Re: [security-onion] Sguil refuses to start


Doug Burks

Feb 16, 2016, 4:25:33 PM
to securit...@googlegroups.com
Hi Danny,

Did you have a power outage or other ungraceful shutdown?

Have you tried "sudo sguil-db-purge"?

Once you get the database back up and running, you'll want to review
our Best Practices page:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Best-Practices

On Tue, Feb 16, 2016 at 3:35 PM, Danny Stephens <syc...@gmail.com> wrote:
> Around 4 am local, sguil stopped.
> I have checked every file and log, with nothing.
> I also checked the MySQL db; everything comes back "ok".
> Any help would be greatly appreciated.
>
> this is SOSTAT-redacted
>
> =========================================================================
> Service Status
> =========================================================================
> Status: securityonion
> * SO-user server[ FAIL ]
> * stale PID file found, process will be restarted at the next 5-minute interval!
> Status: HIDS
> * ossec_agent (SO-user)[ OK ]
>
> =========================================================================
> Interface Status
> =========================================================================
> eth0 Link encap:Ethernet HWaddr MM:MM:MM:MM:MM:MM
> UP BROADCAST NOARP PROMISC MULTICAST MTU:1500 Metric:1
> RX packets:0 errors:0 dropped:0 overruns:0 frame:0
> TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:1000
> RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
>
> eth1 Link encap:Ethernet HWaddr MM:MM:MM:MM:MM:MM
> UP BROADCAST NOARP PROMISC MULTICAST MTU:1500 Metric:1
> RX packets:0 errors:0 dropped:0 overruns:0 frame:0
> TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:1000
> RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
>
> eth2 Link encap:Ethernet HWaddr MM:MM:MM:MM:MM:MM
> UP BROADCAST NOARP PROMISC MULTICAST MTU:1500 Metric:1
> RX packets:0 errors:0 dropped:0 overruns:0 frame:0
> TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:1000
> RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
>
> eth3 Link encap:Ethernet HWaddr MM:MM:MM:MM:MM:MM
> inet addr:X.X.X.X Bcast:X.X.X.X Mask:X.X.X.X
> inet6 addr: X.X.X.X/64 Scope:Link
> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
> RX packets:73587 errors:0 dropped:0 overruns:0 frame:0
> TX packets:82407 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:1000
> RX bytes:7273490 (7.2 MB) TX bytes:62002547 (62.0 MB)
>
> eth4 Link encap:Ethernet HWaddr MM:MM:MM:MM:MM:MM
> UP BROADCAST NOARP PROMISC MULTICAST MTU:1500 Metric:1
> RX packets:0 errors:0 dropped:0 overruns:0 frame:0
> TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:1000
> RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
> Memory:c7600000-c7700000
>
> eth5 Link encap:Ethernet HWaddr MM:MM:MM:MM:MM:MM
> UP BROADCAST NOARP PROMISC MULTICAST MTU:1500 Metric:1
> RX packets:0 errors:0 dropped:0 overruns:0 frame:0
> TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:1000
> RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
> Memory:c7500000-c7600000
>
> lo Link encap:Local Loopback
> inet addr:X.X.X.X Mask:X.X.X.X
> inet6 addr: X.X.X.X/128 Scope:Host
> UP LOOPBACK RUNNING MTU:65536 Metric:1
> RX packets:8998 errors:0 dropped:0 overruns:0 frame:0
> TX packets:8998 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:0
> RX bytes:1013855 (1.0 MB) TX bytes:1013855 (1.0 MB)
>
>
> =========================================================================
> Link Statistics
> =========================================================================
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
> link/loopback MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
> RX: bytes packets errors dropped overrun mcast
> 1013855 8998 0 0 0 0
> RX errors: length crc frame fifo missed
> 0 0 0 0 0
> TX: bytes packets errors dropped carrier collsns
> 1013855 8998 0 0 0 0
> TX errors: aborted fifo window heartbeat
> 0 0 0 0
> 2: eth0: <NO-CARRIER,BROADCAST,MULTICAST,NOARP,PROMISC,UP> mtu 1500 qdisc mq state DOWN qlen 1000
> link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
> RX: bytes packets errors dropped overrun mcast
> 0 0 0 0 0 0
> RX errors: length crc frame fifo missed
> 0 0 0 0 0
> TX: bytes packets errors dropped carrier collsns
> 0 0 0 0 0 0
> TX errors: aborted fifo window heartbeat
> 0 0 0 0
> 3: eth1: <NO-CARRIER,BROADCAST,MULTICAST,NOARP,PROMISC,UP> mtu 1500 qdisc mq state DOWN qlen 1000
> link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
> RX: bytes packets errors dropped overrun mcast
> 0 0 0 0 0 0
> RX errors: length crc frame fifo missed
> 0 0 0 0 0
> TX: bytes packets errors dropped carrier collsns
> 0 0 0 0 0 0
> TX errors: aborted fifo window heartbeat
> 0 0 0 0
> 4: eth2: <NO-CARRIER,BROADCAST,MULTICAST,NOARP,PROMISC,UP> mtu 1500 qdisc mq state DOWN qlen 1000
> link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
> RX: bytes packets errors dropped overrun mcast
> 0 0 0 0 0 0
> RX errors: length crc frame fifo missed
> 0 0 0 0 0
> TX: bytes packets errors dropped carrier collsns
> 0 0 0 0 0 0
> TX errors: aborted fifo window heartbeat
> 0 0 0 0
> 5: eth3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
> link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
> RX: bytes packets errors dropped overrun mcast
> 7273490 73587 0 0 0 0
> RX errors: length crc frame fifo missed
> 0 0 0 0 0
> TX: bytes packets errors dropped carrier collsns
> 62002547 82407 0 0 0 0
> TX errors: aborted fifo window heartbeat
> 0 0 0 0
> 6: eth4: <NO-CARRIER,BROADCAST,MULTICAST,NOARP,PROMISC,UP> mtu 1500 qdisc mq state DOWN qlen 1000
> link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
> RX: bytes packets errors dropped overrun mcast
> 0 0 0 0 0 0
> RX errors: length crc frame fifo missed
> 0 0 0 0 0
> TX: bytes packets errors dropped carrier collsns
> 0 0 0 0 0 0
> TX errors: aborted fifo window heartbeat
> 0 0 0 0
> 7: eth5: <NO-CARRIER,BROADCAST,MULTICAST,NOARP,PROMISC,UP> mtu 1500 qdisc mq state DOWN qlen 1000
> link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
> RX: bytes packets errors dropped overrun mcast
> 0 0 0 0 0 0
> RX errors: length crc frame fifo missed
> 0 0 0 0 0
> TX: bytes packets errors dropped carrier collsns
> 0 0 0 0 0 0
> TX errors: aborted fifo window heartbeat
> 0 0 0 0
>
> =========================================================================
> Disk Usage
> =========================================================================
> Filesystem      Size  Used Avail Use% Mounted on
> /dev/sda2       9.1G  6.0G  2.7G  70% /
> udev             48G  4.0K   48G   1% /dev
> tmpfs           9.5G  836K  9.5G   1% /run
> none            5.0M     0  5.0M   0% /run/lock
> none             48G     0   48G   0% /run/shm
> /dev/sda5       5.1T   33M  5.1T   1% /NSM
> /dev/sda6       4.1T   65G  4.0T   2% /var
> /dev/sda3       4.1G  8.5M  3.8G   1% /tmp
> /dev/sda1       453M   41M  385M  10% /boot
>
> =========================================================================
> Network Sockets
> =========================================================================
> COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
> avahi-dae 3126 avahi 12u IPv4 14508 0t0 UDP *:5353
> avahi-dae 3126 avahi 13u IPv6 14509 0t0 UDP *:5353
> avahi-dae 3126 avahi 14u IPv4 14510 0t0 UDP *:52283
> avahi-dae 3126 avahi 15u IPv6 14511 0t0 UDP *:34654
> cupsd 3174 root 8u IPv6 762 0t0 TCP [X.X.X.X]:631 (LISTEN)
> cupsd 3174 root 9u IPv4 763 0t0 TCP X.X.X.X:631 (LISTEN)
> sshd 3200 root 3u IPv4 16612 0t0 TCP *:ssh_port (LISTEN)
> sshd 3200 root 4u IPv6 16614 0t0 TCP *:ssh_port (LISTEN)
> salt-mini 3355 root 10u IPv4 15482 0t0 TCP X.X.X.X:37506->X.X.X.X:4506 (ESTABLISHED)
> salt-mini 3355 root 22u IPv4 16953 0t0 TCP X.X.X.X:45002->X.X.X.X:4505 (ESTABLISHED)
> syslog-ng 3424 root 9u IPv4 48218 0t0 TCP *:514 (LISTEN)
> syslog-ng 3424 root 10u IPv4 48219 0t0 UDP *:514
> mysqld 3524 mysql 10u IPv4 17606 0t0 TCP X.X.X.X:3306 (LISTEN)
> searchd 3568 sphinxsearch 7u IPv4 833 0t0 TCP *:9306 (LISTEN)
> searchd 3568 sphinxsearch 8u IPv4 834 0t0 TCP *:9312 (LISTEN)
> ossec-csy 3592 ossecm 5u IPv4 867 0t0 UDP X.X.X.X:54466->X.X.X.X:514
> sshd 3636 root 3u IPv4 49466 0t0 TCP X.X.X.X:ssh_port->X.X.X.X:54950 (ESTABLISHED)
> salt-mast 3986 root 12u IPv4 12586 0t0 TCP *:4505 (LISTEN)
> salt-mast 3986 root 14u IPv4 52317 0t0 TCP X.X.X.X:4505->X.X.X.X:54984 (ESTABLISHED)
> salt-mast 3986 root 15u IPv4 52320 0t0 TCP X.X.X.X:4505->X.X.X.X:35295 (ESTABLISHED)
> salt-mast 3986 root 16u IPv4 52321 0t0 TCP X.X.X.X:4505->X.X.X.X:45002 (ESTABLISHED)
> salt-mast 3986 root 17u IPv4 52322 0t0 TCP X.X.X.X:4505->X.X.X.X:33377 (ESTABLISHED)
> salt-mast 3986 root 18u IPv4 52329 0t0 TCP X.X.X.X:4505->X.X.X.X:59318 (ESTABLISHED)
> salt-mast 3986 root 19u IPv4 52420 0t0 TCP X.X.X.X:4505->X.X.X.X:50622 (ESTABLISHED)
> salt-mast 3986 root 20u IPv4 52489 0t0 TCP X.X.X.X:4505->X.X.X.X:35172 (ESTABLISHED)
> salt-mast 3998 root 20u IPv4 19626 0t0 TCP *:4506 (LISTEN)
> salt-mast 3998 root 22u IPv4 13567 0t0 TCP X.X.X.X:4506->X.X.X.X:37506 (ESTABLISHED)
> /usr/sbin 4187 root 4u IPv4 49631 0t0 TCP *:443 (LISTEN)
> /usr/sbin 4187 root 5u IPv4 49634 0t0 TCP *:9876 (LISTEN)
> /usr/sbin 4187 root 6u IPv4 49636 0t0 TCP *:3154 (LISTEN)
> /usr/sbin 4187 root 7u IPv4 49640 0t0 TCP *:444 (LISTEN)
> sshd 4798 SO-user 3u IPv4 49466 0t0 TCP X.X.X.X:ssh_port->X.X.X.X:54950 (ESTABLISHED)
> sshd 4798 SO-user 9u IPv6 50767 0t0 TCP [X.X.X.X]:50004 (LISTEN)
> sshd 4798 SO-user 10u IPv4 50768 0t0 TCP X.X.X.X:50004 (LISTEN)
> sshd 5352 root 3u IPv4 52421 0t0 TCP X.X.X.X:ssh_port->X.X.X.X:49127 (ESTABLISHED)
> sshd 5517 root 3u IPv4 50894 0t0 TCP X.X.X.X:ssh_port->X.X.X.X:60707 (ESTABLISHED)
> sshd 5528 SO-user 3u IPv4 52421 0t0 TCP X.X.X.X:ssh_port->X.X.X.X:49127 (ESTABLISHED)
> sshd 5528 SO-user 9u IPv6 50907 0t0 TCP [X.X.X.X]:50003 (LISTEN)
> sshd 5528 SO-user 10u IPv4 50908 0t0 TCP X.X.X.X:50003 (LISTEN)
> sshd 5750 SO-user 3u IPv4 50894 0t0 TCP X.X.X.X:ssh_port->X.X.X.X:60707 (ESTABLISHED)
> sshd 5750 SO-user 9u IPv6 24712 0t0 TCP [X.X.X.X]:50002 (LISTEN)
> sshd 5750 SO-user 10u IPv4 24713 0t0 TCP X.X.X.X:50002 (LISTEN)
> sshd 5865 root 3u IPv4 52452 0t0 TCP X.X.X.X:ssh_port->X.X.X.X:46548 (ESTABLISHED)
> sshd 6090 SO-user 3u IPv4 52452 0t0 TCP X.X.X.X:ssh_port->X.X.X.X:46548 (ESTABLISHED)
> sshd 6090 SO-user 9u IPv6 22621 0t0 TCP [X.X.X.X]:50000 (LISTEN)
> sshd 6090 SO-user 10u IPv4 22622 0t0 TCP X.X.X.X:50000 (LISTEN)
> sshd 11406 root 3u IPv4 61914 0t0 TCP X.X.X.X:ssh_port->X.X.X.X:35604 (ESTABLISHED)
> sshd 11593 SO-user 3u IPv4 61914 0t0 TCP X.X.X.X:ssh_port->X.X.X.X:35604 (ESTABLISHED)
> sshd 11593 SO-user 9u IPv6 59383 0t0 TCP [X.X.X.X]:50001 (LISTEN)
> sshd 11593 SO-user 10u IPv4 59384 0t0 TCP X.X.X.X:50001 (LISTEN)
> ntpd 11992 ntp 16u IPv4 62311 0t0 UDP *:123
> ntpd 11992 ntp 17u IPv6 62312 0t0 UDP *:123
> ntpd 11992 ntp 18u IPv4 62318 0t0 UDP X.X.X.X:123
> ntpd 11992 ntp 19u IPv4 62319 0t0 UDP X.X.X.X:123
> ntpd 11992 ntp 20u IPv6 62320 0t0 UDP [X.X.X.X]:123
> ntpd 11992 ntp 21u IPv6 62321 0t0 UDP [X.X.X.X]:123
> sshd 13984 root 3u IPv4 65050 0t0 TCP X.X.X.X:ssh_port->X.X.X.X:55237 (ESTABLISHED)
> sshd 14156 SO-user 3u IPv4 65050 0t0 TCP X.X.X.X:ssh_port->X.X.X.X:55237 (ESTABLISHED)
> sshd 14156 SO-user 9u IPv6 65062 0t0 TCP [X.X.X.X]:6010 (LISTEN)
> sshd 14156 SO-user 10u IPv4 65063 0t0 TCP X.X.X.X:6010 (LISTEN)
> /usr/sbin 17007 www-data 4u IPv4 49631 0t0 TCP *:443 (LISTEN)
> /usr/sbin 17007 www-data 5u IPv4 49634 0t0 TCP *:9876 (LISTEN)
> /usr/sbin 17007 www-data 6u IPv4 49636 0t0 TCP *:3154 (LISTEN)
> /usr/sbin 17007 www-data 7u IPv4 49640 0t0 TCP *:444 (LISTEN)
> /usr/sbin 17015 www-data 4u IPv4 49631 0t0 TCP *:443 (LISTEN)
> /usr/sbin 17015 www-data 5u IPv4 49634 0t0 TCP *:9876 (LISTEN)
> /usr/sbin 17015 www-data 6u IPv4 49636 0t0 TCP *:3154 (LISTEN)
> /usr/sbin 17015 www-data 7u IPv4 49640 0t0 TCP *:444 (LISTEN)
> /usr/sbin 17018 www-data 4u IPv4 49631 0t0 TCP *:443 (LISTEN)
> /usr/sbin 17018 www-data 5u IPv4 49634 0t0 TCP *:9876 (LISTEN)
> /usr/sbin 17018 www-data 6u IPv4 49636 0t0 TCP *:3154 (LISTEN)
> /usr/sbin 17018 www-data 7u IPv4 49640 0t0 TCP *:444 (LISTEN)
> /usr/sbin 17021 www-data 4u IPv4 49631 0t0 TCP *:443 (LISTEN)
> /usr/sbin 17021 www-data 5u IPv4 49634 0t0 TCP *:9876 (LISTEN)
> /usr/sbin 17021 www-data 6u IPv4 49636 0t0 TCP *:3154 (LISTEN)
> /usr/sbin 17021 www-data 7u IPv4 49640 0t0 TCP *:444 (LISTEN)
> /usr/sbin 17022 www-data 4u IPv4 49631 0t0 TCP *:443 (LISTEN)
> /usr/sbin 17022 www-data 5u IPv4 49634 0t0 TCP *:9876 (LISTEN)
> /usr/sbin 17022 www-data 6u IPv4 49636 0t0 TCP *:3154 (LISTEN)
> /usr/sbin 17022 www-data 7u IPv4 49640 0t0 TCP *:444 (LISTEN)
> /usr/sbin 17033 www-data 4u IPv4 49631 0t0 TCP *:443 (LISTEN)
> /usr/sbin 17033 www-data 5u IPv4 49634 0t0 TCP *:9876 (LISTEN)
> /usr/sbin 17033 www-data 6u IPv4 49636 0t0 TCP *:3154 (LISTEN)
> /usr/sbin 17033 www-data 7u IPv4 49640 0t0 TCP *:444 (LISTEN)
>
> =========================================================================
> IDS Rules Update
> =========================================================================
> Tue Feb 16 13:01:01 GMT-6 2016
> Backing up current local_rules.xml file.
> Cleaning up local_rules.xml backup files older than 30 days.
> Backing up current downloaded.rules file before it gets overwritten.
> Cleaning up downloaded.rules backup files older than 30 days.
> Backing up current local.rules file before it gets overwritten.
> Cleaning up local.rules backup files older than 30 days.
> Sleeping for 30 minutes to avoid overwhelming rule sites.
> ENGINE=suricata, so we'll execute PulledPork with the -T option to avoid adding soid rules to downloaded.rules.
> Running PulledPork.
> http://code.google.com/p/pulledpork/
> _____ ____
> `----,\ )
> `--==\\ / PulledPork v0.7.0 - Swine Flu!
> `--==\\/
> .-~~~~-.Y|\\_ Copyright (C) 2009-2013 JJ Cummings
> @_/ / 66\_ cumm...@gmail.com
> | \ \ _(")
> \ /-| ||'--' Rules give me wings!
> \_\ \_\\
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Checking latest MD5 for emerging.rules.tar.gz....
> No Match
> Done
> Rules tarball download of emerging.rules.tar.gz....
> They Match
> Done!
> Prepping rules from emerging.rules.tar.gz for work....
> Done!
> Reading rules...
> Reading rules...
> Modifying Sids....
> Done!
> Processing /etc/nsm/pulledpork/enablesid.conf....
> Modified 0 rules
> Done
> Processing /etc/nsm/pulledpork/dropsid.conf....
> Modified 0 rules
> Done
> Processing /etc/nsm/pulledpork/disablesid.conf....
> Modified 2 rules
> Done
> Setting Flowbit State....
> Enabled 43 flowbits
> Done
> Writing /etc/nsm/rules/downloaded.rules....
> Done
> Generating sid-msg.map....
> Done
> Writing v1 /etc/nsm/rules/sid-msg.map....
> Done
> Writing /var/log/nsm/sid_changes.log....
> Done
> Rule Stats...
> New:-------5
> Deleted:---5
> Enabled Rules:----18416
> Dropped Rules:----0
> Disabled Rules:---4240
> Total Rules:------22656
> No IP Blacklist Changes
> Done
> Please review /var/log/nsm/sid_changes.log for additional details
> Fly Piggy Fly!
> Updating Snorby's sig_reference table...
> =========================================================================
> CPU Usage
> =========================================================================
> Load average for the last 1, 5, and 15 minutes:
> 0.81 0.66 0.41
> Processing units: 40
> If load average is higher than processing units,
> then tune until load average is lower than processing units.
>
> top - 20:26:29 up 33 min, 1 user, load average: 0.81, 0.66, 0.41
> Tasks: 545 total, 1 running, 531 sleeping, 11 stopped, 2 zombie
> Cpu(s): 0.5%us, 0.1%sy, 0.0%ni, 99.1%id, 0.3%wa, 0.0%hi, 0.0%si, 0.0%st
> Mem: 98897312k total, 47291516k used, 51605796k free, 49312k buffers
> Swap: 96323272k total, 0k used, 96323272k free, 44510256k cached
>
> %CPU %MEM COMMAND
> 14.1 0.3 /usr/sbin/mysqld
> 1.0 0.0 sed -r s/(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]).){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]).){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))\b/X.X.X.X/g
> 0.7 0.1 delayed_job
> 0.7 0.0 /var/ossec/bin/ossec-syscheckd
> 0.4 0.0 /usr/bin/python /usr/bin/salt-master
> 0.3 0.0 /var/ossec/bin/ossec-analysisd
> 0.3 0.0 cat node.log
> 0.2 0.0 sshd: SO-user@pts/0
> 0.2 0.4 /usr/bin/searchd --nodetach
> 0.1 0.0 /usr/sbin/lightdm-gtk-greeter
> 0.1 0.0 [kipmi0]
> 0.1 0.0 /sbin/init
> 0.1 0.1 /usr/sbin/apache2 -k start
> 0.1 0.0 /usr/bin/python /usr/bin/salt-master
> 0.1 0.0 perl /opt/elsa/node/elsa.pl -c /etc/elsa_node.conf
> 0.1 0.0 /usr/bin/X :0 -auth /var/run/lightdm/root/:0 -nolisten tcp vt7 -novtswitch -background none
> 0.1 0.0 [kworker/1:2]
> 0.0 0.0 /usr/bin/python /usr/bin/salt-master
> 0.0 0.0 [rcu_sched]
> 0.0 0.0 /usr/bin/python /usr/bin/salt-master
> 0.0 0.0 /usr/sbin/irqbalance
> 0.0 0.0 /usr/bin/python /usr/bin/salt-master
> 0.0 0.0 [kworker/2:2]
> 0.0 0.0 -bash
> 0.0 0.0 /usr/bin/python /usr/bin/salt-master
> 0.0 0.0 [xfsaild/sda6]
> 0.0 0.0 /usr/bin/python /usr/bin/salt-minion
> 0.0 0.0 [rcuos/20]
> 0.0 0.0 [kworker/3:1]
> 0.0 0.0 mysqlcheck -A
> 0.0 0.0 [kworker/1:1]
> 0.0 0.0 [rcuos/0]
> 0.0 0.0 /usr/sbin/syslog-ng -p /var/run/syslog-ng.pid
> 0.0 0.0 [rcuos/2]
> 0.0 0.0 [rcuos/31]
> 0.0 0.0 [kworker/9:1]
> 0.0 0.0 [kworker/0:1]
> 0.0 0.0 tclsh /usr/bin/ossec_agent.tcl -o -f /var/ossec/logs/alerts/alerts.log -i X.X.X.X -p 5 -c /etc/nsm/ossec/ossec_agent.conf
> 0.0 0.0 /usr/bin/python /usr/bin/salt-master
> 0.0 0.0 [rcuos/21]
> 0.0 0.0 [migration/21]
> 0.0 0.0 /sbin/udevd --daemon
> 0.0 0.0 [migration/31]
> 0.0 0.0 /usr/sbin/console-kit-daemon --no-daemon
> 0.0 0.0 [kworker/21:1]
> 0.0 0.0 [kworker/u81:5]
> 0.0 0.0 [migration/0]
> 0.0 0.0 [migration/1]
> 0.0 0.0 [migration/2]
> 0.0 0.0 [migration/3]
> 0.0 0.0 [migration/4]
> 0.0 0.0 [migration/5]
> 0.0 0.0 [migration/6]
> 0.0 0.0 [migration/7]
> 0.0 0.0 [migration/8]
> 0.0 0.0 [migration/9]
> 0.0 0.0 [migration/10]
> 0.0 0.0 [migration/11]
> 0.0 0.0 [migration/12]
> 0.0 0.0 [migration/13]
> 0.0 0.0 [migration/14]
> 0.0 0.0 [migration/15]
> 0.0 0.0 [migration/16]
> 0.0 0.0 [migration/17]
> 0.0 0.0 [migration/18]
> 0.0 0.0 [migration/19]
> 0.0 0.0 [migration/20]
> 0.0 0.0 [migration/22]
> 0.0 0.0 [migration/23]
> 0.0 0.0 [migration/24]
> 0.0 0.0 [migration/25]
> 0.0 0.0 [migration/26]
> 0.0 0.0 [migration/27]
> 0.0 0.0 [migration/28]
> 0.0 0.0 [migration/29]
> 0.0 0.0 [migration/30]
> 0.0 0.0 [migration/32]
> 0.0 0.0 [migration/33]
> 0.0 0.0 [migration/34]
> 0.0 0.0 [migration/35]
> 0.0 0.0 [migration/36]
> 0.0 0.0 [migration/37]
> 0.0 0.0 [migration/38]
> 0.0 0.0 [migration/39]
> 0.0 0.0 [rcuos/3]
> 0.0 0.0 [khugepaged]
> 0.0 0.0 [rcuos/13]
> 0.0 0.0 [kworker/31:1]
> 0.0 0.0 [rcuos/10]
> 0.0 0.0 [rcuos/12]
> 0.0 0.0 [kworker/4:1]
> 0.0 0.0 upstart-udev-bridge --daemon
> 0.0 0.0 [kworker/10:1]
> 0.0 0.0 [rcuos/4]
> 0.0 0.0 [kworker/2:1]
> 0.0 0.0 [kworker/12:1]
> 0.0 0.0 [kworker/13:1]
> 0.0 0.0 [rcuos/30]
> 0.0 0.0 ./dema -d /opt/xplico -b sqlite
> 0.0 0.0 [kworker/11:1]
> 0.0 0.0 [kworker/7:1]
> 0.0 0.0 [rcuos/1]
> 0.0 0.0 [kworker/18:1]
> 0.0 0.0 [kworker/14:1]
> 0.0 0.0 dbus-daemon --system --fork --activation=upstart
> 0.0 0.0 [kworker/19:1]
> 0.0 0.0 [kworker/15:1]
> 0.0 0.0 [kworker/16:1]
> 0.0 0.0 [kworker/17:1]
> 0.0 0.0 [rcuos/11]
> 0.0 0.0 [rcuos/14]
> 0.0 0.0 [kworker/u82:0]
> 0.0 0.0 sshd: SO-user [priv]
> 0.0 0.0 /usr/bin/python /usr/bin/salt-master
> 0.0 0.0 [rcuos/7]
> 0.0 0.0 [kworker/5:2]
> 0.0 0.0 /usr/sbin/ntpd -p /var/run/ntpd.pid -g -u 118:126
> 0.0 0.0 /usr/lib/policykit-1/polkitd --no-debug
> 0.0 0.0 /var/ossec/bin/ossec-logcollector
> 0.0 0.0 /usr/lib/accountsservice/accounts-daemon
> 0.0 0.0 [jbd2/sda2-8]
> 0.0 0.0 [rcuos/15]
> 0.0 0.0 [rcuos/16]
> 0.0 0.0 [rcuos/29]
> 0.0 0.0 [kworker/30:1]
> 0.0 0.0 [kworker/5:1]
> 0.0 0.0 [rcuos/5]
> 0.0 0.0 [rcuos/6]
> 0.0 0.0 [rcuos/8]
> 0.0 0.0 sudo sostat
> 0.0 0.0 less
> 0.0 0.0 /bin/bash /usr/bin/sostat
> 0.0 0.0 Passenger spawn server
> 0.0 0.0 /usr/lib/upower/upowerd
> 0.0 0.0 [kworker/10:1H]
> 0.0 0.0 [rcuos/17]
> 0.0 0.0 [rcuos/18]
> 0.0 0.0 [rcuos/22]
> 0.0 0.0 [rcuos/32]
> 0.0 0.0 cron
> 0.0 0.0 [rcuos/9]
> 0.0 0.0 [kworker/0:2]
> 0.0 0.0 PassengerHelperAgent
> 0.0 0.0 [rcuos/19]
> 0.0 0.0 [rcuos/23]
> 0.0 0.0 [rcuos/24]
> 0.0 0.0 [rcuos/25]
> 0.0 0.0 [rcuos/33]
> 0.0 0.0 [rcuos/34]
> 0.0 0.0 [rcuos/39]
> 0.0 0.0 [kworker/29:1]
> 0.0 0.0 [kworker/22:1]
> 0.0 0.0 [kworker/6:1]
> 0.0 0.0 [kworker/20:1]
> 0.0 0.0 sshd: SO-user
> 0.0 0.0 [ksoftirqd/0]
> 0.0 0.0 [rcuos/26]
> 0.0 0.0 [rcuos/27]
> 0.0 0.0 [rcuos/28]
> 0.0 0.0 [rcuos/35]
> 0.0 0.0 [rcuos/36]
> 0.0 0.0 [rcuos/37]
> 0.0 0.0 [rcuos/38]
> 0.0 0.0 [ksoftirqd/19]
> 0.0 0.0 [kworker/39:1]
> 0.0 0.0 [kworker/27:1]
> 0.0 0.0 [kworker/8:1]
> 0.0 0.0 [jbd2/sda3-8]
> 0.0 0.0 [kworker/0:1H]
> 0.0 0.0 /usr/sbin/cupsd -F
> 0.0 0.0 /usr/sbin/sshd -D
> 0.0 0.0 lightdm
> 0.0 0.0 /var/ossec/bin/ossec-csyslogd
> 0.0 0.0 lightdm --session-child 16 19
> 0.0 0.0 /usr/bin/python /usr/bin/salt-master
> 0.0 0.0 [kthreadd]
> 0.0 0.0 [kworker/0:0H]
> 0.0 0.0 [kworker/u80:0]
> 0.0 0.0 [rcu_bh]
> 0.0 0.0 [rcuob/0]
> 0.0 0.0 [rcuob/1]
> 0.0 0.0 [rcuob/2]
> 0.0 0.0 [rcuob/3]
> 0.0 0.0 [rcuob/4]
> 0.0 0.0 [rcuob/5]
> 0.0 0.0 [rcuob/6]
> 0.0 0.0 [rcuob/7]
> 0.0 0.0 [rcuob/8]
> 0.0 0.0 [rcuob/9]
> 0.0 0.0 [rcuob/10]
> 0.0 0.0 [rcuob/11]
> 0.0 0.0 [rcuob/12]
> 0.0 0.0 [rcuob/13]
> 0.0 0.0 [rcuob/14]
> 0.0 0.0 [rcuob/15]
> 0.0 0.0 [rcuob/16]
> 0.0 0.0 [rcuob/17]
> 0.0 0.0 [rcuob/18]
> 0.0 0.0 [rcuob/19]
> 0.0 0.0 [rcuob/20]
> 0.0 0.0 [rcuob/21]
> 0.0 0.0 [rcuob/22]
> 0.0 0.0 [rcuob/23]
> 0.0 0.0 [rcuob/24]
> 0.0 0.0 [rcuob/25]
> 0.0 0.0 [rcuob/26]
> 0.0 0.0 [rcuob/27]
> 0.0 0.0 [rcuob/28]
> 0.0 0.0 [rcuob/29]
> 0.0 0.0 [rcuob/30]
> 0.0 0.0 [rcuob/31]
> 0.0 0.0 [rcuob/32]
> 0.0 0.0 [rcuob/33]
> 0.0 0.0 [rcuob/34]
> 0.0 0.0 [rcuob/35]
> 0.0 0.0 [rcuob/36]
> 0.0 0.0 [rcuob/37]
> 0.0 0.0 [rcuob/38]
> 0.0 0.0 [rcuob/39]
> 0.0 0.0 [watchdog/0]
> 0.0 0.0 [watchdog/1]
> 0.0 0.0 [ksoftirqd/1]
> 0.0 0.0 [kworker/1:0H]
> 0.0 0.0 [watchdog/2]
> 0.0 0.0 [ksoftirqd/2]
> 0.0 0.0 [kworker/2:0H]
> 0.0 0.0 [watchdog/3]
> 0.0 0.0 [ksoftirqd/3]
> 0.0 0.0 [kworker/3:0]
> 0.0 0.0 [kworker/3:0H]
> 0.0 0.0 [watchdog/4]
> 0.0 0.0 [ksoftirqd/4]
> 0.0 0.0 [kworker/4:0]
> 0.0 0.0 [kworker/4:0H]
> 0.0 0.0 [watchdog/5]
> 0.0 0.0 [ksoftirqd/5]
> 0.0 0.0 [kworker/5:0H]
> 0.0 0.0 [watchdog/6]
> 0.0 0.0 [ksoftirqd/6]
> 0.0 0.0 [kworker/6:0]
> 0.0 0.0 [kworker/6:0H]
> 0.0 0.0 [watchdog/7]
> 0.0 0.0 [ksoftirqd/7]
> 0.0 0.0 [kworker/7:0]
> 0.0 0.0 [kworker/7:0H]
> 0.0 0.0 [watchdog/8]
> 0.0 0.0 [ksoftirqd/8]
> 0.0 0.0 [kworker/8:0]
> 0.0 0.0 [kworker/8:0H]
> 0.0 0.0 [watchdog/9]
> 0.0 0.0 [ksoftirqd/9]
> 0.0 0.0 [kworker/9:0]
> 0.0 0.0 [kworker/9:0H]
> 0.0 0.0 [watchdog/10]
> 0.0 0.0 [ksoftirqd/10]
> 0.0 0.0 [kworker/10:0]
> 0.0 0.0 [kworker/10:0H]
> 0.0 0.0 [watchdog/11]
> 0.0 0.0 [ksoftirqd/11]
> 0.0 0.0 [kworker/11:0]
> 0.0 0.0 [kworker/11:0H]
> 0.0 0.0 [watchdog/12]
> 0.0 0.0 [ksoftirqd/12]
> 0.0 0.0 [kworker/12:0]
> 0.0 0.0 [kworker/12:0H]
> 0.0 0.0 [watchdog/13]
> 0.0 0.0 [ksoftirqd/13]
> 0.0 0.0 [kworker/13:0]
> 0.0 0.0 [kworker/13:0H]
> 0.0 0.0 [watchdog/14]
> 0.0 0.0 [ksoftirqd/14]
> 0.0 0.0 [kworker/14:0]
> 0.0 0.0 [kworker/14:0H]
> 0.0 0.0 [watchdog/15]
> 0.0 0.0 [ksoftirqd/15]
> 0.0 0.0 [kworker/15:0]
> 0.0 0.0 [kworker/15:0H]
> 0.0 0.0 [watchdog/16]
> 0.0 0.0 [ksoftirqd/16]
> 0.0 0.0 [kworker/16:0]
> 0.0 0.0 [kworker/16:0H]
> 0.0 0.0 [watchdog/17]
> 0.0 0.0 [ksoftirqd/17]
> 0.0 0.0 [kworker/17:0]
> 0.0 0.0 [kworker/17:0H]
> 0.0 0.0 [watchdog/18]
> 0.0 0.0 [ksoftirqd/18]
> 0.0 0.0 [kworker/18:0]
> 0.0 0.0 [kworker/18:0H]
> 0.0 0.0 [watchdog/19]
> 0.0 0.0 [kworker/19:0]
> 0.0 0.0 [kworker/19:0H]
> 0.0 0.0 [watchdog/20]
> 0.0 0.0 [ksoftirqd/20]
> 0.0 0.0 [kworker/20:0]
> 0.0 0.0 [kworker/20:0H]
> 0.0 0.0 [watchdog/21]
> 0.0 0.0 [ksoftirqd/21]
> 0.0 0.0 [kworker/21:0]
> 0.0 0.0 [kworker/21:0H]
> 0.0 0.0 [watchdog/22]
> 0.0 0.0 [ksoftirqd/22]
> 0.0 0.0 [kworker/22:0]
> 0.0 0.0 [kworker/22:0H]
> 0.0 0.0 [watchdog/23]
> 0.0 0.0 [ksoftirqd/23]
> 0.0 0.0 [kworker/23:0]
> 0.0 0.0 [kworker/23:0H]
> 0.0 0.0 [watchdog/24]
> 0.0 0.0 [ksoftirqd/24]
> 0.0 0.0 [kworker/24:0]
> 0.0 0.0 [kworker/24:0H]
> 0.0 0.0 [watchdog/25]
> 0.0 0.0 [ksoftirqd/25]
> 0.0 0.0 [kworker/25:0]
> 0.0 0.0 [kworker/25:0H]
> 0.0 0.0 [watchdog/26]
> 0.0 0.0 [ksoftirqd/26]
> 0.0 0.0 [kworker/26:0]
> 0.0 0.0 [kworker/26:0H]
> 0.0 0.0 [watchdog/27]
> 0.0 0.0 [ksoftirqd/27]
> 0.0 0.0 [kworker/27:0]
> 0.0 0.0 [kworker/27:0H]
> 0.0 0.0 [watchdog/28]
> 0.0 0.0 [ksoftirqd/28]
> 0.0 0.0 [kworker/28:0]
> 0.0 0.0 [kworker/28:0H]
> 0.0 0.0 [watchdog/29]
> 0.0 0.0 [ksoftirqd/29]
> 0.0 0.0 [kworker/29:0]
> 0.0 0.0 [kworker/29:0H]
> 0.0 0.0 [watchdog/30]
> 0.0 0.0 [ksoftirqd/30]
> 0.0 0.0 [kworker/30:0]
> 0.0 0.0 [kworker/30:0H]
> 0.0 0.0 [watchdog/31]
> 0.0 0.0 [ksoftirqd/31]
> 0.0 0.0 [kworker/31:0]
> 0.0 0.0 [kworker/31:0H]
> 0.0 0.0 [watchdog/32]
> 0.0 0.0 [ksoftirqd/32]
> 0.0 0.0 [kworker/32:0]
> 0.0 0.0 [kworker/32:0H]
> 0.0 0.0 [watchdog/33]
> 0.0 0.0 [ksoftirqd/33]
> 0.0 0.0 [kworker/33:0]
> 0.0 0.0 [kworker/33:0H]
> 0.0 0.0 [watchdog/34]
> 0.0 0.0 [ksoftirqd/34]
> 0.0 0.0 [kworker/34:0]
> 0.0 0.0 [kworker/34:0H]
> 0.0 0.0 [watchdog/35]
> 0.0 0.0 [ksoftirqd/35]
> 0.0 0.0 [kworker/35:0]
> 0.0 0.0 [kworker/35:0H]
> 0.0 0.0 [watchdog/36]
> 0.0 0.0 [ksoftirqd/36]
> 0.0 0.0 [kworker/36:0]
> 0.0 0.0 [kworker/36:0H]
> 0.0 0.0 [watchdog/37]
> 0.0 0.0 [ksoftirqd/37]
> 0.0 0.0 [kworker/37:0]
> 0.0 0.0 [kworker/37:0H]
> 0.0 0.0 [watchdog/38]
> 0.0 0.0 [ksoftirqd/38]
> 0.0 0.0 [kworker/38:0]
> 0.0 0.0 [kworker/38:0H]
> 0.0 0.0 [watchdog/39]
> 0.0 0.0 [ksoftirqd/39]
> 0.0 0.0 [kworker/39:0]
> 0.0 0.0 [kworker/39:0H]
> 0.0 0.0 [khelper]
> 0.0 0.0 [kdevtmpfs]
> 0.0 0.0 [netns]
> 0.0 0.0 [writeback]
> 0.0 0.0 [kintegrityd]
> 0.0 0.0 [bioset]
> 0.0 0.0 [kworker/u83:0]
> 0.0 0.0 [kworker/u84:0]
> 0.0 0.0 [kworker/u85:0]
> 0.0 0.0 [kblockd]
> 0.0 0.0 [ata_sff]
> 0.0 0.0 [khubd]
> 0.0 0.0 [md]
> 0.0 0.0 [devfreq_wq]
> 0.0 0.0 [khungtaskd]
> 0.0 0.0 [kswapd0]
> 0.0 0.0 [kswapd1]
> 0.0 0.0 [ksmd]
> 0.0 0.0 [fsnotify_mark]
> 0.0 0.0 [ecryptfs-kthrea]
> 0.0 0.0 [crypto]
> 0.0 0.0 [kthrotld]
> 0.0 0.0 [kworker/u80:1]
> 0.0 0.0 [deferwq]
> 0.0 0.0 [charger_manager]
> 0.0 0.0 [kworker/24:1]
> 0.0 0.0 [kworker/35:1]
> 0.0 0.0 [kworker/32:1]
> 0.0 0.0 [kworker/33:1]
> 0.0 0.0 [kworker/37:1]
> 0.0 0.0 [kworker/34:1]
> 0.0 0.0 [kworker/38:1]
> 0.0 0.0 [kworker/36:1]
> 0.0 0.0 [kworker/26:1]
> 0.0 0.0 [kworker/28:1]
> 0.0 0.0 [kworker/23:1]
> 0.0 0.0 [scsi_eh_0]
> 0.0 0.0 [fc_exch_workque]
> 0.0 0.0 [fc_rport_eq]
> 0.0 0.0 [fnic_event_wq]
> 0.0 0.0 [fnic_fip_q]
> 0.0 0.0 [scsi_eh_1]
> 0.0 0.0 [scsi_eh_2]
> 0.0 0.0 [scsi_eh_3]
> 0.0 0.0 [scsi_eh_4]
> 0.0 0.0 [scsi_eh_5]
> 0.0 0.0 [scsi_eh_6]
> 0.0 0.0 [scsi_eh_7]
> 0.0 0.0 [kworker/u81:4]
> 0.0 0.0 [scsi_wq_1]
> 0.0 0.0 [scsi_eh_8]
> 0.0 0.0 [scsi_wq_8]
> 0.0 0.0 [kworker/25:1]
> 0.0 0.0 [scsi_eh_9]
> 0.0 0.0 [scsi_wq_9]
> 0.0 0.0 [scsi_eh_10]
> 0.0 0.0 [scsi_wq_10]
> 0.0 0.0 [bioset]
> 0.0 0.0 [ext4-rsv-conver]
> 0.0 0.0 /sbin/udevd --daemon
> 0.0 0.0 /sbin/udevd --daemon
> 0.0 0.0 [xfsalloc]
> 0.0 0.0 [xfs_mru_cache]
> 0.0 0.0 [xfslogd]
> 0.0 0.0 [xfs-data/sda5]
> 0.0 0.0 [xfs-conv/sda5]
> 0.0 0.0 [xfs-cil/sda5]
> 0.0 0.0 [kworker/32:1H]
> 0.0 0.0 [xfsaild/sda5]
> 0.0 0.0 [kmpathd]
> 0.0 0.0 [kmpath_handlerd]
> 0.0 0.0 [kvm-irqfd-clean]
> 0.0 0.0 [kworker/u82:2]
> 0.0 0.0 [kworker/18:1H]
> 0.0 0.0 [xfs-data/sda6]
> 0.0 0.0 [xfs-conv/sda6]
> 0.0 0.0 [xfs-cil/sda6]
> 0.0 0.0 [kworker/37:1H]
> 0.0 0.0 [kworker/19:1H]
> 0.0 0.0 [ext4-rsv-conver]
> 0.0 0.0 [kworker/31:1H]
> 0.0 0.0 [jbd2/sda1-8]
> 0.0 0.0 [ext4-rsv-conver]
> 0.0 0.0 [kworker/15:1H]
> 0.0 0.0 [kworker/16:1H]
> 0.0 0.0 [kworker/17:1H]
> 0.0 0.0 [kworker/11:1H]
> 0.0 0.0 [kworker/12:1H]
> 0.0 0.0 [kworker/13:1H]
> 0.0 0.0 [kworker/14:1H]
> 0.0 0.0 upstart-socket-bridge --daemon
> 0.0 0.0 /usr/sbin/bluetoothd
> 0.0 0.0 avahi-daemon: running [SO-server.local]
> 0.0 0.0 avahi-daemon: chroot helper
> 0.0 0.0 [krfcommd]
> 0.0 0.0 /sbin/getty -8 38400 tty4
> 0.0 0.0 /sbin/getty -8 38400 tty5
> 0.0 0.0 [kworker/35:1H]
> 0.0 0.0 /sbin/getty -8 38400 tty2
> 0.0 0.0 /sbin/getty -8 38400 tty3
> 0.0 0.0 /sbin/getty -8 38400 tty6
> 0.0 0.0 [kworker/38:1H]
> 0.0 0.0 [kworker/36:1H]
> 0.0 0.0 atd
> 0.0 0.0 su -s /bin/sh -c exec "$0" "$@" sphinxsearch -- /usr/bin/searchd --nodetach
> 0.0 0.0 supervising syslog-ng
> 0.0 0.0 acpid -c /etc/acpi/events -s /var/run/acpid.socket
> 0.0 0.0 [kworker/33:1H]
> 0.0 0.0 /bin/sh -c perl /opt/elsa/node/elsa.pl -c /etc/elsa_node.conf
> 0.0 0.0 /var/ossec/bin/ossec-execd
> 0.0 0.0 [kworker/u84:1]
> 0.0 0.0 /var/ossec/bin/ossec-monitord
> 0.0 0.0 sshd: SO-user [priv]
> 0.0 0.0 /bin/sh /usr/lib/lightdm/lightdm-greeter-session /usr/sbin/lightdm-gtk-greeter
> 0.0 0.0 //bin/dbus-daemon --fork --print-pid 5 --print-address 7 --session
> 0.0 0.0 /usr/lib/gvfs/gvfsd
> 0.0 0.0 /usr/lib/gvfs//gvfs-fuse-daemon -f /var/lib/lightdm/.gvfs
> 0.0 0.0 /usr/bin/python /usr/bin/salt-master
> 0.0 0.0 /usr/bin/python /usr/bin/salt-master
> 0.0 0.0 PassengerWatchdog
> 0.0 0.0 PassengerLoggingAgent
> 0.0 0.0 lightdm --session-child 12 19
> 0.0 0.0 /sbin/getty -8 38400 tty1
> 0.0 0.0 sshd: SO-user
> 0.0 0.0 [kworker/u85:1]
> 0.0 0.0 [kworker/2:1H]
> 0.0 0.0 sshd: SO-user [priv]
> 0.0 0.0 sshd: SO-user [priv]
> 0.0 0.0 sshd: SO-user
> 0.0 0.0 sshd: SO-user [priv]
> 0.0 0.0 sshd: SO-user
> 0.0 0.0 [kworker/39:1H]
> 0.0 0.0 [kworker/21:1H]
> 0.0 0.0 sshd: SO-user [priv]
> 0.0 0.0 sshd: SO-user
> 0.0 0.0 tclsh /usr/bin/SO-userd -c /etc/nsm/securityonion/SO-userd.conf -a /etc/nsm/securityonion/autocat.conf -g /etc/nsm/securityonion/SO-userd.queries -A /etc/nsm/securityonion/SO-userd.access -C /etc/nsm/securityonion/certs
> 0.0 0.0 tclsh /usr/bin/SO-userd -c /etc/nsm/securityonion/SO-userd.conf -a /etc/nsm/securityonion/autocat.conf -g /etc/nsm/securityonion/SO-userd.queries -A /etc/nsm/securityonion/SO-userd.access -C /etc/nsm/securityonion/certs
> 0.0 0.0 [kworker/8:1H]
> 0.0 0.0 [kworker/9:1H]
> 0.0 0.0 tclsh /usr/bin/SO-userd -c /etc/nsm/securityonion/SO-userd.conf -a /etc/nsm/securityonion/autocat.conf -g /etc/nsm/securityonion/SO-userd.queries -A /etc/nsm/securityonion/SO-userd.access -C /etc/nsm/securityonion/certs
> 0.0 0.0 tclsh /usr/bin/SO-userd -c /etc/nsm/securityonion/SO-userd.conf -a /etc/nsm/securityonion/autocat.conf -g /etc/nsm/securityonion/SO-userd.queries -A /etc/nsm/securityonion/SO-userd.access -C /etc/nsm/securityonion/certs
> 0.0 0.0 tclsh /usr/bin/SO-userd -c /etc/nsm/securityonion/SO-userd.conf -a /etc/nsm/securityonion/autocat.conf -g /etc/nsm/securityonion/SO-userd.queries -A /etc/nsm/securityonion/SO-userd.access -C /etc/nsm/securityonion/certs
> 0.0 0.0 tclsh /usr/bin/SO-userd -c /etc/nsm/securityonion/SO-userd.conf -a /etc/nsm/securityonion/autocat.conf -g /etc/nsm/securityonion/SO-userd.queries -A /etc/nsm/securityonion/SO-userd.access -C /etc/nsm/securityonion/certs
> 0.0 0.0 su - SO-user -- /usr/bin/ossec_agent.tcl -o -f /var/ossec/logs/alerts/alerts.log -i X.X.X.X -p 5 -c /etc/nsm/ossec/ossec_agent.conf
> 0.0 0.0 mysql -uroot -Dsecurityonion_db -e select count(*) as Total from event where event.signature_gen != 10001 and event.signature_id != 420042;
> 0.0 0.0 tclsh /usr/bin/SO-userd -c /etc/nsm/securityonion/SO-userd.conf -a /etc/nsm/securityonion/autocat.conf -g /etc/nsm/securityonion/SO-userd.queries -A /etc/nsm/securityonion/SO-userd.access -C /etc/nsm/securityonion/certs
> 0.0 0.0 sudo cat node.log
> 0.0 0.0 [kworker/4:2]
> 0.0 0.0 sudo mysqlcheck -A
> 0.0 0.0 tclsh /usr/bin/SO-userd -c /etc/nsm/securityonion/SO-userd.conf -a /etc/nsm/securityonion/autocat.conf -g /etc/nsm/securityonion/SO-userd.queries -A /etc/nsm/securityonion/SO-userd.access -C /etc/nsm/securityonion/certs
> 0.0 0.0 sudo sostat __help
> 0.0 0.0 /bin/bash /usr/bin/sostat __help
> 0.0 0.0 mysql -uroot -Dsecurityonion_db -e select count(*) as Totals, CONCAT(event.signature_gen, ':', event.signature_id) as 'GenID:SigID', event.signature as Signature from event where event.signature_gen != 10001 and event.signature_id != 420042 group by event.signature order by Totals desc limit 50;
> 0.0 0.1 /usr/sbin/apache2 -k start
> 0.0 0.1 /usr/sbin/apache2 -k start
> 0.0 0.1 /usr/sbin/apache2 -k start
> 0.0 0.1 /usr/sbin/apache2 -k start
> 0.0 0.1 /usr/sbin/apache2 -k start
> 0.0 0.1 /usr/sbin/apache2 -k start
> 0.0 0.0 [host-deny.sh] <defunct>
> 0.0 0.0 [firewall-drop.s] <defunct>
> 0.0 0.0 sudo sostat-redacted
> 0.0 0.0 /bin/bash /usr/bin/sostat-redacted
> 0.0 0.0 /bin/bash /usr/bin/sostat
> 0.0 0.0 sed -r s/(\b[0-9]{1,3}\.){3}[0-9]{1,3}\b/X.X.X.X/g
> 0.0 0.0 sed -r s/([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}/MM:MM:MM:MM:MM:MM/g
> 0.0 0.0 sed -r s/X:ssh_port/X:ssh_port/g
> 0.0 0.0 sed -r s/\*:ssh_port/*:ssh_port/g
> 0.0 0.0 sed -r s/SO-server/SO-server/g
> 0.0 0.0 sed -r s/SO-node|SO-node|SO-node|SO-node|SO-node|SO-node/SO-node/g
> 0.0 0.0 sed -r s/SO-user|SO-user|SO-user|SO-user|SO-user|SO-user/SO-user/g
> 0.0 0.0 ps -eo pcpu,pmem,args --sort -pcpu
>
> =========================================================================
> Sguil Uncategorized Events
> =========================================================================
> COUNT(*)
> 93
>
> =========================================================================
> Sguil events summary for yesterday
> =========================================================================
> Totals GenID:SigID Signature
> 28108 1:2200038 SURICATA UDP packet too small
> 9 1:2200027 SURICATA ICMPv4 unknown version
> 3 1:2200036 SURICATA TCP option invalid length
> 1 1:2200040 SURICATA UDP invalid header length
> 1 1:2200034 SURICATA TCP header length too small
> Total
> 28122
>
> =========================================================================
> Top 50 All time Sguil Events
> =========================================================================
> Totals GenID:SigID Signature
> 1343603 1:2200038 SURICATA UDP packet too small
> 81655 1:2210020 SURICATA STREAM ESTABLISHED packet out of window
> 49754 1:2210000 SURICATA STREAM 3way handshake with ack in wrong dir
> 44681 1:2210045 SURICATA STREAM Packet with invalid ack
> 44137 1:2210021 SURICATA STREAM ESTABLISHED retransmission packet before last ack
> 43659 1:2210029 SURICATA STREAM ESTABLISHED invalid ack
> 28688 1:2210010 SURICATA STREAM 3way handshake wrong seq wrong ack
> 769 1:2210046 SURICATA STREAM SHUTDOWN RST invalid ack
> 472 1:2200027 SURICATA ICMPv4 unknown version
> 326 1:2230003 SURICATA TLS invalid handshake message
> 318 1:2017919 ET DOS Possible NTP DDoS Inbound Frequent Un-Authed MON_LIST Requests IMPL 0x03
> 254 1:2210030 SURICATA STREAM FIN invalid ack
> 119 1:2200036 SURICATA TCP option invalid length
> 114 1:2210038 SURICATA STREAM FIN out of window
> 90 1:2220004 SURICATA SMTP invalid pipelined sequence
> 83 1:2200034 SURICATA TCP header length too small
> 82 1:2200035 SURICATA TCP invalid option length
> 46 1:2210002 SURICATA STREAM 3way handshake right seq wrong ack evasion
> 11 1:2220006 SURICATA SMTP no server welcome message
> 11 1:2210012 SURICATA STREAM 4way handshake SYNACK with wrong SYN
> 10 1:2210003 SURICATA STREAM 3way handshake SYNACK in wrong direction
> 9 1:2200025 SURICATA ICMPv4 unknown code
> 4 10000:1 PADS New Asset - unknown @https
> 3 1:2210016 SURICATA STREAM CLOSEWAIT FIN out of window
> 3 1:2100158 GPL VOIP SIP INVITE message flooding
> 1 1:2018918 ET POLICY possible Xiaomi phone data leakage DNS
> 1 1:2200024 SURICATA ICMPv4 unknown type
> 1 1:2200040 SURICATA UDP invalid header length
> Total
> 1638904
>
> =========================================================================
> Top 50 URLs for yesterday
> =========================================================================
> Totals Signature
> 60559 URL crl.microsoft.com
> 40722 URL rhn.redhat.com
> 28062 URL gets-wps-services-test.csgov.com
> 18837 URL bpm.tags.bigpondmedia.com
> 18678 URL ads.adaptv.advertising.com
> 17381 URL data.t.bleacherreport.com
> 17313 URL ctldl.windowsupdate.com
> 14616 URL events.dashbida.com
> 9479 URL weather.yahooapis.com
> 8375 URL b.scorecardresearch.com
> 8136 URL www.fly.faa.gov
> 7853 URL www.microsoft.com
> 7695 URL www.learncertification.com
> 7664 URL pagead2.googlesyndication.com
> 7469 URL www.wmata.com
> 7229 URL exchange.basebanner.com
> 6592 URL pixel.quantserve.com
> 6131 URL ad4.liverail.com
> 6015 URL ecx.images-amazon.com
> 5714 URL c2s-openrtb.liverail.com
> 5499 URL log.adaptv.advertising.com
> 5427 URL www.amazon.com
> 5298 URL video.moatads.com
> 5004 URL quote.cnbc.com
> 4944 URL www.google-analytics.com
> 4931 URL redir.adap.tv
> 4432 URL v4.moatads.com
> 4381 URL ping.chartbeat.net
> 4336 URL t4.liverail.com
> 4235 URL ocsp.verisign.com
> 4232 URL ib.adnxs.com
> 3945 URL ac.eu.angsrvr.com
> 3749 URL search.spotxchange.com
> 3730 URL data.coremetrics.com
> 3401 URL phds-live.cdn.turner.com
> 3338 URL as.eu.angsrvr.com
> 3228 URL www.freep.com
> 3203 URL weather.noaa.gov
> 3038 URL ws-raps.personifycloud.com
> 2989 URL ctgardens.com
> 2923 URL www.google.com
> 2912 URL X.X.X.X
> 2811 URL hds2.pro12.lv3.hbogo.com
> 2767 URL thumbs.ebaystatic.com
> 2747 URL X.X.X.X
> 2650 URL afs.moatads.com
> 2632 URL cloudvid.cachefly.net
> 2613 URL fls-na.amazon.com
> 2592 URL X.X.X.X
> 2577 URL www13.glam.com
> Total
> 909662
>
> =========================================================================
> Snorby Events Summary for yesterday
> =========================================================================
> Totals GenID:SigID SignatureName
> 28108 1:2200038 SURICATA UDP packet too small
> 9 1:2200027 SURICATA ICMPv4 unknown version
> 3 1:2200036 SURICATA TCP option invalid length
> 1 1:2200034 SURICATA TCP header length too small
> 1 1:2200040 SURICATA UDP invalid header length
> Total
> 28122
>
> =========================================================================
> Top 50 All Time Snorby Events
> =========================================================================
> Totals GenID:SigID SignatureName
> 1343604 1:2200038 SURICATA UDP packet too small
> 266103 1:2210000 SURICATA STREAM 3way handshake with ack in wrong dir
> 150636 1:2210010 SURICATA STREAM 3way handshake wrong seq wrong ack
> 99725 1:2210020 SURICATA STREAM ESTABLISHED packet out of window
> 62646 1:2210021 SURICATA STREAM ESTABLISHED retransmission packet before last ack
> 54046 1:2210045 SURICATA STREAM Packet with invalid ack
> 52793 1:2210029 SURICATA STREAM ESTABLISHED invalid ack
> 2368 1:2210041 SURICATA STREAM RST recv but no session
> 944 1:2210046 SURICATA STREAM SHUTDOWN RST invalid ack
> 578 1:2210048 SURICATA STREAM reassembly sequence GAP -- missing packet(s)
> 515 1:2210037 SURICATA STREAM FIN recv but no session
> 507 1:2200027 SURICATA ICMPv4 unknown version
> 423 1:2230003 SURICATA TLS invalid handshake message
> 419 1:2017919 ET DOS Possible NTP DDoS Inbound Frequent Un-Authed MON_LIST Requests IMPL 0x03
> 309 1:2210030 SURICATA STREAM FIN invalid ack
> 182 1:2003195 ET POLICY Unusual number of DNS No Such Name Responses
> 124 1:2210038 SURICATA STREAM FIN out of window
> 119 1:2200036 SURICATA TCP option invalid length
> 90 1:2220004 SURICATA SMTP invalid pipelined sequence
> 83 1:2200035 SURICATA TCP invalid option length
> 83 1:2200034 SURICATA TCP header length too small
> 48 1:2210002 SURICATA STREAM 3way handshake right seq wrong ack evasion
> 31 1:2210012 SURICATA STREAM 4way handshake SYNACK with wrong SYN
> 22 1:2210003 SURICATA STREAM 3way handshake SYNACK in wrong direction
> 11 1:2220006 SURICATA SMTP no server welcome message
> 9 1:2200025 SURICATA ICMPv4 unknown code
> 7 1:2100486 GPL ICMP_INFO Destination Unreachable Communication with Destination Host is Administratively Prohibited
> 6 1:2000328 ET POLICY Outbound Multiple Non-SMTP Server Emails
> 3 1:2200040 SURICATA UDP invalid header length
> 3 1:2210016 SURICATA STREAM CLOSEWAIT FIN out of window
> 3 1:2100158 GPL VOIP SIP INVITE message flooding
> 1 1:2100498 GPL ATTACK_RESPONSE id check returned root
> 1 1:2210017 SURICATA STREAM CLOSEWAIT invalid ACK
> 1 1:2210032 SURICATA STREAM FIN1 FIN with wrong seq
> 1 1:2200024 SURICATA ICMPv4 unknown type
> 1 1:2018918 ET POLICY possible Xiaomi phone data leakage DNS
> Total
> 2036445
>
> =========================================================================
> Last update
> =========================================================================
>
> Start-Date: 2016-02-16 15:32:52
> Commandline: apt-get install mysqltuner
> Install: mysqltuner:amd64 (1.1.0)
> End-Date: 2016-02-16 15:32:57
>
> =========================================================================
> ELSA
> =========================================================================
> Syslog-ng
> Checking for process:
> 3423 supervising syslog-ng
> 3424 /usr/sbin/syslog-ng -p /var/run/syslog-ng.pid
> Checking for connection:
> Connection to localhost 514 port [tcp/shell] succeeded!
>
> MySQL
> Checking for process:
> 3524 /usr/sbin/mysqld
> 15645 mysql -uroot -Dsecurityonion_db -e select count(*) as Total from event where event.signature_gen != 10001 and event.signature_id != 420042;
> 16264 sudo mysqlcheck -A
> 16265 mysqlcheck -A
> 16897 mysql -uroot -Dsecurityonion_db -e select count(*) as Totals, CONCAT(event.signature_gen, ':', event.signature_id) as 'GenID:SigID', event.signature as Signature from event where event.signature_gen != 10001 and event.signature_id != 420042 group by event.signature order by Totals desc limit 50;
> Checking for connection:
> Connection to localhost 3306 port [tcp/mysql] succeeded!
>
> Sphinx
> Checking for process:
> 3422 su -s /bin/sh -c exec "$0" "$@" sphinxsearch -- /usr/bin/searchd --nodetach
> Checking for connection:
> Connection to localhost 9306 port [tcp/*] succeeded!
>
> ELSA Buffers in Queue:
> 2
> If this number is consistently higher than 20, please see:
> https://github.com/Security-Onion-Solutions/security-onion/wiki/FAQ#why-does-sostat-show-a-high-number-of-elsa-buffers-in-queue
>
> ELSA Directory Sizes:
> 1.4G /nsm/elsa/data
> 23M /var/lib/mysql/syslog
> 32K /var/lib/mysql/syslog_data
>
> ELSA Index Date Range:
> MIN(start) MAX(end)
> 2016-01-04 22:50:10 2016-02-16 20:25:41
>
> ELSA Log Node SSH Tunnels:
> PORT NODE IP/STATUS
> 50000 SO-node X.X.X.X
> 50001 SO-node X.X.X.X
> 50002 SO-node X.X.X.X
> 50003 SO-node X.X.X.X
> 50004 SO-node X.X.X.X
>
>
> /var/log/nsm/securityonion$ cat sguild.log |more
> Executing: /usr/bin/sguild -c /etc/nsm/securityonion/sguild.conf -a /etc/nsm/securityonion/autocat.conf -g /etc/nsm/securityonion/sguild.queries -A /etc/nsm/securityonion/sguild.access -C /etc/nsm/securityonion/certs
> 2016-02-16 13:29:01 pid(17954) Loading access list: /etc/nsm/securityonion/sguild.access
> 2016-02-16 13:29:01 pid(17954) Sensor access list set to ALLOW ANY.
> 2016-02-16 13:29:01 pid(17954) Client access list set to ALLOW ANY.
> 2016-02-16 13:29:01 pid(17954) Email Configuration:
> 2016-02-16 13:29:01 pid(17954) Config file: /etc/sguild/sguild.email
> 2016-02-16 13:29:01 pid(17954) Enabled: No
> 2016-02-16 13:29:01 pid(17954) Connecting to localhost on 3306 as sguil
> 2016-02-16 13:29:01 pid(17954) MySQL Version: version 5.5.44-0ubuntu0.12.04.1
> 2016-02-16 13:29:01 pid(17954) SguilDB Version: 0.14
> 2016-02-16 13:29:01 pid(17954) Adding AutoCat Rule: 1 {} {} {} {} {} {} %%REGEXP%%^URL 1 {}
> 2016-02-16 13:29:01 pid(17954) Adding AutoCat Rule: 2 {} 0.0.0.0 {} 0.0.0.0 {} {} {[OSSEC] Received 0 packets in designated time interval (defined in ossec.conf). Please check interface, cabling, and tap/span!} 1 {}
> 2016-02-16 13:29:01 pid(17954) Adding AutoCat Rule: 19 {} 10.180.187.24 {} 0.0.0.0 {} {} {%%REGEXP%%[^OSSEC]+[SSHD (?=authentication)]} 1 {[AutoCat]Misconfigured Bro IDS}
> 2016-02-16 13:29:01 pid(17954) Adding AutoCat Rule: 23 {} 63.158.227.56 80 131.131.0.0/16 {} 6 {SURICATA STREAM ESTABLISHED retransmission packet before last ack} 1 {Possible Microsoft ForeFront Update Traffic}
> 2016-02-16 13:29:01 pid(17954) Adding AutoCat Rule: 24 {} 63.158.227.56 80 131.131.0.0/16 {} 6 {SURICATA STREAM ESTABLISHED packet out of window} 1 {Possible Microsoft ForeFront Update Traffic}
> 2016-02-16 13:29:01 pid(17954) Adding AutoCat Rule: 30 {} 189.250.22.196 0 {} 1 {} {SURICATA UDP packet too small} 1 {IP from Mexico, blocked by firewall}
> 2016-02-16 13:29:01 pid(17954) Adding AutoCat Rule: 31 {} 189.250.54.192 0 {} 1 {} {SURICATA UDP packet too small} 1 {IP from Mexico, blocked by firewall}
> 2016-02-16 13:29:01 pid(17954) Adding AutoCat Rule: 33 {} 106.39.223.82 {} {} {} {} {SURICATA UDP packet too small} 1 {106.39.223.82 blocking 2}
> 2016-02-16 13:29:01 pid(17954) Adding AutoCat Rule: 34 {} 189.250.82.82 {} {} {} {} {SURICATA UDP packet too small} 1 {IP from mexico, blocked by IP}
> 2016-02-16 13:29:01 pid(17954) Adding AutoCat Rule: 35 {} 153.173.164.224 {} {} {} {} {SURICATA UDP packet too small} 1 {IP from Japan, blocked by firewall}
> 2016-02-16 13:29:01 pid(17954) Adding AutoCat Rule: 36 {} 148.246.172.168 {} {} {} {} {SURICATA UDP packet too small} 1 {Possible Fragmentation DoS attack attempt. Connection seen, no reply.}
> 2016-02-16 13:29:01 pid(17954) Adding AutoCat Rule: 37 {} 189.250.22.196 {} 131.131.131.17 {} {} {SURICATA UDP packet too small} 1 {Possible Fragments Dos attack attempt.}
> 2016-02-16 13:29:01 pid(17954) Adding AutoCat Rule: 38 {} 189.250.69.35 {} {} {} {} {SURICATA UDP packet too small} 1 {More possible DoS attempts}
> 2016-02-16 13:29:01 pid(17954) Adding AutoCat Rule: 39 {} 189.130.89.209 {} {} {} {} {SURICATA UDP packet too small} 1 {More possible DoS attempts}
> 2016-02-16 13:29:01 pid(17954) Adding AutoCat Rule: 40 {} 187.171.237.58 {} {} {} {} {SURICATA UDP packet too small} 1 {More possible DoS attempts}
> 2016-02-16 13:29:01 pid(17954) Creating event MERGE table.
> 2016-02-16 13:29:01 pid(17954) Creating tcphdr MERGE table.
> 2016-02-16 13:29:01 pid(17954) Creating udphdr MERGE table.
> 2016-02-16 13:29:01 pid(17954) Creating icmphdr MERGE table.
> 2016-02-16 13:29:02 pid(17954) Creating data MERGE table.
> 2016-02-16 13:29:02 pid(17954) loaderd: Creating sancp MERGE table.
> 2016-02-16 13:29:02 pid(17961) Loaderd Forked
> 2016-02-16 13:29:02 pid(17954) Retrieving DB info...
> 2016-02-16 13:29:02 pid(17954) SELECT sid, net_name, hostname, agent_type FROM sensor WHERE active='Y' ORDER BY net_name, sid ASC
> 2016-02-16 13:29:02 pid(17954) SELECT MAX(timestamp) FROM event WHERE sid=308
> 2016-02-16 13:29:02 pid(17962) Queryd Forked
> 2016-02-16 13:29:02 pid(17954) SELECT MAX(timestamp) FROM pads WHERE sid=318
> 2016-02-16 13:29:02 pid(17954) SELECT MAX(timestamp) FROM event WHERE sid=353
> 2016-02-16 13:29:02 pid(17954) SELECT MAX(timestamp) FROM event WHERE sid=355
> 2016-02-16 13:29:02 pid(17954) SELECT MAX(timestamp) FROM event WHERE sid=356
> 2016-02-16 13:29:02 pid(17954) SELECT MAX(timestamp) FROM event WHERE sid=358
> 2016-02-16 13:29:02 pid(17954) SELECT MAX(timestamp) FROM event WHERE sid=359
> 2016-02-16 13:29:02 pid(17954) SELECT MAX(timestamp) FROM event WHERE sid=360
> 2016-02-16 13:29:02 pid(17954) SELECT MAX(timestamp) FROM event WHERE sid=361
> 2016-02-16 13:29:02 pid(17954) SELECT MAX(timestamp) FROM event WHERE sid=362
> 2016-02-16 13:29:02 pid(17954) SELECT MAX(timestamp) FROM event WHERE sid=363
> 2016-02-16 13:29:02 pid(17954) SELECT MAX(timestamp) FROM event WHERE sid=364
> 2016-02-16 13:29:02 pid(17954) SELECT MAX(timestamp) FROM event WHERE sid=365
> 2016-02-16 13:29:02 pid(17954) SELECT MAX(timestamp) FROM event WHERE sid=366
> 2016-02-16 13:29:02 pid(17954) SELECT MAX(timestamp) FROM event WHERE sid=367
> 2016-02-16 13:29:02 pid(17954) SELECT MAX(timestamp) FROM event WHERE sid=368
> 2016-02-16 13:29:02 pid(17954) SELECT MAX(timestamp) FROM event WHERE sid=369
> 2016-02-16 13:29:02 pid(17954) SELECT MAX(timestamp) FROM pads WHERE sid=325
> 2016-02-16 13:29:02 pid(17954) SELECT MAX(timestamp) FROM event WHERE sid=326
> 2016-02-16 13:29:02 pid(17954) SELECT MAX(timestamp) FROM event WHERE sid=329
> 2016-02-16 13:29:02 pid(17954) SELECT MAX(timestamp) FROM event WHERE sid=331
> 2016-02-16 13:29:02 pid(17954) SELECT MAX(timestamp) FROM event WHERE sid=333
> 2016-02-16 13:29:02 pid(17954) SELECT MAX(timestamp) FROM event WHERE sid=334
> 2016-02-16 13:29:02 pid(17954) SELECT MAX(timestamp) FROM event WHERE sid=336
> 2016-02-16 13:29:02 pid(17954) SELECT MAX(timestamp) FROM event WHERE sid=338
> 2016-02-16 13:29:02 pid(17954) SELECT MAX(timestamp) FROM event WHERE sid=340
> 2016-02-16 13:29:02 pid(17954) SELECT MAX(timestamp) FROM event WHERE sid=342
> 2016-02-16 13:29:02 pid(17954) SELECT MAX(timestamp) FROM event WHERE sid=344
> 2016-02-16 13:29:02 pid(17954) SELECT MAX(timestamp) FROM event WHERE sid=346
> 2016-02-16 13:29:02 pid(17954) SELECT MAX(timestamp) FROM event WHERE sid=347
> 2016-02-16 13:29:02 pid(17954) SELECT MAX(timestamp) FROM event WHERE sid=348
> 2016-02-16 13:29:02 pid(17954) SELECT MAX(timestamp) FROM event WHERE sid=349
> 2016-02-16 13:29:02 pid(17954) SELECT MAX(timestamp) FROM event WHERE sid=350
> 2016-02-16 13:29:02 pid(17954) SELECT MAX(timestamp) FROM event WHERE sid=351
> 2016-02-16 13:29:02 pid(17954) SELECT MAX(timestamp) FROM event WHERE sid=311
> 2016-02-16 13:29:02 pid(17954) SELECT MAX(timestamp) FROM pads WHERE sid=312
> 2016-02-16 13:29:02 pid(17954) SELECT MAX(timestamp) FROM event WHERE sid=319
> 2016-02-16 13:29:02 pid(17954) SELECT MAX(timestamp) FROM event WHERE sid=320
> 2016-02-16 13:29:03 pid(17954) SELECT MAX(timestamp) FROM event WHERE sid=322
> 2016-02-16 13:29:03 pid(17954) SELECT MAX(timestamp) FROM event WHERE sid=323
> 2016-02-16 13:29:03 pid(17954) SELECT MAX(timestamp) FROM event WHERE sid=324
> 2016-02-16 13:29:03 pid(17954) SELECT MAX(timestamp) FROM event WHERE sid=327
> 2016-02-16 13:29:03 pid(17954) SELECT MAX(timestamp) FROM event WHERE sid=330
> 2016-02-16 13:29:03 pid(17954) SELECT MAX(timestamp) FROM event WHERE sid=332
> 2016-02-16 13:29:03 pid(17954) SELECT MAX(timestamp) FROM event WHERE sid=335
> 2016-02-16 13:29:03 pid(17954) SELECT MAX(timestamp) FROM event WHERE sid=337
> 2016-02-16 13:29:03 pid(17954) SELECT MAX(timestamp) FROM event WHERE sid=339
> 2016-02-16 13:29:03 pid(17954) SELECT MAX(timestamp) FROM event WHERE sid=341
> 2016-02-16 13:29:03 pid(17954) SELECT MAX(timestamp) FROM event WHERE sid=343
> 2016-02-16 13:29:03 pid(17954) SELECT MAX(timestamp) FROM event WHERE sid=345
> 2016-02-16 13:29:03 pid(17954) SELECT MAX(timestamp) FROM event WHERE sid=370
> 2016-02-16 13:29:03 pid(17954) SELECT MAX(timestamp) FROM event WHERE sid=307
> 2016-02-16 13:29:03 pid(17954) SELECT MAX(timestamp) FROM event WHERE sid=310
> 2016-02-16 13:29:03 pid(17954) SELECT MAX(timestamp) FROM event WHERE sid=313
> 2016-02-16 13:29:03 pid(17954) SELECT MAX(timestamp) FROM event WHERE sid=314
> 2016-02-16 13:29:03 pid(17954) SELECT MAX(timestamp) FROM event WHERE sid=316
> 2016-02-16 13:29:03 pid(17954) SELECT MAX(timestamp) FROM event WHERE sid=317
> 2016-02-16 13:29:03 pid(17954) SELECT MAX(timestamp) FROM event WHERE sid=321
> 2016-02-16 13:29:03 pid(17954) SELECT MAX(timestamp) FROM pads WHERE sid=352
> 2016-02-16 13:29:03 pid(17954) SELECT MAX(timestamp) FROM event WHERE sid=357
> 2016-02-16 13:29:03 pid(17954) SELECT MAX(timestamp) FROM event WHERE sid=371
> 2016-02-16 13:29:03 pid(17954) SELECT MAX(timestamp) FROM event WHERE sid=372
> 2016-02-16 13:29:03 pid(17954) SELECT MAX(timestamp) FROM event WHERE sid=373
> 2016-02-16 13:29:03 pid(17954) SELECT MAX(timestamp) FROM event WHERE sid=374
> 2016-02-16 13:29:03 pid(17954) SELECT MAX(timestamp) FROM event WHERE sid=375
> 2016-02-16 13:29:03 pid(17954) SELECT MAX(timestamp) FROM event WHERE sid=376
> 2016-02-16 13:29:03 pid(17954) SELECT MAX(timestamp) FROM event WHERE sid=377
> 2016-02-16 13:29:03 pid(17954) SELECT MAX(timestamp) FROM event WHERE sid=378
> 2016-02-16 13:29:03 pid(17954) SELECT MAX(timestamp) FROM event WHERE sid=306
> 2016-02-16 13:29:03 pid(17954) SELECT MAX(timestamp) FROM event WHERE sid=268
> 2016-02-16 13:29:03 pid(17954) SELECT MAX(timestamp) FROM event WHERE sid=269
> 2016-02-16 13:29:03 pid(17954) SELECT MAX(timestamp) FROM event WHERE sid=271
>
> 2016-02-16 13:34:03 pid(18911) SELECT MAX(timestamp) FROM event WHERE sid=272
> 2016-02-16 13:34:03 pid(18911) SELECT MAX(timestamp) FROM event WHERE sid=273
> 2016-02-16 13:34:03 pid(18911) SELECT MAX(timestamp) FROM event WHERE sid=274
> 2016-02-16 13:34:03 pid(18911) SELECT MAX(timestamp) FROM event WHERE sid=275
> 2016-02-16 13:34:03 pid(18911) SELECT MAX(timestamp) FROM event WHERE sid=276
> 2016-02-16 13:34:03 pid(18911) SELECT MAX(timestamp) FROM event WHERE sid=277
> 2016-02-16 13:34:03 pid(18911) SELECT MAX(timestamp) FROM event WHERE sid=278
> 2016-02-16 13:34:03 pid(18911) SELECT MAX(timestamp) FROM event WHERE sid=279
> 2016-02-16 13:34:03 pid(18911) SELECT MAX(timestamp) FROM event WHERE sid=280
> 2016-02-16 13:34:03 pid(18911) SELECT MAX(timestamp) FROM event WHERE sid=281
> 2016-02-16 13:34:03 pid(18911) SELECT MAX(timestamp) FROM event WHERE sid=282
> 2016-02-16 13:34:03 pid(18911) SELECT MAX(timestamp) FROM event WHERE sid=283
> 2016-02-16 13:34:03 pid(18911) SELECT MAX(timestamp) FROM pads WHERE sid=286
> 2016-02-16 13:34:03 pid(18911) SELECT MAX(timestamp) FROM event WHERE sid=293
> 2016-02-16 13:34:03 pid(18911) SELECT MAX(timestamp) FROM pads WHERE sid=239
> 2016-02-16 13:34:03 pid(18911) SELECT MAX(timestamp) FROM event WHERE sid=242
> 2016-02-16 13:34:03 pid(18911) SELECT MAX(timestamp) FROM event WHERE sid=244
> 2016-02-16 13:34:03 pid(18911) SELECT MAX(timestamp) FROM event WHERE sid=246
> 2016-02-16 13:34:03 pid(18911) SELECT MAX(timestamp) FROM event WHERE sid=247
> 2016-02-16 13:34:03 pid(18911) SELECT MAX(timestamp) FROM event WHERE sid=249
> 2016-02-16 13:34:03 pid(18911) SELECT MAX(timestamp) FROM event WHERE sid=251
> 2016-02-16 13:34:03 pid(18911) SELECT MAX(timestamp) FROM event WHERE sid=253
> 2016-02-16 13:34:03 pid(18911) SELECT MAX(timestamp) FROM event WHERE sid=255
> 2016-02-16 13:34:03 pid(18911) SELECT MAX(timestamp) FROM event WHERE sid=257
> 2016-02-16 13:34:03 pid(18911) SELECT MAX(timestamp) FROM event WHERE sid=259
> 2016-02-16 13:34:03 pid(18911) SELECT MAX(timestamp) FROM event WHERE sid=260
> 2016-02-16 13:34:03 pid(18911) SELECT MAX(timestamp) FROM event WHERE sid=261
> 2016-02-16 13:34:03 pid(18911) SELECT MAX(timestamp) FROM event WHERE sid=262
> 2016-02-16 13:34:03 pid(18911) SELECT MAX(timestamp) FROM event WHERE sid=263
> 2016-02-16 13:34:03 pid(18911) SELECT MAX(timestamp) FROM event WHERE sid=264
> 2016-02-16 13:34:03 pid(18911) SELECT MAX(timestamp) FROM event WHERE sid=265
> 2016-02-16 13:34:03 pid(18911) SELECT MAX(timestamp) FROM event WHERE sid=234
> 2016-02-16 13:34:03 pid(18911) SELECT MAX(timestamp) FROM event WHERE sid=235
> 2016-02-16 13:34:03 pid(18911) SELECT MAX(timestamp) FROM event WHERE sid=236
> 2016-02-16 13:34:03 pid(18911) SELECT MAX(timestamp) FROM event WHERE sid=237
> 2016-02-16 13:34:03 pid(18911) SELECT MAX(timestamp) FROM event WHERE sid=238
> 2016-02-16 13:34:03 pid(18911) SELECT MAX(timestamp) FROM event WHERE sid=240
> 2016-02-16 13:34:03 pid(18911) SELECT MAX(timestamp) FROM event WHERE sid=243
> 2016-02-16 13:34:03 pid(18911) SELECT MAX(timestamp) FROM event WHERE sid=245
> 2016-02-16 13:34:03 pid(18911) SELECT MAX(timestamp) FROM event WHERE sid=248
> 2016-02-16 13:34:03 pid(18911) SELECT MAX(timestamp) FROM event WHERE sid=250
> 2016-02-16 13:34:03 pid(18911) SELECT MAX(timestamp) FROM event WHERE sid=252
> 2016-02-16 13:34:03 pid(18911) SELECT MAX(timestamp) FROM event WHERE sid=254
> 2016-02-16 13:34:03 pid(18911) SELECT MAX(timestamp) FROM event WHERE sid=256
> 2016-02-16 13:34:03 pid(18911) SELECT MAX(timestamp) FROM event WHERE sid=258
> 2016-02-16 13:34:03 pid(18911) SELECT MAX(timestamp) FROM pads WHERE sid=284
> 2016-02-16 13:34:03 pid(18911) SELECT MAX(timestamp) FROM event WHERE sid=289
> 2016-02-16 13:34:03 pid(18911) SELECT MAX(timestamp) FROM event WHERE sid=295
> 2016-02-16 13:34:03 pid(18911) SELECT MAX(timestamp) FROM event WHERE sid=383
> 2016-02-16 13:34:03 pid(18911) SELECT MAX(timestamp) FROM event WHERE sid=384
> 2016-02-16 13:34:03 pid(18911) SELECT MAX(timestamp) FROM event WHERE sid=385
> 2016-02-16 13:34:03 pid(18911) SELECT MAX(timestamp) FROM event WHERE sid=386
> 2016-02-16 13:34:03 pid(18911) SELECT MAX(timestamp) FROM event WHERE sid=387
> 2016-02-16 13:34:03 pid(18911) SELECT MAX(timestamp) FROM event WHERE sid=388
> 2016-02-16 13:34:03 pid(18911) SELECT MAX(timestamp) FROM pads WHERE sid=266
> 2016-02-16 13:34:03 pid(18911) SELECT MAX(timestamp) FROM event WHERE sid=270
> 2016-02-16 13:34:03 pid(18911) SELECT MAX(timestamp) FROM event WHERE sid=285
> 2016-02-16 13:34:03 pid(18911) SELECT MAX(timestamp) FROM event WHERE sid=287
> 2016-02-16 13:34:03 pid(18911) SELECT MAX(timestamp) FROM event WHERE sid=288
> 2016-02-16 13:34:03 pid(18911) SELECT MAX(timestamp) FROM event WHERE sid=290
> 2016-02-16 13:34:03 pid(18911) SELECT MAX(timestamp) FROM event WHERE sid=292
> 2016-02-16 13:34:03 pid(18911) SELECT MAX(timestamp) FROM event WHERE sid=296
> 2016-02-16 13:34:03 pid(18911) SELECT MAX(timestamp) FROM event WHERE sid=297
> 2016-02-16 13:34:03 pid(18911) SELECT MAX(timestamp) FROM event WHERE sid=298
> 2016-02-16 13:34:03 pid(18911) SELECT MAX(timestamp) FROM event WHERE sid=299
> 2016-02-16 13:34:03 pid(18911) SELECT MAX(timestamp) FROM event WHERE sid=300
> 2016-02-16 13:34:03 pid(18911) SELECT MAX(timestamp) FROM event WHERE sid=301
> 2016-02-16 13:34:03 pid(18911) SELECT MAX(timestamp) FROM event WHERE sid=302
> 2016-02-16 13:34:03 pid(18911) SELECT MAX(timestamp) FROM event WHERE sid=303
> 2016-02-16 13:34:03 pid(18911) SELECT MAX(timestamp) FROM event WHERE sid=304
> 2016-02-16 13:34:03 pid(18911) SELECT MAX(timestamp) FROM event WHERE sid=305
> 2016-02-16 13:34:03 pid(18911) SELECT MAX(timestamp) FROM event WHERE sid=233
> 2016-02-16 13:34:03 pid(18911) SELECT MAX(timestamp) FROM pads WHERE sid=163
> 2016-02-16 13:34:03 pid(18911) SELECT MAX(timestamp) FROM event WHERE sid=165
> 2016-02-16 13:34:03 pid(18911) SELECT MAX(timestamp) FROM event WHERE sid=172
> 2016-02-16 13:34:03 pid(18911) SELECT MAX(timestamp) FROM event WHERE sid=177
> 2016-02-16 13:34:03 pid(18911) SELECT MAX(timestamp) FROM event WHERE sid=181
> 2016-02-16 13:34:03 pid(18911) SELECT MAX(timestamp) FROM event WHERE sid=185
> 2016-02-16 13:34:03 pid(18911) SELECT MAX(timestamp) FROM event WHERE sid=188
> 2016-02-16 13:34:03 pid(18911) SELECT MAX(timestamp) FROM event WHERE sid=191
> 2016-02-16 13:34:03 pid(18911) SELECT MAX(timestamp) FROM event WHERE sid=224
> 2016-02-16 13:34:03 pid(18911) SELECT MAX(timestamp) FROM event WHERE sid=225
> 2016-02-16 13:34:03 pid(18911) SELECT MAX(timestamp) FROM event WHERE sid=226
> 2016-02-16 13:34:03 pid(18911) SELECT MAX(timestamp) FROM event WHERE sid=227
> 2016-02-16 13:34:03 pid(18911) SELECT MAX(timestamp) FROM event WHERE sid=228
> 2016-02-16 13:34:03 pid(18911) SELECT MAX(timestamp) FROM event WHERE sid=229
> 2016-02-16 13:34:03 pid(18911) SELECT MAX(timestamp) FROM event WHERE sid=230
> 2016-02-16 13:34:03 pid(18911) SELECT MAX(timestamp) FROM event WHERE sid=231
> 2016-02-16 13:34:03 pid(18911) SELECT MAX(timestamp) FROM event WHERE sid=232
> 2016-02-16 13:34:03 pid(18911) SELECT MAX(timestamp) FROM pads WHERE sid=160
> 2016-02-16 13:34:03 pid(18911) SELECT MAX(timestamp) FROM event WHERE sid=162
> 2016-02-16 13:34:03 pid(18911) SELECT MAX(timestamp) FROM event WHERE sid=168
> 2016-02-16 13:34:03 pid(18911) SELECT MAX(timestamp) FROM event WHERE sid=169
> 2016-02-16 13:34:03 pid(18911) SELECT MAX(timestamp) FROM event WHERE sid=170
> 2016-02-16 13:34:03 pid(18911) SELECT MAX(timestamp) FROM event WHERE sid=171
> 2016-02-16 13:34:03 pid(18911) SELECT MAX(timestamp) FROM event WHERE sid=174
> 2016-02-16 13:34:03 pid(18911) SELECT MAX(timestamp) FROM event WHERE sid=175
> 2016-02-16 13:34:03 pid(18911) SELECT MAX(timestamp) FROM event WHERE sid=176
> 2016-02-16 13:34:03 pid(18911) SELECT MAX(timestamp) FROM event WHERE sid=178
> 2016-02-16 13:34:03 pid(18911) SELECT MAX(timestamp) FROM event WHERE sid=180
> 2016-02-16 13:34:03 pid(18911) SELECT MAX(timestamp) FROM event WHERE sid=182
> 2016-02-16 13:34:03 pid(18911) SELECT MAX(timestamp) FROM event WHERE sid=184
> 2016-02-16 13:34:03 pid(18911) SELECT MAX(timestamp) FROM event WHERE sid=187
> 2016-02-16 13:34:03 pid(18911) SELECT MAX(timestamp) FROM event WHERE sid=190
> 2016-02-16 13:34:03 pid(18911) SELECT MAX(timestamp) FROM event WHERE sid=193
> 2016-02-16 13:34:03 pid(18911) SELECT MAX(timestamp) FROM event WHERE sid=194
> 2016-02-16 13:34:03 pid(18911) SELECT MAX(timestamp) FROM event WHERE sid=166
> 2016-02-16 13:34:03 pid(18911) SELECT MAX(timestamp) FROM event WHERE sid=167
> 2016-02-16 13:34:03 pid(18911) SELECT MAX(timestamp) FROM pads WHERE sid=197
> 2016-02-16 13:34:03 pid(18911) SELECT MAX(timestamp) FROM event WHERE sid=199
> 2016-02-16 13:34:03 pid(18911) SELECT MAX(timestamp) FROM event WHERE sid=210
> 2016-02-16 13:34:03 pid(18911) SELECT MAX(timestamp) FROM event WHERE sid=211
> 2016-02-16 13:34:03 pid(18911) SELECT MAX(timestamp) FROM event WHERE sid=212
> 2016-02-16 13:34:03 pid(18911) SELECT MAX(timestamp) FROM event WHERE sid=213
> 2016-02-16 13:34:03 pid(18911) SELECT MAX(timestamp) FROM event WHERE sid=214
> 2016-02-16 13:34:03 pid(18911) SELECT MAX(timestamp) FROM event WHERE sid=215
> 2016-02-16 13:34:03 pid(18911) SELECT MAX(timestamp) FROM event WHERE sid=216
> 2016-02-16 13:34:03 pid(18911) SELECT MAX(timestamp) FROM event WHERE sid=217
> 2016-02-16 13:34:03 pid(18911) SELECT MAX(timestamp) FROM event WHERE sid=218
> 2016-02-16 13:34:04 pid(18911) Querying DB for archived events...
> 2016-02-16 13:34:04 pid(18911) SELECT event.status, event.priority, event.class, sensor.hostname,
> event.timestamp, event.sid, event.cid, event.signature,
> INET_NTOA(event.src_ip), INET_NTOA(event.dst_ip), event.ip_proto,
> event.src_port, event.dst_port, event.signature_gen, event.signature_id,
> event.signature_rev, event.unified_event_id, unified_event_ref
> FROM event
> FORCE INDEX (status)
> JOIN sensor ON event.sid=sensor.sid
> WHERE event.status=0 ORDER BY event.timestamp ASC
> 2016-02-16 13:34:04 pid(18911) Archived Alert: 0 3 unknown solo02-eth0 {2016-02-14 18:03:07} 26 944714 {SURICATA ICMPv4 unknown version} 91.123.16.15 131.131.131.131 1 {} {} 1 2200027 1 606537 606537
> 2016-02-16 13:34:04 pid(18911) Archived Alert: 0 3 unknown solo02-eth0 {2016-02-14 18:28:15} 26 944731 {SURICATA ICMPv4 unknown version} 91.123.16.15 131.131.131.131 1 {} {} 1 2200027 1 606554 606554
> 2016-02-16 13:34:04 pid(18911) Archived Alert: 0 3 unknown solo02-eth0 {2016-02-14 18:37:13} 26 944736 {SURICATA ICMPv4 unknown version} 91.123.16.15 131.131.131.131 1 {} {} 1 2200027 1 606559 606559
> 2016-02-16 13:34:04 pid(18911) Archived Alert: 0 3 unknown solo02-eth0 {2016-02-14 19:12:58} 26 944753 {SURICATA ICMPv4 unknown version} 91.123.16.15 131.131.131.131 1 {} {} 1 2200027 1 606576 606576
> 2016-02-16 13:34:04 pid(18911) Archived Alert: 0 3 unknown solo02-eth0 {2016-02-14 19:29:00} 26 944769 {SURICATA ICMPv4 unknown version} 91.123.16.15 131.131.129.128 1 {} {} 1 2200027 1 606592 606592
> 2016-02-16 13:34:04 pid(18911) Archived Alert: 0 3 unknown solo01-eth3 {2016-02-14 19:51:31} 42 1017714 {SURICATA TCP invalid option length} 85.174.78.47 131.131.149.122 6 0 0 1 2200035 1 2085615 2085615
> 2016-02-16 13:34:04 pid(18911) Archived Alert: 0 3 unknown solo01-eth3 {2016-02-15 00:23:20} 42 1031458 {SURICATA TCP option invalid length} 178.175.27.156 131.131.155.229 6 49027 20012 1 2200036 1 2099359 2099359
> 2016-02-16 13:34:04 pid(18911) Archived Alert: 0 3 unknown solo02-eth0 {2016-02-15 04:46:01} 26 959100 {SURICATA ICMPv4 unknown version} 108.63.128.1 131.131.151.139 1 {} {} 1 2200027 1 620923 620923
> 2016-02-16 13:34:04 pid(18911) Archived Alert: 0 5 {} coilite-mgr-ossec {2016-02-15 19:02:24} 1 35258 {[OSSEC] SSHD authentication failed.} 10.180.187.21 0.0.0.0 0 {} {} 10001 5716 1 35258 35258
> 2016-02-16 13:34:04 pid(18911) Archived Alert: 0 5 {} coilite-mgr-ossec {2016-02-15 19:02:26} 1 35262 {[OSSEC] SSHD authentication failed.} 10.180.187.21 0.0.0.0 0 {} {} 10001 5716 1 35262 35262
> 2016-02-16 13:34:04 pid(18911) Archived Alert: 0 5 {} coilite-mgr-ossec {2016-02-15 19:02:26} 1 35261 {[OSSEC] SSHD authentication failed.} 10.180.187.21 0.0.0.0 0 {} {} 10001 5716 1 35261 35261
> 2016-02-16 13:34:04 pid(18911) Archived Alert: 0 5 {} coilite-mgr-ossec {2016-02-15 19:02:26} 1 35260 {[OSSEC] SSHD authentication failed.} 10.180.187.21 0.0.0.0 0 {} {} 10001 5716 1 35260 35260
> 2016-02-16 13:34:04 pid(18911) Archived Alert: 0 5 {} coilite-mgr-ossec {2016-02-15 19:02:26} 1 35259 {[OSSEC] SSHD authentication failed.} 10.180.187.21 0.0.0.0 0 {} {} 10001 5716 1 35259 35259
> 2016-02-16 13:34:04 pid(18911) Archived Alert: 0 5 {} coilite-mgr-ossec {2016-02-15 19:02:28} 1 35264 {[OSSEC] SSHD authentication failed.} 10.180.187.21 0.0.0.0 0 {} {} 10001 5716 1 35264 35264
> 2016-02-16 13:34:04 pid(18911) Archived Alert: 0 5 {} coilite-mgr-ossec {2016-02-15 19:02:28} 1 35263 {[OSSEC] SSHD authentication failed.} 10.180.187.21 0.0.0.0 0 {} {} 10001 5716 1 35263 35263
> 2016-02-16 13:34:04 pid(18911) Archived Alert: 0 5 {} coilite-mgr-ossec {2016-02-15 19:05:41} 1 35266 {[OSSEC] SSHD authentication failed.} 10.180.187.23 0.0.0.0 0 {} {} 10001 5716 1 35266 35266
> 2016-02-16 13:34:04 pid(18911) Archived Alert: 0 5 {} coilite-mgr-ossec {2016-02-15 19:05:41} 1 35265 {[OSSEC] SSHD authentication failed.} 10.180.187.23 0.0.0.0 0 {} {} 10001 5716 1 35265 35265
> 2016-02-16 13:34:04 pid(18911) Archived Alert: 0 5 {} coilite-mgr-ossec {2016-02-15 19:05:43} 1 35270 {[OSSEC] SSHD authentication failed.} 10.180.187.23 0.0.0.0 0 {} {} 10001 5716 1 35270 35270
> 2016-02-16 13:34:04 pid(18911) Archived Alert: 0 5 {} coilite-mgr-ossec {2016-02-15 19:05:43} 1 35269 {[OSSEC] SSHD authentication failed.} 10.180.187.23 0.0.0.0 0 {} {} 10001 5716 1 35269 35269
> 2016-02-16 13:34:04 pid(18911) Archived Alert: 0 5 {} coilite-mgr-ossec {2016-02-15 19:05:43} 1 35268 {[OSSEC] SSHD authentication failed.} 10.180.187.23 0.0.0.0 0 {} {} 10001 5716 1 35268 35268
> 2016-02-16 13:34:04 pid(18911) Archived Alert: 0 5 {} coilite-mgr-ossec {2016-02-15 19:05:43} 1 35267 {[OSSEC] SSHD authentication failed.} 10.180.187.23 0.0.0.0 0 {} {} 10001 5716 1 35267 35267
> 2016-02-16 13:34:04 pid(18911) Archived Alert: 0 5 {} coilite-mgr-ossec {2016-02-15 19:05:45} 1 35271 {[OSSEC] SSHD authentication failed.} 10.180.187.23 0.0.0.0 0 {} {} 10001 5716 1 35271 35271
> 2016-02-16 13:34:04 pid(18911) Archived Alert: 0 7 {} coilite-sensor03-ossec {2016-02-16 00:10:18} 2 11482 {[OSSEC] Received 0 packets in designated time interval (defined in ossec.conf). Please check interface, cabling, and tap/span!} 0.0.0.0 0.0.0.0 0 {} {} 10001 111112 1 11482 11482
> 2016-02-16 13:34:04 pid(18911) AUTO MARKING EVENT AS : 1
> 2016-02-16 13:34:04 pid(18911) UPDATE `event_coilite-sensor03-ossec_20160216` SET status=1, last_modified='2016-02-16 13:34:04', last_uid='1' WHERE sid=2 AND cid=11482
> mysqlexec/db server: Table 'securityonion_db.event_coilite-sensor03-ossec_20160216' doesn't exist
> while executing
> "mysqlexec $MAIN_DB_SOCKETID $updateString"
> (procedure "UpdateDBStatus" line 11)
> invoked from within
> "UpdateDBStatus [lindex $data 3] [lindex $data 4] [lindex $data 5] [lindex $data 6] [GetCurrentTimeStamp] $AUTOID $acCat($rid)"
> (procedure "AutoCat" line 43)
> invoked from within
> "AutoCat $row"
> ("foreach" body line 6)
> invoked from within
> "foreach row [mysqlsel $MAIN_DB_SOCKETID $tmpQry -list] {
>
> InfoMessage "Archived Alert: $row"
> set LAST_EVENT_ID([lindex $row 3]) "[li..."
> invoked from within
> "if { $mergeTableListArray(event) != "" } {
>
> # Get the archived alerts
> LogMessage "Querying DB for archived events..."
> set MAJOR_MYSQL_VERS..."
> (file "/usr/bin/sguild" line 737)
> 2016-02-16 13:34:04 pid(18916) loaderd: Received:
> 2016-02-16 13:34:04 pid(18916) Unknown command received from sguild:
>
>
> --
> Follow Security Onion on Twitter!
> https://twitter.com/securityonion
> ---
> You received this message because you are subscribed to the Google Groups "security-onion" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to security-onio...@googlegroups.com.
> To post to this group, send email to securit...@googlegroups.com.
> Visit this group at https://groups.google.com/group/security-onion.
> For more options, visit https://groups.google.com/d/optout.



--
Doug Burks

Doug Burks

Feb 16, 2016, 4:28:14 PM
to securit...@googlegroups.com
On Tue, Feb 16, 2016 at 4:25 PM, Danny Stephens <syc...@gmail.com> wrote:
> Where can I find the sguil PID so that I can remove it?

You shouldn't need to remove the PID file manually. You can try
restarting sguild as follows (which should automatically remove the
stale PID):
sudo nsm_server_ps-start

But it will most likely say the same thing until the MySQL issue is resolved.

Doug Burks

Feb 16, 2016, 4:38:07 PM
to securit...@googlegroups.com
On Tue, Feb 16, 2016 at 4:33 PM, Danny Stephens <syc...@gmail.com> wrote:
> The database is up and running and checks out

The sguild log file says:

mysqlexec/db server: Table
'securityonion_db.event_coilite-sensor03-ossec_20160216' doesn't exist

so something is wrong with the database.

Have you tried lowering DAYSTOKEEP in /etc/nsm/securityonion.conf and
re-running "sudo sguil-db-purge"?


--
Doug Burks

Doug Burks

Feb 16, 2016, 4:40:49 PM
to securit...@googlegroups.com
Right, mysqlcheck thinks the database is OK, but sguild thinks it's
not OK. Have you tried lowering DAYSTOKEEP in
/etc/nsm/securityonion.conf and re-running "sudo sguil-db-purge"?

On Tue, Feb 16, 2016 at 4:39 PM, Danny Stephens <syc...@gmail.com> wrote:
> # mysqlcheck -u root -p --auto-repair -c -o --all-databases
>
> and this came back all "ok's"

Doug Burks

Feb 16, 2016, 4:47:38 PM
to securit...@googlegroups.com
Yes, it may take a while. Please be patient and allow it to complete.

On Tue, Feb 16, 2016 at 4:46 PM, Danny Stephens <syc...@gmail.com> wrote:
> On Tuesday, February 16, 2016 at 3:44:41 PM UTC-6, Danny Stephens wrote:
>> DAYSTOKEEP was set at 30; I changed it to 10 and am running the purge again
>
> it is just sitting there now
>
> /etc/nsm$ sudo sguil-db-purge
> Tue Feb 16 21:44:40 GMT-7 2016
> Retention policy set to 10 days (deleting data prior to 20160206).
> Repair policy set to 2 days (repairing tables back to 20160214).
> Uncat policy set to 1000 uncategorized events (categorizing events until we get down to 1000).
> Stopping: securityonion
> * stopping: sguil server (not running) [ WARN ]
> - stale PID file found, deleting!
> There are 93 uncategorized events, which does not exceed the max of 1000.

Doug Burks

Feb 16, 2016, 5:11:00 PM
to securit...@googlegroups.com
Yes, as I mentioned before, it may take a while. Please be patient
and allow it to complete.

On Tue, Feb 16, 2016 at 5:09 PM, Danny Stephens <syc...@gmail.com> wrote:
> Doug, should it still be running in the same spot? There has been no change.

Wes

Feb 16, 2016, 8:07:16 PM
to security-onion
On Tuesday, February 16, 2016 at 7:42:37 PM UTC-5, Danny Stephens wrote:
> tailed the sguild.log
>
>
> 016-02-16 17:39:08 pid(18129) Querying DB for archived events...
> 2016-02-16 17:39:08 pid(18129) SELECT event.status, event.priority, event.class, sensor.hostname,
> event.timestamp, event.sid, event.cid, event.signature,
> INET_NTOA(event.src_ip), INET_NTOA(event.dst_ip), event.ip_proto,
> event.src_port, event.dst_port, event.signature_gen, event.signature_id,
> event.signature_rev, event.unified_event_id, unified_event_ref
> FROM event
> FORCE INDEX (status)
> JOIN sensor ON event.sid=sensor.sid
> WHERE event.status=0 ORDER BY event.timestamp ASC
> 2016-02-16 17:39:08 pid(18129) Archived Alert: 0 3 unknown solo02-eth0 {2016-02-14 18:03:07} 26 944714 {SURICATA ICMPv4 unknown version} 91.123.16.15 131.131.131.131 1 {} {} 1 2200027 1 606537 606537
> 2016-02-16 17:39:08 pid(18129) Archived Alert: 0 3 unknown solo02-eth0 {2016-02-14 18:28:15} 26 944731 {SURICATA ICMPv4 unknown version} 91.123.16.15 131.131.131.131 1 {} {} 1 2200027 1 606554 606554
> 2016-02-16 17:39:08 pid(18129) Archived Alert: 0 3 unknown solo02-eth0 {2016-02-14 18:37:13} 26 944736 {SURICATA ICMPv4 unknown version} 91.123.16.15 131.131.131.131 1 {} {} 1 2200027 1 606559 606559
> 2016-02-16 17:39:08 pid(18129) Archived Alert: 0 3 unknown solo02-eth0 {2016-02-14 19:12:58} 26 944753 {SURICATA ICMPv4 unknown version} 91.123.16.15 131.131.131.131 1 {} {} 1 2200027 1 606576 606576
> 2016-02-16 17:39:08 pid(18129) Archived Alert: 0 3 unknown solo02-eth0 {2016-02-14 19:29:00} 26 944769 {SURICATA ICMPv4 unknown version} 91.123.16.15 131.131.129.128 1 {} {} 1 2200027 1 606592 606592
> 2016-02-16 17:39:08 pid(18129) Archived Alert: 0 3 unknown solo01-eth3 {2016-02-14 19:51:31} 42 1017714 {SURICATA TCP invalid option length} 85.174.78.47 131.131.149.122 6 0 0 1 2200035 1 2085615 2085615
> 2016-02-16 17:39:08 pid(18129) Archived Alert: 0 3 unknown solo01-eth3 {2016-02-15 00:23:20} 42 1031458 {SURICATA TCP option invalid length} 178.175.27.156 131.131.155.229 6 49027 20012 1 2200036 1 2099359 2099359
> 2016-02-16 17:39:08 pid(18129) Archived Alert: 0 3 unknown solo02-eth0 {2016-02-15 04:46:01} 26 959100 {SURICATA ICMPv4 unknown version} 108.63.128.1 131.131.151.139 1 {} {} 1 2200027 1 620923 620923
> 2016-02-16 17:39:08 pid(18129) Archived Alert: 0 5 {} coilite-mgr-ossec {2016-02-15 19:02:24} 1 35258 {[OSSEC] SSHD authentication failed.} 10.180.187.21 0.0.0.0 0 {} {} 10001 5716 1 35258 35258
> 2016-02-16 17:39:08 pid(18129) Archived Alert: 0 5 {} coilite-mgr-ossec {2016-02-15 19:02:26} 1 35262 {[OSSEC] SSHD authentication failed.} 10.180.187.21 0.0.0.0 0 {} {} 10001 5716 1 35262 35262
> 2016-02-16 17:39:08 pid(18129) Archived Alert: 0 5 {} coilite-mgr-ossec {2016-02-15 19:02:26} 1 35261 {[OSSEC] SSHD authentication failed.} 10.180.187.21 0.0.0.0 0 {} {} 10001 5716 1 35261 35261
> 2016-02-16 17:39:08 pid(18129) Archived Alert: 0 5 {} coilite-mgr-ossec {2016-02-15 19:02:26} 1 35260 {[OSSEC] SSHD authentication failed.} 10.180.187.21 0.0.0.0 0 {} {} 10001 5716 1 35260 35260
> 2016-02-16 17:39:08 pid(18129) Archived Alert: 0 5 {} coilite-mgr-ossec {2016-02-15 19:02:26} 1 35259 {[OSSEC] SSHD authentication failed.} 10.180.187.21 0.0.0.0 0 {} {} 10001 5716 1 35259 35259
> 2016-02-16 17:39:08 pid(18129) Archived Alert: 0 5 {} coilite-mgr-ossec {2016-02-15 19:02:28} 1 35264 {[OSSEC] SSHD authentication failed.} 10.180.187.21 0.0.0.0 0 {} {} 10001 5716 1 35264 35264
> 2016-02-16 17:39:08 pid(18129) Archived Alert: 0 5 {} coilite-mgr-ossec {2016-02-15 19:02:28} 1 35263 {[OSSEC] SSHD authentication failed.} 10.180.187.21 0.0.0.0 0 {} {} 10001 5716 1 35263 35263
> 2016-02-16 17:39:08 pid(18129) Archived Alert: 0 5 {} coilite-mgr-ossec {2016-02-15 19:05:41} 1 35266 {[OSSEC] SSHD authentication failed.} 10.180.187.23 0.0.0.0 0 {} {} 10001 5716 1 35266 35266
> 2016-02-16 17:39:08 pid(18129) Archived Alert: 0 5 {} coilite-mgr-ossec {2016-02-15 19:05:41} 1 35265 {[OSSEC] SSHD authentication failed.} 10.180.187.23 0.0.0.0 0 {} {} 10001 5716 1 35265 35265
> 2016-02-16 17:39:08 pid(18129) Archived Alert: 0 5 {} coilite-mgr-ossec {2016-02-15 19:05:43} 1 35270 {[OSSEC] SSHD authentication failed.} 10.180.187.23 0.0.0.0 0 {} {} 10001 5716 1 35270 35270
> 2016-02-16 17:39:08 pid(18129) Archived Alert: 0 5 {} coilite-mgr-ossec {2016-02-15 19:05:43} 1 35269 {[OSSEC] SSHD authentication failed.} 10.180.187.23 0.0.0.0 0 {} {} 10001 5716 1 35269 35269
> 2016-02-16 17:39:08 pid(18129) Archived Alert: 0 5 {} coilite-mgr-ossec {2016-02-15 19:05:43} 1 35268 {[OSSEC] SSHD authentication failed.} 10.180.187.23 0.0.0.0 0 {} {} 10001 5716 1 35268 35268
> 2016-02-16 17:39:08 pid(18129) Archived Alert: 0 5 {} coilite-mgr-ossec {2016-02-15 19:05:43} 1 35267 {[OSSEC] SSHD authentication failed.} 10.180.187.23 0.0.0.0 0 {} {} 10001 5716 1 35267 35267
> 2016-02-16 17:39:08 pid(18129) Archived Alert: 0 5 {} coilite-mgr-ossec {2016-02-15 19:05:45} 1 35271 {[OSSEC] SSHD authentication failed.} 10.180.187.23 0.0.0.0 0 {} {} 10001 5716 1 35271 35271
> 2016-02-16 17:39:08 pid(18129) Archived Alert: 0 7 {} coilite-sensor03-ossec {2016-02-16 00:10:18} 2 11482 {[OSSEC] Received 0 packets in designated time interval (defined in ossec.conf). Please check interface, cabling, and tap/span!} 0.0.0.0 0.0.0.0 0 {} {} 10001 111112 1 11482 11482
> 2016-02-16 17:39:08 pid(18129) AUTO MARKING EVENT AS : 1
> 2016-02-16 17:39:08 pid(18129) UPDATE `event_coilite-sensor03-ossec_20160216` SET status=1, last_modified='2016-02-16 17:39:08', last_uid='1' WHERE sid=2 AND cid=11482
> mysqlexec/db server: Table 'securityonion_db.event_coilite-sensor03-ossec_20160216' doesn't exist
> while executing
> "mysqlexec $MAIN_DB_SOCKETID $updateString"
> (procedure "UpdateDBStatus" line 11)
> invoked from within
> "UpdateDBStatus [lindex $data 3] [lindex $data 4] [lindex $data 5] [lindex $data 6] [GetCurrentTimeStamp] $AUTOID $acCat($rid)"
> (procedure "AutoCat" line 43)
> invoked from within
> "AutoCat $row"
> ("foreach" body line 6)
> invoked from within
> "foreach row [mysqlsel $MAIN_DB_SOCKETID $tmpQry -list] {
>
> InfoMessage "Archived Alert: $row"
> set LAST_EVENT_ID([lindex $row 3]) "[li..."
> invoked from within
> "if { $mergeTableListArray(event) != "" } {
>
> # Get the archived alerts
> LogMessage "Querying DB for archived events..."
> set MAJOR_MYSQL_VERS..."
> (file "/usr/bin/sguild" line 737)
> 2016-02-16 17:39:08 pid(18132) loaderd: Received:
> 2016-02-16 17:39:08 pid(18132) Unknown command received from sguild:

Danny,

Have you added an autocat entry for Sguil lately? It looks like it may be a rule failing:

https://groups.google.com/forum/#!searchin/security-onion/sguil$20stale$20pid/security-onion/GkJFrrO1G8w/v_iWiKE04cMJ

You could try removing it.

Thanks,
Wes


Doug Burks

Feb 17, 2016, 9:37:29 AM
to securit...@googlegroups.com
Replies inline.

On Wed, Feb 17, 2016 at 9:34 AM, Danny Stephens <syc...@gmail.com> wrote:
> As of this second, sostat indicates that the sguil server is running with an [OK]

Have you verified that there are no more errors in
/var/log/nsm/securityonion/sguild.log?

Are you able to log into the Sguil client?

> but the web interface is not working

What exactly do you mean?

Which web interface?

Does it prompt for username/password?

Does it display any error messages?


--
Doug Burks

Doug Burks

Feb 17, 2016, 12:19:57 PM
to securit...@googlegroups.com
Here are some things you can try:

- lower DAYSTOKEEP to 1 and re-run "sudo sguil-db-purge"

- manually disable/remove the autocat entries at the database level

On Wed, Feb 17, 2016 at 10:37 AM, Danny Stephens <syc...@gmail.com> wrote:
> It looks like I'm still missing the table
> securityonion_db.event_coilite-sensor03-ossec_20160216
> Is there a way I can just make the table in the SQL db so that it can see it and move on? My only worry would be that that is going to corrupt the db and make this worse.

Doug Burks

Feb 17, 2016, 12:32:50 PM
to securit...@googlegroups.com
Let's try the first option first and see how that goes.

On Wed, Feb 17, 2016 at 12:29 PM, Danny Stephens <syc...@gmail.com> wrote:
> On Wednesday, February 17, 2016 at 11:19:57 AM UTC-6, Doug Burks wrote:
>> Here are some things you can try:
>>
>> - lower DAYSTOKEEP to 1 and re-run "sudo sguil-db-purge"
>>
> I will give this a try
>
>> - manually disable/remove the autocat entries at the database level
>>
> Can you point me to how to manually remove this from the database? I'm not a seasoned DBA.

Doug Burks

Feb 17, 2016, 12:33:14 PM
to securit...@googlegroups.com
Sguil won't create a new table for today until the database issue is
resolved and new events are received.

On Wed, Feb 17, 2016 at 12:32 PM, Danny Stephens <syc...@gmail.com> wrote:
> On Wednesday, February 17, 2016 at 11:19:57 AM UTC-6, Doug Burks wrote:
>> Here are some things you can try:
>>
>> - lower DAYSTOKEEP to 1 and re-run "sudo sguil-db-purge"
>>
> Looking at the database, there is no new table for today, the 17th.
> Why is this, and when do the new tables get created?

Doug Burks

Feb 17, 2016, 1:14:24 PM
to securit...@googlegroups.com
Yes, if everything is working properly, then you can increase
DAYSTOKEEP back to 30.

Please review the Best Practices page:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Best-Practices

On Wed, Feb 17, 2016 at 1:11 PM, Danny Stephens <syc...@gmail.com> wrote:
> Doug, that fixed everything; alerts are flooding in now.
>
> I deleted the autocats from the day it died.
>
> Can I change DAYSTOKEEP back up?

Doug Burks

Feb 18, 2016, 6:38:56 AM
to securit...@googlegroups.com
Please try the following:

# stop sguild:
sudo nsm_server_ps-stop

# show all of the autocat entries you've added:
mysql -uroot -Dsecurityonion_db -e 'delete from autocat where autoid>1;'

# based on the error message relating to the ossec event, you most
likely have an autocat for ossec events, find the autoid of that
autocat
# delete that one autocat using the following (replacing YOUR_AUTOID
with the actual autoid):
mysql -uroot -Dsecurityonion_db -e 'select * from autocat where
autoid=YOUR_AUTOID;'

# OR if you don't mind removing all of your autocat entries, you can
remove them all as follows:
mysql -uroot -Dsecurityonion_db -e 'select * from autocat where autoid>1;'

# then start sguild:
sudo nsm_server_ps-start

# watch the log file and see if it still errors on the ossec event:
tail -f /var/log/nsm/securityonion/sguild.log

On Wed, Feb 17, 2016 at 2:45 PM, Danny Stephens <syc...@gmail.com> wrote:
> I rebooted the server and, truth be told, I ran sudo service nsm restart several times.
> Sguil has been running for about an hour now, but I'm not getting any alerts in Squert, and ELSA loads the blue bar on the left but nothing else.

Doug Burks

Feb 18, 2016, 9:57:39 AM
to securit...@googlegroups.com
Replies inline.

On Thu, Feb 18, 2016 at 9:44 AM, Danny Stephens <syc...@gmail.com> wrote:
>> # show all of the autocat entries you've added:
>> mysql -uroot -Dsecurityonion_db -e 'delete from autocat where autoid>1;'
>>
> This line here deletes all the autocats

My apologies. That was a bad copy/paste.

>> # based on the error message relating to the ossec event, you most
>> likely have an autocat for ossec events, find the autoid of that
>> autocat
>> # delete that one autocat using the following (replacing YOUR_AUTOID
>> with the actual autoid):
>> mysql -uroot -Dsecurityonion_db -e 'select * from autocat where
>> autoid=YOUR_AUTOID;'
>>
>> # OR if you don't mind removing all of your autocat entries, you can
>> remove them all as follows:
>> mysql -uroot -Dsecurityonion_db -e 'select * from autocat where autoid>1;'
>>
>> # then start sguild:
>> sudo nsm_server_ps-start
>>
> started fine
>
>> # watch the log file and see if it still errors on the ossec event:
>> tail -f /var/log/nsm/securityonion/sguild.log
>>
> 2016-02-18 07:39:04 pid(32441) Archived Alert: 0 3 unknown solo01-eth3 {2016-02-18 04:56:04} 42 90815 {SURICATA UDP packet too small} 189.250.91.44 131.131.131.253 17 0 0 1 2200038 1 2289957 2289957
> 2016-02-18 07:39:04 pid(32441) Archived Alert: 0 3 unknown solo01-eth3 {2016-02-18 04:56:05} 42 90816 {SURICATA UDP packet too small} 189.250.91.44 131.131.131.253 17 0 0 1 2200038 1 2289958 2289958
> 2016-02-18 07:39:04 pid(32441) Archived Alert: 0 3 unknown solo01-eth3 {2016-02-18 04:56:10} 42 90817 {SURICATA UDP packet too small} 189.250.91.44 131.131.131.253 17 0 0 1 2200038 1 2289959 2289959
> 2016-02-18 07:39:04 pid(32441) Archived Alert: 0 3 unknown solo01-eth3 {2016-02-18 04:56:12} 42 90818 {SURICATA UDP packet too small} 189.250.91.44 131.131.131.17 17 0 0 1 2200038 1 2289960 2289960
> 2016-02-18 07:39:04 pid(32441) Archived Alert: 0 3 unknown solo01-eth3 {2016-02-18 04:56:14} 42 90819 {SURICATA UDP packet too small} 118.165.24.221 131.131.129.65 17 0 0 1 2200038 1 2289961 2289961
> 2016-02-18 07:39:04 pid(32441) Archived Alert: 0 3 unknown solo01-eth3 {2016-02-18 04:56:17} 42 90820 {SURICATA UDP packet too small} 189.250.91.44 131.131.131.253 17 0 0 1 2200038 1 2289962 2289962
> 2016-02-18 07:39:04 pid(32441) Archived Alert: 0 3 unknown solo01-eth3 {2016-02-18 04:56:20} 42 90821 {SURICATA UDP packet too small} 189.250.91.44 131.131.131.17 17 0 0 1 2200038 1 2289963 2289963
> 2016-02-18 07:39:04 pid(32441) Archived Alert: 0 3 unknown solo01-eth3 {2016-02-18 04:56:22} 42 90822 {SURICATA UDP packet too small} 189.250.91.44 131.131.131.17 17 0 0 1 2200038 1 2289964 2289964
> 2016-02-18 07:39:04 pid(32441) Archived Alert: 0 3 unknown solo01-eth3 {2016-02-18 04:56:25} 42 90823 {SURICATA UDP packet too small} 189.250.91.44 131.131.131.253 17 0 0 1 2200038 1 2289965 2289965
> 2016-02-18 07:39:04 pid(32441) Archived Alert: 0 3 unknown solo01-eth3 {2016-02-18 04:56:25} 42 90824 {SURICATA UDP packet too small} 118.165.24.221 131.131.129.65 17 0 0 1 2200038 1 2289966 2289966
> 2016-02-18 07:39:04 pid(32441) Archived Alert: 0 3 unknown solo01-eth3 {2016-02-18 04:56:28} 42 90825 {SURICATA UDP packet too small} 189.250.91.44 131.131.131.253 17 0 0 1 2200038 1 2289967 2289967
> 2016-02-18 07:39:04 pid(32441) Archived Alert: 0 3 unknown solo01-eth3 {2016-02-18 04:56:29} 42 90826 {SURICATA UDP packet too small} 118.165.24.221 131.131.129.65 17 0 0 1 2200038 1 2289968 2289968
> 2016-02-18 07:39:04 pid(32441) Archived Alert: 0 3 unknown solo01-eth3 {2016-02-18 04:56:45} 42 90827 {SURICATA UDP packet too small} 189.250.91.44 131.131.131.17 17 0 0 1 2200038 1 2289969 2289969
> 2016-02-18 07:39:04 pid(32441) Archived Alert: 0 3 unknown solo01-eth3 {2016-02-18 04:56:46} 42 90828 {SURICATA UDP packet too small} 189.250.91.44 131.131.131.253 17 0 0 1 2200038 1 2289970 2289970
> 2016-02-18 07:39:04 pid(32441) Archived Alert: 0 3 unknown solo01-eth3 {2016-02-18 04:56:46} 42 90829 {SURICATA UDP packet too small} 189.250.91.44 131.131.131.253 17 0 0 1 2200038 1 2289971 2289971
> 2016-02-18 07:39:04 pid(32441) Archived Alert: 0 3 unknown solo01-eth3 {2016-02-18 04:56:48} 42 90830 {SURICATA UDP packet too small} 189.250.91.44 131.131.131.253 17 0 0 1 2200038 1 2289972 2289972
> 2016-02-18 07:39:04 pid(32441) Archived Alert: 0 3 unknown solo01-eth3 {2016-02-18 04:56:48} 42 90831 {SURICATA UDP packet too small} 118.165.24.221 131.131.129.65 17 0 0 1 2200038 1 2289973 2289973
> 2016-02-18 07:39:04 pid(32441) Archived Alert: 0 3 unknown solo01-eth3 {2016-02-18 04:56:50} 42 90832 {SURICATA UDP packet too small} 118.165.24.221 131.131.129.65 17 0 0 1 2200038 1 2289974 2289974
> 2016-02-18 07:39:04 pid(32441) Archived Alert: 0 3 unknown solo01-eth3 {2016-02-18 04:56:52} 42 90833 {SURICATA UDP packet too small} 189.250.91.44 131.131.131.253 17 0 0 1 2200038 1 2289975 2289975
> 2016-02-18 07:39:04 pid(32441) Archived Alert: 0 3 unknown solo01-eth3 {2016-02-18 04:56:52} 42 90834 {SURICATA UDP packet too small} 189.250.91.44 131.131.131.253 17 0 0 1 2200038 1 2289976 2289976
> 2016-02-18 07:39:04 pid(32441) Archived Alert: 0 3 unknown solo01-eth3 {2016-02-18 04:56:56} 42 90835 {SURICATA UDP packet too small} 189.250.91.44 131.131.131.17 17 0 0 1 2200038 1 2289977 2289977
> 2016-02-18 07:39:04 pid(32441) Archived Alert: 0 3 unknown solo01-eth3 {2016-02-18 04:56:56} 42 90836 {SURICATA UDP packet too small} 189.250.91.44 131.131.131.253 17 0 0 1 2200038 1 2289978 2289978
> 2016-02-18 07:39:04 pid(32441) Archived Alert: 0 3 unknown solo01-eth3 {2016-02-18 04:56:57} 42 90837 {SURICATA UDP packet too small} 118.165.24.221 131.131.129.65 17 0 0 1 2200038 1 2289979 2289979
> 2016-02-18 07:39:04 pid(32441) Archived Alert: 0 3 unknown solo01-eth3 {2016-02-18 04:56:58} 42 90838 {SURICATA UDP packet too small} 189.250.91.44 131.131.131.17 17 0 0 1 2200038 1 2289980 2289980
> 2016-02-18 07:39:04 pid(32441) Archived Alert: 0 3 unknown solo01-eth3 {2016-02-18 04:56:58} 42 90839 {SURICATA UDP packet too small} 189.250.91.44 131.131.131.253 17 0 0 1 2200038 1 2289981 2289981
> 2016-02-18 07:39:04 pid(32441) Archived Alert: 0 3 unknown solo01-eth3 {2016-02-18 04:56:58} 42 90840 {SURICATA UDP packet too small} 118.165.24.221 131.131.129.65 17 0 0 1 2200038 1 2289982 2289982
> 2016-02-18 07:39:04 pid(32441) Archived Alert: 0 3 unknown solo01-eth3 {2016-02-18 04:57:03} 42 90841 {SURICATA UDP packet too small} 189.250.91.44 131.131.131.253 17 0 0 1 2200038 1 2289983 2289983
> 2016-02-18 07:39:04 pid(32441) Archived Alert: 0 3 unknown solo01-eth3 {2016-02-18 04:57:08} 42 90842 {SURICATA UDP packet too small} 189.250.91.44 131.131.131.17 17 0 0 1 2200038 1 2289984 2289984
> 2016-02-18 07:39:04 pid(32441) Archived Alert: 0 3 unknown solo01-eth3 {2016-02-18 04:57:13} 42 90843 {SURICATA UDP packet too small} 189.250.91.44 131.131.131.17 17 0 0 1 2200038 1 2289985 2289985
> 2016-02-18 07:39:04 pid(32441) Archived Alert: 0 3 unknown solo01-eth3 {2016-02-18 04:57:13} 42 90844 {SURICATA UDP packet too small} 189.250.91.44 131.131.131.253 17 0 0 1 2200038 1 2289986 2289986
> 2016-02-18 07:39:04 pid(32441) Archived Alert: 0 3 unknown solo01-eth3 {2016-02-18 04:57:14} 42 90845 {SURICATA UDP packet too small} 118.165.24.221 131.131.129.65 17 0 0 1 2200038 1 2289987 2289987
> 2016-02-18 07:39:04 pid(32441) Archived Alert: 0 3 unknown solo01-eth3 {2016-02-18 04:57:15} 42 90846 {SURICATA UDP packet too small} 189.250.91.44 131.131.131.253 17 0 0 1 2200038 1 2289988 2289988
> 2016-02-18 07:39:04 pid(32441) Archived Alert: 0 3 unknown solo01-eth3 {2016-02-18 04:57:18} 42 90847 {SURICATA UDP packet too small} 189.250.91.44 131.131.131.253 17 0 0 1 2200038 1 2289989 2289989
> 2016-02-18 07:39:04 pid(32441) Archived Alert: 0 3 unknown solo01-eth3 {2016-02-18 04:57:20} 42 90848 {SURICATA UDP packet too small} 189.250.91.44 131.131.131.17 17 0 0 1 2200038 1 2289990 2289990
> 2016-02-18 07:39:04 pid(32441) Archived Alert: 0 3 unknown solo01-eth3 {2016-02-18 04:57:21} 42 90849 {SURICATA UDP packet too small} 189.250.91.44 131.131.131.253 17 0 0 1 2200038 1 2289991 2289991
> 2016-02-18 07:39:04 pid(32441) Archived Alert: 0 3 unknown solo01-eth3 {2016-02-18 04:57:22} 42 90850 {SURICATA UDP packet too small} 189.250.91.44 131.131.131.17 17 0 0 1 2200038 1 2289992 2289992
> 2016-02-18 07:39:04 pid(32441) Archived Alert: 0 3 unknown solo01-eth3 {2016-02-18 04:57:24} 42 90851 {SURICATA UDP packet too small} 189.250.91.44 131.131.131.253 17 0 0 1 2200038 1 2289993 2289993
> 2016-02-18 07:39:04 pid(32441) Archived Alert: 0 3 unknown solo01-eth3 {2016-02-18 04:57:26} 42 90852 {SURICATA UDP packet too small} 189.250.91.44 131.131.131.253 17 0 0 1 2200038 1 2289994 2289994
> 2016-02-18 07:39:04 pid(32441) Archived Alert: 0 3 unknown solo01-eth3 {2016-02-18 04:57:28} 42 90853 {SURICATA UDP packet too small} 189.250.91.44 131.131.131.17 17 0 0 1 2200038 1 2289995 2289995
> 2016-02-18 07:39:04 pid(32441) Archived Alert: 0 3 unknown solo01-eth3 {2016-02-18 04:57:29} 42 90854 {SURICATA UDP packet too small} 189.250.91.44 131.131.131.253 17 0 0 1 2200038 1 2289996 2289996
> 2016-02-18 07:39:04 pid(32441) Archived Alert: 0 3 unknown solo01-eth3 {2016-02-18 04:57:30} 42 90855 {SURICATA UDP packet too small} 189.250.91.44 131.131.131.17 17 0 0 1 2200038 1 2289997 2289997
> 2016-02-18 07:39:04 pid(32441) Archived Alert: 0 3 unknown solo01-eth3 {2016-02-18 04:57:37} 42 90856 {SURICATA UDP packet too small} 118.165.24.221 131.131.129.65 17 0 0 1 2200038 1 2289998 2289998
> 2016-02-18 07:39:04 pid(32441) Archived Alert: 0 3 unknown solo01-eth3 {2016-02-18 04:57:40} 42 90857 {SURICATA UDP packet too small} 189.250.91.44 131.131.131.253 17 0 0 1 2200038 1 2289999 2289999
> 2016-02-18 07:39:04 pid(32441) Archived Alert: 0 3 unknown solo01-eth3 {2016-02-18 04:57:40} 42 90858 {SURICATA UDP packet too small} 189.250.91.44 131.131.131.17 17 0 0 1 2200038 1 2290000 2290000
> 2016-02-18 07:39:04 pid(32441) Archived Alert: 0 3 unknown solo01-eth3 {2016-02-18 04:57:41} 42 90859 {SURICATA UDP packet too small} 118.165.24.221 131.131.129.65 17 0 0 1 2200038 1 2290001 2290001
> 2016-02-18 07:39:04 pid(32441) Archived Alert: 0 3 unknown solo01-eth3 {2016-02-18 04:57:43} 42 90860 {SURICATA UDP packet too small} 189.250.91.44 131.131.131.253 17 0 0 1 2200038 1 2290002 2290002
> 2016-02-18 07:39:04 pid(32441) Archived Alert: 0 3 unknown solo01-eth3 {2016-02-18 04:57:44} 42 90861 {SURICATA UDP packet too small} 189.250.91.44 131.131.131.17 17 0 0 1 2200038 1 2290003 2290003
> 2016-02-18 07:39:04 pid(32441) Archived Alert: 0 3 unknown solo01-eth3 {2016-02-18 04:57:46} 42 90862 {SURICATA UDP packet too small} 189.250.91.44 131.131.131.253 17 0 0 1 2200038 1 2290004 2290004
> 2016-02-18 07:39:04 pid(32441) Archived Alert: 0 3 unknown solo01-eth3 {2016-02-18 04:57:50} 42 90863 {SURICATA UDP packet too small} 189.250.91.44 131.131.131.253 17 0 0 1 2200038 1 2290005 2290005
> 2016-02-18 07:39:04 pid(32441) Archived Alert: 0 3 unknown solo01-eth3 {2016-02-18 04:57:50} 42 90864 {SURICATA UDP packet too small} 189.250.91.44 131.131.131.253 17 0 0 1 2200038 1 2290006 2290006
> 2016-02-18 07:39:04 pid(32441) Archived Alert: 0 3 unknown solo01-eth3 {2016-02-18 04:57:51} 42 90865 {SURICATA UDP packet too small} 189.250.91.44 131.131.131.17 17 0 0 1 2200038 1 2290007 2290007
> 2016-02-18 07:39:04 pid(32441) Archived Alert: 0 3 unknown solo01-eth3 {2016-02-18 04:57:53} 42 90866 {SURICATA UDP packet too small} 189.250.91.44 131.131.131.253 17 0 0 1 2200038 1 2290008 2290008
> 2016-02-18 07:39:04 pid(32441) Archived Alert: 0 3 unknown solo01-eth3 {2016-02-18 04:57:56} 42 90867 {SURICATA UDP packet too small} 118.165.24.221 131.131.129.65 17 0 0 1 2200038 1 2290009 2290009
> 2016-02-18 07:39:04 pid(32441) Archived Alert: 0 3 unknown solo01-eth3 {2016-02-18 04:57:56} 42 90868 {SURICATA UDP packet too small} 189.250.91.44 131.131.131.253 17 0 0 1 2200038 1 2290010 2290010
> 2016-02-18 07:39:04 pid(32441) Archived Alert: 0 3 unknown solo01-eth3 {2016-02-18 04:57:59} 42 90869 {SURICATA UDP packet too small} 189.250.91.44 131.131.131.253 17 0 0 1 2200038 1 2290011 2290011
> 2016-02-18 07:39:04 pid(32441) Archived Alert: 0 3 unknown solo01-eth3 {2016-02-18 04:58:01} 42 90870 {SURICATA UDP packet too small} 189.250.91.44 131.131.131.253 17 0 0 1 2200038 1 2290012 2290012
> 2016-02-18 07:39:04 pid(32441) Archived Alert: 0 3 unknown solo01-eth3 {2016-02-18 04:58:01} 42 90871 {SURICATA UDP packet too small} 189.250.91.44 131.131.131.17 17 0 0 1 2200038 1 2290013 2290013
> 2016-02-18 07:39:04 pid(32441) Archived Alert: 0 3 unknown solo01-eth3 {2016-02-18 04:58:02} 42 90872 {SURICATA UDP packet too small} 189.250.91.44 131.131.131.253 17 0 0 1 2200038 1 2290014 2290014
> 2016-02-18 07:39:04 pid(32441) Archived Alert: 0 3 unknown solo01-eth3 {2016-02-18 04:58:04} 42 90873 {SURICATA UDP packet too small} 189.250.91.44 131.131.131.253 17 0 0 1 2200038 1 2290015 2290015
> 2016-02-18 07:39:04 pid(32441) Archived Alert: 0 3 unknown solo01-eth3 {2016-02-18 04:58:06} 42 90874 {SURICATA UDP packet too small} 189.250.91.44 131.131.131.17 17 0 0 1 2200038 1 2290016 2290016
> 2016-02-18 07:39:04 pid(32441) Archived Alert: 0 3 unknown solo01-eth3 {2016-02-18 04:58:10} 42 90875 {SURICATA UDP packet too small} 189.250.91.44 131.131.131.253 17 0 0 1 2200038 1 2290017 2290017
> 2016-02-18 07:39:04 pid(32441) Archived Alert: 0 3 unknown solo01-eth3 {2016-02-18 04:58:13} 42 90876 {SURICATA UDP packet too small} 189.250.91.44 131.131.131.17 17 0 0 1 2200038 1 2290018 2290018
> 2016-02-18 07:39:04 pid(32441) Archived Alert: 0 3 unknown solo01-eth3 {2016-02-18 04:58:14} 42 90877 {SURICATA UDP packet too small} 189.250.91.44 131.131.131.253 17 0 0 1 2200038 1 2290019 2290019
> 2016-02-18 07:39:04 pid(32441) Archived Alert: 0 3 unknown solo01-eth3 {2016-02-18 04:58:16} 42 90878 {SURICATA UDP packet too small} 189.250.91.44 131.131.131.17 17 0 0 1 2200038 1 2290020 2290020
> 2016-02-18 07:39:04 pid(32441) Archived Alert: 0 3 unknown solo01-eth3 {2016-02-18 04:58:23} 42 90879 {SURICATA UDP packet too small} 189.250.91.44 131.131.131.17 17 0 0 1 2200038 1 2290021 2290021
> 2016-02-18 07:39:04 pid(32441) Archived Alert: 0 3 unknown solo01-eth3 {2016-02-18 04:58:25} 42 90880 {SURICATA UDP packet too small} 189.250.91.44 131.131.131.253 17 0 0 1 2200038 1 2290022 2290022
> 2016-02-18 07:39:04 pid(32441) Archived Alert: 0 3 unknown solo01-eth3 {2016-02-18 04:58:29} 42 90881 {SURICATA UDP packet too small} 189.250.91.44 131.131.131.253 17 0 0 1 2200038 1 2290023 2290023
> 2016-02-18 07:39:04 pid(32441) Archived Alert: 0 3 unknown solo01-eth3 {2016-02-18 04:58:29} 42 90882 {SURICATA UDP packet too small} 189.250.91.44 131.131.131.253 17 0 0 1 2200038 1 2290024 2290024
> 2016-02-18 07:39:04 pid(32441) Archived Alert: 0 3 unknown solo01-eth3 {2016-02-18 04:58:29} 42 90883 {SURICATA UDP packet too small} 189.250.91.44 131.131.131.253 17 0 0 1 2200038 1 2290025 2290025
> 2016-02-18 07:39:04 pid(32441) Archived Alert: 0 3 unknown solo01-eth3 {2016-02-18 04:58:29} 42 90884 {SURICATA UDP packet too small} 118.165.24.221 131.131.129.65 17 0 0 1 2200038 1 2290026 2290026
> 2016-02-18 07:39:04 pid(32441) Archived Alert: 0 3 unknown solo01-eth3 {2016-02-18 04:58:34} 42 90885 {SURICATA UDP packet too small} 118.165.24.221 131.131.129.65 17 0 0 1 2200038 1 2290027 2290027
> 2016-02-18 07:39:04 pid(32441) Archived Alert: 0 3 unknown solo01-eth3 {2016-02-18 04:58:36} 42 90886 {SURICATA UDP packet too small} 189.250.91.44 131.131.131.253 17 0 0 1 2200038 1 2290028 2290028
> 2016-02-18 07:39:04 pid(32441) Archived Alert: 0 3 unknown solo01-eth3 {2016-02-18 04:58:37} 42 90887 {SURICATA UDP packet too small} 189.250.91.44 131.131.131.17 17 0 0 1 2200038 1 2290029 2290029
> 2016-02-18 07:39:04 pid(32441) Archived Alert: 0 3 unknown solo01-eth3 {2016-02-18 04:58:38} 42 90888 {SURICATA UDP packet too small} 189.250.91.44 131.131.131.253 17 0 0 1 2200038 1 2290030 2290030
> 2016-02-18 07:39:04 pid(32441) Archived Alert: 0 3 unknown solo01-eth3 {2016-02-18 04:58:39} 42 90889 {SURICATA UDP packet too small} 118.165.24.221 131.131.129.65 17 0 0 1 2200038 1 2290031 2290031
> 2016-02-18 07:39:04 pid(32441) Archived Alert: 0 1 policy-violation solo02-eth0 {2016-02-18 04:58:42} 26 997557 {ET POLICY possible Xiaomi phone data leakage DNS} 182.146.2.210 131.131.131.208 17 39711 53 1 2018918 1 249 249
> 2016-02-18 07:39:04 pid(32441) Archived Alert: 0 7 {} VADER03-ossec {2016-02-18 04:58:42} 79 9 {[OSSEC] Received 0 packets in designated time interval (defined in ossec.conf). Please check interface, cabling, and tap/span!} 0.0.0.0 0.0.0.0 0 {} {} 10001 111112 1 9 9
> 2016-02-18 07:39:04 pid(32441) Archived Alert: 0 3 unknown solo01-eth3 {2016-02-18 04:58:46} 42 90890 {SURICATA UDP packet too small} 189.250.91.44 131.131.131.17 17 0 0 1 2200038 1 2290032 2290032
> 2016-02-18 07:39:04 pid(32441) Archived Alert: 0 3 unknown solo01-eth3 {2016-02-18 04:58:48} 42 90891 {SURICATA UDP packet too small} 189.250.91.44 131.131.131.17 17 0 0 1 2200038 1 2290033 2290033
> 2016-02-18 07:39:04 pid(32441) Archived Alert: 0 3 unknown solo01-eth3 {2016-02-18 04:58:50} 42 90892 {SURICATA UDP packet too small} 189.250.91.44 131.131.131.253 17 0 0 1 2200038 1 2290034 2290034
> 2016-02-18 07:39:04 pid(32441) Archived Alert: 0 3 unknown solo01-eth3 {2016-02-18 04:58:50} 42 90893 {SURICATA UDP packet too small} 118.165.24.221 131.131.129.65 17 0 0 1 2200038 1 2290035 2290035
> 2016-02-18 07:39:04 pid(32441) Archived Alert: 0 3 unknown solo01-eth3 {2016-02-18 04:58:52} 42 90894 {SURICATA UDP packet too small} 118.165.24.221 131.131.129.65 17 0 0 1 2200038 1 2290036 2290036
> 2016-02-18 07:39:04 pid(32441) Archived Alert: 0 3 unknown solo01-eth3 {2016-02-18 04:58:54} 42 90895 {SURICATA UDP packet too small} 189.250.91.44 131.131.131.253 17 0 0 1 2200038 1 2290037 2290037
> 2016-02-18 07:39:04 pid(32441) Archived Alert: 0 3 unknown solo01-eth3 {2016-02-18 04:58:55} 42 90896 {SURICATA UDP packet too small} 189.250.91.44 131.131.131.253 17 0 0 1 2200038 1 2290038 2290038
> 2016-02-18 07:39:04 pid(32441) Archived Alert: 0 3 unknown solo01-eth3 {2016-02-18 04:58:55} 42 90897 {SURICATA UDP packet too small} 189.250.91.44 131.131.131.17 17 0 0 1 2200038 1 2290039 2290039
> 2016-02-18 07:39:04 pid(32441) Archived Alert: 0 3 unknown solo01-eth3 {2016-02-18 04:58:55} 42 90898 {SURICATA UDP packet too small} 189.250.91.44 131.131.131.253 17 0 0 1 2200038 1 2290040 2290040
> 2016-02-18 07:39:04 pid(32441) Archived Alert: 0 7 {} coilite-sensor06-ossec {2016-02-18 04:58:57} 13 3 {[OSSEC] Received 0 packets in designated time interval (defined in ossec.conf). Please check interface, cabling, and tap/span!} 0.0.0.0 0.0.0.0 0 {} {} 10001 111112 1 3 3
> 2016-02-18 07:39:04 pid(32441) Archived Alert: 0 3 unknown solo01-eth3 {2016-02-18 04:58:58} 42 90899 {SURICATA UDP packet too small} 118.165.24.221 131.131.129.65 17 0 0 1 2200038 1 2290041 2290041
> 2016-02-18 07:39:04 pid(32441) Archived Alert: 0 3 unknown solo01-eth3 {2016-02-18 04:58:59} 42 90900 {SURICATA UDP packet too small} 189.250.91.44 131.131.131.253 17 0 0 1 2200038 1 2290042 2290042
> 2016-02-18 07:39:04 pid(32441) Archived Alert: 0 3 unknown solo01-eth3 {2016-02-18 04:59:01} 42 90901 {SURICATA UDP packet too small} 189.250.91.44 131.131.131.253 17 0 0 1 2200038 1 2290043 2290043
> 2016-02-18 07:39:04 pid(32441) Archived Alert: 0 3 unknown solo01-eth3 {2016-02-18 04:59:01} 42 90902 {SURICATA UDP packet too small} 189.250.91.44 131.131.131.17 17 0 0 1 2200038 1 2290044 2290044
> 2016-02-18 07:39:04 pid(32441) Archived Alert: 0 3 unknown solo01-eth3 {2016-02-18 04:59:01} 42 90903 {SURICATA UDP packet too small} 189.250.91.44 131.131.131.253 17 0 0 1 2200038 1 2290045 2290045
> 2016-02-18 07:39:04 pid(32441) Archived Alert: 0 3 unknown solo01-eth3 {2016-02-18 04:59:06} 42 90904 {SURICATA UDP packet too small} 118.165.24.221 131.131.129.65 17 0 0 1 2200038 1 2290046 2290046
> 2016-02-18 07:39:04 pid(32441) Archived Alert: 0 3 unknown solo01-eth3 {2016-02-18 04:59:07} 42 90905 {SURICATA UDP packet too small} 189.250.91.44 131.131.131.253 17 0 0 1 2200038 1 2290047 2290047
> 2016-02-18 07:39:04 pid(32441) Archived Alert: 0 3 unknown solo01-eth3 {2016-02-18 04:59:07} 42 90906 {SURICATA UDP packet too small} 189.250.91.44 131.131.131.253 17 0 0 1 2200038 1 2290048 2290048
> 2016-02-18 07:39:04 pid(32441) Archived Alert: 0 3 unknown solo01-eth3 {2016-02-18 04:59:09} 42 90907 {SURICATA UDP packet too small} 189.250.91.44 131.131.131.253 17 0 0 1 2200038 1 2290049 2290049
> 2016-02-18 07:39:04 pid(32441) Archived Alert: 0 3 unknown solo01-eth3 {2016-02-18 04:59:09} 42 90908 {SURICATA UDP packet too small} 189.250.91.44 131.131.131.17 17 0 0 1 2200038 1 2290050 2290050
> 2016-02-18 07:39:04 pid(32441) Archived Alert: 0 3 unknown solo01-eth3 {2016-02-18 04:59:12} 42 90909 {SURICATA UDP packet too small} 189.250.91.44 131.131.131.253 17 0 0 1 2200038 1 2290051 2290051
> 2016-02-18 07:39:04 pid(32441) Archived Alert: 0 3 unknown solo01-eth3 {2016-02-18 04:59:17} 42 90910 {SURICATA UDP packet too small} 189.250.91.44 131.131.131.17 17 0 0 1 2200038 1 2290052 2290052
> 2016-02-18 07:39:04 pid(32441) Archived Alert: 0 3 unknown solo01-eth3 {2016-02-18 04:59:17} 42 90911 {SURICATA UDP packet too small} 189.250.91.44 131.131.131.253 17 0 0 1 2200038 1 2290053 2290053
> 2016-02-18 07:39:04 pid(32441) Archived Alert: 0 3 unknown solo01-eth3 {2016-02-18 04:59:18} 42 90912 {SURICATA UDP packet too small} 189.250.91.44 131.131.131.253 17 0 0 1 2200038 1 2290054 2290054
> 2016-02-18 07:39:04 pid(32441) Archived Alert: 0 3 unknown solo01-eth3 {2016-02-18 04:59:18} 42 90913 {SURICATA UDP packet too small} 189.250.91.44 131.131.131.17 17 0 0 1 2200038 1 2290055 2290055
> 2016-02-18 07:39:04 pid(32441) Archived Alert: 0 3 unknown solo01-eth3 {2016-02-18 04:59:19} 42 90914 {SURICATA UDP packet too small} 189.250.91.44 131.131.131.253 17 0 0 1 2200038 1 2290056 2290056
> 2016-02-18 07:39:04 pid(32441) Archived Alert: 0 3 unknown solo01-eth3 {2016-02-18 04:59:20} 42 90915 {SURICATA UDP packet too small} 189.250.91.44 131.131.131.253 17 0 0 1 2200038 1 2290057 2290057
> 2016-02-18 07:39:04 pid(32441) Archived Alert: 0 3 unknown solo01-eth3 {2016-02-18 04:59:20} 42 90916 {SURICATA UDP packet too small} 189.250.91.44 131.131.131.17 17 0 0 1 2200038 1 2290058 2290058
> 2016-02-18 07:39:04 pid(32441) Archived Alert: 0 3 unknown solo01-eth3 {2016-02-18 04:59:22} 42 90917 {SURICATA UDP packet too small} 189.250.91.44 131.131.131.253 17 0 0 1 2200038 1 2290059 2290059
> 2016-02-18 07:39:04 pid(32441) Archived Alert: 0 3 unknown solo01-eth3 {2016-02-18 04:59:22} 42 90918 {SURICATA UDP packet too small} 189.250.91.44 131.131.131.17 17 0 0 1 2200038 1 2290060 2290060
> 2016-02-18 07:39:04 pid(32441) Archived Alert: 0 3 unknown solo01-eth3 {2016-02-18 04:59:22} 42 90919 {SURICATA UDP packet too small} 189.250.91.44 131.131.131.253 17 0 0 1 2200038 1 2290061 2290061
> 2016-02-18 07:39:04 pid(32441) Archived Alert: 0 3 unknown solo01-eth3 {2016-02-18 04:59:27} 42 90925 {SURICATA UDP packet too small} 189.250.91.44 131.131.131.253 17 0 0 1 2200038 1 2290067 2290067
> 2016-02-18 07:39:04 pid(32441) Archived Alert: 0 3 unknown solo01-eth3 {2016-02-18 04:59:29} 42 90926 {SURICATA UDP packet too small} 189.250.91.44 131.131.131.253 17 0 0 1 2200038 1 2290068 2290068
> 2016-02-18 07:39:04 pid(32441) Archived Alert: 0 3 unknown solo01-eth3 {2016-02-18 04:59:29} 42 90927 {SURICATA UDP packet too small} 189.250.91.44 131.131.131.253 17 0 0 1 2200038 1 2290069 2290069
> 2016-02-18 07:39:04 pid(32441) Archived Alert: 0 3 unknown solo01-eth3 {2016-02-18 04:59:31} 42 90928 {SURICATA UDP packet too small} 189.250.91.44 131.131.131.253 17 0 0 1 2200038 1 2290070 2290070
> 2016-02-18 07:39:04 pid(32441) Archived Alert: 0 3 unknown solo01-eth3 {2016-02-18 04:59:31} 42 90929 {SURICATA UDP packet too small} 118.165.24.221 131.131.129.65 17 0 0 1 2200038 1 2290071 2290071
> 2016-02-18 07:39:04 pid(32441) Archived Alert: 0 3 unknown solo01-eth3 {2016-02-18 04:59:37} 42 90930 {SURICATA UDP packet too small} 189.250.91.44 131.131.131.253 17 0 0 1 2200038 1 2290072 2290072
> 2016-02-18 07:39:04 pid(32441) Archived Alert: 0 3 unknown solo01-eth3 {2016-02-18 04:59:38} 42 90931 {SURICATA UDP packet too small} 118.165.24.221 131.131.129.65 17 0 0 1 2200038 1 2290073 2290073
> 2016-02-18 07:39:04 pid(32441) Archived Alert: 0 3 unknown solo01-eth3 {2016-02-18 04:59:41} 42 90932 {SURICATA UDP packet too small} 189.250.91.44 131.131.131.253 17 0 0 1 2200038 1 2290074 2290074
> 2016-02-18 07:39:04 pid(32441) Archived Alert: 0 3 unknown solo01-eth3 {2016-02-18 04:59:43} 42 90933 {SURICATA UDP packet too small} 189.250.91.44 131.131.131.17 17 0 0 1 2200038 1 2290075 2290075
> 2016-02-18 07:39:04 pid(32441) Archived Alert: 0 3 unknown solo01-eth3 {2016-02-18 04:59:51} 42 90934 {SURICATA UDP packet too small} 118.165.24.221 131.131.129.65 17 0 0 1 2200038 1 2290076 2290076
> 2016-02-18 07:39:04 pid(32441) Archived Alert: 0 3 unknown solo01-eth3 {2016-02-18 05:00:00} 42 90935 {SURICATA UDP packet too small} 189.250.91.44 131.131.131.253 17 0 0 1 2200038 1 2290077 2290077
> 2016-02-18 07:39:04 pid(32441) Archived Alert: 0 3 unknown solo01-eth3 {2016-02-18 05:00:04} 42 90936 {SURICATA UDP packet too small} 189.250.91.44 131.131.131.253 17 0 0 1 2200038 1 2290078 2290078
> 2016-02-18 07:39:04 pid(32441) Archived Alert: 0 3 unknown solo01-eth3 {2016-02-18 05:00:07} 42 90937 {SURICATA UDP packet too small} 189.250.91.44 131.131.131.253 17 0 0 1 2200038 1 2290079 2290079
> 2016-02-18 07:39:04 pid(32441) Archived Alert: 0 3 unknown solo01-eth3 {2016-02-18 05:00:07} 42 90938 {SURICATA UDP packet too small} 189.250.91.44 131.131.131.17 17 0 0 1 2200038 1 2290080 2290080
> 2016-02-18 07:39:04 pid(32441) Archived Alert: 0 3 unknown solo01-eth3 {2016-02-18 05:00:07} 42 90939 {SURICATA UDP packet too small} 118.165.24.221 131.131.129.65 17 0 0 1 2200038 1 2290081 2290081
> 2016-02-18 07:39:04 pid(32441) Archived Alert: 0 3 unknown solo01-eth3 {2016-02-18 05:00:08} 42 90940 {SURICATA UDP packet too small} 189.250.91.44 131.131.131.253 17 0 0 1 2200038 1 2290082 2290082
> 2016-02-18 07:39:04 pid(32441) Archived Alert: 0 3 unknown solo01-eth3 {2016-02-18 05:00:11} 42 90941 {SURICATA UDP packet too small} 189.250.91.44 131.131.131.253 17 0 0 1 2200038 1 2290083 2290083
> 2016-02-18 07:39:04 pid(32441) Archived Alert: 0 3 misc-activity BOBAFETT01-eth7 {2016-02-18 05:00:12} 357 3229 {URL crl.microsoft.com} 131.131.64.210 23.15.7.114 6 4334 80 10001 420042 1 3229 3229
> 2016-02-18 07:39:04 pid(32441) AUTO MARKING EVENT AS : 1
> 2016-02-18 07:39:04 pid(32441) UPDATE `event_BOBAFETT01-eth7_20160218` SET status=1, last_modified='2016-02-18 07:39:04', last_uid='1' WHERE sid=357 AND cid=3229
> mysqlexec/db server: Table 'securityonion_db.event_BOBAFETT01-eth7_20160218' doesn't exist

Based on this output, it looks like you removed the OSSEC autocat, but
left some other autocats in place. Have you tried removing this
autocat that is failing now?



--
Doug Burks
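To make the failure pattern in that log easier to spot when tailing sguild.log, here is an added Python example (not from the thread and not Security Onion's or Sguil's own code) that walks the log lines, pairs an "AUTO MARKING EVENT" with the alert that triggered it, and reports the per-day event table the UPDATE needed but MySQL said does not exist. The sample log lines are constructed to mirror the paste above; the table-naming convention event_<sensor>_<YYYYMMDD> is taken from the UPDATE statement in that paste, and the line-format regexes are an assumption based on the lines shown, not on sguild's source.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of sguild.log lines, shaped like the paste in the thread:
# one Suricata alert, the BOBAFETT01-eth7 URL alert, the AUTO MARKING line,
# the UPDATE sguild issued, and the mysqlexec error it got back.
SAMPLE_LOG = """\
2016-02-18 07:39:04 pid(32441) Archived Alert: 0 3 unknown solo01-eth3 {2016-02-18 05:00:11} 42 90941 {SURICATA UDP packet too small} 189.250.91.44 131.131.131.253 17 0 0 1 2200038 1 2290083 2290083
2016-02-18 07:39:04 pid(32441) Archived Alert: 0 3 misc-activity BOBAFETT01-eth7 {2016-02-18 05:00:12} 357 3229 {URL crl.microsoft.com} 131.131.64.210 23.15.7.114 6 4334 80 10001 420042 1 3229 3229
2016-02-18 07:39:04 pid(32441) AUTO MARKING EVENT AS : 1
2016-02-18 07:39:04 pid(32441) UPDATE `event_BOBAFETT01-eth7_20160218` SET status=1, last_modified='2016-02-18 07:39:04', last_uid='1' WHERE sid=357 AND cid=3229
mysqlexec/db server: Table 'securityonion_db.event_BOBAFETT01-eth7_20160218' doesn't exist
"""

# Archived Alert: status priority class sensor {timestamp} sid cid {signature} ...
# (field layout assumed from the lines in the thread; class may be "{}" for OSSEC)
ALERT_RE = re.compile(
    r"Archived Alert: (\d+) (\d+) (\S+) (\S+) \{(\d{4}-\d{2}-\d{2}) [\d:]+\} (\d+) (\d+) \{([^}]*)\}"
)
AUTOCAT_RE = re.compile(r"AUTO MARKING EVENT AS : (\d+)")
UPDATE_RE = re.compile(r"UPDATE `(event_.+?_\d{8})` SET status=")
MISSING_RE = re.compile(r"mysqlexec/db server: Table '([^']+)' doesn't exist")


@dataclass
class AutocatFailure:
    sensor: str          # sensor whose alert the autocat matched
    signature: str       # signature text of that alert
    cat_value: int       # category the autocat tried to apply
    expected_table: str  # table name derived from the alert's sensor and date
    missing_table: str   # table name MySQL reported as missing


def expected_event_table(sensor: str, event_date: str) -> str:
    """sguild keeps per-sensor, per-day tables named event_<sensor>_<YYYYMMDD>."""
    return f"event_{sensor}_{event_date.replace('-', '')}"


def find_autocat_failures(log_text: str) -> List[AutocatFailure]:
    """Return one record per autocat UPDATE that failed on a missing event table."""
    failures: List[AutocatFailure] = []
    last_alert: Optional[re.Match] = None
    pending_cat: Optional[int] = None
    pending_table: Optional[str] = None
    for line in log_text.splitlines():
        if m := ALERT_RE.search(line):
            last_alert = m           # remember the most recent alert seen
            continue
        if m := AUTOCAT_RE.search(line):
            pending_cat = int(m.group(1))
            continue
        if m := UPDATE_RE.search(line):
            pending_table = m.group(1)
            continue
        m = MISSING_RE.search(line)
        if m and last_alert is not None and pending_cat is not None:
            sensor, date, sig = last_alert.group(4), last_alert.group(5), last_alert.group(8)
            failures.append(AutocatFailure(
                sensor=sensor, signature=sig, cat_value=pending_cat,
                expected_table=pending_table or expected_event_table(sensor, date),
                missing_table=m.group(1).split(".", 1)[-1],  # drop the 'securityonion_db.' prefix
            ))
            pending_cat = pending_table = None
    return failures


if __name__ == "__main__":
    for f in find_autocat_failures(SAMPLE_LOG):
        print(f"autocat (cat {f.cat_value}) on {f.sensor} alert '{f.signature}' "
              f"needs table {f.missing_table}, which does not exist yet")
```

Run it against a real copy of the log with `find_autocat_failures(open("/var/log/nsm/securityonion/sguild.log").read())`; each record names the sensor and signature whose autocat is stalling sguild, which is the entry to look for in the autocat table.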

Doug Burks

Feb 18, 2016, 11:14:06 AM
to securit...@googlegroups.com
Let's try disabling all unnecessary services on all boxes:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Best-Practices

Once all unnecessary services have been disabled on all boxes, reboot
your master server and then watch the log file.

On Thu, Feb 18, 2016 at 11:10 AM, Danny Stephens <syc...@gmail.com> wrote:
> Doug,
> I only have the one autocat. This is my autocat.conf:
>
> # $Id: autocat.conf,v 1.9 2005/02/10 19:51:37 bamm Exp $ #
> #
> # This file is read by sguild on start up. It's contents
> # are used to create filters for the auto categorization
> # function.
> #
> # Format:
> #
> # <erase time>||<sensorName>||<src_ip>||<src_port>||<dst_ip>||<dst_port>||<proto>||<sig msg>||<cat value>
> #
> # - <erase time> is the time the filter will be removed in
> # YYYY-MM-DD TT:TT:TT format. Use 'none' if you wish to make
> # the rule permanant.
> #
> # - Sensor name is the name of the sensor to filter on. Can by 'any'
> #
> # - The value of 'any' can be used for any of the ip, port, and sig msg fields.
> #
> # - proto can be 'any' or the int value for the proto (6 == TCP, 17 == UDP, 1 == ICMP)
> #
> # - The <cat value> is the value for that category in the DB.
> # Cat I - VII == 11 - 17 : NA == 1
> #
> # - The src_ip and dest_ip can be networks in CIDR notation (eg: 10.0.0.0/24)
> #
> # - sig msg can use TCL regexp format. To make a sig msg a regexp begin the rule with %%REGEXP%%
> # Do not use / / syntax. Matching is case sensitive unless
> # the string is preceded by a (?i). Use ^ to match the beginning of the line and $ for the end.
> # Examples:
> # - '%%REGEXP%%Testing' would match '123Testing123' but not '123testing123'
> # - '%%REGEXP%%(?i)testing' would match both '123Testing123' and '123testing123'
> # - '%%REGEXP%%^Testing' would match 'Testing' but not '123Testing' and not 'testing'
> # - '%%REGEXP%%(?i)^testing would match 'Testing' and 'testing' but not '123testing'
> # - if you don't use %%REGEXP%% the string you type in the sig must EXACTLY match the rule.
> #
> # Examples:
> #
> # Mark all portscans to port 135 as Category VI (Reconn/Probes/Scans)
> # none||ANY||ANY||ANY||ANY||135||6||spp_portscan: Portscan Detected||16
> #
> # Mark 'ICMP Destination Unreachable (Undefined Code!)' as NA (no
> # further action required) until Halloween from 192.168.8.4 on sensor bozo.
> # 2003-10-31||bozo||192.168.8.4||any||any||any||any||ICMP Destination Unreachable (Undefined Code!)||1
> #
> # Mark any rule that begins SNMP as CAT III
> # none||ANY||ANY||ANY||ANY||ANY||ANY||%%REGEXP%%^SNMP||13
> #
> #
> none||ANY||ANY||ANY||ANY||ANY||ANY||%%REGEXP%%^URL||1
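As an added illustration (not part of the thread and not Sguil's own code), the following Python reproduces the autocat.conf matching rules described in the file header above: nine ||-separated fields, 'any' wildcards, CIDR source and destination networks, integer protocol numbers, exact or %%REGEXP%% signature matching, and an erase time after which a rule stops applying. sguild does this matching in Tcl; Python's re module stands in for Tcl regexp here, an assumption that holds for the anchors and the (?i) flag the header shows. The sample rules are the header's own examples plus the ^URL rule, and the sample events are constructed from alert fields seen earlier in the thread (the bozo ICMP event is invented to exercise the expired rule).

```python
import ipaddress
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

REGEXP_PREFIX = "%%REGEXP%%"


@dataclass
class AutocatRule:
    erase_time: Optional[datetime]  # None for 'none' (permanent rule)
    sensor: str
    src_ip: str
    src_port: str
    dst_ip: str
    dst_port: str
    proto: str
    sig_msg: str
    cat_value: int


@dataclass
class Event:
    sensor: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: int
    signature: str


def _parse_erase(value: str) -> Optional[datetime]:
    """'none' means permanent; otherwise 'YYYY-MM-DD HH:MM:SS' or a bare date as in the examples."""
    if value.lower() == "none":
        return None
    for fmt in ("%Y-%m-%d %H:%M:%S", "%Y-%m-%d"):
        try:
            return datetime.strptime(value, fmt)
        except ValueError:
            continue
    raise ValueError(f"bad erase time: {value!r}")


def parse_autocat(text: str) -> List[AutocatRule]:
    """Parse autocat.conf text: blank and '#' lines are skipped, each rule has 9 '||' fields."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        f = line.split("||")
        if len(f) != 9:
            raise ValueError(f"expected 9 fields, got {len(f)}: {line!r}")
        rules.append(AutocatRule(_parse_erase(f[0]), f[1], f[2], f[3], f[4], f[5], f[6], f[7], int(f[8])))
    return rules


def _is_any(v: str) -> bool:
    return v.lower() == "any"


def _ip_ok(rule_ip: str, ip: str) -> bool:
    # a rule IP may be a single address or a CIDR network; 'any' matches everything
    return _is_any(rule_ip) or ipaddress.ip_address(ip) in ipaddress.ip_network(rule_ip, strict=False)


def _int_ok(rule_val: str, val: int) -> bool:
    return _is_any(rule_val) or int(rule_val) == val


def _sig_ok(rule_sig: str, sig: str) -> bool:
    # %%REGEXP%% rules are regexes (Tcl in sguild; Python re used here); others must match exactly
    if rule_sig.startswith(REGEXP_PREFIX):
        return re.search(rule_sig[len(REGEXP_PREFIX):], sig) is not None
    return rule_sig == sig


def autocat_for(event: Event, rules: List[AutocatRule], now: datetime) -> Optional[int]:
    """Cat value of the first unexpired rule whose every field matches the event, else None."""
    for r in rules:
        if r.erase_time is not None and now >= r.erase_time:
            continue  # rule has reached its erase time
        if ((_is_any(r.sensor) or r.sensor == event.sensor)
                and _ip_ok(r.src_ip, event.src_ip) and _int_ok(r.src_port, event.src_port)
                and _ip_ok(r.dst_ip, event.dst_ip) and _int_ok(r.dst_port, event.dst_port)
                and _int_ok(r.proto, event.proto) and _sig_ok(r.sig_msg, event.signature)):
            return r.cat_value
    return None


# Constructed sample config: the header's three example rules plus the live ^URL rule.
SAMPLE_AUTOCAT = """\
# constructed sample in autocat.conf format
none||ANY||ANY||ANY||ANY||135||6||spp_portscan: Portscan Detected||16
2003-10-31||bozo||192.168.8.4||any||any||any||any||ICMP Destination Unreachable (Undefined Code!)||1
none||ANY||ANY||ANY||ANY||ANY||ANY||%%REGEXP%%^SNMP||13
none||ANY||ANY||ANY||ANY||ANY||ANY||%%REGEXP%%^URL||1
"""

# Constructed sample events (first two from alert fields in the thread, last two invented).
SAMPLE_EVENTS = [
    Event("BOBAFETT01-eth7", "131.131.64.210", 4334, "23.15.7.114", 80, 6, "URL crl.microsoft.com"),
    Event("solo01-eth3", "189.250.91.44", 0, "131.131.131.253", 0, 17, "SURICATA UDP packet too small"),
    Event("bozo", "192.168.8.4", 0, "10.0.0.1", 0, 1, "ICMP Destination Unreachable (Undefined Code!)"),
    Event("solo02-eth0", "10.1.2.3", 1234, "10.1.2.4", 135, 6, "spp_portscan: Portscan Detected"),
]


def categorize_sample(now_date: str) -> List[Optional[int]]:
    """Apply the sample rules to the sample events as of the given YYYY-MM-DD date."""
    rules = parse_autocat(SAMPLE_AUTOCAT)
    now = datetime.strptime(now_date, "%Y-%m-%d")
    return [autocat_for(e, rules, now) for e in SAMPLE_EVENTS]
```

Running `categorize_sample("2016-02-18")` marks only the URL alert (cat 1) and the portscan (cat 16); the bozo ICMP rule is past its 2003-10-31 erase time, so that event stays uncategorized, whereas with a 2003 date it is marked NA. This is the same matching that, in the thread, fires on the BOBAFETT01-eth7 URL alert and then tries to UPDATE a per-day table that does not exist yet.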

Doug Burks

Feb 22, 2016, 10:35:24 AM
to securit...@googlegroups.com
Just to confirm, did you disable those services on the master server
AND all sensor boxes as well?

Did you also disable the Snorby output in all barnyard config files on
the master server AND all sensor boxes as well?

What does the sguild log file say now?



On Mon, Feb 22, 2016 at 10:26 AM, Danny Stephens <syc...@gmail.com> wrote:
> To do so, stop the required service/s:
>
> sudo nsm_sensor_ps-stop --only-prads
> sudo nsm_sensor_ps-stop --only-pads-agent
> sudo nsm_sensor_ps-stop --only-sancp-agent
> sudo nsm_sensor_ps-stop --only-argus
> sudo nsm_sensor_ps-stop --only-http-agent
>
> And then disable them so they don't start on reboot:
>
> sudo sed -i 's|PRADS_ENABLED="yes"|PRADS_ENABLED="no"|g' /etc/nsm/*/sensor.conf
> sudo sed -i 's|PADS_AGENT_ENABLED="yes"|PADS_AGENT_ENABLED="no"|g' /etc/nsm/*/sensor.conf
> sudo sed -i 's|SANCP_AGENT_ENABLED="yes"|SANCP_AGENT_ENABLED="no"|g' /etc/nsm/*/sensor.conf
> sudo sed -i 's|ARGUS_ENABLED="yes"|ARGUS_ENABLED="no"|g' /etc/nsm/*/sensor.conf
> sudo sed -i 's|HTTP_AGENT_ENABLED="yes"|HTTP_AGENT_ENABLED="no"|g' /etc/nsm/*/sensor.conf
>
>
>
> This has been completed. Sorry for the wait; many other fires had to be put out.
>
> Service Status
> =========================================================================
> Status: securityonion
> * sguil server[ OK ]
> Status: HIDS
> * ossec_agent (sguil)[ OK ]
>
>
> But ELSA just sits there waiting for an available socket, Squert will not load any new alerts, and you cannot cat any events.

Wes

Feb 23, 2016, 7:59:36 AM
to security-onion
On Monday, February 22, 2016 at 11:43:15 AM UTC-5, Danny Stephens wrote:
> Just to confirm, did you disable those services on the master server
> AND all sensor boxes as well?
>
>
>
> Yes on both, none of those are running
>
>
> Did you also disable the Snorby output in all barnyard config files on the master server AND all sensor boxes as well?
>
>
> just double checked and yes, Snorby and barnyard config files are disabled
>
>
> and the sguild log tail output
>
>
>
> 2016-02-22 09:40:45 pid(40154)    SELECT MAX(timestamp) FROM event WHERE sid=50
> 2016-02-22 09:40:45 pid(40154)    SELECT MAX(timestamp) FROM event WHERE sid=51
> 2016-02-22 09:40:45 pid(40154)    SELECT MAX(timestamp) FROM event WHERE sid=54
> 2016-02-22 09:40:45 pid(40154)    SELECT MAX(timestamp) FROM event WHERE sid=58
> 2016-02-22 09:40:45 pid(40154)    SELECT MAX(timestamp) FROM event WHERE sid=64
> 2016-02-22 09:40:45 pid(40154)    SELECT MAX(timestamp) FROM pads WHERE sid=76
> 2016-02-22 09:40:45 pid(40154)    SELECT MAX(timestamp) FROM event WHERE sid=78
> 2016-02-22 09:40:45 pid(40154)    SELECT MAX(timestamp) FROM event WHERE sid=382
> 2016-02-22 09:40:45 pid(40154)    SELECT MAX(timestamp) FROM event WHERE sid=79
> 2016-02-22 09:40:45 pid(40154)  Querying DB for archived events...
> 2016-02-22 09:40:45 pid(40154)  SELECT event.status, event.priority, event.class, sensor.hostname,
>  event.timestamp, event.sid, event.cid, event.signature,
>  INET_NTOA(event.src_ip), INET_NTOA(event.dst_ip), event.ip_proto,
>  event.src_port, event.dst_port, event.signature_gen, event.signature_id,
>  event.signature_rev, event.unified_event_id, unified_event_ref
>  FROM event
>  FORCE INDEX (status)
>  JOIN sensor ON event.sid=sensor.sid
>  WHERE event.status=0 ORDER BY event.timestamp ASC
> 2016-02-22 09:40:45 pid(40154)  Archived Alert: 0 3 misc-activity solo02-eth0 {2016-02-22 00:01:52} 29 170 {URL 131.131.144.74} 128.232.110.28 131.131.144.74 6 59942 80 10001 420042 1 170 170
> 2016-02-22 09:40:45 pid(40154)  AUTO MARKING EVENT AS : 1
> 2016-02-22 09:40:45 pid(40154)  UPDATE `event_solo02-eth0_20160222` SET status=1, last_modified='2016-02-22 09:40:45', last_uid='1' WHERE sid=29 AND cid=170
> 2016-02-22 09:40:45 pid(40154)  Archived Alert: 0 3 misc-activity BOBAFETT01-eth7 {2016-02-22 00:01:56} 357 66336 {URL weather.yahooapis.com} 131.131.64.210 216.115.98.124 6 35459 80 10001 420042 1 66336 66336
> 2016-02-22 09:40:45 pid(40154)  AUTO MARKING EVENT AS : 1
> 2016-02-22 09:40:45 pid(40154)  UPDATE `event_BOBAFETT01-eth7_20160222` SET status=1, last_modified='2016-02-22 09:40:45', last_uid='1' WHERE sid=357 AND cid=66336
> mysqlexec/db server: Table 'securityonion_db.event_BOBAFETT01-eth7_20160222' doesn't exist
>     while executing
> "mysqlexec $MAIN_DB_SOCKETID $updateString"
>     (procedure "UpdateDBStatus" line 11)
>     invoked from within
> "UpdateDBStatus [lindex $data 3] [lindex $data 4] [lindex $data 5] [lindex $data 6] [GetCurrentTimeStamp] $AUTOID $acCat($rid)"
>     (procedure "AutoCat" line 43)
>     invoked from within
> "AutoCat $row"
>     ("foreach" body line 6)
>     invoked from within
> "foreach row [mysqlsel $MAIN_DB_SOCKETID $tmpQry -list] {
>
>
>         InfoMessage "Archived Alert: $row"
>         set LAST_EVENT_ID([lindex $row 3]) "[li..."
>     invoked from within
> "if { $mergeTableListArray(event) != "" } {
>
>
>     # Get the archived alerts
>     LogMessage "Querying DB for archived events..."
>     set MAJOR_MYSQL_VERS..."
>     (file "/usr/bin/sguild" line 737)
> 2016-02-22 09:40:45 pid(40157)  loaderd: Received:
> 2016-02-22 09:40:45 pid(40157)  Unknown command received from sguild:
> You received this message because you are subscribed to a topic in the Google Groups "security-onion" group.
>
> To unsubscribe from this topic, visit https://groups.google.com/d/topic/security-onion/touCa1eR_EE/unsubscribe.
>
> To unsubscribe from this group and all its topics, send an email to security-onio...@googlegroups.com.
>
> To post to this group, send email to securit...@googlegroups.com.
>
> Visit this group at https://groups.google.com/group/security-onion.
>
> For more options, visit https://groups.google.com/d/optout.

Danny,

Have you tried looking to see if this event/table exists in securityonion_db?

2016-02-22 09:40:45 pid(40154) UPDATE `event_BOBAFETT01-eth7_20160222` SET status=1, last_modified='2016-02-22 09:40:45', last_uid='1' WHERE sid=357 AND cid=66336
mysqlexec/db server: Table 'securityonion_db.event_BOBAFETT01-eth7_20160222' doesn't exist

Thanks,
Wes


Wes

Feb 23, 2016, 6:15:44 PM2/23/16
to security-onion
On Tuesday, February 23, 2016 at 10:49:52 AM UTC-5, Danny Stephens wrote:
> >
> > Danny,
> >
> > Have you tried looking to see if this event/table exists in securityonion_db?
> >
> > 2016-02-22 09:40:45 pid(40154) UPDATE `event_BOBAFETT01-eth7_20160222` SET status=1, last_modified='2016-02-22 09:40:45', last_uid='1' WHERE sid=357 AND cid=66336
> > mysqlexec/db server: Table 'securityonion_db.event_BOBAFETT01-eth7_20160222' doesn't exist
> >
> > Thanks,
> > Wes
>
> Wes, this is what I have in the mysql db
>
> And yes, the table is there; I commented it to highlight it
>
> mysql> show tables;
> +-----------------------------------------+
> | Tables_in_securityonion_db |
> +-----------------------------------------+
> | autocat |
> | data |
> | data_BOBAFETT01-eth7_20160222 |
> | data_BOBAFETT01-eth7_20160223 |
> | data_BOBAFETT01-ossec_20160222 |
> | data_BOBAFETT01-ossec_20160223 |
> | data_BOBAFETT03-ossec_20160222 |
> | data_BOBAFETT03-ossec_20160223 |
> | data_VADER01-ossec_20160222 |
> | data_VADER01-ossec_20160223 |
> | data_VADER03-ossec_20160222 |
> | data_VADER03-ossec_20160223 |
> | data_coilite-mgr-ossec_20160222 |
> | data_coilite-sensor03-ossec_20160222 |
> | data_coilite-sensor03-ossec_20160223 |
> | data_coilite-sensor06-ossec_20160222 |
> | data_coilite-sensor06-ossec_20160223 |
> | data_solo01-eth3_20160222 |
> | data_solo01-eth3_20160223 |
> | data_solo01-ossec_20160222 |
> | data_solo01-ossec_20160223 |
> | data_solo02-eth0_20160222 |
> | data_solo02-eth0_20160223 |
> | data_solo02-ossec_20160222 |
> | data_solo02-ossec_20160223 |
> | event |
> ######| event_BOBAFETT01-eth7_20160222 |#########
> | event_BOBAFETT01-eth7_20160223 |
> | event_BOBAFETT01-ossec_20160222 |
> | event_BOBAFETT01-ossec_20160223 |
> | event_BOBAFETT03-ossec_20160222 |
> | event_BOBAFETT03-ossec_20160223 |
> | event_VADER01-ossec_20160222 |
> | event_VADER01-ossec_20160223 |
> | event_VADER03-ossec_20160222 |
> | event_VADER03-ossec_20160223 |
> | event_coilite-mgr-ossec_20160222 |
> | event_coilite-sensor03-ossec_20160222 |
> | event_coilite-sensor03-ossec_20160223 |
> | event_coilite-sensor06-ossec_20160222 |
> | event_coilite-sensor06-ossec_20160223 |
> | event_solo01-eth3_20160222 |
> | event_solo01-eth3_20160223 |
> | event_solo01-ossec_20160222 |
> | event_solo01-ossec_20160223 |
> | event_solo02-eth0_20160222 |
> | event_solo02-eth0_20160223 |
> | event_solo02-ossec_20160222 |
> | event_solo02-ossec_20160223 |
> | filters |
> | history |
> | icmphdr |
> | icmphdr_BOBAFETT01-eth7_20160222 |
> | icmphdr_BOBAFETT01-eth7_20160223 |
> | icmphdr_BOBAFETT01-ossec_20160222 |
> | icmphdr_BOBAFETT01-ossec_20160223 |
> | icmphdr_BOBAFETT03-ossec_20160222 |
> | icmphdr_BOBAFETT03-ossec_20160223 |
> | icmphdr_VADER01-ossec_20160222 |
> | icmphdr_VADER01-ossec_20160223 |
> | icmphdr_VADER03-ossec_20160222 |
> | icmphdr_VADER03-ossec_20160223 |
> | icmphdr_coilite-mgr-ossec_20160222 |
> | icmphdr_coilite-sensor03-ossec_20160222 |
> | icmphdr_coilite-sensor03-ossec_20160223 |
> | icmphdr_coilite-sensor06-ossec_20160222 |
> | icmphdr_coilite-sensor06-ossec_20160223 |
> | icmphdr_solo01-eth3_20160222 |
> | icmphdr_solo01-eth3_20160223 |
> | icmphdr_solo01-ossec_20160222 |
> | icmphdr_solo01-ossec_20160223 |
> | icmphdr_solo02-eth0_20160222 |
> | icmphdr_solo02-eth0_20160223 |
> | icmphdr_solo02-ossec_20160222 |
> | icmphdr_solo02-ossec_20160223 |
> | ip2c |
> | mappings |
> | nessus |
> | nessus_data |
> | object_mappings |
> | pads |
> | portscan |
> | sancp |
> | sancp_BOBAFETT01-eth7_20160222 |
> | sancp_solo01-eth3_20160222 |
> | sancp_solo02-eth0_20160222 |
> | sensor |
> | stat_types |
> | stats |
> | status |
> | tcphdr |
> | tcphdr_BOBAFETT01-eth7_20160222 |
> | tcphdr_BOBAFETT01-eth7_20160223 |
> | tcphdr_BOBAFETT01-ossec_20160222 |
> | tcphdr_BOBAFETT01-ossec_20160223 |
> | tcphdr_BOBAFETT03-ossec_20160222 |
> | tcphdr_BOBAFETT03-ossec_20160223 |
> | tcphdr_VADER01-ossec_20160222 |
> | tcphdr_VADER01-ossec_20160223 |
> | tcphdr_VADER03-ossec_20160222 |
> | tcphdr_VADER03-ossec_20160223 |
> | tcphdr_coilite-mgr-ossec_20160222 |
> | tcphdr_coilite-sensor03-ossec_20160222 |
> | tcphdr_coilite-sensor03-ossec_20160223 |
> | tcphdr_coilite-sensor06-ossec_20160222 |
> | tcphdr_coilite-sensor06-ossec_20160223 |
> | tcphdr_solo01-eth3_20160222 |
> | tcphdr_solo01-eth3_20160223 |
> | tcphdr_solo01-ossec_20160222 |
> | tcphdr_solo01-ossec_20160223 |
> | tcphdr_solo02-eth0_20160222 |
> | tcphdr_solo02-eth0_20160223 |
> | tcphdr_solo02-ossec_20160222 |
> | tcphdr_solo02-ossec_20160223 |
> | udphdr |
> | udphdr_BOBAFETT01-eth7_20160222 |
> | udphdr_BOBAFETT01-eth7_20160223 |
> | udphdr_BOBAFETT01-ossec_20160222 |
> | udphdr_BOBAFETT01-ossec_20160223 |
> | udphdr_BOBAFETT03-ossec_20160222 |
> | udphdr_BOBAFETT03-ossec_20160223 |
> | udphdr_VADER01-ossec_20160222 |
> | udphdr_VADER01-ossec_20160223 |
> | udphdr_VADER03-ossec_20160222 |
> | udphdr_VADER03-ossec_20160223 |
> | udphdr_coilite-mgr-ossec_20160222 |
> | udphdr_coilite-sensor03-ossec_20160222 |
> | udphdr_coilite-sensor03-ossec_20160223 |
> | udphdr_coilite-sensor06-ossec_20160222 |
> | udphdr_coilite-sensor06-ossec_20160223 |
> | udphdr_solo01-eth3_20160222 |
> | udphdr_solo01-eth3_20160223 |
> | udphdr_solo01-ossec_20160222 |
> | udphdr_solo01-ossec_20160223 |
> | udphdr_solo02-eth0_20160222 |
> | udphdr_solo02-eth0_20160223 |
> | udphdr_solo02-ossec_20160222 |
> | udphdr_solo02-ossec_20160223 |
> | user_info |
> | version |
> +-----------------------------------------+
> 140 rows in set (0.00 sec)

Danny,

You could try dropping the specific table you are having issues with or running mysql repair tools on just that table. Otherwise, I would try setting the DAYSTOKEEP variable to 1 in /etc/nsm/securityonion.conf and running sguil-db-purge again.

Thanks,
Wes


Wes

Feb 24, 2016, 11:46:01 AM2/24/16
to security-onion
On Wednesday, February 24, 2016 at 11:31:54 AM UTC-5, Danny Stephens wrote:
> /etc/nsm$ cat securityonion.conf
> # /etc/nsm/securityonion.conf
> # Generated by Security Onion Setup (sosetup) at Mon Jan 4 15:48:38 UTC 2016
>
> # Which IDS engine would you like to run?
> ENGINE=suricata
>
> # How many days would you like to keep in the Sguil database archive?
> DAYSTOKEEP=1
>
> # How many days worth of tables would you like to repair every day?
> DAYSTOREPAIR=2
>
> # At what percentage of disk usage should the NSM scripts warn you?
> WARN_DISK_USAGE=80
>
> # At what percentage of disk usage should the NSM scripts begin purging old data?
> CRIT_DISK_USAGE=90
>
> # Do you want to run Bro? yes/no
> BRO_ENABLED=yes
>
> # BRO_USER specifies the user account used to start Bro.
> BRO_USER=sguil
> BRO_GROUP=sguil
>
> # The OSSEC agent sends OSSEC HIDS alerts into the Sguil database.
> # Do you want to run the OSSEC Agent? yes/no
> OSSEC_AGENT_ENABLED=yes
>
> # OSSEC_AGENT_LEVEL specifies the level at which OSSEC alerts are sent to sguild.
> OSSEC_AGENT_LEVEL=5
>
> # Do you want to run the Snorby worker? yes/no
> SNORBY_ENABLED=no
>
> # Do you want to run Xplico? yes/no
> XPLICO_ENABLED=yes
>
> # LOCAL_HIDS_RULE_TUNING
> # If set to no (default), sensor will copy OSSEC rules from master server as-is (no changes).
> # If set to yes, sensor will keep its own copy of the OSSEC rules.
> LOCAL_HIDS_RULE_TUNING=no
>
> # LOCAL_NIDS_RULE_TUNING
> # The effect of this option is different depending on whether this box is a server or not.
> # SERVER
> # LOCAL_NIDS_RULE_TUNING=yes
> # rule-update will operate on a local copy of the rules instead of downloading rules from the Internet
> # LOCAL_NIDS_RULE_TUNING=no
> # rule-update will try to download rules from the Internet
> # SENSOR-ONLY
> # LOCAL_NIDS_RULE_TUNING=yes
> # rule-update will copy rules from master server and then try to run PulledPork locally for tuning
> # LOCAL_NIDS_RULE_TUNING=no
> # rule-update will copy rules from master server as-is (no changes)
> LOCAL_NIDS_RULE_TUNING=no
>
> # OSSEC_AGENT_USER specifies the user account used to start the OSSEC agent for Sguil.
> OSSEC_AGENT_USER=sguil
>
> # ELSA
> ELSA=YES
>
> # What is the maximum number of uncategorized events to allow?
> # If this number gets too high, then sguild startup may be delayed.
> UNCAT_MAX=1000
>
>
>
> I did that days ago

Danny,

Did you try dropping the table?

Thanks,
Wes

Wes

Feb 24, 2016, 11:47:12 AM2/24/16
to security-onion

If you do decide to drop the table, ensure sguild/nsm services are not running when editing securityonion_db.

Thanks,
Wes

Bamm Visscher

Feb 24, 2016, 12:36:06 PM2/24/16
to securit...@googlegroups.com
I am not sure why an event would get placed in the wrong table, but you can try updating the alert status using the MERGE table. It may take a bit depending on how big your event DB is:

mysql> UPDATE `event` SET status=1, last_modified='2016-02-22 09:40:45', last_uid='1' WHERE sid=357 AND cid=66336;

Bamm


On Tue, Feb 23, 2016 at 10:49 AM, Danny Stephens <syc...@gmail.com> wrote:

>
> Danny,
>
> Have you tried looking to see if this event/table exists in securityonion_db?
>
> 2016-02-22 09:40:45 pid(40154)  UPDATE `event_BOBAFETT01-eth7_20160222` SET status=1, last_modified='2016-02-22 09:40:45', last_uid='1' WHERE sid=357 AND cid=66336
> mysqlexec/db server: Table 'securityonion_db.event_BOBAFETT01-eth7_20160222' doesn't exist
>
> Thanks,
> Wes

--
Follow Security Onion on Twitter!
https://twitter.com/securityonion



--
sguil - The Analyst Console for NSM
http://www.sguil.net
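A way to do the cross-check Wes asks for above (does the table sguild names actually exist in securityonion_db?) and to produce the MERGE-table statement Bamm gives, as an added example that is not Security Onion's or sguil's own code: it pairs each `Table ... doesn't exist` error in sguild.log with the per-day UPDATE logged just before it, checks that table name against a `show tables` listing, and rewrites the same UPDATE against the `event` MERGE table. The log excerpt and table list are constructed from the posts in this thread, and the function names are hypothetical.

```python
"""Cross-check sguild "Table ... doesn't exist" errors against what MySQL lists,
and rewrite the failed per-day UPDATE against the MERGE table.

Added example for this thread; it is not Security Onion or sguil code. The log
excerpt and table listing below are constructed from the posts above, and the
function names are hypothetical.
"""
import re

# Constructed from the sguild.log excerpt quoted in the thread.
SGUILD_LOG = """\
2016-02-22 09:40:45 pid(40154)  AUTO MARKING EVENT AS : 1
2016-02-22 09:40:45 pid(40154)  UPDATE `event_BOBAFETT01-eth7_20160222` SET status=1, last_modified='2016-02-22 09:40:45', last_uid='1' WHERE sid=357 AND cid=66336
mysqlexec/db server: Table 'securityonion_db.event_BOBAFETT01-eth7_20160222' doesn't exist
    while executing
"mysqlexec $MAIN_DB_SOCKETID $updateString"
"""

# Constructed subset of the `show tables` output quoted in the thread,
# including the line Danny wrapped in ##### to highlight it.
SHOW_TABLES = """\
+-----------------------------------------+
| Tables_in_securityonion_db |
+-----------------------------------------+
| event |
######| event_BOBAFETT01-eth7_20160222 |#########
| event_BOBAFETT01-eth7_20160223 |
| event_solo02-eth0_20160222 |
+-----------------------------------------+
"""

# The UPDATE sguild logs right before the error, and the error line itself.
UPDATE_RE = re.compile(
    r"UPDATE `(?P<table>[^`]+)` SET (?P<assignments>.+?) "
    r"WHERE sid=(?P<sid>\d+) AND cid=(?P<cid>\d+)"
)
MISSING_RE = re.compile(r"Table '(?P<db>[^.']+)\.(?P<table>[^']+)' doesn't exist")


def parse_show_tables(text):
    """Return the set of table names in a `mysql> show tables;` listing."""
    names = set()
    for line in text.splitlines():
        line = line.strip().strip("#").strip()  # tolerate hand-added ##### markers
        m = re.match(r"^\|\s*(\S+)\s*\|$", line)
        if m and not m.group(1).startswith("Tables_in_"):
            names.add(m.group(1))
    return names


def find_failed_updates(log_text):
    """Pair each "doesn't exist" error with the UPDATE sguild logged just before it."""
    failures = []
    pending = None
    for line in log_text.splitlines():
        u = UPDATE_RE.search(line)
        if u:
            pending = u.groupdict()
            continue
        e = MISSING_RE.search(line)
        if e and pending is not None:
            failures.append({**pending, "missing": e.group("table")})
            pending = None
    return failures


def merge_table_update(failure, merge_table="event"):
    """Rewrite the failed per-day UPDATE against the MERGE table (Bamm's suggestion)."""
    return (
        f"UPDATE `{merge_table}` SET {failure['assignments']} "
        f"WHERE sid={failure['sid']} AND cid={failure['cid']};"
    )


def triage(log_text, show_tables_text):
    """One record per failed UPDATE: the table sguild wanted, whether MySQL lists
    it, and the MERGE-table statement to run instead (with sguild/NSM stopped)."""
    listed = parse_show_tables(show_tables_text)
    return [
        {
            "table": f["missing"],
            "listed_by_mysql": f["missing"] in listed,
            "fallback_sql": merge_table_update(f),
        }
        for f in find_failed_updates(log_text)
    ]


if __name__ == "__main__":
    for rec in triage(SGUILD_LOG, SHOW_TABLES):
        state = "listed" if rec["listed_by_mysql"] else "NOT listed"
        print(f"{rec['table']}: {state} by MySQL; fallback: {rec['fallback_sql']}")
```

On the thread's own data this reports that `event_BOBAFETT01-eth7_20160222` is listed by MySQL even though sguild says it does not exist, which is exactly the mismatch Wes suggests chasing with drop/repair on that one table; the fallback statement it emits is the MERGE-table UPDATE Bamm posted, and as Wes notes it belongs in a window where sguild and the NSM services are stopped.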

Wes

Feb 26, 2016, 5:29:53 PM2/26/16
to security-onion
On Wednesday, February 24, 2016 at 1:07:18 PM UTC-5, Danny Stephens wrote:
> most current sguild.log
>
>
>
> 2016-02-24 11:05:17 pid(13146)    SELECT MAX(timestamp) FROM event WHERE sid=60
> 2016-02-24 11:05:17 pid(13146)    SELECT MAX(timestamp) FROM event WHERE sid=83
> 2016-02-24 11:05:17 pid(13146)    SELECT MAX(timestamp) FROM event WHERE sid=84
> 2016-02-24 11:05:17 pid(13146)    SELECT MAX(timestamp) FROM event WHERE sid=85
> 2016-02-24 11:05:17 pid(13146)    SELECT MAX(timestamp) FROM event WHERE sid=86
> 2016-02-24 11:05:17 pid(13146)    SELECT MAX(timestamp) FROM event WHERE sid=381
> 2016-02-24 11:05:17 pid(13146)    SELECT MAX(timestamp) FROM event WHERE sid=46
> 2016-02-24 11:05:17 pid(13146)    SELECT MAX(timestamp) FROM event WHERE sid=47
> 2016-02-24 11:05:17 pid(13146)    SELECT MAX(timestamp) FROM event WHERE sid=50
> 2016-02-24 11:05:17 pid(13146)    SELECT MAX(timestamp) FROM event WHERE sid=51
> 2016-02-24 11:05:17 pid(13146)    SELECT MAX(timestamp) FROM event WHERE sid=54
> 2016-02-24 11:05:17 pid(13146)    SELECT MAX(timestamp) FROM event WHERE sid=58
> 2016-02-24 11:05:17 pid(13146)    SELECT MAX(timestamp) FROM event WHERE sid=64
> 2016-02-24 11:05:17 pid(13146)    SELECT MAX(timestamp) FROM pads WHERE sid=76
> 2016-02-24 11:05:17 pid(13146)    SELECT MAX(timestamp) FROM event WHERE sid=78
> 2016-02-24 11:05:17 pid(13146)    SELECT MAX(timestamp) FROM event WHERE sid=382
> 2016-02-24 11:05:17 pid(13146)    SELECT MAX(timestamp) FROM event WHERE sid=79
> 2016-02-24 11:05:17 pid(13146)  Querying DB for archived events...
> 2016-02-24 11:05:17 pid(13146)  SELECT event.status, event.priority, event.class, sensor.hostname,
>  event.timestamp, event.sid, event.cid, event.signature,
>  INET_NTOA(event.src_ip), INET_NTOA(event.dst_ip), event.ip_proto,
>  event.src_port, event.dst_port, event.signature_gen, event.signature_id,
>  event.signature_rev, event.unified_event_id, unified_event_ref
>  FROM event
>  FORCE INDEX (status)
>  JOIN sensor ON event.sid=sensor.sid
>  WHERE event.status=0 ORDER BY event.timestamp ASC
> 2016-02-24 11:05:17 pid(13146)  Archived Alert: 0 5 {} coilite-mgr-ossec {2016-02-23 00:01:55} 1 1 {[OSSEC] SSHD authentication failed.} 10.180.187.24 0.0.0.0 0 {} {} 10001 5716 1 1 1
> 2016-02-24 11:05:17 pid(13146)  AUTO MARKING EVENT AS : 1
> 2016-02-24 11:05:17 pid(13146)  UPDATE `event_coilite-mgr-ossec_20160223` SET status=1, last_modified='2016-02-24 11:05:17', last_uid='1' WHERE sid=1 AND cid=1
> mysqlexec/db server: Table 'securityonion_db.event_coilite-mgr-ossec_20160223' doesn't exist
>     while executing
> "mysqlexec $MAIN_DB_SOCKETID $updateString"
>     (procedure "UpdateDBStatus" line 11)
>     invoked from within
> "UpdateDBStatus [lindex $data 3] [lindex $data 4] [lindex $data 5] [lindex $data 6] [GetCurrentTimeStamp] $AUTOID $acCat($rid)"
>     (procedure "AutoCat" line 43)
>     invoked from within
> "AutoCat $row"
>     ("foreach" body line 6)
>     invoked from within
> "foreach row [mysqlsel $MAIN_DB_SOCKETID $tmpQry -list] {
>
>
>         InfoMessage "Archived Alert: $row"
>         set LAST_EVENT_ID([lindex $row 3]) "[li..."
>     invoked from within
> "if { $mergeTableListArray(event) != "" } {
>
>
>     # Get the archived alerts
>     LogMessage "Querying DB for archived events..."
>     set MAJOR_MYSQL_VERS..."
>     (file "/usr/bin/sguild" line 737)
> 2016-02-24 11:05:17 pid(13151)  loaderd: Received:
> 2016-02-24 11:05:17 pid(13151)  Unknown command received from sguild:

Danny,

Were you able to get this issue resolved?

Thanks,
Wes

Wes

Feb 29, 2016, 5:15:57 PM2/29/16
to security-onion
On Monday, February 29, 2016 at 10:20:28 AM UTC-5, Danny Stephens wrote:
> >
> > Danny,
> >
> > Were you able to get this issue resolved?
> >
> > Thanks,
> > Wes
>
> Wes,
>
> Sguil starts and runs fine now, but Squert on the other hand is now not working; it just spins, and at the bottom of the page it just says "waiting for" and the IP,
> but at random times it works and runs fine, then nothing again. It does not make a whole lot of sense.
>
> Thank you for all your help
> Stephens

Danny,

Could you please attach new sostat-redacted output and sguild.log?

Thanks,
Wes
