Re: [Sguil-users] Transcript problems - No matching log files
From: Doug B. <dou...@gm...> - 2012-01-11 11:35:43
Hi Paul,

My Security Onion distro has Sguil 0.8 on Ubuntu 10.04, so perhaps you could use it as a side-by-side comparison and look for any differences.

Hope that helps!

Thanks,
Doug

On Tue, Jan 10, 2012 at 9:39 PM, Jeremy Hoel <jt...@gm...> wrote:
> That's odd. I don't know; the fact that the pcap agent doesn't see the files is really odd.
>
> On Tue, Jan 10, 2012 at 3:28 PM, Paul Marin <pma...@gm...> wrote:
>> Hi Jeremy,
>>
>> Yes, the pcap files are owned by root:root with 600 permissions.
>>
>> However, pcap_agent, as well as the other sguil-sensor agent scripts, is running as root.
>>
>> The transcript feature has never worked for me.
>>
>> Kindly,
>>
>> Paul
>>
>> On 10/01/2012 03:44 p.m., Jeremy Hoel wrote:
>>> The rights you showed on the files were root:root 600. What user are pcap_agent and sguild running as? Maybe they don't have rights to read the file?
>>>
>>> Was this working before?
>>>
>>> 2012/1/10 Paul Marin <pma...@gm...>:
>>>> Thanks Jeremy for your quick reply.
>>>>
>>>> Here is the pcap agent's output in debug mode:
>>>>
>>>> Sensor Data Rcvd: RawDataRequest 10 sensor-01 {2012-01-10 17:25:11} S.S.S.S C.C.C.C 80 2543 6 C.C.C.C:2543_S.S.S.S:80-6.raw xscript
>>>> Sending sguild (sock3) XscriptDebugMsg 10 {Making a list of local log files.}
>>>> Sending sguild (sock3) XscriptDebugMsg 10 {Looking in /nsm_data/sensor-01/dailylogs/2012-01-10.}
>>>> Sending sguild (sock3) XscriptDebugMsg 10 {Making a list of local log files in /nsm_data/sensor-01/dailylogs/2012-01-10.}
>>>> Sending sguild (sock3) XscriptDebugMsg 10 {No matching log files.}
>>>> Sending sguild (sock3) XscriptDebugMsg 10 {}
>>>>
>>>> It's very similar to the sguild output...
>>>>
>>>> Kindly,
>>>>
>>>> Paul
>>>>
>>>> On 10/01/2012 03:16 p.m., Jeremy Hoel wrote:
>>>>
>>>> The pcap agent is what receives the commands from sguild to parse those files and generate the raw file for xscript. Check pcap agent in debug mode.
>>>>
>>>> On Jan 10, 2012 1:59 PM, "Paul Marin" <pma...@gm...> wrote:
>>>>> Hi guys,
>>>>>
>>>>> I am running sguil 0.8.0, both server and sensor, on Ubuntu Server 10.04 LTS 32-bit. I have installed sguil from source following the INSTALL file instructions included in the tarball.
>>>>>
>>>>> Both sensor and server time are configured to GMT. You can also see the alerts being sent from the sensor to the server without problems. However, when you use the transcript feature on any alert, the client shows you the following error: "No matching log files".
>>>>>
>>>>> Let's see sguild's debug output when a transcript request is made:
>>>>>
>>>>> 2012-01-10 17:26:34 pid(17313) Client Command Received: XscriptRequest sensor-01 1 .sensor-01_11 {2012-01-10 17:25:11} S.S.S.S 80 C.C.C.C 2543 0
>>>>> 2012-01-10 17:26:34 pid(17313) Sending sensor-01: RawDataRequest 5 sensor-01 2012-01-10 17:25:11 S.S.S.S C.C.C.C 2543 6 C.C.C.C:2543_S.S.S.S:80-6.raw xscript
>>>>> 2012-01-10 17:26:34 pid(17313) Sending sock18: XscriptDebugMsg .sensor-01_11 {Raw data request sent to sensor-01.}
>>>>> 2012-01-10 17:26:34 pid(17313) Sensor Data Rcvd: XscriptDebugMsg 5 {Making a list of local log files.}
>>>>> 2012-01-10 17:26:34 pid(17313) Sending sock18: XscriptDebugMsg .sensor-01_11 {Making a list of local log files.}
>>>>> 2012-01-10 17:26:34 pid(17313) Sensor Data Rcvd: XscriptDebugMsg 5 {Looking in /nsm_data/sensor-01/dailylogs/2012-01-10.}
>>>>> 2012-01-10 17:26:34 pid(17313) Sending sock18: XscriptDebugMsg .sensor-01_11 {Looking in /nsm_data/sensor-01/dailylogs/2012-01-10.}
>>>>> 2012-01-10 17:26:34 pid(17313) Sensor Data Rcvd: XscriptDebugMsg 5 {Making a list of local log files in /nsm_data/sensor-01/dailylogs/2012-01-10.}
>>>>> 2012-01-10 17:26:34 pid(17313) Sending sock18: XscriptDebugMsg .sensor-01_11 {Making a list of local log files in /nsm_data/sensor-01/dailylogs/2012-01-10.}
>>>>> 2012-01-10 17:26:34 pid(17313) Sensor Data Rcvd: XscriptDebugMsg 5 {No matching log files.}
>>>>> 2012-01-10 17:26:34 pid(17313) Sending sock18: XscriptDebugMsg .sensor-01_11 {No matching log files.}
>>>>> 2012-01-10 17:26:34 pid(17313) Sensor Data Rcvd: XscriptDebugMsg 5 {}
>>>>> 2012-01-10 17:26:34 pid(17313) Sending sock18: XscriptDebugMsg .sensor-01_11 {}
>>>>>
>>>>> If you list the files inside /nsm_data/sensor-01/dailylogs/2012-01-10 you'll see:
>>>>>
>>>>> root@sensor-01:/nsm_data/sensor-01/dailylogs/2012-01-10# ls -l
>>>>> total 660320
>>>>> -rw------- 1 root root 134216351 2012-01-10 17:22 snort.log.1326215636
>>>>> -rw------- 1 root root 134216934 2012-01-10 17:23 snort.log.1326216162
>>>>> -rw------- 1 root root 134217178 2012-01-10 17:24 snort.log.1326216201
>>>>> -rw------- 1 root root 134217536 2012-01-10 17:24 snort.log.1326216246
>>>>> -rw------- 1 root root 134216849 2012-01-10 17:25 snort.log.1326216290
>>>>> -rw------- 1 root root   5077741 2012-01-10 17:25 snort.log.1326216333
>>>>>
>>>>> The date 2012-01-10 17:25:11 converted to unixtime results in: 1326216238
>>>>>
>>>>> As you can see, there is no file with that date in the directory and I don't know how sguild does the file search.
>>>>>
>>>>> I'd really appreciate it if you guys could help me out here.
>>>>>
>>>>> Thanks in advance.
>>>>>
>>>>> Kindly,
>>>>>
>>>>> Paul
>>>>>
>>>>> _______________________________________________
>>>>> Sguil-users mailing list
>>>>> Sgu...@li...
>>>>> https://lists.sourceforge.net/lists/listinfo/sguil-users

--
Doug Burks
SANS GSE and Community Instructor
Security Onion | http://securityonion.blogspot.com
President, Greater Augusta ISSA | http://augusta.issa.org
Please vote for Security Onion for 2011 Toolsmith Tool of the Year! | http://goo.gl/PwTDi
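The thread turns on how a transcript request is mapped from an alert timestamp to one of the snort.log.<unixtime> files in the day's dailylogs directory, and on whether the agent can read that file once found. The following is an added example written for this page, not Sguil's own code (pcap_agent's real search lives in pcap_agent.tcl and is not reproduced here). It assumes the file-naming and directory layout visible in the quoted `ls -l` output and debug messages (<base>/<sensor>/dailylogs/YYYY-MM-DD/snort.log.<start-epoch>), assumes each file covers packets from its start epoch up to the next file's start epoch, and uses a listing constructed from the thread's output rather than a real directory:

```python
import calendar
import os
import re
import time
from datetime import datetime

# Constructed listing, taken from the `ls -l` output quoted in the thread
# (names only; a real agent would read the dailylogs directory itself).
SAMPLE_LISTING = [
    "snort.log.1326215636",
    "snort.log.1326216162",
    "snort.log.1326216201",
    "snort.log.1326216246",
    "snort.log.1326216290",
    "snort.log.1326216333",
]

# Assumed naming convention: snort.log.<start epoch>, as in the listing.
LOG_RE = re.compile(r"^snort\.log\.(\d+)$")


def timestamp_to_epoch(ts, utc=True):
    """Convert 'YYYY-MM-DD HH:MM:SS' to Unix time.

    With utc=True the string is read as GMT (the thread has both hosts on
    GMT); with utc=False it is read in the host's local zone. The two
    differ by the local UTC offset, which is exactly the kind of skew that
    sends a lookup to the wrong file or even the wrong dailylogs directory.
    """
    dt = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
    if utc:
        return calendar.timegm(dt.timetuple())
    return int(time.mktime(dt.timetuple()))


def daily_dir(base, sensor, epoch):
    """Day directory for the event: <base>/<sensor>/dailylogs/YYYY-MM-DD (UTC day)."""
    day = time.strftime("%Y-%m-%d", time.gmtime(epoch))
    return os.path.join(base, sensor, "dailylogs", day)


def select_log_files(names, epoch, slack=0):
    """Pick the snort.log.<start> file(s) assumed to hold packets at `epoch`.

    Each file is taken to cover [its start, next file's start). `slack`
    seconds on either side also returns neighbours, useful when a session
    began just before a rotation or the clocks are slightly off. Names that
    do not match the pattern are ignored.
    """
    starts = sorted(int(m.group(1)) for m in map(LOG_RE.match, names) if m)
    chosen = []
    for i, start in enumerate(starts):
        end = starts[i + 1] if i + 1 < len(starts) else float("inf")
        if start - slack <= epoch < end + slack:
            chosen.append("snort.log.%d" % start)
    return chosen


def check_readable(path):
    """Return None if `path` exists and is readable by this process, else a reason.

    The thread's files are root:root 0600, so an agent not running as root
    would fail here rather than in the file search.
    """
    if not os.path.exists(path):
        return "%s does not exist" % path
    if not os.access(path, os.R_OK):
        return "%s is not readable as uid %d" % (path, os.getuid())
    return None


def locate_transcript_files(base, sensor, ts, listing=None, slack=0):
    """Walk the steps the quoted debug messages show: timestamp -> day
    directory -> candidate files -> readability. Returns (directory, results)
    where results maps each candidate to None (usable) or a reason string."""
    epoch = timestamp_to_epoch(ts)
    directory = daily_dir(base, sensor, epoch)
    if listing is None:
        listing = os.listdir(directory)  # raises if the day directory is missing
    results = {}
    for name in select_log_files(listing, epoch, slack):
        results[name] = check_readable(os.path.join(directory, name))
    return directory, results


if __name__ == "__main__":
    d, r = locate_transcript_files("/nsm_data", "sensor-01",
                                   "2012-01-10 17:25:11", SAMPLE_LISTING)
    print(d)
    for name, problem in r.items():
        print(name, "ok" if problem is None else problem)
```

Run against the constructed listing, the lookup resolves the day directory the debug messages name and picks the file whose start epoch is the largest not exceeding the alert time; `check_readable` then reports that the file is absent on the machine running the example. The `utc` flag is the point to check first when a transcript lookup fails on a real sensor: if the client or server converts the alert time in a different zone than the sensor used when naming the files, the candidate set will be empty or wrong even though the files are there.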