servers and devices whether physical,
>>>>>>>virtual
>>>>>>> >> >>>>> or in the cloud. Deliver compliance at lower cost and gain
>>>>>>> >> >>>>> new business insights. http://p.sf.net/sfu/splunk-dev2dev
>>>>>>> >> >>>>> _______________________________________________
>>>>>>> >> >>>>> Sguil-users mailing list
>>>>>>> >> >>>>> Sgu...@li...
>>>>>>> >> >>>>> https://lists.sourceforge.net/lists/listinfo/sguil-users
>>>>>>> >> >>>>>
>>>>>>> >> >>>>>
>>>>>>> >> >>>>
>>>>>>> >> >>>>
>>>>>>> >> >>>>
>>>>>>> >> >>>> --
>>>>>>> >> >>>> sguil - The Analyst Console for NSM
>>>>>>> >> >>>> http://sguil.sf.net
>>>>>>> >> >>>>
>>>>>>> >> >>>>
>>>>>>> >> >>>>
>>>>>>> >> >>>
>>>>>>> >> >>>
>>>>>>> >> >>>
>>>>>>> >> >>>--
>>>>>>> >> >>>sguil - The Analyst Console for NSM
>>>>>>> >> >>>http://sguil.sf.net
>>>>>>> >> >>>
>>>>>>> >> >>
>>>>>>> >> >>
>>>>>>> >> >>
>>>>>>> >> >
>>>>>>> >> >
>>>>>>> >> >
>>>>>>> >> > --
>>>>>>> >> > sguil - The Analyst Console for NSM
>>>>>>> >> > http://sguil.sf.net
>>>>>>> >> >
>>>>>>> >> >
>>>>>>> >> >
>>>>>>> >>
>>>>>>> >>
>>>>>>> >>
>>>>>>> >
>>>>>>> >
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>----------------------------------------------------------------------
>>>>>--
>>>>>------
>>>>> Colocation vs. Managed Hosting
>>>>> A question and answer guide to determining the best fit
>>>>> for your organization - today and in the future.
>>>>> http://p.sf.net/sfu/internap-sfd2d
>>>>> _______________________________________________
>>>>> Sguil-users mailing list
>>>>> Sgu...@li...
>>>>> https://lists.sourceforge.net/lists/listinfo/sguil-users
>>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> sguil - The Analyst Console for NSM
>>>> http://sguil.sf.net
>>>>
>>>
>>>
>>>
>>>--
>>>sguil - The Analyst Console for NSM
>>>http://sguil.sf.net
>>>
>>
>>
>>
>
>
>
>--
>sguil - The Analyst Console for NSM
>http://sguil.sf.net
>
|