The pcap agent is what receives the commands from sguild to parse those files and generate the raw file for xscript.  Check pcap agent in debug mode.

On Jan 10, 2012 1:59 PM, "Paul Marin" <pmarinh45@gmail.com> wrote:
Hi guys,

I am running sguil 0.8.0 both server and sensor on Ubuntu Server 10.04
LTS 32-bit. I have installed sguil from source following the INSTALL
file instructions included in the tar ball.

Both sensor and server time are configured to GMT. You can also see the
alerts being sent from the sensor to the server without problems.
However, when you issue the transcript feature of any alert, the client
shows you the following error: "No matching log files".

Let's see the sguild's debug output when a transcript request is made:

2012-01-10 17:26:34 pid(17313)  Client Command Received: XscriptRequest
sensor-01 1 .sensor-01_11 {2012-01-10 17:25:11} S.S.S.S 80 C.C.C.C 2543 0
2012-01-10 17:26:34 pid(17313)  Sending sensor-01: RawDataRequest 5
sensor-01 2012-01-10 17:25:11 S.S.S.S C.C.C.C 2543 6
C.C.C.C:2543_S.S.S.S:80-6.raw xscript
2012-01-10 17:26:34 pid(17313)  Sending sock18: XscriptDebugMsg
.sensor-01_11 {Raw data request sent to sensor-01.}
2012-01-10 17:26:34 pid(17313)  Sensor Data Rcvd: XscriptDebugMsg 5
{Making a list of local log files.}
2012-01-10 17:26:34 pid(17313)  Sending sock18: XscriptDebugMsg
.sensor-01_11 {Making a list of local log files.}
2012-01-10 17:26:34 pid(17313)  Sensor Data Rcvd: XscriptDebugMsg 5
{Looking in /nsm_data/sensor-01/dailylogs/2012-01-10.}
2012-01-10 17:26:34 pid(17313)  Sending sock18: XscriptDebugMsg
.sensor-01_11 {Looking in /nsm_data/sensor-01/dailylogs/2012-01-10.}
2012-01-10 17:26:34 pid(17313)  Sensor Data Rcvd: XscriptDebugMsg 5
{Making a list of local log files in
/nsm_data/sensor-01/dailylogs/2012-01-10.}
2012-01-10 17:26:34 pid(17313)  Sending sock18: XscriptDebugMsg
.sensor-01_11 {Making a list of local log files in
/nsm_data/sensor-01/dailylogs/2012-01-10.}
2012-01-10 17:26:34 pid(17313)  Sensor Data Rcvd: XscriptDebugMsg 5 {No
matching log files.}
2012-01-10 17:26:34 pid(17313)  Sending sock18: XscriptDebugMsg
.sensor-01_11 {No matching log files.}
2012-01-10 17:26:34 pid(17313)  Sensor Data Rcvd: XscriptDebugMsg 5 {}
2012-01-10 17:26:34 pid(17313)  Sending sock18: XscriptDebugMsg
.sensor-01_11 {}

If you list the files inside /nsm_data/sensor-01/dailylogs/2012-01-10
you'll see:

root@sensor-01:/nsm_data/sensor-01/dailylogs/2012-01-10# ls -l
total 660320
-rw------- 1 root root 134216351 2012-01-10 17:22 snort.log.1326215636
-rw------- 1 root root 134216934 2012-01-10 17:23 snort.log.1326216162
-rw------- 1 root root 134217178 2012-01-10 17:24 snort.log.1326216201
-rw------- 1 root root 134217536 2012-01-10 17:24 snort.log.1326216246
-rw------- 1 root root 134216849 2012-01-10 17:25 snort.log.1326216290
-rw------- 1 root root   5077741 2012-01-10 17:25 snort.log.1326216333

The date 2012-01-10 17:25:11 converted to unixtime results in: 1326216238

As you can see, there is no file with that date in the directory and I
don't know how sguild does the file search.

I'd really appreciate if you guys could help me out here.

Thanks in advance.

Kindly,

Paul

_______________________________________________
Sguil-users mailing list
Sguil-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/sguil-users
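Added illustration (not pcap_agent's own Tcl code, and not from either poster): the dailylogs directory holds one snort.log.<epoch> file per capture interval, so a transcript lookup for an event time reduces to "which file was being written at that moment", i.e. the file whose epoch suffix is the latest one not after the event's epoch. The listing below is the one quoted in the message, reproduced as constructed sample input; the event epoch used in the demo is the 1326216238 value quoted there. Function names and the UTC assumption for the timestamp conversion are this example's own.

```python
import calendar
import re
import time
from bisect import bisect_right
from typing import List, Optional

# Constructed sample input: the `ls -l` listing quoted in the message above.
# Only the file names matter for the search; sizes and mtimes are ignored.
SAMPLE_LISTING = """
-rw------- 1 root root 134216351 2012-01-10 17:22 snort.log.1326215636
-rw------- 1 root root 134216934 2012-01-10 17:23 snort.log.1326216162
-rw------- 1 root root 134217178 2012-01-10 17:24 snort.log.1326216201
-rw------- 1 root root 134217536 2012-01-10 17:24 snort.log.1326216246
-rw------- 1 root root 134216849 2012-01-10 17:25 snort.log.1326216290
-rw------- 1 root root   5077741 2012-01-10 17:25 snort.log.1326216333
"""

# Pattern of the per-interval capture files written into dailylogs/<date>/.
LOG_NAME = re.compile(r"^snort\.log\.(\d+)$")


def to_epoch_utc(timestamp: str) -> int:
    """Convert 'YYYY-MM-DD HH:MM:SS' to a Unix epoch, reading it as UTC.

    Assumption: the message says both hosts run on GMT. A sensor whose
    clock is in another zone would need that zone applied here, otherwise
    the search lands in the wrong file (or the wrong day's directory).
    """
    return calendar.timegm(time.strptime(timestamp, "%Y-%m-%d %H:%M:%S"))


def parse_listing(listing: str) -> List[int]:
    """Pull the epoch suffix out of every snort.log.<epoch> entry of an
    `ls -l` listing and return the start times sorted ascending.
    Lines whose last field does not match the pattern are skipped."""
    starts = []
    for line in listing.splitlines():
        fields = line.split()
        if not fields:
            continue
        m = LOG_NAME.match(fields[-1])
        if m:
            starts.append(int(m.group(1)))
    return sorted(starts)


def find_log_file(starts: List[int], event_epoch: int) -> Optional[str]:
    """Return the capture file covering event_epoch: the file with the
    latest start time that is not after the event (that file was still
    being written when the event occurred). Returns None when the event
    predates every file in the directory, which is the "No matching log
    files" case this search can legitimately produce."""
    i = bisect_right(starts, event_epoch)
    if i == 0:
        return None
    return "snort.log.%d" % starts[i - 1]


if __name__ == "__main__":
    starts = parse_listing(SAMPLE_LISTING)
    event = 1326216238  # epoch value quoted in the message for the alert time
    print("event epoch:", event)
    print("covering file:", find_log_file(starts, event))
```

Run against the quoted listing, the search does find a covering file for the quoted epoch, so a "No matching log files" reply from the sensor points at something other than the directory contents: the directory the agent actually opened, the name pattern it matched, or the time it searched with. That is exactly what running pcap_agent in debug mode, as the reply suggests, makes visible.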