Re: [Sguil-users] Transcript problems - No matching log files
Status: Beta
Brought to you by:
bamm
Menu
▾
▴
Re: [Sguil-users] Transcript problems - No matching log files
|
From: Doug B. <dou...@gm...> - 2012-01-11 11:35:43
|
Hi Paul,
My Security Onion distro has Sguil 0.8 on Ubuntu 10.04, so perhaps you
could use it as a side-by-side comparison and look for any
differences.
Hope that helps!
Thanks,
Doug
On Tue, Jan 10, 2012 at 9:39 PM, Jeremy Hoel <jt...@gm...> wrote:
> That's odd.. I don't know. the fact that the pcap agent doesn't see
> the files is really odd.
>
> On Tue, Jan 10, 2012 at 3:28 PM, Paul Marin <pma...@gm...> wrote:
>> Hi Jeremy,
>>
>> Yes, the pcap files are owned by root:root with 600 permissions.
>>
>> However, pcap_agent as well other sguil-sensor agent scripts are running
>> as root.
>>
>> The transcript feature has never worked for me.
>>
>> Kindly,
>>
>> Paul
>>
>>
>> El 10/01/2012 03:44 p.m., Jeremy Hoel escribió:
>>> The right you showed on the files where root:root 600. What user is
>>> pcap_agent and sguild running as? maybe they don't have rights to read
>>> the file?
>>>
>>> Was this working before?
>>>
>>>
>>> 2012/1/10 Paul Marin <pma...@gm...>:
>>>> Thanks Jeremy for your quick reply.
>>>>
>>>> Here is the pcap agent's output in debug mode:
>>>>
>>>> Sensor Data Rcvd: RawDataRequest 10 sensor-01 {2012-01-10 17:25:11} S.S.S.S
>>>> C.C.C.C 80 2543 6 C.C.C.C:2543_S.S.S.S:80-6.raw xscript
>>>> Sending sguild (sock3) XscriptDebugMsg 10 {Making a list of local log
>>>> files.}
>>>> Sending sguild (sock3) XscriptDebugMsg 10 {Looking in
>>>> /nsm_data/sensor-01/dailylogs/2012-01-10.}
>>>> Sending sguild (sock3) XscriptDebugMsg 10 {Making a list of local log files
>>>> in /nsm_data/sensor-01/dailylogs/2012-01-10.}
>>>> Sending sguild (sock3) XscriptDebugMsg 10 {No matching log files.}
>>>> Sending sguild (sock3) XscriptDebugMsg 10 {}
>>>>
>>>> It's very similar to the sguild output...
>>>>
>>>> Kindly,
>>>>
>>>> Paul
>>>>
>>>>
>>>>
>>>> El 10/01/2012 03:16 p.m., Jeremy Hoel escribió:
>>>>
>>>> The pcap agent is what recieves the commands from sguild to parse those
>>>> files and generate the raw file for xscript. Check pcap agent in debug
>>>> mode.
>>>>
>>>> On Jan 10, 2012 1:59 PM, "Paul Marin" <pma...@gm...> wrote:
>>>>> Hi guys,
>>>>>
>>>>> I am running sguil 0.8.0 both server and sensor on Ubuntu Server 10.04
>>>>> LTS 32-bit. I have installed sguil from source following the INSTALL
>>>>> file instructions included in the tar ball.
>>>>>
>>>>> Both sensor and server time are configured to GMT. You can also see the
>>>>> alerts being sent from the sensor to the server without problems.
>>>>> However, when you issue the transcript feature of any alert, the client
>>>>> shows you the following error: "No matching log files".
>>>>>
>>>>> Let's see the sguild's debug output when a transcript requested is made:
>>>>>
>>>>> 2012-01-10 17:26:34 pid(17313) Client Command Received: XscriptRequest
>>>>> sensor-01 1 .sensor-01_11 {2012-01-10 17:25:11} S.S.S.S 80 C.C.C.C 2543 0
>>>>> 2012-01-10 17:26:34 pid(17313) Sending sensor-01: RawDataRequest 5
>>>>> sensor-01 2012-01-10 17:25:11 S.S.S.S C.C.C.C 2543 6
>>>>> C.C.C.C:2543_S.S.S.S:80-6.raw xscript
>>>>> 2012-01-10 17:26:34 pid(17313) Sending sock18: XscriptDebugMsg
>>>>> .sensor-01_11 {Raw data request sent to sensor-01.}
>>>>> 2012-01-10 17:26:34 pid(17313) Sensor Data Rcvd: XscriptDebugMsg 5
>>>>> {Making a list of local log files.}
>>>>> 2012-01-10 17:26:34 pid(17313) Sending sock18: XscriptDebugMsg
>>>>> .sensor-01_11 {Making a list of local log files.}
>>>>> 2012-01-10 17:26:34 pid(17313) Sensor Data Rcvd: XscriptDebugMsg 5
>>>>> {Looking in /nsm_data/sensor-01/dailylogs/2012-01-10.}
>>>>> 2012-01-10 17:26:34 pid(17313) Sending sock18: XscriptDebugMsg
>>>>> .sensor-01_11 {Looking in /nsm_data/sensor-01/dailylogs/2012-01-10.}
>>>>> 2012-01-10 17:26:34 pid(17313) Sensor Data Rcvd: XscriptDebugMsg 5
>>>>> {Making a list of local log files in
>>>>> /nsm_data/sensor-01/dailylogs/2012-01-10.}
>>>>> 2012-01-10 17:26:34 pid(17313) Sending sock18: XscriptDebugMsg
>>>>> .sensor-01_11 {Making a list of local log files in
>>>>> /nsm_data/sensor-01/dailylogs/2012-01-10.}
>>>>> 2012-01-10 17:26:34 pid(17313) Sensor Data Rcvd: XscriptDebugMsg 5 {No
>>>>> matching log files.}
>>>>> 2012-01-10 17:26:34 pid(17313) Sending sock18: XscriptDebugMsg
>>>>> .sensor-01_11 {No matching log files.}
>>>>> 2012-01-10 17:26:34 pid(17313) Sensor Data Rcvd: XscriptDebugMsg 5 {}
>>>>> 2012-01-10 17:26:34 pid(17313) Sending sock18: XscriptDebugMsg
>>>>> .sensor-01_11 {}
>>>>>
>>>>> If you list the files inside /nsm_data/sensor-01/dailylogs/2012-01-10
>>>>> you'll see:
>>>>>
>>>>> root@sensor-01:/nsm_data/sensor-01/dailylogs/2012-01-10# ls -l
>>>>> total 660320
>>>>> -rw------- 1 root root 134216351 2012-01-10 17:22 snort.log.1326215636
>>>>> -rw------- 1 root root 134216934 2012-01-10 17:23 snort.log.1326216162
>>>>> -rw------- 1 root root 134217178 2012-01-10 17:24 snort.log.1326216201
>>>>> -rw------- 1 root root 134217536 2012-01-10 17:24 snort.log.1326216246
>>>>> -rw------- 1 root root 134216849 2012-01-10 17:25 snort.log.1326216290
>>>>> -rw------- 1 root root 5077741 2012-01-10 17:25 snort.log.1326216333
>>>>>
>>>>> The date 2012-01-10 17:25:11 converted to unixtime results in: 1326216238
>>>>>
>>>>> As you can see, there is no file with that date in the directory and i
>>>>> don't know how sguild does the file search.
>>>>>
>>>>> I'd really appreciate if you guys could help me out here.
>>>>>
>>>>> Thanks in advance.
>>>>>
>>>>> Kindly,
>>>>>
>>>>> Paul
>>>>>
>>>>>
>>>>> ------------------------------------------------------------------------------
>>>>> Write once. Port to many.
>>>>> Get the SDK and tools to simplify cross-platform app development. Create
>>>>> new or port existing apps to sell to consumers worldwide. Explore the
>>>>> Intel AppUpSM program developer opportunity. appdeveloper.intel.com/join
>>>>> http://p.sf.net/sfu/intel-appdev
>>>>> _______________________________________________
>>>>> Sguil-users mailing list
>>>>> Sgu...@li...
>>>>> https://lists.sourceforge.net/lists/listinfo/sguil-users
>>>>
>>>>
>>>> ------------------------------------------------------------------------------
>>>> Write once. Port to many.
>>>> Get the SDK and tools to simplify cross-platform app development. Create
>>>> new or port existing apps to sell to consumers worldwide. Explore the
>>>> Intel AppUpSM program developer opportunity. appdeveloper.intel.com/join
>>>> http://p.sf.net/sfu/intel-appdev
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> Sguil-users mailing list
>>>> Sgu...@li...
>>>> https://lists.sourceforge.net/lists/listinfo/sguil-users
>>>>
>>>>
>>>>
>>>> ------------------------------------------------------------------------------
>>>> Write once. Port to many.
>>>> Get the SDK and tools to simplify cross-platform app development. Create
>>>> new or port existing apps to sell to consumers worldwide. Explore the
>>>> Intel AppUpSM program developer opportunity. appdeveloper.intel.com/join
>>>> http://p.sf.net/sfu/intel-appdev
>>>> _______________________________________________
>>>> Sguil-users mailing list
>>>> Sgu...@li...
>>>> https://lists.sourceforge.net/lists/listinfo/sguil-users
>>>>
>>> ------------------------------------------------------------------------------
>>> Write once. Port to many.
>>> Get the SDK and tools to simplify cross-platform app development. Create
>>> new or port existing apps to sell to consumers worldwide. Explore the
>>> Intel AppUpSM program developer opportunity. appdeveloper.intel.com/join
>>> http://p.sf.net/sfu/intel-appdev
>>> _______________________________________________
>>> Sguil-users mailing list
>>> Sgu...@li...
>>> https://lists.sourceforge.net/lists/listinfo/sguil-users
>>>
>>
>>
>> ------------------------------------------------------------------------------
>> Write once. Port to many.
>> Get the SDK and tools to simplify cross-platform app development. Create
>> new or port existing apps to sell to consumers worldwide. Explore the
>> Intel AppUpSM program developer opportunity. appdeveloper.intel.com/join
>> http://p.sf.net/sfu/intel-appdev
>> _______________________________________________
>> Sguil-users mailing list
>> Sgu...@li...
>> https://lists.sourceforge.net/lists/listinfo/sguil-users
>
> ------------------------------------------------------------------------------
> Ridiculously easy VDI. With Citrix VDI-in-a-Box, you don't need a complex
> infrastructure or vast IT resources to deliver seamless, secure access to
> virtual desktops. With this all-in-one solution, easily deploy virtual
> desktops for less than the cost of PCs and save 60% on VDI infrastructure
> costs. Try it free! http://p.sf.net/sfu/Citrix-VDIinabox
> _______________________________________________
> Sguil-users mailing list
> Sgu...@li...
> https://lists.sourceforge.net/lists/listinfo/sguil-users
--
Doug Burks
SANS GSE and Community Instructor
Security Onion | http://securityonion.blogspot.com
President, Greater Augusta ISSA | http://augusta.issa.org
Please vote for Security Onion for 2011 Toolsmith Tool of the Year! |
http://goo.gl/PwTDi
|