weslambert edited this page Apr 18, 2018 · 12 revisions

Having problems? Try the suggestions below.

  • Check the output of sostat for anything that looks wrong:
sudo sostat | less
  • If any of the NSM processes show up as failed, try restarting them:
sudo service nsm restart
  • Check log files in /var/log/nsm/ or other locations for any errors or possible clues:

    • Setup /var/log/nsm/sosetup.log
    • Daily Log / PCAPs /nsm/sensor_data/{ HOSTNAME-INTERFACE }/dailylogs
    • sguil /var/log/nsm/securityonion/sguild.log
    • Suricata /var/log/nsm/{ HOSTNAME-INTERFACE }/suricata.log
    • barnyard2 /var/log/nsm/{ HOSTNAME-INTERFACE }/barnyard2.log
    • netsniff-ng /var/log/nsm/{ HOSTNAME-INTERFACE }/netsniff-ng.log
    • ELSA /nsm/elsa/data/elsa/log/node.log
    • Bro /nsm/bro/logs/current
    • snort_agent /var/log/nsm/{ HOSTNAME-INTERFACE }/snort_agent.log
    • argus /var/log/nsm/{ HOSTNAME-INTERFACE }/argus.log
    • http_agent /var/log/nsm/{ HOSTNAME-INTERFACE }/http_agent.log
    • pads_agent /var/log/nsm/{ HOSTNAME-INTERFACE }/pads_agent.log
    • prads_agent /var/log/nsm/{ HOSTNAME-INTERFACE }/prads.log
    • sancp_agent /var/log/nsm/{ HOSTNAME-INTERFACE }/sancp_agent.log
    • Elasticsearch /var/log/elasticsearch/<hostname>.log
    • Kibana /var/log/kibana/kibana.log
    • Logstash /var/log/logstash/logstash.log
    • Elastalert /var/log/elastalert/elastalert_stderr.log
  • If this is a sensor sending alerts to the master server, is autossh running?
pgrep -lf autossh
  • Having trouble with MySQL? Check all databases to see if any tables are marked as crashed or corrupt.
sudo mysqlcheck -A
  • Check specific MySQL databases by running something similar to the following:
sudo mysqlcheck -c securityonion_db
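The log locations listed above can be swept in one pass. The script below is an added example, not part of the Security Onion wiki or project; it assumes the directory layout from the list, takes the base directory as a parameter so it can run on /var/log/nsm or on a copy pulled from a sensor, and the sample tree it builds is constructed.

```shell
#!/bin/sh
# Sweep the Security Onion log locations listed above for lines that look like errors.
# The base directory is a parameter (assumption: layout matches the list above),
# so the same function runs on /var/log/nsm or on a copy pulled from a sensor.
# Per-sensor logs found under {BASE}/{HOSTNAME-INTERFACE}/
SENSOR_LOGS="suricata.log barnyard2.log netsniff-ng.log snort_agent.log \
argus.log http_agent.log pads_agent.log prads.log sancp_agent.log"

# Count lines matching error/fatal/fail (case-insensitive); print nothing if none.
count_errors() {
  f="$1"
  [ -f "$f" ] || return 0
  n=$(grep -ciE 'error|fatal|fail' "$f" || true)
  [ "$n" -gt 0 ] && printf '%s: %s\n' "$f" "$n"
  return 0
}

# Print "<file>: <count>" for every listed log that contains error lines.
report_nsm_errors() {
  base="$1"
  # sosetup.log and sguild.log live outside the per-sensor directories
  for f in "$base/sosetup.log" "$base/securityonion/sguild.log"; do
    count_errors "$f"
  done
  for dir in "$base"/*-*/; do
    [ -d "$dir" ] || continue
    for name in $SENSOR_LOGS; do count_errors "$dir$name"; done
  done
}

# Total error lines across everything report_nsm_errors finds (0 if none).
nsm_error_total() {
  report_nsm_errors "$1" | awk -F': ' '{ s += $NF } END { print s + 0 }'
}

# Constructed sample tree (not real sensor output) so the script runs offline.
make_sample_tree() {
  d=$(mktemp -d)
  mkdir -p "$d/securityonion" "$d/sensor1-eth1"
  printf 'sguild started\n' > "$d/securityonion/sguild.log"
  printf 'Notice: ok\nERROR: could not open pcap\n<Error> loading rules\n' \
    > "$d/sensor1-eth1/suricata.log"
  printf 'barnyard2 FATAL ERROR: waldo file\n' > "$d/sensor1-eth1/barnyard2.log"
  echo "$d"
}

# Demo on the constructed tree; on a sensor run: report_nsm_errors /var/log/nsm
SAMPLE=$(make_sample_tree)
report_nsm_errors "$SAMPLE"
rm -rf "$SAMPLE"
```

Run it as root on a sensor, since the per-sensor directories under /var/log/nsm are not world-readable by default.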