This repository has been archived by the owner on Apr 16, 2021. It is now read-only.
Help
doug edited this page Aug 27, 2019
·
14 revisions
Please note! This wiki is no longer maintained. Our documentation has moved to https://securityonion.net/docs/. Please update your bookmarks. You can find the latest version of this page at: https://securityonion.net/docs/Help.
- Are you running the latest version of Security Onion?
- Check the FAQ.
- Search the Security Onion Mailing List.
- Search the documentation and mailing lists of the tools contained within Security Onion: Tools
- Run
sostatfor some diagnostics:
sudo sostat | less
- If any of the NSM processes show up as failed, try restarting them:
sudo service nsm restart
-
Check log files in
/var/log/nsm/or other locations for any errors or possible clues:- Setup
/var/log/nsm/sosetup.log - Daily Log / PCAPs
/nsm/sensor_data/{ HOSTNAME-INTERFACE }/dailylogs - sguil
/var/log/nsm/securityonion/sguild.log - Suricata
/var/log/nsm/{ HOSTNAME-INTERFACE }/suricata.log - barnyard2
/var/log/nsm/ { HOSTNAME-INTERFACE }/barnyard2.log - netsniff-ng
/var/log/nsm/{ HOSTNAME-INTERFACE }/netsniff-ng.log - ELSA
/nsm/elsa/data/elsa/log/node.log - Bro
/nsm/bro/logs/current - snort_agent
/var/log/nsm/{ HOSTNAME-INTERFACE }/snort_agent.log - argus
/var/log/nsm/{ HOSTNAME-INTERFACE }/argus.log - http_agent
/var/log/nsm/{ HOSTNAME-INTERFACE }/http_agent.log - pads_agent
/var/log/nsm/{ HOSTNAME-INTERFACE }/pads_agent.log - prads_agent
/var/log/nsm/{ HOSTNAME-INTERFACE }/prads.log - sancp_agent
/var/log/nsm/{ HOSTNAME-INTERFACE }/sancp_agent.log - Elasticsearch
/var/log/elasticsearch/<hostname>.log - Kibana
/var/log/kibana/kibana.log - Logstash
/var/log/logstash/logstash.log - Elastalert
/var/log/elastalert/elastalert_stderr.log
- Setup
-
If this is a sensor sending alerts to master server, is autossh running?
pgrep -lf autossh
- Having trouble with MySQL? Check all databases to see if any tables are are marked as crashed or corrupt.
sudo mysqlcheck -A
- Check specific MySQL databases by running something similar to the following:
sudo mysqlcheck -c securityonion_db
- Are you able to duplicate the problem on a fresh Security Onion installation?
- Check the Roadmap to see if this is a known issue that we are working on.
- If all else fails, please send an email to our security-onion mailing list.
- Need training or commercial support? https://www.securityonionsolutions.com
- Introduction
- Use Cases
- Hardware Requirements
- Release Notes
- Download/Install
- Booting Issues
- After Installation
- UTC and Time Zones
- Services
- VirtualBox Walkthrough
- VMWare Walkthrough
- Videos
- Architecture
- Cheat Sheet
- Conference
- Elastic Stack
- Elastic Architecture
- Elasticsearch
- Logstash
- Kibana
- ElastAlert
- Curator
- FreqServer
- DomainStats
- Docker
- Redis
- Data Fields
- Beats
- Pre-Releases
- ELSA to Elastic
- Network Configuration
- Proxy Configuration
- Firewall/Hardening
- Email Configuration
- Integrating with other systems
- Changing IP Addresses
- NTP
- Managing Alerts
- Managing Rules
- Adding Local Rules
- Disabling Processes
- Filtering with BPF
- Adjusting PF_RING for traffic
- MySQL Tuning
- Adding a new disk
- High Performance Tuning
- Trimming PCAPs