
List:       security-onion
Subject:    Re: [security-onion] Re: Bro not produce notice.log
From:       Wes Lambert <wlambertts () gmail ! com>
Date:       2017-04-25 15:21:16
Message-ID: CAHjBB6EuU_iJ_FPc=4rmRvTuO=Y=2iSvRaO9xDZVFkPT3hS4xA () mail ! gmail ! com

Sorry, after re-reading the issue, it looks like I misspoke.  Looks like
your issue is not related to intel.log.  For the notice.log, try taking a
look at the following:

https://www.bro.org/documentation/faq.html#why-isn-t-bro-producing-the-logs-i-expect-a-note-about-checksums


http://mailman.icsi.berkeley.edu/pipermail/bro/2016-April/009803.html

Thanks,
Wes

On Tue, Apr 25, 2017 at 8:39 AM, Wes Lambert <wlambertts@gmail.com> wrote:

> Nikita,
> 
> You may want to try following the steps here:
> 
> https://groups.google.com/d/msg/security-onion/SjYZV6LnzH8/Q8Xsvfq-Z80J
> 
> You'll want to remove the extra commented lines (other than the header),
> so that you have just the header and your un-commented content.
> 
> Thanks,
> Wes
> 
> On Mon, Apr 24, 2017 at 6:23 AM, Nikita Bublikov <nikit6661@gmail.com> wrote:
> 
> > On Friday, April 21, 2017 at 20:29:59 UTC+3, theitgu...@gmail.com wrote:
> > > On Friday, April 21, 2017 at 9:38:40 AM UTC-4, Nikita Bublikov wrote:
> > > > On Thursday, April 20, 2017 at 16:11:47 UTC+3, Wes wrote:
> > > > > On Wednesday, April 19, 2017 at 8:34:12 AM UTC-4, Nikita Bublikov wrote:
> > > > > > Bro does not produce notice.log on the Security Onion sensor
> > > > > > 
> > > > > > I did everything as in this article, but it did not help:
> > > > > > http://mailman.icsi.berkeley.edu/pipermail/bro/2016-April/009803.html
> > > > > > 
> > > > > > But other logs, such as conn, dns, dhcp, weird, etc. exist in the
> > > > > > system.
> > > > > > 
> > > > > > Maybe you can help!?
> > > > > 
> > > > > Nikita,
> > > > > 
> > > > > Have you tried generating traffic, so that a notice would be produced?
> > > > > 
> > > > > Ex: https://www.bro.org/bro-workshop-2011/solutions/notices/
> > > > > 
> > > > > Thanks,
> > > > > Wes
> > > > 
> > > > Of course, my network generates traffic, and the sensor captures it and
> > > > sends it to the Security Onion master server. I see other logs in
> > > > /nsm/bro/logs/, but no notice.log.
> > > 
> > > I've had an issue similar to this before. My problem was that I had
> > > spaces in my intel.dat file. You might want to check to make sure. With
> > > the vi editor, just type :set list (it will show you spaces and tabs).
> > > 
> > > Also, check /nsm/bro/logs/current to see if there is a reporter.log
> > > file. If your problem is with your intel file, it should tell you.
> > 
> > Here are my reporter.log and intel.dat.
> > Do they look good?
> > 
> > --
> > Follow Security Onion on Twitter!
> > https://twitter.com/securityonion
> > ---
> > You received this message because you are subscribed to the Google Groups
> > "security-onion" group.
> > To unsubscribe from this group and stop receiving emails from it, send an
> > email to security-onion+unsubscribe@googlegroups.com.
> > To post to this group, send email to security-onion@googlegroups.com.
> > Visit this group at https://groups.google.com/group/security-onion.
> > For more options, visit https://groups.google.com/d/optout.
> > 
> 
> 

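An added example, not code from this thread or from Security Onion or Bro, that checks an intel file for the defects the thread describes: spaces where tabs belong, comment lines other than the #fields header, and rows whose column count does not match the header; it also renders a line the way vi's :set list shows it. The set of Intel::* indicator types, the file layout, and the sample files are assumptions.

```python
import sys
# Indicator types accepted by the Bro Intel framework (assumed from its docs).
KNOWN_TYPES = {"Intel::ADDR", "Intel::SUBNET", "Intel::URL", "Intel::SOFTWARE",
               "Intel::EMAIL", "Intel::DOMAIN", "Intel::USER_NAME",
               "Intel::FILE_HASH", "Intel::FILE_NAME", "Intel::CERT_HASH"}


def show_whitespace(line):
    """Render a line the way vi's ':set list' does: tabs as ^I, '$' at the end."""
    return line.replace("\t", "^I") + "$"


def validate_intel(text):
    """Return [(line_number, problem), ...]; an empty list means the file looks clean."""
    lines = text.splitlines()
    if not lines or not lines[0].startswith("#fields\t"):
        return [(1, "first line must be a tab-separated '#fields' header")]
    header = lines[0].split("\t")[1:]  # drop the '#fields' token itself
    if "indicator" not in header or "indicator_type" not in header:
        return [(1, "header must name 'indicator' and 'indicator_type'")]
    type_col = header.index("indicator_type")
    problems = []
    for n, line in enumerate(lines[1:], start=2):
        if line.startswith("#"):  # per the thread: only the header may be a comment
            problems.append((n, "comment line; only the #fields header may start with '#'"))
            continue
        if " \t" in line or "\t " in line or line != line.rstrip():
            problems.append((n, "stray whitespace next to a tab or at end of line"))
        cols = line.split("\t")
        if len(cols) != len(header):
            problems.append((n, f"{len(cols)} columns but header has {len(header)}"
                                " (a space where a tab should be?)"))
        elif cols[type_col] not in KNOWN_TYPES:
            problems.append((n, f"unknown indicator_type {cols[type_col]!r}"))
    return problems


# Constructed sample files: one clean, one with the defects the thread mentions.
GOOD = ("#fields\tindicator\tindicator_type\tmeta.source\tmeta.desc\n"
        "198.51.100.7\tIntel::ADDR\tconstructed\tdocumentation example host\n"
        "bad.example\tIntel::DOMAIN\tconstructed\tdocumentation example domain\n")
BAD = ("#fields\tindicator\tindicator_type\tmeta.source\tmeta.desc\n"
       "# this extra comment line is not allowed\n"
       "198.51.100.7 Intel::ADDR\tconstructed\tspace instead of a tab\n"
       "bad.example\tIntel::DOMAINS\tconstructed\ttypo in the type name\n")

if __name__ == "__main__":  # usage: python check_intel.py /path/to/intel.dat
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else BAD
    for n, problem in validate_intel(data):
        print(f"line {n}: {problem}")
```

Run it against the sensor's intel.dat; a clean file prints nothing, and anything reported is worth comparing with what reporter.log says.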

