Help

Doug Burks edited this page Jul 3, 2016 · 10 revisions
Clone this wiki locally

Having problems? Try the suggestions below.

sudo sostat | less
  • If any of the NSM processes show up as failed, try restarting them:
sudo service nsm restart
  • Check log files in /var/log/nsm/ or other locations for any errors or possible clues:

    • Setup /var/log/nsm/sosetup.log
    • Daily Log / PCAPs /nsm/sensor_data/{ HOSTNAME-INTERFACE }/dailylogs
    • sguil /var/log/nsm/securityonion/sguild.log
    • Suricata /var/log/nsm/{ HOSTNAME-INTERFACE }/suricata.log
    • barnyard2 /var/log/nsm/ { HOSTNAME-INTERFACE }/barnyard2.log
    • netsniff-ng /var/log/nsm/{ HOSTNAME-INTERFACE }/netsniff-ng.log
    • ELSA /nsm/elsa/data/elsa/log/node.log
    • Bro /nsm/bro/logs/current
    • snort_agent /var/log/nsm/{ HOSTNAME-INTERFACE }/snort_agent.log
    • argus /var/log/nsm/{ HOSTNAME-INTERFACE }/argus.log
    • http_agent /var/log/nsm/{ HOSTNAME-INTERFACE }/http_agent.log
    • pads_agent /var/log/nsm/{ HOSTNAME-INTERFACE }/pads_agent.log
    • prads_agent /var/log/nsm/{ HOSTNAME-INTERFACE }/prads.log
    • sancp_agent /var/log/nsm/{ HOSTNAME-INTERFACE }/sancp_agent.log
  • If this is a sensor sending alerts to master server, is autossh running?
pgrep -lf autossh
  • Having trouble with MySQL? Check all databases to see if any tables are are marked as crashed or corrupt.
sudo mysqlcheck -A
  • Check specific MySQL databases by running something similar to the following:
sudo mysqlcheck -c securityonion_db