Re: [Sguil-users] Transcript problems - No matching log files
From: Bamm V. <bam...@gm...> - 2012-01-13 02:17:55
Did you modify anything in this output? According to pcap_agent, there are no pcap files in that date directory.

Bamm

On 1/10/12, Paul Marin <pma...@gm...> wrote:
> Hi guys,
>
> I am running sguil 0.8.0 both server and sensor on Ubuntu Server 10.04
> LTS 32-bit. I have installed sguil from source following the INSTALL
> file instructions included in the tarball.
>
> Both sensor and server time are configured to GMT. You can also see the
> alerts being sent from the sensor to the server without problems.
> However, when you issue the transcript feature of any alert, the client
> shows you the following error: "No matching log files".
>
> Let's see sguild's debug output when a transcript request is made:
>
> 2012-01-10 17:26:34 pid(17313) Client Command Received: XscriptRequest sensor-01 1 .sensor-01_11 {2012-01-10 17:25:11} S.S.S.S 80 C.C.C.C 2543 0
> 2012-01-10 17:26:34 pid(17313) Sending sensor-01: RawDataRequest 5 sensor-01 2012-01-10 17:25:11 S.S.S.S C.C.C.C 2543 6 C.C.C.C:2543_S.S.S.S:80-6.raw xscript
> 2012-01-10 17:26:34 pid(17313) Sending sock18: XscriptDebugMsg .sensor-01_11 {Raw data request sent to sensor-01.}
> 2012-01-10 17:26:34 pid(17313) Sensor Data Rcvd: XscriptDebugMsg 5 {Making a list of local log files.}
> 2012-01-10 17:26:34 pid(17313) Sending sock18: XscriptDebugMsg .sensor-01_11 {Making a list of local log files.}
> 2012-01-10 17:26:34 pid(17313) Sensor Data Rcvd: XscriptDebugMsg 5 {Looking in /nsm_data/sensor-01/dailylogs/2012-01-10.}
> 2012-01-10 17:26:34 pid(17313) Sending sock18: XscriptDebugMsg .sensor-01_11 {Looking in /nsm_data/sensor-01/dailylogs/2012-01-10.}
> 2012-01-10 17:26:34 pid(17313) Sensor Data Rcvd: XscriptDebugMsg 5 {Making a list of local log files in /nsm_data/sensor-01/dailylogs/2012-01-10.}
> 2012-01-10 17:26:34 pid(17313) Sending sock18: XscriptDebugMsg .sensor-01_11 {Making a list of local log files in /nsm_data/sensor-01/dailylogs/2012-01-10.}
> 2012-01-10 17:26:34 pid(17313) Sensor Data Rcvd: XscriptDebugMsg 5 {No matching log files.}
> 2012-01-10 17:26:34 pid(17313) Sending sock18: XscriptDebugMsg .sensor-01_11 {No matching log files.}
> 2012-01-10 17:26:34 pid(17313) Sensor Data Rcvd: XscriptDebugMsg 5 {}
> 2012-01-10 17:26:34 pid(17313) Sending sock18: XscriptDebugMsg .sensor-01_11 {}
>
> If you list the files inside /nsm_data/sensor-01/dailylogs/2012-01-10
> you'll see:
>
> root@sensor-01:/nsm_data/sensor-01/dailylogs/2012-01-10# ls -l
> total 660320
> -rw------- 1 root root 134216351 2012-01-10 17:22 snort.log.1326215636
> -rw------- 1 root root 134216934 2012-01-10 17:23 snort.log.1326216162
> -rw------- 1 root root 134217178 2012-01-10 17:24 snort.log.1326216201
> -rw------- 1 root root 134217536 2012-01-10 17:24 snort.log.1326216246
> -rw------- 1 root root 134216849 2012-01-10 17:25 snort.log.1326216290
> -rw------- 1 root root 5077741 2012-01-10 17:25 snort.log.1326216333
>
> The date 2012-01-10 17:25:11 converted to unixtime results in: 1326216238
>
> As you can see, there is no file with that date in the directory and I
> don't know how sguild does the file search.
>
> I'd really appreciate if you guys could help me out here.
>
> Thanks in advance.
>
> Kindly,
>
> Paul
>
> _______________________________________________
> Sguil-users mailing list
> Sgu...@li...
> https://lists.sourceforge.net/lists/listinfo/sguil-users

-- 
Sent from my mobile device

sguil - The Analyst Console for NSM
http://sguil.sf.net
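An added check, written by the editor and not taken from the post or from Sguil's pcap_agent: given a directory listing of rotated snort.log.<epoch> files and an alert timestamp, it works out which file ought to hold the packet. It assumes only what the listing above shows (files named snort.log.<unix start time>) plus one heuristic, that a packet belongs to the file whose start time is the latest one not later than the packet's timestamp; how pcap_agent itself searches the directory is not shown on this page. It also converts the timestamp in code with the zone fixed to UTC, since Sguil timestamps are GMT and a hand conversion done in local time is a common source of drift: 2012-01-10 17:25:11 GMT is 1326216311, which falls in snort.log.1326216290's window, whereas the value 1326216238 quoted in the post would fall in snort.log.1326216201's. The `ls -l` text is embedded as constructed sample input.

```python
"""Which rotated snort.log.<epoch> file should hold a packet seen at a given time?

Editor's example, not code from Sguil or pcap_agent. Assumptions: the sensor
names its pcap files snort.log.<unix start time>, and a packet belongs to the
file whose start time is the latest one not later than the packet's timestamp.
"""
import bisect
import re
from datetime import datetime, timezone

# Constructed sample input: the `ls -l` output quoted in the post.
LISTING = """\
-rw------- 1 root root 134216351 2012-01-10 17:22 snort.log.1326215636
-rw------- 1 root root 134216934 2012-01-10 17:23 snort.log.1326216162
-rw------- 1 root root 134217178 2012-01-10 17:24 snort.log.1326216201
-rw------- 1 root root 134217536 2012-01-10 17:24 snort.log.1326216246
-rw------- 1 root root 134216849 2012-01-10 17:25 snort.log.1326216290
-rw------- 1 root root 5077741 2012-01-10 17:25 snort.log.1326216333
"""

NAME_RE = re.compile(r"^snort\.log\.(\d+)$")


def to_epoch(ts, tz=timezone.utc):
    """Convert 'YYYY-MM-DD HH:MM:SS' to unix time.

    Sguil timestamps are GMT, so the string is tagged as UTC explicitly
    instead of being read in the local timezone of the machine doing the
    conversion, which is where a hand conversion usually goes wrong.
    """
    dt = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").replace(tzinfo=tz)
    return int(dt.timestamp())


def parse_listing(text):
    """Return sorted (start_epoch, filename) pairs for snort.log.<epoch> entries.

    Only the last field of each `ls -l` line (the name) is used. Size and
    mtime are ignored: the files rotate on size, so mtime says little about
    the time range a file covers.
    """
    files = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        m = NAME_RE.match(fields[-1])
        if m:
            files.append((int(m.group(1)), fields[-1]))
    return sorted(files)


def find_log_file(files, epoch):
    """Pick the file that should contain a packet timestamped `epoch`.

    `files` is the sorted output of parse_listing(). Returns a dict with the
    file name and its [start, end) window (end is None for the newest file,
    which is still being written), or None if every file starts after `epoch`.
    """
    starts = [start for start, _ in files]
    idx = bisect.bisect_right(starts, epoch) - 1
    if idx < 0:
        return None
    start, name = files[idx]
    end = files[idx + 1][0] if idx + 1 < len(files) else None
    return {"name": name, "start": start, "end": end}


def locate(listing, ts):
    """Timestamp string plus listing text -> candidate file, or None."""
    return find_log_file(parse_listing(listing), to_epoch(ts))


if __name__ == "__main__":
    files = parse_listing(LISTING)
    alert = "2012-01-10 17:25:11"
    print(alert, "->", to_epoch(alert), find_log_file(files, to_epoch(alert)))
    # The hand-converted value from the post, for comparison.
    print("1326216238 ->", find_log_file(files, 1326216238))
```

To use it on a live sensor, replace LISTING with the `ls -l` output of the dailylogs directory for the alert's date; if `locate()` returns a file but the transcript still fails, the problem is not the time window and the daemon's own search criteria (directory path, file name pattern, permissions) are the next thing to compare against what pcap_agent reports.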