sguil-users Mailing List for Sguil
Brought to you by: bamm

From: priscille G. <pri...@gm...> - 2023-05-11 10:21:52

Hello everyone. I've been working on sguil 0.9.0 for a while now, I've enjoyed the tool, it's very rich. However, I would now like to be able to receive email notifications when an alert appears and send details of the alerts via email on the sguil interface, but I still can't. Could you please help me?

Sent from Mail for Windows

From: Eln <ele...@gm...> - 2019-07-05 07:52:15

Hello, I use Security Onion and in /var/log/nsm/securityonion/sguild.log I have:

Sensor Data Rcvd: BYEventRcvd sock1054610 ...

and

Alert Received: 0 2 attempted-recon

Where can I modify Alert Received to include payload? Thanks

From: hernani c. <coe...@sa...> - 2019-02-05 11:10:06

Hello, I have installed Kali Linux (Debian) and I have installed sguil. ./sguild works fine, but ./sguil.tk gives me this error:

ERROR: Cannot fine the Iwidgets extension. The iwidgets package is part of the incr tcl extension and is available as a port/package most systems. See http://www.tcltk.com/iwidgets/ for more info.

I have installed iwidgets from the Debian repositories. Can someone help me? Thanks

hernani coelho

From: Gerhard M. <gmo...@gm...> - 2016-05-27 14:52:50

Hello List,

I've installed Sguil version 0.9.0 on CentOS 6.7 with Squert. When I log into the Squert web page, there is no data at all! I can see that I receive alerts on the OS but nothing on the Squert page!

Gerhard

From: ML m. <mln...@ya...> - 2016-05-15 09:14:01

Hello,

I am trying to install Sguil 0.9 on OpenBSD 5.9 with Tcl 8.5. I managed to install TclX 8.4 without any problems, but the mysqltcl package simply does not want to work... When I test it from the Tcl shell I get the following error:

% package require mysqltcl
couldn't load file "/usr/local/lib/tcl/mysqltcl-3.052/libmysqltcl3052.so.1.0": Cannot load specified object

An ldd on the library file does not show any missing libraries:

/usr/local/lib/mysqltcl-3.052/libmysqltcl3052.so.1.0:
Start            End              Type  Open Ref GrpRef Name
00001d77173b4000 00001d77177be000 dlib  2    0   0      /usr/local/lib/mysqltcl-3.052/libmysqltcl3052.so.1.0
00001d76af76e000 00001d76afed5000 rlib  0    1   0      /usr/local/lib/libmysqlclient.so.27.0
00001d7704cb0000 00001d77050c2000 rlib  0    1   0      /usr/lib/libpthread.so.20.1
00001d769ee91000 00001d769f2a6000 rlib  0    1   0      /usr/lib/libz.so.5.0
00001d774da5e000 00001d774deb8000 rlib  0    1   0      /usr/lib/libssl.so.38.0
00001d7710a74000 00001d7711043000 rlib  0    2   0      /usr/lib/libcrypto.so.37.0
00001d76b1fda000 00001d76b24f0000 rlib  0    1   0      /usr/lib/libstdc++.so.57.0
00001d7772653000 00001d7772a7b000 rlib  0    2   0      /usr/lib/libm.so.9.0

I used the following configure parameters to compile mysqltcl:

--with-tcl=/usr/local/lib/tcl/tcl8.5/
--with-mysql-include=/usr/local/include/mysql/
--with-mysql-lib=/usr/local/lib/mysql/

Any ideas what could be going wrong here? Or did anyone else manage to install Sguil on a modern OpenBSD 5.9?

Regards
ML

From: James L. <jl...@sl...> - 2016-05-09 17:54:40

Quick question... is purging interfaces no longer in use just a process of purging old data, or is there something else I need to do?

Thank you.
James

From: Matt G <sec...@gm...> - 2016-04-12 21:54:48

Bamm Visscher <bamm.visscher@...> writes:
> It looks like this bug may be a timezone issue. Is the timezone of your server set to something other than UTC?
> Bamm

That was exactly it. Thank you for responding, works great now!

From: Bamm V. <bam...@gm...> - 2016-03-17 02:03:33

It looks like this bug may be a timezone issue. Is the timezone of your server set to something other than UTC?

Bamm

On Tue, Dec 15, 2015 at 10:06 AM, Matt G <sec...@gm...> wrote:
> [Matt G's message of 2015-12-15 15:10:29, archived in full below]
>
> _______________________________________________
> Sguil-users mailing list
> Sgu...@li...
> https://lists.sourceforge.net/lists/listinfo/sguil-users

--
sguil - The Analyst Console for NSM
http://www.sguil.net

From: Reuben P. <reu...@gm...> - 2016-02-11 17:16:45

Hey all, quick question. I have a process that trips an emerging threats rule when it attempts to go to an akamai IP to pull down some OFAC information. The whois for the destination IP shows two CIDR blocks for that IP. Since the autocat rule wizard (via SecurityOnion 12) only allows one IP/CIDR notation in an address field, I had to create two autocat rules, each with a different CIDR-notated IP range in the destination field. Everything else between the two events from the autocat perspective is the same, and yet I still get daily alerts showing up when the process runs (again, same source IP, same destination IP and port). I would think that Autocat should catch this using one of the two rules... what gives here? Am I going about this the wrong way?

Thanks in advance
Reuben A. Popp

From: Edward F. <edw...@gm...> - 2015-12-19 10:02:04

I did a git-clone in the beginning of May and set up 3 new systems; all have that annoying "feature" :) Thank you for digging into it. I never took the time. Hope there will be a fix one day :)

E

On Tue, Dec 15, 2015 at 4:06 PM, Matt G <sec...@gm...> wrote:
> [Matt G's message of 2015-12-15 15:10:29, archived in full below]

--
Edward Bjarte Fjellskål
Senior Security Analyst
http://www.gamelinux.org/

From: Matt G <sec...@gm...> - 2015-12-15 15:10:29

No doubt about it, sguil rocks.

Unfortunately, though, I'm experiencing a strange behavior with my sguil installation. It has worked flawlessly for years, but it has recently developed a problem.

In the console, whenever I mark an aggregated row of alerts with F8 (No action required), I almost always get the dreaded error:

ERROR: Some events may not have been updated. Event(s) may be missing from DB. See sguild output for more information.

So I've turned up the debugging on sguil and also on mysql. Here is a representative event:

sguild log:

Dec 15 07:33:45 skipper SGUILD: ERROR: Number of updates mismatched number of events. Number of EVENTS: 5 Number of UPDATES: 4 Update List: 4.251447 4.289120 4.341253 4.398851 4.401153

The associated mysql activity looks like this:

UPDATE `event_internal_20151208` SET status=1, last_modified='2015-12-15 14:33:45', last_uid='2' WHERE sid=4 AND cid IN (289120)
UPDATE `event_internal_20151210` SET status=1, last_modified='2015-12-15 14:33:45', last_uid='2' WHERE sid=4 AND cid IN (398851)
UPDATE `event_internal_20151209` SET status=1, last_modified='2015-12-15 14:33:45', last_uid='2' WHERE sid=4 AND cid IN (341253)
UPDATE `event_internal_20151211` SET status=1, last_modified='2015-12-15 14:33:45', last_uid='2' WHERE sid=4 AND cid IN (401153)
UPDATE `event_internal_20151207` SET status=1, last_modified='2015-12-15 14:33:45', last_uid='2' WHERE sid=4 AND cid IN (251447)
INSERT INTO history (sid, cid, uid, timestamp, status) VALUES ( 4, 251447, 2, '2015-12-15 14:33:45', 1)
INSERT INTO history (sid, cid, uid, timestamp, status) VALUES ( 4, 289120, 2, '2015-12-15 14:33:45', 1)
INSERT INTO history (sid, cid, uid, timestamp, status) VALUES ( 4, 341253, 2, '2015-12-15 14:33:45', 1)
INSERT INTO history (sid, cid, uid, timestamp, status) VALUES ( 4, 398851, 2, '2015-12-15 14:33:45', 1)
INSERT INTO history (sid, cid, uid, timestamp, status) VALUES ( 4, 401153, 2, '2015-12-15 14:33:45', 1)

So clearly one of the update events is failing. When I walk through the SQL I find the failing event:

mysql> SELECT cid FROM `event_internal_20151209` WHERE cid IN (341253);
+--------+
| cid    |
+--------+
| 341253 |
+--------+
1 row in set (0.02 sec)

mysql> SELECT cid FROM `event_internal_20151208` WHERE cid IN (289120);
+--------+
| cid    |
+--------+
| 289120 |
+--------+
1 row in set (0.02 sec)

mysql> SELECT cid FROM `event_internal_20151210` WHERE cid IN (398851);
+--------+
| cid    |
+--------+
| 398851 |
+--------+
1 row in set (0.02 sec)

mysql> SELECT cid FROM `event_internal_20151209` WHERE cid IN (341253);
+--------+
| cid    |
+--------+
| 341253 |
+--------+
1 row in set (0.00 sec)

mysql> SELECT cid FROM `event_internal_20151211` WHERE cid IN (401153);
Empty set (0.01 sec)

mysql> SELECT cid FROM `event_internal_20151207` WHERE cid IN (251447);
+--------+
| cid    |
+--------+
| 251447 |
+--------+
1 row in set (0.02 sec)

mysql>

After poking around a bit, I've discovered that the "missing" event with cid 401153 is actually in a different table (belonging to the same parent merge table):

mysql> SELECT cid FROM `event_internal_20151210` WHERE cid IN (401153);
+--------+
| cid    |
+--------+
| 401153 |
+--------+
1 row in set (0.02 sec)

mysql>

So sguil is updating the record in event_internal_20151211 but the event lives in event_internal_20151210. This is happening constantly in my installation. Any ideas what I might do to resolve this?

Thanks.

--Matt

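The following Python is an added worked example, not code from this thread or from the sguil project. It models the failure Matt G reports above and the explanation Bamm gives in his 2016-03-17 reply in this thread (server timezone not set to UTC): it parses the sguild "Number of updates mismatched" line, finds which UPDATE was aimed at a per-day table that does not hold its cid, and shows how one instant maps to two different YYYYMMDD table suffixes depending on the zone it is rendered in. The rule that an event lands in the table named for the calendar day of its timestamp is an assumption of the model, and the sample log line and table contents are constructed from the values quoted in the message.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: the sguild ERROR line quoted in Matt G's message.
SGUILD_LINE = ("Dec 15 07:33:45 skipper SGUILD: ERROR: Number of updates mismatched "
               "number of events. Number of EVENTS: 5 Number of UPDATES: 4 Update "
               "List: 4.251447 4.289120 4.341253 4.398851 4.401153")

MISMATCH_RE = re.compile(
    r"Number of EVENTS: (\d+) Number of UPDATES: (\d+) Update List: (.*)$")


def parse_mismatch_line(line):
    """Return (events, updates, [(sid, cid), ...]) for a sguild
    'Number of updates mismatched' ERROR line, or None for any other line."""
    m = MISMATCH_RE.search(line)
    if m is None:
        return None
    pairs = []
    for token in m.group(3).split():
        sid, cid = token.split(".", 1)
        pairs.append((int(sid), int(cid)))
    return int(m.group(1)), int(m.group(2)), pairs


def daily_table_suffix(ts_utc_iso, utc_offset_hours):
    """Assumed model of the naming scheme: an event goes into the per-day table
    whose YYYYMMDD suffix is the calendar day of its timestamp. Returns the
    suffix computed in UTC and the suffix computed after shifting the same
    instant into a zone utc_offset_hours away from UTC."""
    ts = datetime.fromisoformat(ts_utc_iso).replace(tzinfo=timezone.utc)
    local = ts.astimezone(timezone(timedelta(hours=utc_offset_hours)))
    return ts.strftime("%Y%m%d"), local.strftime("%Y%m%d")


def find_misrouted(planned_updates, tables):
    """planned_updates: [(suffix, cid)] in the order sguild issues its UPDATEs;
    tables: {suffix: set(cid)} modelling what each per-day table holds.
    Returns [(planned_suffix, cid, actual_suffix_or_None)] for every UPDATE
    whose target table does not contain the cid, i.e. the statements that
    match zero rows and make UPDATES fall short of EVENTS."""
    misrouted = []
    for suffix, cid in planned_updates:
        if cid in tables.get(suffix, set()):
            continue
        actual = next((s for s, cids in tables.items() if cid in cids), None)
        misrouted.append((suffix, cid, actual))
    return misrouted


# Constructed data mirroring the thread: cid 401153 sits in event_internal_20151210
# while the UPDATE for it targets event_internal_20151211.
TABLES = {
    "20151207": {251447},
    "20151208": {289120},
    "20151209": {341253},
    "20151210": {398851, 401153},
    "20151211": set(),
}
PLANNED_UPDATES = [
    ("20151208", 289120), ("20151210", 398851), ("20151209", 341253),
    ("20151211", 401153), ("20151207", 251447),
]


def diagnose(line=SGUILD_LINE, planned=PLANNED_UPDATES, tables=TABLES):
    """Combine the log line and the table model: how many UPDATEs were lost
    and which cids were aimed at the wrong per-day table."""
    parsed = parse_mismatch_line(line)
    if parsed is None:
        return None
    events, updates, pairs = parsed
    return {
        "events": events,
        "updates": updates,
        "lost": events - updates,
        "cids": [cid for _, cid in pairs],
        "misrouted": find_misrouted(planned, tables),
    }


if __name__ == "__main__":
    print(diagnose())
    # The sguild line is stamped 07:33:45 local while MySQL wrote 14:33:45,
    # so this server runs seven hours behind UTC; an event shortly after UTC
    # midnight falls on a different calendar day in each zone.
    print(daily_table_suffix("2015-12-11 05:00:00", -7))
```

The seven-hour offset in the example is read off the message itself (07:33:45 in the sguild log against 14:33:45 in the SQL); on a real deployment the check to make is whether the system zone and MySQL's session zone agree, since the table suffix and the row's own timestamp come from different clocks.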
From: Matt . <stt...@gm...> - 2015-12-08 17:39:10

Nevermind, the server was blocked again due to the noise. Will follow up on the SO list.

On Tue, Dec 8, 2015 at 8:41 AM, Matt . <stt...@gm...> wrote:
> Now emails aren't working again, they stopped yesterday afternoon/evening.
>
> After each event there are entries that say "no clients to send info msg to".
>
> On Tue, Dec 8, 2015 at 4:03 AM, Doug Burks <dou...@gm...> wrote:
> > [Doug Burks's reply of 2015-12-08 and the earlier messages it quotes, archived in full in the 2015-12-08 16:41:56 message below]

From: Matt . <stt...@gm...> - 2015-12-08 16:41:56

Now emails aren't working again, they stopped yesterday afternoon/evening.

After each event there are entries that say "no clients to send info msg to".

On Tue, Dec 8, 2015 at 4:03 AM, Doug Burks <dou...@gm...> wrote:
> If your Sguil emails are working properly now and these new error messages are unrelated, then that would suggest this is not a Sguil problem and thus beyond the scope of this mailing list.
>
> On Mon, Dec 7, 2015 at 5:51 PM, Matt . <stt...@gm...> wrote:
> > Sorry, I meant to state that when I posted. I did check the log file, didn't see errors, restarted anyway. I also tried a few changes for the fun of it, no love.
> >
> > Now today it's mostly working... Not sure why, since I hadn't changed anything since the deployment until the problems started happening recently.
> >
> > That said, there's one outlier: the mail server is still getting frequent requests from the Security Onion server. Pasting in a snippet, happening many times a minute. I substituted "servername" for the actual server name; it isn't a real domain name, as the error implies. I've sifted through config files for nullmailer etc. and while I found one place where I replaced "servername" with an actual domain name, I must be failing to look at some config file.
> >
> > MAIL+FROM:<sg...@se...rvername> 501+Your+domain+does+not+seem+to+be+valid.+Could+not+find+MX+record+for+your+domain. ICOM-ME
> > 2015-12-07 14:19:20 xx.xx.xx.xx SMTP-IN xx.xx.xx.74 2152 QUIT QUIT 221+Service+closing+transmission+channel ICOM-ME
> > 2015-12-07 14:19:20 xx.xx.xx.xx SMTP-IN xx.xx.xx.74 1624 HELO HELO+domain.com 250+Requested+mail+action+okay,+completed ICOM-ME
> > 2015-12-07 14:19:20 xx.xx.xx.xx SMTP-IN xx.xx.xx.74 1624 MAIL MAIL+FROM:<ro...@se...rvername> 501+Your+domain+does+not+seem+to+be+valid.+Could+not+find+MX+record+for+your+domain. ICOM-ME
> > 2015-12-07 14:19:20 xx.xx.xx.xx SMTP-IN xx.xx.xx.74 1624 QUIT QUIT 221+Service+closing+transmission+channel ICOM-ME
> > 2015-12-07 14:19:20 xx.xx.xx.xx SMTP-IN xx.xx.xx.74 1460 HELO HELO+domain.com 250+Requested+mail+action+okay,+completed ICOM-ME
> > 2015-12-07 14:19:20 xx.xx.xx.xx SMTP-IN xx.xx.xx.74 1460 MAIL MAIL+FROM:<ro...@se...rvername> 501+Your+domain+does+not+seem+to+be+valid.+Could+not+find+MX+record+for+your+domain. ICOM-ME
> > 2015-12-07 14:19:20 xx.xx.xx.xx SMTP-IN xx.xx.xx.74 1460 QUIT QUIT 221+Service+closing+transmission+channel ICOM-ME
> > 2015-12-07 14:19:20 xx.xx.xx.xx SMTP-IN xx.xx.xx.74 2000 HELO HELO+domain.com 250+Requested+mail+action+okay,+completed ICOM-ME
> > 2015-12-07 14:19:20 xx.xx.xx.xx SMTP-IN xx.xx.xx.74 2000 MAIL MAIL+FROM:<ro...@se...rvername> 501+Your+domain+does+not+seem+to+be+valid.+Could+not+find+MX+record+for+your+domain. ICOM-ME
> > 2015-12-07 14:19:20 xx.xx.xx.xx SMTP-IN xx.xx.xx.74 2000 QUIT QUIT 221+Service+closing+transmission+channel ICOM-ME
> >
> > Thanks,
> > Matt
> >
> > On Fri, Dec 4, 2015 at 4:14 PM, Doug Burks <dou...@gm...> wrote:
> > > Hi Matt,
> > >
> > > Have you checked the sguild log file?
> > > /var/log/nsm/securityonion/sguild.log
> > >
> > > Have you tried restarting sguild?
> > > sudo nsm_server_ps-restart
> > >
> > > On Fri, Dec 4, 2015 at 5:35 PM, Matt . <stt...@gm...> wrote:
> > > > I use Security Onion, which utilizes SGUIL. I've stopped receiving email from SGUIL on my main server. I don't see errors in sguil.log.
> > > >
> > > > I've since enabled SGUIL email on a secondary server (duplicating the config of the main one). It's working properly.
> > > >
> > > > At one point the IP of the main server was blocked, weeks ago, but it was unblocked. I'm wondering if SGUIL is choking on the backlog or something.
> > > >
> > > > I'm ok with purging old email and starting from "now". What steps can I take to troubleshoot this further? I'm guessing I'm not checking a location for some logs somewhere.
> > > >
> > > > Thanks,
> > > > Matt
> > >
> > > --
> > > Doug Burks
> > > Need Security Onion Training or Commercial Support?
> > > http://securityonionsolutions.com

From: Doug B. <dou...@gm...> - 2015-12-08 12:03:23
|
If your Sguil emails are working properly now and these new error messages are unrelated, then that would suggest this is not a Sguil problem and thus beyond the scope of this mailing list.

On Mon, Dec 7, 2015 at 5:51 PM, Matt . <stt...@gm...> wrote:

--
Doug Burks
Need Security Onion Training or Commercial Support?
http://securityonionsolutions.com
|
From: Matt . <stt...@gm...> - 2015-12-07 22:51:35
|
Sorry, I meant to state that when I posted. I did check the log file, didn't see errors, restarted anyways. I also tried a few changes for the fun of it, no love.

Now today it's mostly working... Not sure why, since I hadn't changed anything since the deployment until the problems started happening recently.

That said, there's one outlier: the mail server is still getting frequent requests from the Security Onion server. Pasting in a snippet, happening many times a minute. I substituted "servername" for the actual server name; it isn't a real domain name, as the error implies. I've sifted through config files for nullmailer etc. and while I found one place where I replaced "servername" with an actual domain name, I must be failing to look at some config file.

MAIL+FROM:<sg...@se...rvername> 501+Your+domain+does+not+seem+to+be+valid.+Could+not+find+MX+record+for+your+domain. ICOM-ME
2015-12-07 14:19:20 xx.xx.xx.xx SMTP-IN xx.xx.xx.74 2152 QUIT QUIT 221+Service+closing+transmission+channel ICOM-ME
2015-12-07 14:19:20 xx.xx.xx.xx SMTP-IN xx.xx.xx.74 1624 HELO HELO+domain.com 250+Requested+mail+action+okay,+completed ICOM-ME
2015-12-07 14:19:20 xx.xx.xx.xx SMTP-IN xx.xx.xx.74 1624 MAIL MAIL+FROM:<ro...@se...rvername> 501+Your+domain+does+not+seem+to+be+valid.+Could+not+find+MX+record+for+your+domain. ICOM-ME
2015-12-07 14:19:20 xx.xx.xx.xx SMTP-IN xx.xx.xx.74 1624 QUIT QUIT 221+Service+closing+transmission+channel ICOM-ME
2015-12-07 14:19:20 xx.xx.xx.xx SMTP-IN xx.xx.xx.74 1460 HELO HELO+domain.com 250+Requested+mail+action+okay,+completed ICOM-ME
2015-12-07 14:19:20 xx.xx.xx.xx SMTP-IN xx.xx.xx.74 1460 MAIL MAIL+FROM:<ro...@se...rvername> 501+Your+domain+does+not+seem+to+be+valid.+Could+not+find+MX+record+for+your+domain. ICOM-ME
2015-12-07 14:19:20 xx.xx.xx.xx SMTP-IN xx.xx.xx.74 1460 QUIT QUIT 221+Service+closing+transmission+channel ICOM-ME
2015-12-07 14:19:20 xx.xx.xx.xx SMTP-IN xx.xx.xx.74 2000 HELO HELO+domain.com 250+Requested+mail+action+okay,+completed ICOM-ME
2015-12-07 14:19:20 xx.xx.xx.xx SMTP-IN xx.xx.xx.74 2000 MAIL MAIL+FROM:<ro...@se...rvername> 501+Your+domain+does+not+seem+to+be+valid.+Could+not+find+MX+record+for+your+domain. ICOM-ME
2015-12-07 14:19:20 xx.xx.xx.xx SMTP-IN xx.xx.xx.74 2000 QUIT QUIT 221+Service+closing+transmission+channel ICOM-ME

Thanks,
Matt

On Fri, Dec 4, 2015 at 4:14 PM, Doug Burks <dou...@gm...> wrote:
|
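To see what the mail server's log above is actually recording, here is an added example (not from the thread, Sguil or Security Onion) that parses records in that layout and reports which sender domain is being rejected and how often the client retries. The field order and the meaning of the trailing ICOM-ME token are assumptions inferred from the snippet, and the addresses in the sample are constructed placeholders.

```python
"""Summarise rejected MAIL FROM attempts from an SMTP-IN log in the layout
quoted above.

Assumed field order (inferred from the snippet, not documented on the page):
  date time server-ip direction client-ip session-id verb request reply site
where '+' stands in for a space inside the request and reply fields.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample in the shape of the quoted lines. The addresses are
# placeholders (the thread elides the real ones); the IPs are the same
# masked values as in the post. Session 2000 is given an accepted sender
# so the report distinguishes good from rejected envelopes.
SAMPLE_LOG = """\
2015-12-07 14:19:20 xx.xx.xx.xx SMTP-IN xx.xx.xx.74 1624 HELO HELO+domain.com 250+Requested+mail+action+okay,+completed ICOM-ME
2015-12-07 14:19:20 xx.xx.xx.xx SMTP-IN xx.xx.xx.74 1624 MAIL MAIL+FROM:<root@servername> 501+Your+domain+does+not+seem+to+be+valid.+Could+not+find+MX+record+for+your+domain. ICOM-ME
2015-12-07 14:19:20 xx.xx.xx.xx SMTP-IN xx.xx.xx.74 1624 QUIT QUIT 221+Service+closing+transmission+channel ICOM-ME
2015-12-07 14:19:20 xx.xx.xx.xx SMTP-IN xx.xx.xx.74 1460 HELO HELO+domain.com 250+Requested+mail+action+okay,+completed ICOM-ME
2015-12-07 14:19:20 xx.xx.xx.xx SMTP-IN xx.xx.xx.74 1460 MAIL MAIL+FROM:<sguil@servername> 501+Your+domain+does+not+seem+to+be+valid.+Could+not+find+MX+record+for+your+domain. ICOM-ME
2015-12-07 14:19:20 xx.xx.xx.xx SMTP-IN xx.xx.xx.74 1460 QUIT QUIT 221+Service+closing+transmission+channel ICOM-ME
2015-12-07 14:19:41 xx.xx.xx.xx SMTP-IN xx.xx.xx.74 2000 HELO HELO+domain.com 250+Requested+mail+action+okay,+completed ICOM-ME
2015-12-07 14:19:41 xx.xx.xx.xx SMTP-IN xx.xx.xx.74 2000 MAIL MAIL+FROM:<sguil@sensor.example.com> 250+Requested+mail+action+okay,+completed ICOM-ME
2015-12-07 14:19:41 xx.xx.xx.xx SMTP-IN xx.xx.xx.74 2000 QUIT QUIT 221+Service+closing+transmission+channel ICOM-ME
"""

FIELDS = ("date", "time", "server_ip", "direction", "client_ip",
          "session", "verb", "request", "reply", "site")
ADDR_RE = re.compile(r"<([^>]*)>")


def parse_line(line):
    """Split one record into a dict, or return None if the layout differs."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    rec["request"] = rec["request"].replace("+", " ")
    rec["reply"] = rec["reply"].replace("+", " ")
    code = rec["reply"][:3]
    rec["code"] = int(code) if code.isdigit() else None
    rec["when"] = datetime.strptime(rec["date"] + " " + rec["time"],
                                    "%Y-%m-%d %H:%M:%S")
    return rec


def sender_domain(request):
    """Domain of the reverse-path in 'MAIL FROM:<user@domain>', else None."""
    m = ADDR_RE.search(request)
    if not m or "@" not in m.group(1):
        return None          # null sender <> or malformed address
    return m.group(1).rsplit("@", 1)[1].lower()


def rejected_mail_from(log_text):
    """Map (client_ip, sender_domain) -> [(session, code, reply), ...] for
    every MAIL command the server answered with a 5xx permanent failure."""
    out = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["verb"] != "MAIL" or rec["code"] is None:
            continue
        if 500 <= rec["code"] < 600:
            key = (rec["client_ip"], sender_domain(rec["request"]))
            out[key].append((rec["session"], rec["code"], rec["reply"]))
    return dict(out)


def mail_attempts_per_minute(log_text):
    """Count MAIL commands per (client_ip, minute): the retry rate that
    shows up as 'many times a minute' on the receiving server."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["verb"] == "MAIL":
            minute = rec["when"].strftime("%Y-%m-%d %H:%M")
            counts[(rec["client_ip"], minute)] += 1
    return counts


if __name__ == "__main__":
    for (client, domain), hits in rejected_mail_from(SAMPLE_LOG).items():
        print(f"{client} sending as @{domain}: {len(hits)} rejections")
        print("  e.g. session", hits[0][0], "->", hits[0][1], hits[0][2])
    for (client, minute), n in mail_attempts_per_minute(SAMPLE_LOG).items():
        print(f"{client} {minute}: {n} MAIL attempts")
```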
From: Doug B. <dou...@gm...> - 2015-12-05 00:15:06
|
Hi Matt,

Have you checked the sguild log file?
/var/log/nsm/securityonion/sguild.log

Have you tried restarting sguild?
sudo nsm_server_ps-restart

On Fri, Dec 4, 2015 at 5:35 PM, Matt . <stt...@gm...> wrote:

--
Doug Burks
Need Security Onion Training or Commercial Support?
http://securityonionsolutions.com
|
From: Matt . <stt...@gm...> - 2015-12-04 22:35:18
|
I use Security Onion, which utilizes SGUIL. I've stopped receiving email from SGUIL on my main server. I don't see errors in sguil.log.

I've since enabled SGUIL email on a secondary server (duplicating the config of the main one). It's working properly.

At one point the main server's IP was blocked, weeks ago, but it was unblocked. I'm wondering if SGUIL is choking on the backlog or something.

I'm ok with purging old email and starting from "now". What steps can I take to troubleshoot this further? I'm guessing I'm not checking a location for some logs somewhere.

Thanks,
Matt
|
From: Lay, J. <jam...@wi...> - 2015-06-23 15:29:23
|
Thanks again for the link Paul! Fixed up with:

    If you can't downgrade, a workaround could be to force some other cipher on the sensors, like MD5. Change these lines in snort_agent.tcl and pcap_agent.tcl:

    tls::import $dataChannelID -ssl2 false -ssl3 false -tls1 true -cipher MD5

Woot!

James

From: Paul Halliday [mailto:pau...@gm...]
Sent: Tuesday, June 23, 2015 9:14 AM
To: sgu...@li...
Subject: Re: [Sguil-users] Sguil broken after OpenSSL update (Ubuntu)
|
From: Lay, J. <jam...@wi...> - 2015-06-23 15:19:22
|
Thanks Paul…appreciate it.

James

From: Paul Halliday [mailto:pau...@gm...]
Sent: Tuesday, June 23, 2015 9:14 AM
To: sgu...@li...
Subject: Re: [Sguil-users] Sguil broken after OpenSSL update (Ubuntu)
|
From: Paul H. <pau...@gm...> - 2015-06-23 15:14:37
|
http://blog.securityonion.net/2015/06/new-tcltls-package-resolves-openssl.html

That might help you.

On Tue, Jun 23, 2015 at 12:13 PM, Paul Halliday <pau...@gm...> wrote:

--
Paul Halliday
http://www.pintumbler.org/
|
From: Paul H. <pau...@gm...> - 2015-06-23 15:13:29
|
James,

Take a quick peek at the most recent threads on the security onion mailing list WRT this. I think it was fixed with an updated tcltls package.

On Tue, Jun 23, 2015 at 11:55 AM, Lay, James <jam...@wi...> wrote:

--
Paul Halliday
http://www.pintumbler.org/
|
From: Lay, J. <jam...@wi...> - 2015-06-23 15:07:39
|
From sguild:

2015-06-23 14:45:36 pid(14931) Sensor agent connect from 127.0.0.1:40300 sock15
2015-06-23 14:45:36 pid(14931) Validating sensor access: 127.0.0.1 :
2015-06-23 14:45:36 pid(14931) Valid sensor agent: 127.0.0.1
2015-06-23 14:45:36 pid(14931) ERROR: handshake failed: sslv3 alert handshake failure
2015-06-23 14:45:36 pid(14931) Error: Improper sensor cmd received: VersionInfo {SGUIL-0.9.0 OPENSSL ENABLED}: can't read "socketInfo(sock15)": no such variable
2015-06-23 14:45:36 pid(14931) Error from socket sock15: SSL channel "sock15": error: sslv3 alert handshake failure
2015-06-23 14:45:36 pid(14931) Closing socket.

From the snort_agent:

Connected to localhost
Sending sguild (sock3) RegisterAgent snort POS POS
ERROR: error writing "sock3": software caused connection abort : RegisterAgent snort POS POS
Socket sock3 closed
Attempting to reconnect.

Is there any way to disable ssl usage? In my case the agents are on the local machine anyway. Thank you.

James
|
From: E. F. <edw...@gm...> - 2015-05-08 10:56:47
|
Compiling a newer version of tcpflow seems to fix it.

Seems like the error on newer debian/ubuntu with tcpflow erroring "write error to stdout" b0rks the sguil pcap agent, leaving it in a limbo state.

E

On 05/08/2015 11:12 AM, Edward Fjellskål wrote:
> Did you guys solve this? I'm seeing the same. Ubuntu 14.04 tcl8.6.
>
> E
>
> On Tue, Nov 11, 2014 at 2:33 PM, C. L. Martinez <car...@gm...> wrote:
|
From: Edward F. <edw...@gm...> - 2015-05-08 09:12:27
|
Did you guys solve this? I'm seeing the same. Ubuntu 14.04, tcl8.6.

E

On Tue, Nov 11, 2014 at 2:33 PM, C. L. Martinez <car...@gm...> wrote:
> Thanks Bamm. Nope, the only error message that I have is on the sguil
> server side:
>
> Nov 4 14:49:00 plzfsiem04 SGUILD: Error: Improper sensor cmd
> received: RawDataFile 10.196.0.15:59567_107.20.198.79:443-6.raw 5
> 20588: error writing "stdout": I/O error
> Nov 4 14:49:00 bsdsguil01 SGUILD: Sensor Cmd Unknown (sock19):
> <D4><C3><B2><A1>#002
> Nov 4 14:49:00 bsdsguil01 SGUILD: Error: Improper sensor cmd
> received: <D4><C3><B2><A1>#002
> Nov 4 14:49:00 bsdsguil01 SGUILD: Sensor Cmd Unknown (sock19):
> Nov 4 14:49:00 bsdsguil01 SGUILD: Error: Improper sensor cmd received:
> Nov 4 14:49:00 bsdsguil01 SGUILD: Sensor Cmd Unknown (sock19): <C4>
> Nov 4 14:49:00 bsdsguil01 SGUILD: Error: Improper sensor cmd received:
> <C4>
> Nov 4 14:49:00 bsdsguil01 SGUILD: Sensor Cmd Unknown (sock19):
> Nov 4 14:49:00 bsdsguil01 SGUILD: Error: Improper sensor cmd received:
> Nov 4 14:49:00 bsdsguil01 SGUILD: Sensor Cmd Unknown (sock19): <C4>
> Nov 4 14:49:00 bsdsguil01 SGUILD: Error: Improper sensor cmd received:
> <C4>
>
> On Tue, Nov 11, 2014 at 12:35 PM, Bamm Visscher <bam...@gm...> wrote:
> > Can you send more details? Do you have output for pcap_agent.tcl?
> >
> > Bamm
> >
> > On Tue, Nov 11, 2014 at 5:32 AM, C. L. Martinez <car...@gm...> wrote:
> >>
> >> Ok, I don't know why, but the problem is with the pcap_agent script.
> >> Restarting it every hour, the problem disappears ...
> >>
> >> On Fri, Nov 7, 2014 at 2:15 PM, C. L. Martinez <car...@gm...> wrote:
> >> > Uhmm, maybe the problem is that the sguil server is installed under an
> >> > lxc container?? Hard disk is ok, works without problem.
> >> >
> >> > On Friday, November 7, 2014, James Lay <jl...@sl...> wrote:
> >> >>
> >> >> On Fri, 2014-11-07 at 12:32 +0000, C. L. Martinez wrote:
> >> >>
> >> >> Hi all,
> >> >>
> >> >> How can I debug this error?
> >> >>
> >> >> Nov 7 12:28:03 sguiltst01 SGUILD: Error: Improper sensor cmd
> >> >> received: RawDataFile 10.196.0.98:61540_173.194.40.184:443-6.raw 4
> >> >> 182244: error writing "stdout": I/O error
> >> >>
> >> >> Is it a problem with sguil server or with the agent??
> >> >>
> >> >> _______________________________________________
> >> >> Sguil-users mailing list
> >> >> Sgu...@li...
> >> >> https://lists.sourceforge.net/lists/listinfo/sguil-users
> >> >>
> >> >> That looks like it might be a disk thing...what do dmesg and smartctl
> >> >> have to show?
> >> >>
> >> >> James
> >
> > --
> > sguil - The Analyst Console for NSM
> > http://www.sguil.net

--
Edward Bjarte Fjellskål
Senior Security Analyst
http://www.gamelinux.org/
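The bytes sguild logged as an unknown command in the thread above are worth decoding rather than guessing at. The libpcap file header starts with the magic number 0xa1b2c3d4, which a little-endian host writes to disk as d4 c3 b2 a1, exactly the <D4><C3><B2><A1> in the quoted log, followed by the version fields 02 00 04 00 (the #002 that follows). In other words, the contents of a .raw capture file were arriving on the socket where sguild expects text commands. The script below is an added example, not code from sguil or from anyone in the thread: it parses sguild log lines of the two shapes quoted above, undoes the rendering of non-printable bytes (assumed from the quoted lines to be <HH> for a byte in hex and #ooo for a control byte in octal; sguild's source was not consulted for this), flags payloads that begin with a capture-file magic, and pairs them with the RawDataFile command that carried the agent's "error writing stdout" text. The log lines are constructed from the ones quoted in the thread.

```python
"""Triage sguild 'Sensor Cmd Unknown' / 'Improper sensor cmd received' lines.

Added example, not part of sguil or of the mailing-list thread.
"""
import re

# File-header magics that a practitioner may see leak onto a text channel.
CAPTURE_MAGICS = {
    b"\xd4\xc3\xb2\xa1": "pcap, little-endian, microsecond timestamps",
    b"\xa1\xb2\xc3\xd4": "pcap, big-endian, microsecond timestamps",
    b"\x4d\x3c\xb2\xa1": "pcap, little-endian, nanosecond timestamps",
    b"\xa1\xb2\x3c\x4d": "pcap, big-endian, nanosecond timestamps",
    b"\x0a\x0d\x0d\x0a": "pcapng section header block",
}

# Both line shapes seen in the thread; only the first one names the socket.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) SGUILD: "
    r"(?:Sensor Cmd Unknown \((?P<sock>sock\d+)\): "
    r"|Error: Improper sensor cmd received: )"
    r"(?P<payload>.*)$"
)
# Assumed rendering of non-printable bytes: <HH> hex, #ooo octal.
ESCAPE_RE = re.compile(r"<([0-9A-Fa-f]{2})>|#([0-7]{3})")


def decode_rendered_bytes(payload):
    """Turn the logged text back into the bytes sguild actually received."""
    out = bytearray()
    i = 0
    while i < len(payload):
        m = ESCAPE_RE.match(payload, i)
        if m:
            out.append(int(m.group(1), 16) if m.group(1) else int(m.group(2), 8))
            i = m.end()
        else:
            out.extend(payload[i].encode("latin-1", "replace"))
            i += 1
    return bytes(out)


def classify_payload(payload):
    """('capture-file-header', desc), ('command', None) or ('garbage', None)."""
    raw = decode_rendered_bytes(payload.strip())
    for magic, desc in CAPTURE_MAGICS.items():
        if raw.startswith(magic):
            return "capture-file-header", desc
    if re.fullmatch(rb"[A-Za-z][A-Za-z0-9_]*(?: .*)?", raw):
        return "command", None  # a real command token, e.g. RawDataFile
    return "garbage", None


def triage(lines):
    """Walk log lines in order and return findings as dicts."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        host, sock, payload = m.group("host"), m.group("sock"), m.group("payload")
        kind, desc = classify_payload(payload)
        if kind == "command" and payload.startswith("RawDataFile") and "error writing" in payload:
            # Tcl's own error text rode along inside the command: the write
            # that failed on the agent side was to its stdout.
            findings.append({"host": host, "type": "agent-write-error", "detail": payload})
        elif kind == "capture-file-header" and sock:
            # The paired 'Improper sensor cmd' line repeats the same bytes
            # without the socket name, so only the socket-bearing line counts.
            findings.append({"host": host, "sock": sock,
                             "type": "capture-on-command-channel", "detail": desc})
    return findings


SAMPLE_LINES = [  # constructed from the lines quoted in the thread
    'Nov  4 14:49:00 plzfsiem04 SGUILD: Error: Improper sensor cmd received: '
    'RawDataFile 10.196.0.15:59567_107.20.198.79:443-6.raw 5 20588: '
    'error writing "stdout": I/O error',
    'Nov  4 14:49:00 bsdsguil01 SGUILD: Sensor Cmd Unknown (sock19): <D4><C3><B2><A1>#002',
    'Nov  4 14:49:00 bsdsguil01 SGUILD: Error: Improper sensor cmd received: <D4><C3><B2><A1>#002',
    'Nov  4 14:49:00 bsdsguil01 SGUILD: Sensor Cmd Unknown (sock19): ',
    'Nov  4 14:49:00 bsdsguil01 SGUILD: Error: Improper sensor cmd received: ',
    'Nov  4 14:49:00 bsdsguil01 SGUILD: Sensor Cmd Unknown (sock19): <C4>',
    'Nov  4 14:49:00 bsdsguil01 SGUILD: Error: Improper sensor cmd received: <C4>',
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_LINES):
        print(finding)
```

Run against the real sguild log (for example `triage(open("/var/log/sguild.log"))`, path assumed) and a "capture-on-command-channel" hit on a socket tells you which agent to restart and inspect, which matches the workaround reported in the thread of restarting pcap_agent.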
From: Nguyen V. D. <dun...@vc...> - 2015-04-14 07:14:54
Dear,

I checked back my system to fix it. And now my services pads, pads agent, snort, snort agent are running. But sguil still has problems:

1. When I start sancp_agent, I receive an alert:

[root@SVR080 ~]# service sancp_agent-SVR080 start
Starting sancp_agent-SVR080: [ OK ]
[root@SVR080 ~]# Error: can't read "MAX_COPY": no such variable
can't read "MAX_COPY": no such variable
    while executing
"if { $ACTIVE_COPY >= $MAX_COPY } { vwait ACTIVE_COPY }"
    (procedure "CheckForSancpFiles" line 29)
    invoked from within
"CheckForSancpFiles"
    ("after" script)

service sancp_agent-SVR080 status
SANCP agent for sensor SVR080 is DOWN

2. My barnyard has a lot of log in "/var/log/message":

Apr 14 12:18:12 SVR080 barnyard[4099]: Waiting 15 secs to try again.
Apr 14 12:18:27 SVR080 barnyard[4099]: Cannot connect to localhost on TCP port 7746.
Apr 14 12:18:27 SVR080 barnyard[4099]: Waiting 15 secs to try again.
Apr 14 12:18:42 SVR080 barnyard[4099]: Connected to localhost on 7746.
Apr 14 12:18:42 SVR080 barnyard[4099]: ERROR: Invalid packet length: 3626607104
Apr 14 12:18:42 SVR080 barnyard[4099]: FATAL ERROR: Read error
Apr 14 12:18:42 SVR080 barnyard[4099]: Exiting

So, my sguil still does not run. I hope for your reply. Thanks so much.

On Fri, Apr 10, 2015 at 7:00 PM, <sgu...@li...> wrote:
> Today's Topics:
>
>    1. Re: Need support for "Error : bad cell index.." on sguil
>       server - client (Bamm Visscher)
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Thu, 9 Apr 2015 10:40:15 -0400
> From: Bamm Visscher <bam...@gm...>
> Subject: Re: [Sguil-users] Need support for "Error : bad cell index.."
>         on sguil server - client
> To: Sguil <sgu...@li...>
> Message-ID: <CAC...@ma...>
> Content-Type: text/plain; charset="utf-8"
>
> The error is from the Sguil client and should not prevent you from viewing
> or receiving events. If you select "OK", the client should function as
> normal.
>
> In order to debug further, can you better describe what you were doing when
> the error occurred? Also, please send the full error output. You should be
> able to cut and paste the full text versus sending a screen shot.
>
> Bamm
>
> On Sat, Apr 4, 2015 at 3:38 AM, Nguyen Viet Dung <dun...@vc...> wrote:
> > Dear,
> > I'm a network administrator of a company in Viet Nam. I set up sguil to
> > monitor network security on the system which I administer.
> > So, I have an error warning:
> > " Error: bad cell index ",srcip": must be active, anchor, end, @x,y, or
> > row,col, where row must be active, anchor, end, top, bottom, a number, a
> > full key, or a name, and col must be active, anchor, end, left, right, a
> > number, or a name
> > bad cell index ",srcip": must be active, anchor, end, @x,y, or row,col,
> > where row must be active, anchor, end, top, bottom, a number, a full key,
> > or a name, and col must be active, anchor, end, left, right, a number, or a
> > name"
> >
> > Now, I can't see traffic, logs, etc. on sguil. I don't know this error; is
> > it from the sguil server? sguil client? or sguil sensor?
> > I hope for your reply. Thank you so much.
> >
> > PS: I sent you a figure which I shot from my monitor.
> >
> > --
> > VC Corporation.
> > Email: dun...@vc...
> > Mobile: 0988133013
> > Landline: 04.39743410 - Ext:248
> >
> > Address: 17th floor, VTCOnline tower, 18 Tam Trinh St, Hanoi.
> >
> > _______________________________________________
> > Sguil-users mailing list
> > Sgu...@li...
> > https://lists.sourceforge.net/lists/listinfo/sguil-users
>
> --
> sguil - The Analyst Console for NSM
> http://www.sguil.net
>
> End of Sguil-users Digest, Vol 82, Issue 2
> ******************************************

--
VC Corporation.
Email: dun...@vc...
Mobile: 0988133013
Landline: 04.39743410 - Ext:248
Address: 17th floor, VTCOnline tower, 18 Tam Trinh St, Hanoi.