[Sguil-users] Transcript problems - No matching log files
From: Paul M. <pma...@gm...> - 2012-01-10 18:58:39
Hi guys,

I am running sguil 0.8.0, both server and sensor, on Ubuntu Server 10.04 LTS 32-bit. I have installed sguil from source following the INSTALL file instructions included in the tarball. Both sensor and server time are configured to GMT. You can also see the alerts being sent from the sensor to the server without problems. However, when you use the transcript feature on any alert, the client shows you the following error: "No matching log files".

Let's see sguild's debug output when a transcript request is made:

2012-01-10 17:26:34 pid(17313) Client Command Received: XscriptRequest sensor-01 1 .sensor-01_11 {2012-01-10 17:25:11} S.S.S.S 80 C.C.C.C 2543 0
2012-01-10 17:26:34 pid(17313) Sending sensor-01: RawDataRequest 5 sensor-01 2012-01-10 17:25:11 S.S.S.S C.C.C.C 2543 6 C.C.C.C:2543_S.S.S.S:80-6.raw xscript
2012-01-10 17:26:34 pid(17313) Sending sock18: XscriptDebugMsg .sensor-01_11 {Raw data request sent to sensor-01.}
2012-01-10 17:26:34 pid(17313) Sensor Data Rcvd: XscriptDebugMsg 5 {Making a list of local log files.}
2012-01-10 17:26:34 pid(17313) Sending sock18: XscriptDebugMsg .sensor-01_11 {Making a list of local log files.}
2012-01-10 17:26:34 pid(17313) Sensor Data Rcvd: XscriptDebugMsg 5 {Looking in /nsm_data/sensor-01/dailylogs/2012-01-10.}
2012-01-10 17:26:34 pid(17313) Sending sock18: XscriptDebugMsg .sensor-01_11 {Looking in /nsm_data/sensor-01/dailylogs/2012-01-10.}
2012-01-10 17:26:34 pid(17313) Sensor Data Rcvd: XscriptDebugMsg 5 {Making a list of local log files in /nsm_data/sensor-01/dailylogs/2012-01-10.}
2012-01-10 17:26:34 pid(17313) Sending sock18: XscriptDebugMsg .sensor-01_11 {Making a list of local log files in /nsm_data/sensor-01/dailylogs/2012-01-10.}
2012-01-10 17:26:34 pid(17313) Sensor Data Rcvd: XscriptDebugMsg 5 {No matching log files.}
2012-01-10 17:26:34 pid(17313) Sending sock18: XscriptDebugMsg .sensor-01_11 {No matching log files.}
2012-01-10 17:26:34 pid(17313) Sensor Data Rcvd: XscriptDebugMsg 5 {}
2012-01-10 17:26:34 pid(17313) Sending sock18: XscriptDebugMsg .sensor-01_11 {}

If you list the files inside /nsm_data/sensor-01/dailylogs/2012-01-10 you'll see:

root@sensor-01:/nsm_data/sensor-01/dailylogs/2012-01-10# ls -l
total 660320
-rw------- 1 root root 134216351 2012-01-10 17:22 snort.log.1326215636
-rw------- 1 root root 134216934 2012-01-10 17:23 snort.log.1326216162
-rw------- 1 root root 134217178 2012-01-10 17:24 snort.log.1326216201
-rw------- 1 root root 134217536 2012-01-10 17:24 snort.log.1326216246
-rw------- 1 root root 134216849 2012-01-10 17:25 snort.log.1326216290
-rw------- 1 root root 5077741 2012-01-10 17:25 snort.log.1326216333

The date 2012-01-10 17:25:11 converted to unixtime results in: 1326216238

As you can see, there is no file with that date in the directory, and I don't know how sguild does the file search. I'd really appreciate it if you guys could help me out here.

Thanks in advance.

Kindly,
Paul
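An added example (not sguil's pcap_agent code and not from the poster) of the lookup the debug output above is performing: convert the event time to Unix time with an explicit UTC zone, derive the dailylogs directory from the date, and pick the snort.log.<time> file whose start time is the latest one at or before the event, since each file holds packets from the moment it was opened until the next file was opened. The file names and sizes are constructed from the ls -l listing in the post; the selection rule and the helper names are assumptions about what any pcap agent has to do, not a reading of sguil's source.

```python
import re
from datetime import datetime, timezone

# Constructed from the `ls -l` listing in the post: (file name, size in bytes).
DAILYLOG_LISTING = [
    ("snort.log.1326215636", 134216351),
    ("snort.log.1326216162", 134216934),
    ("snort.log.1326216201", 134217178),
    ("snort.log.1326216246", 134217536),
    ("snort.log.1326216290", 134216849),
    ("snort.log.1326216333", 5077741),
]

# Default raw-log naming: snort.log.<unix time the file was opened>.
# The number is the file's start time, not the time of any packet in it.
LOG_NAME = re.compile(r"^snort\.log\.(\d+)$")


def event_epoch(ts):
    """Convert 'YYYY-MM-DD HH:MM:SS' to Unix time, interpreting it as UTC.

    tzinfo is set explicitly: a naive datetime would be taken in the host's
    local zone, which silently shifts the value on any box not running GMT.
    """
    dt = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    return int(dt.timestamp())


def daily_dir(ts):
    """The dailylogs sub-directory for an event is its UTC date."""
    return ts.split(" ")[0]


def log_start_times(names):
    """Sorted (start_epoch, name) pairs for files that follow the naming scheme."""
    starts = []
    for name in names:
        m = LOG_NAME.match(name)
        if m:
            starts.append((int(m.group(1)), name))
    return sorted(starts)


def find_log_file(names, epoch):
    """Return the file whose start time is the latest one not after the event.

    Each file covers packets from its own start until the next file was opened,
    so the right candidate is the last start <= epoch.  None means every file
    in the directory was opened after the event, the only case in which this
    listing genuinely has no matching file.
    """
    candidates = [(t, n) for t, n in log_start_times(names) if t <= epoch]
    return candidates[-1][1] if candidates else None


def file_window(names, name):
    """(start, end) epochs covered by `name`; end is None for the newest file."""
    starts = log_start_times(names)
    for i, (t, n) in enumerate(starts):
        if n == name:
            end = starts[i + 1][0] if i + 1 < len(starts) else None
            return (t, end)
    raise KeyError(name)


def locate(ts, names):
    """Everything a raw-data request needs: directory, epoch, file and its window."""
    epoch = event_epoch(ts)
    name = find_log_file(names, epoch)
    return {
        "dir": daily_dir(ts),
        "epoch": epoch,
        "file": name,
        "window": file_window(names, name) if name else None,
    }


if __name__ == "__main__":
    names = [n for n, _ in DAILYLOG_LISTING]
    # The event carried in the XscriptRequest from the post.
    print(locate("2012-01-10 17:25:11", names))
    # One second before the oldest file was opened: nothing can match.
    print(locate("2012-01-10 17:13:55", names))
```

Run as-is it reports that 2012-01-10 17:25:11 UTC is 1326216311 and falls inside snort.log.1326216290 (opened at 17:24:50 UTC, superseded by snort.log.1326216333 at 17:25:33), so the directory does contain a file spanning the event; the lookup only yields None when every file was opened after the event. Confirming that with an explicit UTC conversion is the first thing to do before examining how the agent itself matches, because it rules out a local-time offset creeping into the comparison.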