elsa questions


coriumintl

Oct 8, 2013, 3:10:56 PM
to securit...@googlegroups.com
I'm having trouble getting basic results.

When I log in to ELSA it reports the following:

1 node(s) with 94868.0 logs indexed and 594542.0 archived

I have 3 sensors and 1 server, so shouldn't I have 3 nodes?

Thanks for the assistance!

Doug Burks

Oct 8, 2013, 3:34:15 PM
to securit...@googlegroups.com
When you ran Setup on the sensors, did you select the option to update
Apache on the ELSA server?

What is the output of the following?

grep elsa_node /etc/elsa_web.conf /etc/hosts

nc localhost 50000

nc localhost 50001

nc localhost 50002

nc localhost 50003

nc localhost 50004

nc localhost 50005

--
Doug Burks
http://securityonion.blogspot.com

coriumintl

Oct 9, 2013, 7:47:20 AM
to securit...@googlegroups.com
I remember telling each sensor's setup to update the ELSA server; however, grepping the hosts file returns nothing.


xxxxx@GRITSVR29:~$ nc localhost 50000
[
5.5.32-0ubuntu0.12.04.1ë$RQ!L=-gÿ@I0R/1FM1Mndmysql_native_password^C
xxxxx@GRITSVR29:~$ nc localhost 50001
J
2.0.7-id64-dev (rel20-r373!)
PuTTYPuTTY^C
xxxxx@GRITSVR29:~$ nc localhost 50002
[
5.5.32-0ubuntu0.12.04.1±!736X6E7ÿ%PEHyI@Dr6S~mysql_native_password^C
xxxxx@GRITSVR29:~$ nc localhost 50003
J
2.0.7-id64-dev (rel20-r373!)
PuTTYPuTTY^C
xxxxx@GRITSVR29:~$ nc localhost 50004
[
5.5.32-0ubuntu0.12.04.1-æZvds6Qv}ÿ3"QR'hYdkkZ]mysql_native_password^C
cmg_admin@GRITSVR29:~$ nc localhost 50005
J
2.0.7-id64-dev (rel20-r373!)
PuTTYPuTTY^C
xxxxx@GRITSVR29:~$ grep elsa_node /etc/elsa_web.conf /etc/hosts
xxxxx@GRITSVR29:~$

Doug Burks

Oct 9, 2013, 7:49:20 AM
to securit...@googlegroups.com
Please run the following on the SERVER:

sudo securityonion_elsa_register.rb -f

grep elsa_node_ /etc/elsa_web.conf /etc/hosts

sudo service apache2 restart

Ben Wright

Oct 9, 2013, 7:54:05 AM
to securit...@googlegroups.com
xxxx@GRITSVR29:~$ sudo securityonion_elsa_register.rb -f
[sudo] password for xxxx:
xxxx @GRITSVR29:~$ grep elsa_node_ /etc/elsa_web.conf /etc/hosts
/etc/elsa_web.conf: "elsa_node_001": {
/etc/elsa_web.conf: "elsa_node_002": {
/etc/elsa_web.conf: "elsa_node_003": {
/etc/hosts:127.0.0.1 elsa_node_001 elsa_node_002 elsa_node_003
xxxx @GRITSVR29:~$ sudo service apache2 restart
* Restarting web server apache2
apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1 for ServerName
[Wed Oct 09 11:50:18 2013] [warn] NameVirtualHost localhost:3154 has no VirtualHosts
... waiting apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1 for ServerName
[Wed Oct 09 11:50:19 2013] [warn] NameVirtualHost localhost:3154 has no VirtualHosts

[ OK ]

Now ELSA reports: 4 node(s) with 44.1 million logs indexed and 132.3
million archived and I'm getting results when I query now!

I must be in the same boat with the failing to register nodes bit then?
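The registration check from this exchange (node keys present in /etc/elsa_web.conf, each name resolvable through /etc/hosts, and the node count matching the number of sensors), scripted as an added example. This is not part of Security Onion or ELSA; the sample files it builds are constructed stand-ins, and the conf layout is simplified to the node keys the grep output shows.

```shell
#!/bin/sh
# Added diagnostic (not part of Security Onion or ELSA): automates the two
# greps from the thread. It lists every "elsa_node_NNN" key in elsa_web.conf,
# checks that each name resolves via /etc/hosts, and compares the count with
# the number of sensors expected to be registered. ELSA's "N node(s)" banner
# also counts the server's own local node, so 3 registered sensors show as 4.

check_elsa_nodes() {
    conf="$1"; hosts="$2"; expected="$3"
    # node keys appear quoted in the conf, e.g.   "elsa_node_001": {
    nodes=$(grep -o '"elsa_node_[0-9]*"' "$conf" | tr -d '"' | sort -u)
    found=0; bad=0
    for n in $nodes; do
        found=$((found + 1))
        # whole-word match on uncommented /etc/hosts lines
        if grep -v '^[[:space:]]*#' "$hosts" | grep -qw "$n"; then
            echo "ok $n"
        else
            echo "MISSING-HOSTS $n"
            bad=$((bad + 1))
        fi
    done
    echo "registered=$found expected=$expected unresolved=$bad"
    # success only when every expected sensor is registered and resolvable
    [ "$found" -eq "$expected" ] && [ "$bad" -eq 0 ]
}

# Constructed sample files standing in for /etc/elsa_web.conf and /etc/hosts
# (simplified: only the node keys matter to the check). Prints the directory.
make_samples() {
    d=$(mktemp -d)
    # state before securityonion_elsa_register.rb -f: no nodes registered
    printf '{\n}\n' > "$d/empty.conf"
    cat > "$d/ok.conf" <<'EOF'
{
    "elsa_node_001": { "note": "constructed sample" },
    "elsa_node_002": { "note": "constructed sample" },
    "elsa_node_003": { "note": "constructed sample" }
}
EOF
    printf '127.0.0.1 localhost\n127.0.0.1 elsa_node_001 elsa_node_002 elsa_node_003\n' > "$d/hosts"
    printf '127.0.0.1 localhost\n127.0.0.1 elsa_node_001 elsa_node_002\n' > "$d/hosts_missing"
    echo "$d"
}

# On a real ELSA server with three sensors:
#   check_elsa_nodes /etc/elsa_web.conf /etc/hosts 3
```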


Doug Burks

Oct 9, 2013, 8:13:34 AM
to securit...@googlegroups.com
When you ran Setup on the sensor and it prompted you for an SSH
account on the server, did that account have sudo privileges?

Ben Wright

Oct 9, 2013, 8:18:24 AM
to securit...@googlegroups.com
Grepping the respective histories says I used sudo on all my sensors when
running sosetup. I do X11 forwarding to my analysis VM on them since
they are remote for me.

Doug Burks

Oct 9, 2013, 8:22:13 AM
to securit...@googlegroups.com
That's not what I mean.

After running "sudo sosetup" and selecting "Advanced Setup" and
"Sensor", it should prompt you for address/hostname of the SERVER and
then ask you for a user account on the SERVER that it can use to
establish the autossh tunnel AND do initial configuration of the
SERVER using sudo privileges. Did that account have sudo privileges?
If not, then securityonion_elsa_register.rb would have failed during
Setup.

Ben Wright

Oct 9, 2013, 8:24:29 AM
to securit...@googlegroups.com
Oh yeah, that account does have sudo privileges.

Doug Burks

Oct 9, 2013, 8:29:59 AM
to securit...@googlegroups.com
To clarify, does that account have sudo privileges on the SERVER? To
confirm, please run the following command on the SERVER:
getent group sudo

Does the ssh username appear in the group sudo?

Ben Wright

Oct 9, 2013, 8:31:09 AM
to securit...@googlegroups.com
Yes, on the server. I'm bad and don't make unique accounts on the server
per sensor...

Doug Burks

Oct 9, 2013, 8:46:01 AM
to securit...@googlegroups.com
Another thing that Setup does on the SERVER using sudo privileges is
create symbolic links for sensor rules. Please run the following
(replacing HOSTNAME-INTERFACE with the actual HOSTNAME and INTERFACE
of your new sensor):

ls -alh /nsm/server_data/securityonion/rules/ |grep -i HOSTNAME-INTERFACE

Did the symbolic links get created properly?

Ben Wright

Oct 9, 2013, 8:48:17 AM
to securit...@googlegroups.com
Does this look correct? Those are my 3 sensors.


xxxxx@GRITSVR29:~$ ls -la /nsm/server_data/securityonion/rules/
total 12
drwxrwxr-x 3 sguil sguil 4096 Sep 18 17:41 .
drwxrwxr-x 5 sguil sguil 4096 Sep 3 13:58 ..
lrwxrwxrwx 1 root root 14 Sep 3 13:58 default -> /etc/nsm/rules
lrwxrwxrwx 1 root root 14 Sep 3 14:19 GRITSVR26-eth1 -> /etc/nsm/rules
lrwxrwxrwx 1 root root 14 Sep 3 14:19 GRITSVR26-eth1-1 -> /etc/nsm/rules
lrwxrwxrwx 1 root root 14 Sep 3 14:19 GRITSVR26-eth1-2 -> /etc/nsm/rules
lrwxrwxrwx 1 root root 14 Sep 18 17:41 GRITSVR27-eth0 -> /etc/nsm/rules
lrwxrwxrwx 1 root root 14 Sep 18 17:41 GRITSVR27-eth0-1 -> /etc/nsm/rules
lrwxrwxrwx 1 root root 14 Sep 18 17:41 GRITSVR27-eth0-2 -> /etc/nsm/rules
lrwxrwxrwx 1 root root 14 Sep 3 14:39 GRITSVR33-eth3 -> /etc/nsm/rules
lrwxrwxrwx 1 root root 14 Sep 3 14:39 GRITSVR33-eth3-1 -> /etc/nsm/rules
lrwxrwxrwx 1 root root 14 Sep 3 14:39 GRITSVR33-eth3-2 -> /etc/nsm/rules
drwxr-xr-x 2 root root 4096 Sep 3 13:58 NULL

Doug Burks

Oct 9, 2013, 8:52:52 AM
to securit...@googlegroups.com
As long as that includes all sensors and interfaces, then that should
be correct.