[Sguil-devel] Understanding the process
From: Paul S. <pa...@ut...> - 2005-03-07 20:46:08
I've been trying to get a grasp on the process flow for sguil. I'm doing this because I'm having problems with sancp stats files. They aren't being entered into the database, and they aren't being removed from the sensor.

My setup is:

                     -->sguild
    sensor --|
                     -->sguildb

As I understand it, the sancp stats files are grabbed from the sensor by sguild. I assume this is because you didn't want to add code to sensor_agent.tcl to feed the stats file directly to the db when you already had the code in sguild, right?

What's strange is, no matter how many times I restart sguild and/or sancp, the events aren't being transferred to the sguild box, so they never make it to the db. When I first set the whole thing up, it worked, so I know there's a way to do it, but I'm having trouble, looking through the code, figuring out how it all works.

I'm also having problems with the sguild box /tmp dir filling up with stats.*.* and stats.*.*.tmp files (though not recently, obviously). So I looked for a place in the code where I could change the /tmp path to something more sizeable. Couldn't find it.

So, can you explain the flow, strictly for sancp? What does what? How are the files deleted on the sensor? Why are they written to /tmp on the server? Etc., etc.

Paul Schmehl (pa...@ut...)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu