List: security-onion
Subject: Re: [security-onion] only receiving system/cron logs for alerts
From: Heine Lysemose <lysemose () gmail ! com>
Date: 2015-05-29 18:28:51
Message-ID: CAN4C-Dkp+9WBQcdOeC1DGrnWUm996P+Qrqt80R1pM3JET5z-eg () mail ! gmail ! com
Okay, so this is a sensor installation.
Can you show me the output from sudo sostat-redacted on the server too?
Regards,
Lysemose
On May 29, 2015 20:23, "adrian fernandez" <ciscotech05@gmail.com> wrote:
> For the last item, here you go:
> sudo rule-update
> Backing up current local_rules.xml file.
> Cleaning up local_rules.xml backup files older than 30 days.
> Backing up current downloaded.rules file before it gets overwritten.
> Cleaning up downloaded.rules backup files older than 30 days.
> Backing up current local.rules file before it gets overwritten.
> Cleaning up local.rules backup files older than 30 days.
>
> local_rules.xml      0%    0      0.0KB/s   --:-- ETA
> local_rules.xml    100% 1735      1.7KB/s   00:00
> Copying rules from 10.55.56.158.
> downloaded.rules     0%    0      0.0KB/s   --:-- ETA
> downloaded.rules    13% 2992KB    2.9MB/s   00:06 ETA
> downloaded.rules    26% 5872KB    2.9MB/s   00:05 ETA
> downloaded.rules    44% 9888KB    3.0MB/s   00:04 ETA
> downloaded.rules    50%   11MB    2.8MB/s   00:03 ETA
> downloaded.rules    72%   16MB    3.0MB/s   00:01 ETA
> downloaded.rules    97%   21MB    3.3MB/s   00:00 ETA
> downloaded.rules   100%   22MB    3.6MB/s   00:06
> local.rules          0%    0      0.0KB/s   --:-- ETA
> local.rules        100% 5999      5.9KB/s   00:00
> sid-msg.map          0%    0      0.0KB/s   --:-- ETA
> sid-msg.map         69% 4560KB    4.5MB/s   00:00 ETA
> sid-msg.map        100% 6550KB    6.4MB/s   00:01
> threshold.conf       0%    0      0.0KB/s   --:-- ETA
> threshold.conf     100%  217KB  216.8KB/s   00:00
> bpf.conf           100%    0      0.0KB/s   00:00
> so_rules.rules     100%    0      0.0KB/s   00:00
> scp: /usr/local/lib/snort_dynamicrules/*: No such file or directory
> Restarting Barnyard2.
> Restarting: crewsstatebank-wauchula-so-ids-eth1
>   * stopping: barnyard2-1 (spooler, unified2 format)    [ OK ]
>   * starting: barnyard2-1 (spooler, unified2 format)    [ OK ]
> Restarting: crewsstatebank-wauchula-so-ids-eth2
>   * stopping: barnyard2-1 (spooler, unified2 format)    [ OK ]
>   * starting: barnyard2-1 (spooler, unified2 format)    [ OK ]
> Restarting: crewsstatebank-wauchula-so-ids-eth3
>   * stopping: barnyard2-1 (spooler, unified2 format)    [ OK ]
>   * starting: barnyard2-1 (spooler, unified2 format)    [ OK ]
> Restarting IDS Engine.
> Restarting: crewsstatebank-wauchula-so-ids-eth1
>   * stopping: snort-1 (alert data)    [ OK ]
>   * starting: snort-1 (alert data)    [ OK ]
> Restarting: crewsstatebank-wauchula-so-ids-eth2
>   * stopping: snort-1 (alert data)    [ OK ]
>   * starting: snort-1 (alert data)    [ OK ]
> Restarting: crewsstatebank-wauchula-so-ids-eth3
>   * stopping: snort-1 (alert data)    [ OK ]
>   * starting: snort-1 (alert data)    [ OK ]
>
> On Friday, May 29, 2015 at 1:31:50 PM UTC-4, Lysemose wrote:
> > Hi
> >
> > See my replies inline...
> >
> > In general I would encourage you to look through the basic documentation and see the videos Doug has posted...
> >
> > Regards,
> >
> > Lysemose
> >
> > On May 29, 2015 18:17, "adrian fernandez" <cisco...@gmail.com> wrote:
> > > Does your Bro data look fine? Can you search from ELSA?
> > > How do I check if my Bro data is good? How do I use ELSA to search?
> >
> > You can access the ELSA web interface from the SecurityOnion index page on the SecurityOnion server. From there you have links to the basic stuff.
> >
> > > Have you ever had any alerts from Snort?
> > > Yes
> >
> > From your sostat output your Snort output doesn't look very consistent. You have large gaps in the dates.
> >
> > > When did it stop working, any changes made at that time?
> > > It stopped working on 4/23/2015, and no changes have been made to this device.
> >
> > Have any changes been made to the SPAN port of the switch/router?
> >
> > > How are you getting your data, TAP or SPAN?
> > > SPAN
> >
> > Are you doing any filtering on the SPAN port?
> >
> > > Are you using any BPF filters on Snort?
> > > No
> >
> > > Are you using any thresholds, suppression, enablesid, disablesid configurations?
> > > How do I check this?
> >
> > You have those files under /etc/pulledpork/ if I remember correctly.
> >
> > > How many rules have you enabled in your downloaded.rules?
> >
> > Do you have Internet access from the server?
> >
> > Can you run sudo rule-update and post the output?
> >
> > > I do not see any rules enabled in there.
> >
> > > On Friday, May 29, 2015 at 5:39:19 AM UTC-4, Lysemose wrote:
> > > > Hi
> > > >
> > > > Your output looks fine from what I can see, but you could add some more RAM since you are swapping a tiny bit.
> > > >
> > > > Does your Bro data look fine? Can you search from ELSA?
> > > >
> > > > Have you ever had any alerts from Snort?
> > > > When did it stop working, any changes made at that time?
> > > > How are you getting your data, TAP or SPAN?
> > > >
> > > > Are you using any BPF filters on Snort?
> > > > Are you using any thresholds, suppression, enablesid, disablesid configurations?
> > > > How many rules have you enabled in your downloaded.rules?
> > > >
> > > > Regards,
> > > >
> > > > Lysemose
> > > >
> > > > On Thu, May 28, 2015 at 11:12 PM, adrian fernandez <cisco...@gmail.com> wrote:
> > > > Attached is the sostat output. Thanks.
> > > >
> > > > On Wednesday, May 27, 2015 at 1:36:24 PM UTC-4, Lysemose wrote:
> > > > > Hi
> > > > >
> > > > > Please run sudo sostat-redacted and attach the output here.
> > > > >
> > > > > Thanks,
> > > > >
> > > > > Lysemose
> > > > >
> > > > > On May 27, 2015 18:28, "adrian fernandez" <cisco...@gmail.com> wrote:
> > > > > Hey everyone,
> > > > >
> > > > > I have an SO IDS that is either picking up traffic and not sending the alerts to our syslog server (which I do not think is the case since we are getting syslogs from the server, just no ET POLICY alerts of any kind), or just not picking up/sniffing traffic at all. I tried a few things that have worked in the past for other IDS's that had the same issue, and so far nothing has worked:
> > > > >
> > > > > 1. restarted the IDS
> > > > > 2. sudo service nsm restart
> > > > > 3. sudo service syslog-ng restart
> > > > > 4. sudo apt-get update
> > > > > 5. sudo apt-get update && sudo apt-get dist-upgrade
> > > > > 6. sudo apt-get install --reinstall securityonion-pfring-module
> > > > > 7. ran sudo sostat | less to check on disk usage for logs, and I have plenty of space available. All services up and running.
> > > > >
> > > > > Trying to see what else I can look at to determine the cause of the issue. Any help would be appreciated.
> > > > >
> > > > > Thanks
> > > > >
> > > > > --
> > > > > You received this message because you are subscribed to the Google Groups "security-onion" group.
> > > > > To unsubscribe from this group and stop receiving emails from it, send an email to security-onio...@googlegroups.com.
> > > > > To post to this group, send email to securit...@googlegroups.com.
> > > > > Visit this group at http://groups.google.com/group/security-onion.
> > > > > For more options, visit https://groups.google.com/d/optout.
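The questions the thread keeps circling back to (are any rules enabled in downloaded.rules or local.rules, is anything suppressed in threshold.conf, is a BPF filter in place, is the SPAN port delivering packets at all) can all be checked with a short script. The following is an added example; it is not code from this thread or from the Security Onion project. It assumes the sensor keeps the files that rule-update copies from the server under /etc/nsm/rules/ (an assumption; set RULES_DIR if your install differs), and the rule and threshold files it writes are constructed samples, not real rule sets.

```shell
#!/bin/sh
# Added example, not from this thread or the Security Onion project: a read-only
# check for a sensor that stopped alerting. It answers the questions asked above
# (are any rules actually enabled, is anything suppressed in threshold.conf, is a
# BPF filter in place, is the SPAN port delivering packets at all).
# ASSUMPTION: the sensor keeps the files that rule-update copies from the server
# under /etc/nsm/rules/; override with RULES_DIR if your install differs.

RULE_ACTIONS='(alert|drop|log|pass|reject|sdrop)'

# grep -c prints 0 and exits 1 when nothing matches; treat that as a count of 0,
# and treat a missing file as 0 as well so the summary never aborts half-way.
count_matching() {
    if [ -r "$2" ]; then grep -cE "$1" "$2" || true; else echo 0; fi
}

# Active rules start with the action keyword; disabled rules carry a leading '#'.
count_enabled_rules()  { count_matching "^[[:space:]]*${RULE_ACTIONS}[[:space:]]" "$1"; }
count_disabled_rules() { count_matching "^[[:space:]]*#[[:space:]]*${RULE_ACTIONS}[[:space:]]" "$1"; }
# suppress/threshold/event_filter lines silence alerts even when rules are enabled.
count_suppressions()   { count_matching '^[[:space:]]*(suppress|threshold|event_filter)[[:space:]]' "$1"; }
# Any non-comment, non-blank line in bpf.conf restricts what Snort gets to see.
count_bpf_lines()      { count_matching '^[[:space:]]*[^#[:space:]]' "$1"; }

# Summarise one rules directory; returns 1 when no rule at all is enabled,
# because such a sensor cannot alert no matter what the SPAN port delivers.
check_sensor_rules() {
    rules_dir="$1"
    enabled=$(count_enabled_rules "$rules_dir/downloaded.rules")
    disabled=$(count_disabled_rules "$rules_dir/downloaded.rules")
    local_enabled=$(count_enabled_rules "$rules_dir/local.rules")
    suppressed=$(count_suppressions "$rules_dir/threshold.conf")
    bpf=$(count_bpf_lines "$rules_dir/bpf.conf")
    printf 'downloaded.rules: %s enabled, %s disabled\n' "$enabled" "$disabled"
    printf 'local.rules:      %s enabled\n' "$local_enabled"
    printf 'threshold.conf:   %s suppress/threshold/event_filter entries\n' "$suppressed"
    printf 'bpf.conf:         %s active filter lines\n' "$bpf"
    if [ "$((enabled + local_enabled))" -eq 0 ]; then
        echo 'WARNING: no enabled Snort rules; check enablesid/disablesid on the server'
        return 1
    fi
    return 0
}

# Read the kernel RX packet counter of a sniffing interface twice, a few seconds
# apart. A SPAN port that delivers nothing shows no increase. (Not exercised by
# the offline demo below, since it needs a real interface.)
interface_rx_delta() {
    stats="/sys/class/net/$1/statistics/rx_packets"
    [ -r "$stats" ] || { echo "interface $1 not found" >&2; return 2; }
    before=$(cat "$stats"); sleep "${2:-5}"; after=$(cat "$stats")
    echo "$((after - before))"
}

# Constructed sample files (not real rule sets) so the script can be tried offline:
# one enabled and two disabled rules, one local rule, one suppression, empty bpf.conf.
write_sample_files() {
    cat > "$1/downloaded.rules" <<'EOF'
# Constructed sample: one rule enabled, two commented out
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"ET POLICY sample rule A"; sid:9000001; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET POLICY sample rule B"; sid:9000002; rev:1;)
#alert udp any any -> any 53 (msg:"sample rule C"; sid:9000003; rev:1;)
EOF
    cat > "$1/local.rules" <<'EOF'
alert icmp any any -> $HOME_NET any (msg:"LOCAL sample ping"; sid:9000010; rev:1;)
EOF
    cat > "$1/threshold.conf" <<'EOF'
# Constructed sample threshold.conf
suppress gen_id 1, sig_id 9000001
EOF
    : > "$1/bpf.conf"
}

# With RULES_DIR set, inspect the real sensor; otherwise demonstrate on the sample.
if [ -n "${RULES_DIR:-}" ]; then
    check_sensor_rules "$RULES_DIR"
else
    demo_dir=$(mktemp -d)
    write_sample_files "$demo_dir"
    check_sensor_rules "$demo_dir"
    rm -rf "$demo_dir"
fi
```

On a sensor, run it as `RULES_DIR=/etc/nsm/rules sh sensor-check.sh`; a zero enabled count points back at the enablesid/disablesid configuration on the server (the /etc/pulledpork/ files mentioned above), while a non-zero count with no alerts is the cue to source the file and compare `interface_rx_delta eth1` against the other sniffing interfaces to see whether the SPAN port is feeding packets at all.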