Re: [Sguil-users] Transcript problems - No matching log files
From: Jeremy H. <jt...@gm...> - 2012-01-10 20:15:00
The rights you showed on the files were root:root 600. What user are pcap_agent and sguild running as? Maybe they don't have rights to read the file? Was this working before?

2012/1/10 Paul Marin <pma...@gm...>:
> Thanks Jeremy for your quick reply.
>
> Here is the pcap agent's output in debug mode:
>
> Sensor Data Rcvd: RawDataRequest 10 sensor-01 {2012-01-10 17:25:11} S.S.S.S
> C.C.C.C 80 2543 6 C.C.C.C:2543_S.S.S.S:80-6.raw xscript
> Sending sguild (sock3) XscriptDebugMsg 10 {Making a list of local log
> files.}
> Sending sguild (sock3) XscriptDebugMsg 10 {Looking in
> /nsm_data/sensor-01/dailylogs/2012-01-10.}
> Sending sguild (sock3) XscriptDebugMsg 10 {Making a list of local log files
> in /nsm_data/sensor-01/dailylogs/2012-01-10.}
> Sending sguild (sock3) XscriptDebugMsg 10 {No matching log files.}
> Sending sguild (sock3) XscriptDebugMsg 10 {}
>
> It's very similar to the sguild output...
>
> Kindly,
>
> Paul
>
>
> On 10/01/2012 03:16 p.m., Jeremy Hoel wrote:
>
> The pcap agent is what receives the commands from sguild to parse those
> files and generate the raw file for xscript. Check pcap agent in debug
> mode.
>
> On Jan 10, 2012 1:59 PM, "Paul Marin" <pma...@gm...> wrote:
>>
>> Hi guys,
>>
>> I am running sguil 0.8.0 both server and sensor on Ubuntu Server 10.04
>> LTS 32-bit. I have installed sguil from source following the INSTALL
>> file instructions included in the tar ball.
>>
>> Both sensor and server time are configured to GMT. You can also see the
>> alerts being sent from the sensor to the server without problems.
>> However, when you issue the transcript feature of any alert, the client
>> shows you the following error: "No matching log files".
>>
>> Let's see the sguild's debug output when a transcript request is made:
>>
>> 2012-01-10 17:26:34 pid(17313) Client Command Received: XscriptRequest
>> sensor-01 1 .sensor-01_11 {2012-01-10 17:25:11} S.S.S.S 80 C.C.C.C 2543 0
>> 2012-01-10 17:26:34 pid(17313) Sending sensor-01: RawDataRequest 5
>> sensor-01 2012-01-10 17:25:11 S.S.S.S C.C.C.C 2543 6
>> C.C.C.C:2543_S.S.S.S:80-6.raw xscript
>> 2012-01-10 17:26:34 pid(17313) Sending sock18: XscriptDebugMsg
>> .sensor-01_11 {Raw data request sent to sensor-01.}
>> 2012-01-10 17:26:34 pid(17313) Sensor Data Rcvd: XscriptDebugMsg 5
>> {Making a list of local log files.}
>> 2012-01-10 17:26:34 pid(17313) Sending sock18: XscriptDebugMsg
>> .sensor-01_11 {Making a list of local log files.}
>> 2012-01-10 17:26:34 pid(17313) Sensor Data Rcvd: XscriptDebugMsg 5
>> {Looking in /nsm_data/sensor-01/dailylogs/2012-01-10.}
>> 2012-01-10 17:26:34 pid(17313) Sending sock18: XscriptDebugMsg
>> .sensor-01_11 {Looking in /nsm_data/sensor-01/dailylogs/2012-01-10.}
>> 2012-01-10 17:26:34 pid(17313) Sensor Data Rcvd: XscriptDebugMsg 5
>> {Making a list of local log files in
>> /nsm_data/sensor-01/dailylogs/2012-01-10.}
>> 2012-01-10 17:26:34 pid(17313) Sending sock18: XscriptDebugMsg
>> .sensor-01_11 {Making a list of local log files in
>> /nsm_data/sensor-01/dailylogs/2012-01-10.}
>> 2012-01-10 17:26:34 pid(17313) Sensor Data Rcvd: XscriptDebugMsg 5 {No
>> matching log files.}
>> 2012-01-10 17:26:34 pid(17313) Sending sock18: XscriptDebugMsg
>> .sensor-01_11 {No matching log files.}
>> 2012-01-10 17:26:34 pid(17313) Sensor Data Rcvd: XscriptDebugMsg 5 {}
>> 2012-01-10 17:26:34 pid(17313) Sending sock18: XscriptDebugMsg
>> .sensor-01_11 {}
>>
>> If you list the files inside /nsm_data/sensor-01/dailylogs/2012-01-10
>> you'll see:
>>
>> root@sensor-01:/nsm_data/sensor-01/dailylogs/2012-01-10# ls -l
>> total 660320
>> -rw------- 1 root root 134216351 2012-01-10 17:22 snort.log.1326215636
>> -rw------- 1 root root 134216934 2012-01-10 17:23 snort.log.1326216162
>> -rw------- 1 root root 134217178 2012-01-10 17:24 snort.log.1326216201
>> -rw------- 1 root root 134217536 2012-01-10 17:24 snort.log.1326216246
>> -rw------- 1 root root 134216849 2012-01-10 17:25 snort.log.1326216290
>> -rw------- 1 root root 5077741 2012-01-10 17:25 snort.log.1326216333
>>
>> The date 2012-01-10 17:25:11 converted to unixtime results in: 1326216238
>>
>> As you can see, there is no file with that date in the directory and I
>> don't know how sguild does the file search.
>>
>> I'd really appreciate it if you guys could help me out here.
>>
>> Thanks in advance.
>>
>> Kindly,
>>
>> Paul
>>
>>
>> ------------------------------------------------------------------------------
>> Write once. Port to many.
>> Get the SDK and tools to simplify cross-platform app development. Create
>> new or port existing apps to sell to consumers worldwide. Explore the
>> Intel AppUpSM program developer opportunity. appdeveloper.intel.com/join
>> http://p.sf.net/sfu/intel-appdev
>> _______________________________________________
>> Sguil-users mailing list
>> Sgu...@li...
>> https://lists.sourceforge.net/lists/listinfo/sguil-users
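A check for the two open questions in this thread (which dailylog should hold the packet for an alert timestamp, and whether the agent's user can actually read it), added here as an example and not code from Sguil or either poster. It assumes dailylogs are named snort.log.<unix start time> and that the packet sits in the file with the latest start time not after the alert timestamp; the thread does not show how pcap_agent itself picks files, and the sample file names are the ones from Paul's ls output.

```python
"""Locate the snort.log.<epoch> dailylog that should hold a packet and check
whether the calling user can read it. Added example, not Sguil's own code.
Assumption: files are named snort.log.<unix start time>, so a packet seen at
time T is in the file with the greatest start time <= T."""
import os, pwd, re, stat, sys
from datetime import datetime, timezone

LOG_RE = re.compile(r"^snort\.log\.(\d+)$")

# File names as listed in the thread's `ls -l` output (for the self-test).
SAMPLE_NAMES = ["snort.log.1326215636", "snort.log.1326216162",
                "snort.log.1326216201", "snort.log.1326216246",
                "snort.log.1326216290", "snort.log.1326216333"]

def to_epoch_utc(ts):
    """The sensor clock is set to GMT, so interpret the timestamp as UTC."""
    dt = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    return int(dt.timestamp())

def select_log_file(names, epoch):
    """Return the dailylog whose start time is the latest one not after
    `epoch`, or None when no listed file could contain that packet."""
    candidates = []
    for name in names:
        m = LOG_RE.match(name)
        if m and int(m.group(1)) <= epoch:
            candidates.append((int(m.group(1)), name))
    return max(candidates)[1] if candidates else None

def explain_access(path):
    """Owner, mode and whether the effective user can read `path`."""
    st = os.stat(path)
    return {"owner": pwd.getpwuid(st.st_uid).pw_name,
            "mode": stat.filemode(st.st_mode),
            "user": pwd.getpwuid(os.geteuid()).pw_name,
            "readable": os.access(path, os.R_OK)}

if __name__ == "__main__":
    # Run as the pcap_agent user (script name is hypothetical), e.g.:
    #   python3 check_dailylog.py /nsm_data/sensor-01/dailylogs/2012-01-10 "2012-01-10 17:25:11"
    log_dir, ts = sys.argv[1], sys.argv[2]
    name = select_log_file(os.listdir(log_dir), to_epoch_utc(ts))
    if name is None:
        print("No matching log files")
    else:
        info = explain_access(os.path.join(log_dir, name))
        print(name, info)
        if not info["readable"]:
            print("%s cannot read this file (owner %s, mode %s)"
                  % (info["user"], info["owner"], info["mode"]))
```

Running it as the pcap_agent user separates the two failure modes: a None result means no file starts before the alert time (clock or path problem), while a readable=False result means the 600 root:root mode is what blocks the transcript.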