Re: [Sguil-users] Transcript problems - No matching log files
From: Paul M. <pma...@gm...> - 2012-01-11 16:35:55
Hi Paul,

I got the same results with two other TCP events. The thing is that I started snort just for a few seconds to capture a few alerts to test the transcript function.

Kindly,
Paul

On 11/01/2012 10:30 a.m., Paul Halliday wrote:
> Paul,
>
> Is this the only example you have? Have you tried other events and
> got the same result?
>
>
>>>>>>> 2012-01-10 17:26:34 pid(17313) Client Command Received: XscriptRequest sensor-01 1 .sensor-01_11 {2012-01-10 17:25:11} S.S.S.S 80 C.C.C.C 2543 0
>>>>>>> 2012-01-10 17:26:34 pid(17313) Sending sensor-01: RawDataRequest 5 sensor-01 2012-01-10 17:25:11 S.S.S.S C.C.C.C 2543 6 C.C.C.C:2543_S.S.S.S:80-6.raw xscript
>>>>>>> 2012-01-10 17:26:34 pid(17313) Sending sock18: XscriptDebugMsg .sensor-01_11 {Raw data request sent to sensor-01.}
>>>>>>> 2012-01-10 17:26:34 pid(17313) Sensor Data Rcvd: XscriptDebugMsg 5 {Making a list of local log files.}
>>>>>>> 2012-01-10 17:26:34 pid(17313) Sending sock18: XscriptDebugMsg .sensor-01_11 {Making a list of local log files.}
>>>>>>> 2012-01-10 17:26:34 pid(17313) Sensor Data Rcvd: XscriptDebugMsg 5 {Looking in /nsm_data/sensor-01/dailylogs/2012-01-10.}
>>>>>>> 2012-01-10 17:26:34 pid(17313) Sending sock18: XscriptDebugMsg .sensor-01_11 {Looking in /nsm_data/sensor-01/dailylogs/2012-01-10.}
>>>>>>> 2012-01-10 17:26:34 pid(17313) Sensor Data Rcvd: XscriptDebugMsg 5 {Making a list of local log files in /nsm_data/sensor-01/dailylogs/2012-01-10.}
>>>>>>> 2012-01-10 17:26:34 pid(17313) Sending sock18: XscriptDebugMsg .sensor-01_11 {Making a list of local log files in /nsm_data/sensor-01/dailylogs/2012-01-10.}
>>>>>>> 2012-01-10 17:26:34 pid(17313) Sensor Data Rcvd: XscriptDebugMsg 5 {No matching log files.}
>>>>>>> 2012-01-10 17:26:34 pid(17313) Sending sock18: XscriptDebugMsg .sensor-01_11 {No matching log files.}
>>>>>>> 2012-01-10 17:26:34 pid(17313) Sensor Data Rcvd: XscriptDebugMsg 5 {}
>>>>>>> 2012-01-10 17:26:34 pid(17313) Sending sock18: XscriptDebugMsg .sensor-01_11 {}
>>>>>>>
>>>>>>> If you list the files inside /nsm_data/sensor-01/dailylogs/2012-01-10
>>>>>>> you'll see:
>>>>>>>
>>>>>>> root@sensor-01:/nsm_data/sensor-01/dailylogs/2012-01-10# ls -l
>>>>>>> total 660320
>>>>>>> -rw------- 1 root root 134216351 2012-01-10 17:22 snort.log.1326215636
>>>>>>> -rw------- 1 root root 134216934 2012-01-10 17:23 snort.log.1326216162
>>>>>>> -rw------- 1 root root 134217178 2012-01-10 17:24 snort.log.1326216201
>>>>>>> -rw------- 1 root root 134217536 2012-01-10 17:24 snort.log.1326216246
>>>>>>> -rw------- 1 root root 134216849 2012-01-10 17:25 snort.log.1326216290
>>>>>>> -rw------- 1 root root 5077741 2012-01-10 17:25 snort.log.1326216333
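A manual check of the file search the debug messages describe, added here as an example and not code from Sguil's pcap agent: it maps each snort.log.<epoch> name from the quoted listing to the time window it should cover (its own start until the next file's start) and reports which file ought to hold the event at 2012-01-10 17:25:11. It assumes the epoch suffix is the file's start time in seconds and that the request timestamp is UTC; the utc_offset_hours parameter is a hypothetical knob for testing how a time-zone mismatch between server and sensor turns a valid event into "No matching log files".

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed from the directory listing quoted in the thread (names only).
LOG_FILES = [
    "snort.log.1326215636",
    "snort.log.1326216162",
    "snort.log.1326216201",
    "snort.log.1326216246",
    "snort.log.1326216290",
    "snort.log.1326216333",
]

_NAME_RE = re.compile(r"^snort\.log\.(\d{9,10})$")


def log_windows(filenames):
    """Return [(name, start_epoch, end_epoch_or_None)] sorted by start.

    Assumption: a snort.log.<epoch> file holds packets from its own start
    timestamp until the next file's start. The newest file has no known end
    (it may still be open, or snort may simply have been stopped)."""
    starts = sorted(
        (int(m.group(1)), name)
        for name in filenames
        if (m := _NAME_RE.match(name))
    )
    windows = []
    for i, (start, name) in enumerate(starts):
        end = starts[i + 1][0] if i + 1 < len(starts) else None
        windows.append((name, start, end))
    return windows


def find_covering_log(event_ts, filenames, utc_offset_hours=0):
    """Name of the file whose window covers event_ts ('YYYY-MM-DD HH:MM:SS',
    read at the given UTC offset), or None: the agent's "No matching log files"."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    event = datetime.strptime(event_ts, "%Y-%m-%d %H:%M:%S").replace(tzinfo=tz)
    epoch = int(event.timestamp())
    for name, start, end in log_windows(filenames):
        if start <= epoch and (end is None or epoch < end):
            return name
    return None


if __name__ == "__main__":
    for name, start, end in log_windows(LOG_FILES):
        print(f"{name}: {start} .. {end if end is not None else 'open'}")
    print(find_covering_log("2012-01-10 17:25:11", LOG_FILES))
```

With the timestamps read as UTC the event falls inside snort.log.1326216290 (which starts at 17:24:50 and is followed by a file starting at 17:25:33), so a sensor that still answers "No matching log files" is worth checking for a clock or time-zone disagreement with sguild.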