List: security-onion
Subject: Re: [security-onion] Re: No forward node data in Kibana, but does show in squert
From: Dan Hoyle <dhoyle1 () gmail ! com>
Date: 2019-05-30 19:24:41
Message-ID: CAA1S6bdBM1K7d_m_deVb-NWG3YNWGEgsEJVhBNK91_UR6=7C_Q () mail ! gmail ! com
Ah okay, that makes sense. I ran tcpdump/netstat and don't see auto-ssh
traffic from the forward node, even after rerunning setup. The ssh -i
command you provided earlier still works and, as I mentioned, this was a
fully working forward node.

Any other ideas before I do a full re-install?

Dan
On Thu, May 30, 2019 at 9:11 AM Wes <wlambertts@gmail.com> wrote:
> On Wednesday, May 29, 2019 at 1:20:51 PM UTC-4, Dan Hoyle wrote:
> > Hi Wes,
> >
> > I ran tcpdump on both the forward node and master for TCP 6050 and I
> > don't see traffic on either. It seems the forward node isn't even
> > attempting to send out on that port. I only see established sessions on
> > TCP 7736, even after a reboot.
> >
> > I may have to try re-running setup on the forward node and starting over
> > with it.
> >
> > Dan
> >
> > On Wed, May 29, 2019 at 8:38 AM Wes Lambert <wlamb...@gmail.com> wrote:
> >
> > Hi Dan,
> >
> > Sguild has a dedicated port to receive alert data from forward nodes, so
> > that should explain why you are still seeing alerts. I am curious if there
> > is an issue with the syslog being sent from the forward node to Logstash,
> > port 6050 on the master. Are you able to run tcpdump on the master to
> > see if logs are being forwarded by syslog-ng from the forward node?
> >
> > Lastly, have you tried simply rebooting the forward node?
> >
> > Thanks,
> > Wes
> >
> > On Tue, May 28, 2019 at 10:49 AM Dan Hoyle <dho...@gmail.com> wrote:
> >
> > Hi Wes,
> >
> > I am sending Windows logs directly to the master using NXLog. These
> > Windows logs are working normally and creating indices on the storage node,
> > and I can search normally in Kibana. The issue seems to only be with logs
> > from the forward node, which is only spanned traffic.
> >
> > I assume logs from the forward node are getting to the master, as current
> > data is getting into Squert, and I admittedly don't know how that differs
> > from data getting into Kibana.
> >
> > Dan
> >
> > On Tue, May 28, 2019 at 10:20 AM Wes Lambert <wlamb...@gmail.com> wrote:
> >
> > Hi Dan,
> >
> > The only configs that should be using the direct event references
> > (instead of event.get/set) are a Windows config file and a Suricata config
> > file that aren't really used. I wonder if some of your Windows logs are
> > hitting the Windows config file and causing an issue. However, I'm not
> > sure how this would affect Bro indices not being created while others would
> > be created locally. Are you sending Windows logs directly to the storage
> > node, or to the master?
> >
> > Thanks,
> > Wes
> >
> > On Tue, May 28, 2019 at 9:20 AM Dan Hoyle <dho...@gmail.com> wrote:
> >
> > Hi Wes,
> >
> > Yes, the dates on the forward node Bro logs are current. I can 'tail -f'
> > the dns log, for example, and see current data being spanned from the switch.
> >
> > Syslog-ng is running on the forward node.
> >
> > I have confirmed with tcpdump and netstat that the forward node has
> > established connections with the master on TCP 7736.
> >
> > The ids indices are not being created on the storage node, which is also
> > what I am seeing with the Bro indices. The last date was the 23rd.
> >
> > The data in Squert is current and continually being updated with data
> > from the forward node.
> >
> > I am able to log into the master from the forward node without being prompted.
> >
> > I am still seeing a lot of the same errors in the storage node
> > Logstash: [ERROR][logstash.filters.ruby.......
> >
> > Thanks
> >
> > Dan
> >
> > On Tue, May 28, 2019 at 8:41 AM Wes Lambert <wlamb...@gmail.com> wrote:
> >
> > Hi Dan,
> >
> > Are the dates on the Bro logs on the forward node current?
> >
> > Is syslog-ng on the forward node running?
> >
> > Are you still receiving alert data from the forward node, and are ids
> > indices still being created?
> >
> > Are you able to log in to the master from the forward node by doing
> > something like the following, without being prompted for the password?
> >
> > sudo -i
> > ssh -i /root/.ssh/securityonion forwardnodeuser@masterserver
> >
> > Thanks,
> > Wes
> >
> > On Mon, May 27, 2019 at 2:34 PM Dan Hoyle <dho...@gmail.com> wrote:
> >
> > I also noticed that a new Bro index hasn't been created since the 23rd,
> > when I was having the initial issues:
> >
> > # curl -s localhost:9200/_cat/indices | grep open | grep bro
> >
> > green open logstash-bro-2019.05.16 4DdITMI6SM6nK9QHaA9TIQ 1 0 41502565 0 65.4gb 65.4gb
> > green open logstash-bro-2019.05.09 CTaGHVXeTxyczbKOPZdIzQ 1 0 16229158 0 25.4gb 25.4gb
> > green open logstash-bro-2019.05.17 HfysHUE_RNmtOkZk8vdMTQ 1 0 37917727 0 57.2gb 57.2gb
> > green open logstash-bro-2019.05.21 cFFSimKUTJS9P_71hmY4fg 1 0 31405226 0 48.6gb 48.6gb
> > green open logstash-bro-2019.05.13 OaB29-sCSmukrGTP6qtMfw 1 0 39185750 0 62.6gb 62.6gb
> > green open logstash-bro-2019.05.10 OgR9xfUBQESaNmrlli5YsQ 1 0 36041843 0 57.5gb 57.5gb
> > green open logstash-bro-2019.05.11 8VBD9H83Su-pkDAWr3MUFQ 1 0 26111610 0 42gb 42gb
> > green open logstash-bro-2019.05.23 MOf8qKlcR3-A0hcsflSEOA 1 0 2209695 0 3.4gb 3.4gb
> > green open logstash-bro-2019.05.14 ypUvaF-mThyXlHNhHKV8Ww 1 0 41099287 0 65.4gb 65.4gb
> > green open logstash-bro-2019.05.22 3363XGnDQJyK73xcwRLO6A 1 0 22173290 0 34.2gb 34.2gb
> > green open logstash-bro-2019.05.20 geSW3SRGTJCgxM9_aTcx9g 1 0 18756329 0 28.8gb 28.8gb
> > green open logstash-bro-2019.05.08 jWgn1wyKTDueE6RgLIamiQ 1 0 39007398 0 62.1gb 62.1gb
> > green open logstash-bro-2019.05.18 VGudMHoISCyIm1i8vk_qmg 1 0 24673989 0 38.1gb 38.1gb
> > green open logstash-bro-2019.05.12 77hcT2X3RA6vsuFzxirQJA 1 0 21770857 0 34.9gb 34.9gb
> > green open logstash-bro-2019.05.19 3vD4b_FrRQuuL31Z5F1JgA 1 0 19271902 0 29.6gb 29.6gb
> > green open logstash-bro-2019.05.15 BDiuGLyHTSyeutcOR3bvDQ 1 0 41110558 0 65.2gb 65.2gb
> >
> > Other indices such as syslog and windows are being created daily.
> >
> > Dan
> >
> > On Mon, May 27, 2019 at 1:09 PM Dan Hoyle <dho...@gmail.com> wrote:
> >
> > Hi,
> >
> > I am seeing a strange issue with forward node data not showing in
> > Kibana, but data from the same forward node is showing up in Squert. Other
> > data from the WEF server, DNS server, etc. is showing up in Kibana.
> >
> > This was an operating distributed environment. I did have an issue with
> > excessive load and found the redis queue on the master was increasing. I
> > was not seeing any data at all in Kibana. I was able to recover the
> > environment by running soup on the master, storage, and forward nodes, but
> > since then I am not able to see forward node data in Kibana.
> >
> > Forward Node:
> > - data is being stored in /nsm/bro/logs/current
> > - no errors in syslog
> > - auto-ssh status is normal
> >
> > Master Node:
> > - data is showing in Kibana for nxlog and syslog being sent directly to the master
> > - no apparent errors in Logstash
> > - redis queue value remains low as expected
> >
> > Storage Node:
> > - no issue with space
> > - so-status values are all OK
> > - I do however see the following error in Logstash:
> >
> > [ERROR][logstash.filters.ruby ] Ruby exception occurred: Direct event
> > field references (i.e. event['field']) have been disabled in favor of using
> > event get and set methods (e.g. event.get('field')). Please consult the
> > Logstash 5.0 breaking changes documentation for more details
> >
> > Thanks in advance
> >
> > Dan
> >
> Hi Dan,
>
> Keep in mind 6050 is on the local interface, and not the externally facing
> one. Syslog-ng forwards logs to Logstash through an AutoSSH tunnel to the
> local 6050 port on the master.
>
> Thanks,
> Wes
>
--
Follow Security Onion on Twitter!
https://twitter.com/securityonion
---
You received this message because you are subscribed to the Google Groups "security-onion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to security-onion+unsubscribe@googlegroups.com.
To post to this group, send email to security-onion@googlegroups.com.
Visit this group at https://groups.google.com/group/security-onion.
To view this discussion on the web visit https://groups.google.com/d/msgid/security-onion/CAA1S6bdBM1K7d_m_deVb-NWG3YNWGEgsEJVhBNK91_UR6%3D7C_Q%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.
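An added diagnostic helper for the checks discussed in this thread; it is not Security Onion's own tooling and was not posted by either participant. It parses a `_cat/indices` listing like Dan's to report how stale the newest logstash-bro index is, and inspects a `netstat -tln` listing for the loopback-only 6050 listener Wes described, so the check is made where the AutoSSH tunnel terminates rather than on the external interface where tcpdump will never see it. All function names and both sample listings are constructed here; the assumptions are that Elasticsearch answers on localhost:9200 and the Logstash syslog input binds 127.0.0.1:6050 on the master.

```shell
#!/bin/sh
# Added helper for the thread above (not part of Security Onion).
# Assumptions: Logstash's syslog input listens on 127.0.0.1:6050 on the
# master (per Wes), Elasticsearch is on localhost:9200, and daily Bro
# indices are named logstash-bro-YYYY.MM.DD.

# Print the newest logstash-bro-* date (YYYY.MM.DD) from `_cat/indices`
# output on stdin; prints nothing when no such index is open.
latest_bro_index_date() {
    awk '$2 == "open" && $3 ~ /^logstash-bro-[0-9]+\.[0-9]+\.[0-9]+$/ {
             n = split($3, p, "-"); d = p[n]
             if (d > max) max = d        # fixed-width dates sort as strings
         }
         END { if (max != "") print max }'
}

# Gregorian YYYY.MM.DD -> Julian day number, so dates can be subtracted
# without depending on GNU date(1) extensions.
julian_day() {
    echo "$1" | awk -F. '{
        y = $1 + 0; m = $2 + 0; d = $3 + 0
        if (m <= 2) { y--; m += 12 }
        a = int(y / 100); b = 2 - a + int(a / 4)
        print int(365.25 * (y + 4716)) + int(30.6001 * (m + 1)) + d + b - 1524
    }'
}

# Whole days from $1 to $2 (both YYYY.MM.DD).
days_between() {
    echo $(( $(julian_day "$2") - $(julian_day "$1") ))
}

# Read `netstat -tln` style output on stdin; succeed (0) if a socket is
# LISTENing on 127.0.0.1:<port>, fail (1) otherwise. That loopback listener
# is the tunnel endpoint syslog-ng from the forward node lands on, which is
# why tcpdump on the external interface shows nothing for 6050.
has_local_listener() {
    awk -v want="127.0.0.1:$1" '$4 == want && $6 == "LISTEN" { found = 1 }
                                END { exit found ? 0 : 1 }'
}

# Report the newest Bro index and its age; $1 = today (YYYY.MM.DD),
# index listing on stdin. Returns 0 only if an index is at most a day old.
bro_index_report() {
    newest=$(latest_bro_index_date)
    if [ -z "$newest" ]; then
        echo "no open logstash-bro-* index found"; return 2
    fi
    age=$(days_between "$newest" "$1")
    echo "newest logstash-bro index: $newest ($age day(s) old)"
    [ "$age" -le 1 ]
}

# Constructed sample listing, shortened from the one Dan posted, with one
# constructed non-Bro index that must be ignored.
SAMPLE_INDICES='green open logstash-bro-2019.05.16 4DdITMI6SM6nK9QHaA9TIQ 1 0 41502565 0 65.4gb 65.4gb
green open logstash-bro-2019.05.23 MOf8qKlcR3-A0hcsflSEOA 1 0 2209695 0 3.4gb 3.4gb
green open logstash-syslog-2019.05.30 constructedUUID0000000 1 0 1000 0 1mb 1mb
green open logstash-bro-2019.05.09 CTaGHVXeTxyczbKOPZdIzQ 1 0 16229158 0 25.4gb 25.4gb'

# Constructed `netstat -tln` excerpt for a master whose tunnel endpoint is up.
SAMPLE_NETSTAT='tcp        0      0 127.0.0.1:6050          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:7736            0.0.0.0:*               LISTEN'

if [ "${1:-}" = "--live" ]; then
    # Run this on the master itself.
    curl -s localhost:9200/_cat/indices | bro_index_report "$(date +%Y.%m.%d)"
    if netstat -tln | has_local_listener 6050; then
        echo "Logstash syslog input is listening on 127.0.0.1:6050"
    else
        echo "nothing listening on 127.0.0.1:6050 - check Logstash on the master"
    fi
elif [ "${1:-}" = "--demo" ]; then
    echo "$SAMPLE_INDICES" | bro_index_report 2019.05.30 || echo "Bro indices are stale"
    echo "$SAMPLE_NETSTAT" | has_local_listener 6050 && echo "tunnel endpoint is up"
fi
```

With `--demo` the sample data reproduces Dan's situation (newest Bro index 2019.05.23, seven days stale on May 30) while the loopback listener check passes, which is the combination that points at the tunnel or syslog-ng path rather than at Logstash itself.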