Error: No such container: so-logstash


Gordon Maene

Sep 4, 2019, 10:12:40 AM
to security-onion
Afternoon Team

We've been suffering from the [129:20:1] stream5: TCP session without 3-way handshake events smashing Sguil. We have since run sudo sguil-db-purge, so eventually managed to get Sguil back up and running. We then ran soup to get the latest updates, but since updating we have been battling to get logstash started.

Logstash stays on "Logstash has started, but is still initializing" for around 10 minutes before the whole server gets stuck and only a reboot gets it started up again. At the moment I am only able to troubleshoot by stopping the logstash service.

I noticed that in the sostat-redacted it says Error: No such container: so-logstash and when I locate logstash.yml it comes up in 3 different directories, which I don't believe is correct, but not sure how to go about resolving it.

Any ideas on how I can get logstash back up and running or how to resolve what I believe to be a corrupted logstash container?

Thanks for the help.

Regards

Gordon

locate logstash.yml
/etc/logstash/logstash.yml
/etc/logstash/logstash.yml.bak
/opt/elastic/src/etc/logstash/logstash.yml
/var/lib/docker/overlay2/2e2c68c9b5c0715a86cb992e1e13f372bad74d0069703781b117bba4ce28f9ca/diff/usr/share/logstash/config/logstash.yml
/var/lib/docker/overlay2/7fdba90485fb394d4c3ca6a23f7fa64c9c9a96896cc78c62df64eb099698d827/diff/usr/share/logstash/config/logstash.yml
/var/lib/docker/overlay2/c436c507ab86307c7a754a436406f9fb3edd5e5ce0446f329fbdf0b5e6ed68f4/diff/usr/share/logstash/config/logstash.yml
sostat-redacted
ERROR 130 (HY000) at line 1: Incorrect file format 'event_ha148-ids-01-ens224-1_20190904'
ERROR 130 (HY000) at line 1: Incorrect file format 'event_ha148-ids-01-ens224-1_20190904'
ERROR 130 (HY000) at line 1: Incorrect file format 'event_ha148-ids-01-ens224-1_20190904'
ERROR 130 (HY000) at line 1: Incorrect file format 'event_ha148-ids-01-ens224-1_20190904'
ERROR 130 (HY000) at line 1: Incorrect file format 'event_ha148-ids-01-ens224-1_20190904'
Error: No such container: so-logstash
=========================================================================
Service Status
=========================================================================
Status: securityonion
  * SO-user server[  OK  ]
Status: HIDS
  * ossec_agent (SO-user)[  OK  ]
Status: Elastic stack
  * so-elasticsearch  OK  ]
  * so-logstash FAIL ]
  * so-kibana FAIL ]
  * so-domainstats  OK  ]
  * so-curator  OK  ]
  * so-elastalert  OK  ]


=========================================================================
Interface Status
=========================================================================
br-df93399bedb3 Link encap:Ethernet  HWaddr MM:MM:MM:MM:MM:MM
          inet addr:X.X.X.X  Bcast:X.X.X.X  Mask:X.X.X.X
          inet6 addr: X.X.X.X/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:4 errors:0 dropped:0 overruns:0 frame:0
          TX packets:25 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:112 (112.0 B)  TX bytes:1830 (1.8 KB)

docker0   Link encap:Ethernet  HWaddr MM:MM:MM:MM:MM:MM
          inet addr:X.X.X.X  Bcast:X.X.X.X  Mask:X.X.X.X
          inet6 addr: X.X.X.X/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:7215 errors:0 dropped:0 overruns:0 frame:0
          TX packets:16214 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1161872 (1.1 MB)  TX bytes:79168334 (79.1 MB)

ens160    Link encap:Ethernet  HWaddr MM:MM:MM:MM:MM:MM
          inet addr:X.X.X.X  Bcast:X.X.X.X  Mask:X.X.X.X
          inet6 addr: X.X.X.X/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:4194775 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3682041 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:665671849 (665.6 MB)  TX bytes:9848548720 (9.8 GB)

lo        Link encap:Local Loopback
          inet addr:X.X.X.X  Mask:X.X.X.X
          inet6 addr: X.X.X.X/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:88239 errors:0 dropped:0 overruns:0 frame:0
          TX packets:88239 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:418900646 (418.9 MB)  TX bytes:418900646 (418.9 MB)


so-curator
-------------------------------------------------------------------------
(eth0)
veth18b5695 Link encap:Ethernet  HWaddr MM:MM:MM:MM:MM:MM
          inet6 addr: X.X.X.X/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:36 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:2632 (2.6 KB)

(eth1)
veth78b8098 Link encap:Ethernet  HWaddr MM:MM:MM:MM:MM:MM
          inet6 addr: X.X.X.X/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:14809 errors:0 dropped:0 overruns:0 frame:0
          TX packets:15633 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1597626 (1.5 MB)  TX bytes:203101908 (203.1 MB)


so-elastalert
-------------------------------------------------------------------------
(eth0)
vethcf21480 Link encap:Ethernet  HWaddr MM:MM:MM:MM:MM:MM
          inet6 addr: X.X.X.X/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:6 errors:0 dropped:0 overruns:0 frame:0
          TX packets:43 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:404 (404.0 B)  TX bytes:3374 (3.3 KB)

(eth1)
vethf698c6c Link encap:Ethernet  HWaddr MM:MM:MM:MM:MM:MM
          inet6 addr: X.X.X.X/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:7105 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5064 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1912796 (1.9 MB)  TX bytes:1464035 (1.4 MB)


so-elasticsearch
-------------------------------------------------------------------------
(eth0)
vetha1ca03b Link encap:Ethernet  HWaddr MM:MM:MM:MM:MM:MM
          inet6 addr: X.X.X.X/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:31 errors:0 dropped:0 overruns:0 frame:0
          TX packets:77 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:2428 (2.4 KB)  TX bytes:5571 (5.5 KB)

(eth1)
vethb42341d Link encap:Ethernet  HWaddr MM:MM:MM:MM:MM:MM
          inet6 addr: X.X.X.X/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:20950 errors:0 dropped:0 overruns:0 frame:0
          TX packets:22357 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:206068303 (206.0 MB)  TX bytes:3774751 (3.7 MB)


so-domainstats
-------------------------------------------------------------------------
(eth0)
veth349e149 Link encap:Ethernet  HWaddr MM:MM:MM:MM:MM:MM
          inet6 addr: X.X.X.X/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:50 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:3596 (3.5 KB)

(eth1)
veth3d86df7 Link encap:Ethernet  HWaddr MM:MM:MM:MM:MM:MM
          inet6 addr: X.X.X.X/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:53 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:3722 (3.7 KB)


=========================================================================
Link Statistics
=========================================================================
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
    RX: bytes  packets  errors  dropped overrun mcast
    418901346  88253    0       0       0       0
    RX errors: length   crc     frame   fifo    missed
               0        0       0       0       0
    TX: bytes  packets  errors  dropped carrier collsns
    418901346  88253    0       0       0       0
    TX errors: aborted  fifo   window heartbeat transns
               0        0       0       0       0
2: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000
    link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
    RX: bytes  packets  errors  dropped overrun mcast
    665687787  4194866  0       0       0       0
    RX errors: length   crc     frame   fifo    missed
               0        0       0       0       0
    TX: bytes  packets  errors  dropped carrier collsns
    9848554370 3682126  0       0       0       0
    TX errors: aborted  fifo   window heartbeat transns
               0        0       0       0       1
3: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default
    link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
    RX: bytes  packets  errors  dropped overrun mcast
    1161872    7215     0       0       0       0
    RX errors: length   crc     frame   fifo    missed
               0        0       0       0       0
    TX: bytes  packets  errors  dropped carrier collsns
    79168334   16214    0       0       0       0
    TX errors: aborted  fifo   window heartbeat transns
               0        0       0       0       2
4: br-df93399bedb3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default
    link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
    RX: bytes  packets  errors  dropped overrun mcast
    112        4        0       0       0       0
    RX errors: length   crc     frame   fifo    missed
               0        0       0       0       0
    TX: bytes  packets  errors  dropped carrier collsns
    1830       25       0       0       0       0
    TX errors: aborted  fifo   window heartbeat transns
               0        0       0       0       2
6: veth349e149@if5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP mode DEFAULT group default
    link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM link-netnsid 0
    RX: bytes  packets  errors  dropped overrun mcast
    0          0        0       0       0       0
    RX errors: length   crc     frame   fifo    missed
               0        0       0       0       0
    TX: bytes  packets  errors  dropped carrier collsns
    3596       50       0       0       0       0
    TX errors: aborted  fifo   window heartbeat transns
               0        0       0       0       2
8: veth3d86df7@if7: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-df93399bedb3 state UP mode DEFAULT group default
    link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM link-netnsid 0
    RX: bytes  packets  errors  dropped overrun mcast
    0          0        0       0       0       0
    RX errors: length   crc     frame   fifo    missed
               0        0       0       0       0
    TX: bytes  packets  errors  dropped carrier collsns
    3722       53       0       0       0       0
    TX errors: aborted  fifo   window heartbeat transns
               0        0       0       0       2
10: vetha1ca03b@if9: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP mode DEFAULT group default
    link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM link-netnsid 1
    RX: bytes  packets  errors  dropped overrun mcast
    2428       31       0       0       0       0
    RX errors: length   crc     frame   fifo    missed
               0        0       0       0       0
    TX: bytes  packets  errors  dropped carrier collsns
    5571       77       0       0       0       0
    TX errors: aborted  fifo   window heartbeat transns
               0        0       0       0       2
12: vethb42341d@if11: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-df93399bedb3 state UP mode DEFAULT group default
    link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM link-netnsid 1
    RX: bytes  packets  errors  dropped overrun mcast
    206068303  20950    0       0       0       0
    RX errors: length   crc     frame   fifo    missed
               0        0       0       0       0
    TX: bytes  packets  errors  dropped carrier collsns
    3774751    22357    0       0       0       0
    TX errors: aborted  fifo   window heartbeat transns
               0        0       0       0       2
22: vethcf21480@if21: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP mode DEFAULT group default
    link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM link-netnsid 4
    RX: bytes  packets  errors  dropped overrun mcast
    404        6        0       0       0       0
    RX errors: length   crc     frame   fifo    missed
               0        0       0       0       0
    TX: bytes  packets  errors  dropped carrier collsns
    3374       43       0       0       0       0
    TX errors: aborted  fifo   window heartbeat transns
               0        0       0       0       2
24: vethf698c6c@if23: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-df93399bedb3 state UP mode DEFAULT group default
    link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM link-netnsid 4
    RX: bytes  packets  errors  dropped overrun mcast
    1912796    7105     0       0       0       0
    RX errors: length   crc     frame   fifo    missed
               0        0       0       0       0
    TX: bytes  packets  errors  dropped carrier collsns
    1464035    5064     0       0       0       0
    TX errors: aborted  fifo   window heartbeat transns
               0        0       0       0       2
26: veth18b5695@if25: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP mode DEFAULT group default
    link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM link-netnsid 5
    RX: bytes  packets  errors  dropped overrun mcast
    0          0        0       0       0       0
    RX errors: length   crc     frame   fifo    missed
               0        0       0       0       0
    TX: bytes  packets  errors  dropped carrier collsns
    2632       36       0       0       0       0
    TX errors: aborted  fifo   window heartbeat transns
               0        0       0       0       2
28: veth78b8098@if27: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-df93399bedb3 state UP mode DEFAULT group default
    link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM link-netnsid 5
    RX: bytes  packets  errors  dropped overrun mcast
    1609122    14917    0       0       0       0
    RX errors: length   crc     frame   fifo    missed
               0        0       0       0       0
    TX: bytes  packets  errors  dropped carrier collsns
    204532679  15748    0       0       0       0
    TX errors: aborted  fifo   window heartbeat transns
               0        0       0       0       2

=========================================================================
Disk Usage
=========================================================================
Filesystem      Size  Used Avail Use% Mounted on
udev            9.8G     0  9.8G   0% /dev
tmpfs           2.0G   11M  2.0G   1% /run
/dev/sda1       674G  399G  241G  63% /
tmpfs           9.9G  180K  9.9G   1% /dev/shm
tmpfs           5.0M     0  5.0M   0% /run/lock
tmpfs           9.9G     0  9.9G   0% /sys/fs/cgroup
tmpfs           2.0G  8.0K  2.0G   1% /run/user/1000
overlay         674G  399G  241G  63% /var/lib/docker/overlay2/886008fdedca289c5c0e1053a51f61a5872c07d00f96c18165044d4e5b7370e9/merged
overlay         674G  399G  241G  63% /var/lib/docker/overlay2/b9acbc453fea090b97d086c4b9a75a320d4c3eb784316257de011d14e844d8f9/merged
overlay         674G  399G  241G  63% /var/lib/docker/overlay2/899639b2d36fba61bb06d61a6346265e66e5a904cd1ccc73b3848771a4a73775/merged
overlay         674G  399G  241G  63% /var/lib/docker/overlay2/57b66642fec6841356abd24fc7a448c039afafea2ef69d4004753747f66aca86/merged
tmpfs           2.0G     0  2.0G   0% /run/user/1001

=========================================================================
Network Sockets
=========================================================================
COMMAND    PID      USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
syslog-ng  916      root    7u  IPv4  20079      0t0  TCP *:514 (LISTEN)
syslog-ng  916      root    8u  IPv4  20080      0t0  UDP *:514
mysqld    1473     mysql   19u  IPv4  27982      0t0  TCP X.X.X.X:3306 (LISTEN)
sshd      1494      root    3u  IPv4  30815      0t0  TCP *:ssh_port (LISTEN)
sshd      1494      root    4u  IPv6  30817      0t0  TCP *:ssh_port (LISTEN)
sshd      1624      root    3u  IPv4  23714      0t0  TCP X.X.X.X:ssh_port->X.X.X.X:33010 (ESTABLISHED)
sshd      1816      root    3u  IPv4  24720      0t0  TCP X.X.X.X:ssh_port->X.X.X.X:52848 (ESTABLISHED)
sshd      1823      root    3u  IPv4  23925      0t0  TCP X.X.X.X:ssh_port->X.X.X.X:42566 (ESTABLISHED)
sshd      1826      root    3u  IPv4  23932      0t0  TCP X.X.X.X:ssh_port->X.X.X.X:34076 (ESTABLISHED)
sshd      1835      root    3u  IPv4  27734      0t0  TCP X.X.X.X:ssh_port->X.X.X.X:43778 (ESTABLISHED)
ntpd      1844       ntp   16u  IPv6  23199      0t0  UDP *:123
ntpd      1844       ntp   17u  IPv4  23202      0t0  UDP *:123
ntpd      1844       ntp   18u  IPv4  23207      0t0  UDP X.X.X.X:123
ntpd      1844       ntp   19u  IPv4  23209      0t0  UDP X.X.X.X:123
ntpd      1844       ntp   20u  IPv6  23211      0t0  UDP [X.X.X.X]:123
ntpd      1844       ntp   21u  IPv6  23213      0t0  UDP [X.X.X.X]:123
ntpd      1844       ntp   23u  IPv4  33971      0t0  UDP X.X.X.X:123
ntpd      1844       ntp   24u  IPv4  33973      0t0  UDP X.X.X.X:123
ntpd      1844       ntp   25u  IPv6  33977      0t0  UDP [X.X.X.X]:123
ntpd      1844       ntp   26u  IPv6  33981      0t0  UDP [X.X.X.X]:123
ntpd      1844       ntp   27u  IPv6  34104      0t0  UDP [X.X.X.X]:123
ntpd      1844       ntp   28u  IPv6  34107      0t0  UDP [X.X.X.X]:123
ntpd      1844       ntp   29u  IPv6  34354      0t0  UDP [X.X.X.X]:123
ntpd      1844       ntp   30u  IPv6  34371      0t0  UDP [X.X.X.X]:123
ntpd      1844       ntp   35u  IPv6  37732      0t0  UDP [X.X.X.X]:123
ntpd      1844       ntp   36u  IPv6  37734      0t0  UDP [X.X.X.X]:123
ntpd      1844       ntp   37u  IPv6  46172      0t0  UDP [X.X.X.X]:123
ntpd      1844       ntp   38u  IPv6  46402      0t0  UDP [X.X.X.X]:123
xrdp      1850      xrdp    6u  IPv4  26766      0t0  TCP *:3389 (LISTEN)
xrdp-sesm 1890      root    6u  IPv4  27821      0t0  TCP X.X.X.X:3350 (LISTEN)
sshd      1940      root    3u  IPv4  27771      0t0  TCP X.X.X.X:ssh_port->X.X.X.X:59330 (ESTABLISHED)
sshd      1959      root    3u  IPv4  27791      0t0  TCP X.X.X.X:ssh_port->X.X.X.X:42632 (ESTABLISHED)
sshd      1961      root    3u  IPv4  28825      0t0  TCP X.X.X.X:ssh_port->X.X.X.X:54260 (ESTABLISHED)
sshd      1981      root    3u  IPv4  28836      0t0  TCP X.X.X.X:ssh_port->X.X.X.X:41002 (ESTABLISHED)
xinetd    2005      root    5u  IPv4  24803      0t0  TCP *:6556 (LISTEN)
sshd      2014      root    3u  IPv4  28849      0t0  TCP X.X.X.X:ssh_port->X.X.X.X:39078 (ESTABLISHED)
sshd      2037      root    3u  IPv4  28891      0t0  TCP X.X.X.X:ssh_port->X.X.X.X:44120 (ESTABLISHED)
sshd      2073      root    3u  IPv4  24838      0t0  TCP X.X.X.X:ssh_port->X.X.X.X:12118 (ESTABLISHED)
sshd      2080      root    3u  IPv4  24842      0t0  TCP X.X.X.X:ssh_port->X.X.X.X:49850 (ESTABLISHED)
sshd      2084      root    3u  IPv4  27857      0t0  TCP X.X.X.X:ssh_port->X.X.X.X:58220 (ESTABLISHED)
sshd      2235 SO-user    3u  IPv4  28836      0t0  TCP X.X.X.X:ssh_port->X.X.X.X:41002 (ESTABLISHED)
sshd      2236 SO-user    3u  IPv4  27857      0t0  TCP X.X.X.X:ssh_port->X.X.X.X:58220 (ESTABLISHED)
sshd      2237 SO-user    3u  IPv4  24720      0t0  TCP X.X.X.X:ssh_port->X.X.X.X:52848 (ESTABLISHED)
sshd      2238 SO-user    3u  IPv4  23932      0t0  TCP X.X.X.X:ssh_port->X.X.X.X:34076 (ESTABLISHED)
sshd      2239 SO-user    3u  IPv4  23714      0t0  TCP X.X.X.X:ssh_port->X.X.X.X:33010 (ESTABLISHED)
sshd      2240 SO-user    3u  IPv4  28849      0t0  TCP X.X.X.X:ssh_port->X.X.X.X:39078 (ESTABLISHED)
sshd      2241 SO-user    3u  IPv4  24842      0t0  TCP X.X.X.X:ssh_port->X.X.X.X:49850 (ESTABLISHED)
sshd      2242 SO-user    3u  IPv4  28825      0t0  TCP X.X.X.X:ssh_port->X.X.X.X:54260 (ESTABLISHED)
sshd      2243 SO-user    3u  IPv4  23925      0t0  TCP X.X.X.X:ssh_port->X.X.X.X:42566 (ESTABLISHED)
sshd      2244 SO-user    3u  IPv4  28891      0t0  TCP X.X.X.X:ssh_port->X.X.X.X:44120 (ESTABLISHED)
sshd      2245 SO-user    3u  IPv4  27791      0t0  TCP X.X.X.X:ssh_port->X.X.X.X:42632 (ESTABLISHED)
sshd      2246 SO-user    3u  IPv4  27734      0t0  TCP X.X.X.X:ssh_port->X.X.X.X:43778 (ESTABLISHED)
sshd      2247 SO-user    3u  IPv4  27771      0t0  TCP X.X.X.X:ssh_port->X.X.X.X:59330 (ESTABLISHED)
sshd      2250      root    3u  IPv4  27895      0t0  TCP X.X.X.X:ssh_port->X.X.X.X:38322 (ESTABLISHED)
sshd      2263 SO-user    3u  IPv4  27895      0t0  TCP X.X.X.X:ssh_port->X.X.X.X:38322 (ESTABLISHED)
sshd      2264      root    3u  IPv4  27901      0t0  TCP X.X.X.X:ssh_port->X.X.X.X:44642 (ESTABLISHED)
sshd      2282 SO-user    3u  IPv4  27901      0t0  TCP X.X.X.X:ssh_port->X.X.X.X:44642 (ESTABLISHED)
apache2   2319      root    4u  IPv6  28987      0t0  TCP *:443 (LISTEN)
sshd      2324      root    3u  IPv4  25952      0t0  TCP X.X.X.X:ssh_port->X.X.X.X:46306 (ESTABLISHED)
sshd      2326      root    3u  IPv4  25959      0t0  TCP X.X.X.X:ssh_port->X.X.X.X:55116 (ESTABLISHED)
sshd      2339 SO-user    3u  IPv4  25952      0t0  TCP X.X.X.X:ssh_port->X.X.X.X:46306 (ESTABLISHED)
sshd      2351 SO-user    3u  IPv4  25959      0t0  TCP X.X.X.X:ssh_port->X.X.X.X:55116 (ESTABLISHED)
apache2   2353  www-data    4u  IPv6  28987      0t0  TCP *:443 (LISTEN)
apache2   2354  www-data    4u  IPv6  28987      0t0  TCP *:443 (LISTEN)
apache2   2356  www-data    4u  IPv6  28987      0t0  TCP *:443 (LISTEN)
apache2   2357  www-data    4u  IPv6  28987      0t0  TCP *:443 (LISTEN)
apache2   2358  www-data    4u  IPv6  28987      0t0  TCP *:443 (LISTEN)
sshd      2365      root    3u  IPv4  29013      0t0  TCP X.X.X.X:ssh_port->X.X.X.X:53018 (ESTABLISHED)
sshd      2380 SO-user    3u  IPv4  29013      0t0  TCP X.X.X.X:ssh_port->X.X.X.X:53018 (ESTABLISHED)
sshd      2385      root    3u  IPv4  22472      0t0  TCP X.X.X.X:ssh_port->X.X.X.X:57699 (ESTABLISHED)
sshd      2401 SO-user    3u  IPv4  24838      0t0  TCP X.X.X.X:ssh_port->X.X.X.X:12118 (ESTABLISHED)
sshd      2585 SO-user    3u  IPv4  22472      0t0  TCP X.X.X.X:ssh_port->X.X.X.X:57699 (ESTABLISHED)
apache2   2601  www-data    4u  IPv6  28987      0t0  TCP *:443 (LISTEN)
sshd      2605      root    3u  IPv4  24381      0t0  TCP X.X.X.X:ssh_port->X.X.X.X:36532 (ESTABLISHED)
sshd      2623 SO-user    3u  IPv4  24381      0t0  TCP X.X.X.X:ssh_port->X.X.X.X:36532 (ESTABLISHED)
sshd      2660      root    3u  IPv4  27163      0t0  TCP X.X.X.X:ssh_port->X.X.X.X:48880 (ESTABLISHED)
sshd      2683 SO-user    3u  IPv4  27163      0t0  TCP X.X.X.X:ssh_port->X.X.X.X:48880 (ESTABLISHED)
sshd      2684      root    3u  IPv4  23505      0t0  TCP X.X.X.X:ssh_port->X.X.X.X:57676 (ESTABLISHED)
sshd      2700 SO-user    3u  IPv4  23505      0t0  TCP X.X.X.X:ssh_port->X.X.X.X:57676 (ESTABLISHED)
sshd      2705      root    3u  IPv4  23515      0t0  TCP X.X.X.X:ssh_port->X.X.X.X:42734 (ESTABLISHED)
sshd      2718 SO-user    3u  IPv4  23515      0t0  TCP X.X.X.X:ssh_port->X.X.X.X:42734 (ESTABLISHED)
sshd      2730      root    3u  IPv4  26189      0t0  TCP X.X.X.X:ssh_port->X.X.X.X:54788 (ESTABLISHED)
sshd      2747 SO-user    3u  IPv4  26189      0t0  TCP X.X.X.X:ssh_port->X.X.X.X:54788 (ESTABLISHED)
ossec-aut 3157      root    3u  IPv4  26579      0t0  TCP *:1515 (LISTEN)
salt-mini 3783      root   26u  IPv4  33373      0t0  TCP X.X.X.X:42560->X.X.X.X:4505 (ESTABLISHED)
docker-pr 3904      root    4u  IPv4  30241      0t0  TCP X.X.X.X:20000 (LISTEN)
sshd      3955      root    3u  IPv4  31105      0t0  TCP X.X.X.X:ssh_port->X.X.X.X:34364 (ESTABLISHED)
sshd      3985 SO-user    3u  IPv4  31105      0t0  TCP X.X.X.X:ssh_port->X.X.X.X:34364 (ESTABLISHED)
salt-mast 4156      root   14u  IPv4  34962      0t0  TCP *:4505 (LISTEN)
salt-mast 4156      root   16u  IPv4  32241      0t0  TCP X.X.X.X:4505->X.X.X.X:40712 (ESTABLISHED)
salt-mast 4156      root   17u  IPv4  31250      0t0  TCP X.X.X.X:4505->X.X.X.X:42050 (ESTABLISHED)
salt-mast 4156      root   18u  IPv4  31273      0t0  TCP X.X.X.X:4505->X.X.X.X:50386 (ESTABLISHED)
salt-mast 4156      root   19u  IPv4  30520      0t0  TCP X.X.X.X:4505->X.X.X.X:38778 (ESTABLISHED)
salt-mast 4156      root   20u  IPv4  35148      0t0  TCP X.X.X.X:4505->X.X.X.X:35990 (ESTABLISHED)
salt-mast 4156      root   21u  IPv4  35150      0t0  TCP X.X.X.X:4505->X.X.X.X:57102 (ESTABLISHED)
salt-mast 4156      root   22u  IPv4  35151      0t0  TCP X.X.X.X:4505->X.X.X.X:42560 (ESTABLISHED)
salt-mast 4156      root   23u  IPv4  35153      0t0  TCP X.X.X.X:4505->X.X.X.X:60846 (ESTABLISHED)
salt-mast 4156      root   24u  IPv4  35161      0t0  TCP X.X.X.X:4505->X.X.X.X:46162 (ESTABLISHED)
salt-mast 4156      root   25u  IPv4  35175      0t0  TCP X.X.X.X:4505->X.X.X.X:33396 (ESTABLISHED)
salt-mast 4156      root   26u  IPv4  35176      0t0  TCP X.X.X.X:4505->X.X.X.X:47056 (ESTABLISHED)
salt-mast 4156      root   27u  IPv4  35210      0t0  TCP X.X.X.X:4505->X.X.X.X:36116 (ESTABLISHED)
salt-mast 4156      root   28u  IPv4  35223      0t0  TCP X.X.X.X:4505->X.X.X.X:46770 (ESTABLISHED)
salt-mast 4156      root   29u  IPv4  35270      0t0  TCP X.X.X.X:4505->X.X.X.X:49222 (ESTABLISHED)
salt-mast 4156      root   30u  IPv4  35271      0t0  TCP X.X.X.X:4505->X.X.X.X:43818 (ESTABLISHED)
salt-mast 4156      root   31u  IPv4  35272      0t0  TCP X.X.X.X:4505->X.X.X.X:58250 (ESTABLISHED)
salt-mast 4156      root   32u  IPv4  35298      0t0  TCP X.X.X.X:4505->X.X.X.X:54306 (ESTABLISHED)
salt-mast 4156      root   33u  IPv4  35325      0t0  TCP X.X.X.X:4505->X.X.X.X:35012 (ESTABLISHED)
salt-mast 4156      root   34u  IPv4  35329      0t0  TCP X.X.X.X:4505->X.X.X.X:55462 (ESTABLISHED)
salt-mast 4156      root   35u  IPv4  30711      0t0  TCP X.X.X.X:4505->X.X.X.X:55784 (ESTABLISHED)
salt-mast 4156      root   36u  IPv4  30712      0t0  TCP X.X.X.X:4505->X.X.X.X:45632 (ESTABLISHED)
salt-mast 4156      root   37u  IPv4  38922      0t0  TCP X.X.X.X:4505->X.X.X.X:51962 (ESTABLISHED)
salt-mast 4156      root   38u  IPv4  38979      0t0  TCP X.X.X.X:4505->X.X.X.X:60842 (ESTABLISHED)
salt-mast 4156      root   39u  IPv4  38983      0t0  TCP X.X.X.X:4505->X.X.X.X:60938 (ESTABLISHED)
salt-mast 4156      root   40u  IPv4  38984      0t0  TCP X.X.X.X:4505->X.X.X.X:47898 (ESTABLISHED)
salt-mast 4156      root   41u  IPv4  39008      0t0  TCP X.X.X.X:4505->X.X.X.X:53638 (ESTABLISHED)
salt-mast 4156      root   42u  IPv4  39009      0t0  TCP X.X.X.X:4505->X.X.X.X:45098 (ESTABLISHED)
salt-mast 4156      root   43u  IPv4  39173      0t0  TCP X.X.X.X:4505->X.X.X.X:34266 (ESTABLISHED)
salt-mast 4195      root   22u  IPv4  27617      0t0  TCP *:4506 (LISTEN)
salt-mast 4195      root   24u  IPv4  29560      0t0  TCP X.X.X.X:4506->X.X.X.X:54062 (ESTABLISHED)
salt-mast 4195      root   25u  IPv4  29587      0t0  TCP X.X.X.X:4506->X.X.X.X:43024 (ESTABLISHED)
salt-mast 4195      root   26u  IPv4  30710      0t0  TCP X.X.X.X:4506->X.X.X.X:56548 (ESTABLISHED)
salt-mast 4195      root   27u  IPv4  29606      0t0  TCP X.X.X.X:4506->X.X.X.X:55836 (ESTABLISHED)
salt-mast 4195      root   28u  IPv4  29607      0t0  TCP X.X.X.X:4506->X.X.X.X:32952 (ESTABLISHED)
salt-mast 4195      root   29u  IPv4  30482      0t0  TCP X.X.X.X:4506->X.X.X.X:32954 (ESTABLISHED)
docker-pr 5019      root    4u  IPv4  30555      0t0  TCP X.X.X.X:9300 (LISTEN)
docker-pr 5032      root    4u  IPv4  31601      0t0  TCP X.X.X.X:9200 (LISTEN)
sshd      5517      root    3u  IPv4  32715      0t0  TCP X.X.X.X:ssh_port->X.X.X.X:34112 (ESTABLISHED)
sshd      5550 SO-user    3u  IPv4  32715      0t0  TCP X.X.X.X:ssh_port->X.X.X.X:34112 (ESTABLISHED)
apache2   7072  www-data    4u  IPv6  28987      0t0  TCP *:443 (LISTEN)
apache2   7161  www-data    4u  IPv6  28987      0t0  TCP *:443 (LISTEN)
apache2   7162  www-data    4u  IPv6  28987      0t0  TCP *:443 (LISTEN)

=========================================================================
IDS Rules Update
=========================================================================
Wed Sep  4 07:01:01 UTC 2019
Backing up current local_rules.xml file.
Cleaning up local_rules.xml backup files older than 30 days.
Backing up current downloaded.rules file before it gets overwritten.
Cleaning up downloaded.rules backup files older than 30 days.
Backing up current local.rules file before it gets overwritten.
Cleaning up local.rules backup files older than 30 days.
Sleeping for 48 minutes to avoid overwhelming rule sites.

=========================================================================
CPU Usage
=========================================================================
Load average for the last 1, 5, and 15 minutes:
0.17 0.12 0.10
Processing units: 8
If load average is higher than processing units,
then tune until load average is lower than processing units.

top - 13:06:05 up  2:25,  3 users,  load average: 0.17, 0.12, 0.10
Tasks: 303 total,   1 running, 235 sleeping,   0 stopped,   0 zombie
%Cpu(s):  2.1 us,  0.4 sy,  0.0 ni, 95.8 id,  1.7 wa,  0.0 hi,  0.1 si,  0.0 st
KiB Mem : 20554068 total,  9812168 free,  7246420 used,  3495480 buff/cache
KiB Swap: 16774140 total, 16774140 free,        0 used. 12581012 avail Mem

%CPU %MEM COMMAND
 1.7 29.5 /opt/jdk-12.0.1/bin/java -Xms4106m -Xmx4106m -XX:+UseConcMarkSweepGC -XX:CMSInitiatingOccupancyFraction=75 -XX:+UseCMSInitiatingOccupancyOnly -XX:+AlwaysPreTouch -Xss1m -Djava.awt.headless=true -Dfile.encoding=UTF-8 -Djna.nosys=true -XX:-OmitStackTraceInFastThrow -Dio.netty.noUnsafe=true -Dio.netty.noKeySetOptimization=true -Dio.netty.recycler.maxCapacityPerThread=0 -Dlog4j.shutdownHookEnabled=false -Dlog4j2.disable.jmx=true -Djava.io.tmpdir=/tmp/elasticsearch-10262170435228982621 -XX:+HeapDumpOnOutOfMemoryError -Xlog:gc*,gc+age=trace,safepoint:file=logs/gc.log:utctime,pid,tags:filecount=32,filesize=64m -Djava.locale.providers=COMPAT -Des.cgroups.hierarchy.override=/ -Des.path.home=/usr/share/elasticsearch -Des.path.conf=/usr/share/elasticsearch/config -Des.distribution.flavor=oss -Des.distribution.type=docker -cp /usr/share/elasticsearch/lib/* org.elasticsearch.bootstrap.Elasticsearch -Ebootstrap.memory_lock=true -Etransport.host=X.X.X.X -Ehttp.host=X.X.X.X
 1.6  0.4 /usr/bin/python /usr/bin/salt-master
 1.5  0.4 /usr/bin/python /usr/bin/salt-master
 1.5  0.5 /usr/bin/python /usr/bin/salt-master
 1.4  0.4 /usr/bin/python /usr/bin/salt-master
 1.4  0.4 /usr/bin/python /usr/bin/salt-master
 0.4  2.1 /usr/sbin/mysqld
 0.3  0.3 /usr/bin/python /usr/bin/salt-master
 0.2  0.3 /usr/bin/python /usr/bin/salt-master
 0.1  0.4 /usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock
 0.1  1.3 /usr/bin/python /opt/domain_stats/domain_stats.py -ip X.X.X.X 20000 -a /opt/domain_stats/top-1m.csv --preload 0
 0.1  0.0 /bin/bash /usr/sbin/sostat
 0.1  0.2 python -m elastalert.elastalert --config /etc/elastalert/conf/elastalert_config.yaml --verbose
 0.0  0.0 /sbin/init splash
 0.0  0.0 [kthreadd]
 0.0  0.0 [kworker/0:0H]
 0.0  0.0 [mm_percpu_wq]
 0.0  0.0 [ksoftirqd/0]
 0.0  0.0 [rcu_sched]
 0.0  0.0 [rcu_bh]
 0.0  0.0 [migration/0]
 0.0  0.0 [watchdog/0]
 0.0  0.0 [cpuhp/0]
 0.0  0.0 [cpuhp/1]
 0.0  0.0 [watchdog/1]
 0.0  0.0 [migration/1]
 0.0  0.0 [ksoftirqd/1]
 0.0  0.0 [kworker/1:0H]
 0.0  0.0 [cpuhp/2]
 0.0  0.0 [watchdog/2]
 0.0  0.0 [migration/2]
 0.0  0.0 [ksoftirqd/2]
 0.0  0.0 [kworker/2:0H]
 0.0  0.0 [cpuhp/3]
 0.0  0.0 [watchdog/3]
 0.0  0.0 [migration/3]
 0.0  0.0 [ksoftirqd/3]
 0.0  0.0 [kworker/3:0H]
 0.0  0.0 [cpuhp/4]
 0.0  0.0 [watchdog/4]
 0.0  0.0 [migration/4]
 0.0  0.0 [ksoftirqd/4]
 0.0  0.0 [kworker/4:0H]
 0.0  0.0 [cpuhp/5]
 0.0  0.0 [watchdog/5]
 0.0  0.0 [migration/5]
 0.0  0.0 [ksoftirqd/5]
 0.0  0.0 [kworker/5:0H]
 0.0  0.0 [cpuhp/6]
 0.0  0.0 [watchdog/6]
 0.0  0.0 [migration/6]
 0.0  0.0 [ksoftirqd/6]
 0.0  0.0 [kworker/6:0H]
 0.0  0.0 [cpuhp/7]
 0.0  0.0 [watchdog/7]
 0.0  0.0 [migration/7]
 0.0  0.0 [ksoftirqd/7]
 0.0  0.0 [kworker/7:0H]
 0.0  0.0 [kdevtmpfs]
 0.0  0.0 [netns]
 0.0  0.0 [rcu_tasks_kthre]
 0.0  0.0 [kauditd]
 0.0  0.0 [khungtaskd]
 0.0  0.0 [oom_reaper]
 0.0  0.0 [writeback]
 0.0  0.0 [kcompactd0]
 0.0  0.0 [ksmd]
 0.0  0.0 [khugepaged]
 0.0  0.0 [crypto]
 0.0  0.0 [kintegrityd]
 0.0  0.0 [kblockd]
 0.0  0.0 [ata_sff]
 0.0  0.0 [md]
 0.0  0.0 [edac-poller]
 0.0  0.0 [devfreq_wq]
 0.0  0.0 [watchdogd]
 0.0  0.0 [kswapd0]
 0.0  0.0 [kworker/u17:0]
 0.0  0.0 [ecryptfs-kthrea]
 0.0  0.0 [kthrotld]
 0.0  0.0 [acpi_thermal_pm]
 0.0  0.0 [scsi_eh_0]
 0.0  0.0 [scsi_tmf_0]
 0.0  0.0 [scsi_eh_1]
 0.0  0.0 [scsi_tmf_1]
 0.0  0.0 [ipv6_addrconf]
 0.0  0.0 [kstrp]
 0.0  0.0 [charger_manager]
 0.0  0.0 [mpt_poll_0]
 0.0  0.0 [mpt/0]
 0.0  0.0 [kworker/6:1H]
 0.0  0.0 [scsi_eh_2]
 0.0  0.0 [scsi_tmf_2]
 0.0  0.0 [ttm_swap]
 0.0  0.0 [irq/16-vmwgfx]
 0.0  0.0 [kworker/2:1H]
 0.0  0.0 [kworker/3:1H]
 0.0  0.0 [kworker/5:1H]
 0.0  0.0 [raid5wq]
 0.0  0.0 [kworker/7:1H]
 0.0  0.0 [kworker/0:1H]
 0.0  0.0 [kworker/4:1H]
 0.0  0.0 [jbd2/sda1-8]
 0.0  0.0 [ext4-rsv-conver]
 0.0  0.0 /lib/systemd/systemd-journald
 0.0  0.0 [iscsi_eh]
 0.0  0.0 [ib-comp-wq]
 0.0  0.0 [ib_mcast]
 0.0  0.0 [ib_nl_sa_wq]
 0.0  0.0 [rdma_cm]
 0.0  0.0 /sbin/lvmetad -f
 0.0  0.0 /lib/systemd/systemd-udevd
 0.0  0.0 /usr/bin/vmtoolsd
 0.0  0.0 [kworker/1:1H]
 0.0  0.0 /usr/bin/VGAuthService
 0.0  0.0 /usr/lib/accountsservice/accounts-daemon
 0.0  0.0 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation
 0.0  0.0 /usr/sbin/atd -f
 0.0  0.0 /lib/systemd/systemd-logind
 0.0  0.0 /usr/sbin/cron -f
 0.0  0.0 /usr/sbin/syslog-ng -F
 0.0  0.0 /usr/sbin/NetworkManager --no-daemon
 0.0  0.0 /usr/sbin/acpid
 0.0  0.0 /sbin/mdadm --monitor --pid-file /run/mdadm/monitor.pid --daemonise --scan --syslog
 0.0  0.0 /usr/lib/policykit-1/polkitd --no-debug
 0.0  0.0 /usr/bin/python3 /usr/share/unattended-upgrades/unattended-upgrade-shutdown --wait-for-signal
 0.0  0.3 /usr/bin/python /usr/bin/salt-master
 0.0  0.2 /usr/bin/python /usr/bin/salt-minion
 0.0  0.2 /usr/bin/containerd
 0.0  0.0 /usr/sbin/sshd -D
 0.0  0.0 /sbin/iscsid
 0.0  0.0 /sbin/iscsid
 0.0  0.0 sshd: SO-user [priv]
 0.0  0.0 [kworker/4:0]
 0.0  0.0 /usr/sbin/irqbalance --pid=/var/run/irqbalance.pid
 0.0  0.0 /usr/sbin/lightdm
 0.0  0.0 sshd: SO-user [priv]
 0.0  0.0 sshd: SO-user [priv]
 0.0  0.0 sshd: SO-user [priv]
 0.0  0.0 sshd: SO-user [priv]
 0.0  0.0 /usr/sbin/ntpd -p /var/run/ntpd.pid -g -u 111:118
 0.0  0.0 /usr/sbin/xrdp
 0.0  0.2 /usr/lib/xorg/Xorg -core :0 -seat seat0 -auth /var/run/lightdm/root/:0 -nolisten tcp vt7 -novtswitch
 0.0  0.0 /usr/sbin/xrdp-sesman
 0.0  0.0 /sbin/agetty --noclear tty1 linux
 0.0  0.0 sshd: SO-user [priv]
 0.0  0.0 sshd: SO-user [priv]
 0.0  0.0 sshd: SO-user [priv]
 0.0  0.0 sshd: SO-user [priv]
 0.0  0.0 /usr/sbin/xinetd -pidfile /run/xinetd.pid -stayalive -inetd_compat -inetd_ipv6
 0.0  0.0 sshd: SO-user [priv]
 0.0  0.0 sshd: SO-user [priv]
 0.0  0.0 /lib/systemd/systemd --user
 0.0  0.0 (sd-pam)
 0.0  0.0 sshd: SO-user [priv]
 0.0  0.0 sshd: SO-user [priv]
 0.0  0.0 sshd: SO-user [priv]
 0.0  0.0 sshd: SO-user
 0.0  0.0 sshd: SO-user
 0.0  0.0 sshd: SO-user
 0.0  0.0 sshd: SO-user
 0.0  0.0 sshd: SO-user
 0.0  0.0 sshd: SO-user
 0.0  0.0 sshd: SO-user
 0.0  0.0 sshd: SO-user
 0.0  0.0 sshd: SO-user
 0.0  0.0 sshd: SO-user
 0.0  0.0 sshd: SO-user
 0.0  0.0 sshd: SO-user
 0.0  0.0 sshd: SO-user
 0.0  0.0 sshd: SO-user [priv]
 0.0  0.0 sshd: SO-user
 0.0  0.0 sshd: SO-user [priv]
 0.0  0.0 sshd: SO-user
 0.0  0.1 php-fpm: master process (/etc/php/7.0/fpm/php-fpm.conf)
 0.0  0.0 php-fpm: pool www
 0.0  0.0 php-fpm: pool www
 0.0  0.1 /usr/sbin/apache2 -k start
 0.0  0.0 sshd: SO-user [priv]
 0.0  0.0 sshd: SO-user [priv]
 0.0  0.0 sshd: SO-user
 0.0  0.0 sshd: SO-user
 0.0  0.0 /usr/sbin/apache2 -k start
 0.0  0.0 /usr/sbin/apache2 -k start
 0.0  0.0 /usr/sbin/apache2 -k start
 0.0  0.0 /usr/sbin/apache2 -k start
 0.0  0.0 /usr/sbin/apache2 -k start
 0.0  0.0 sshd: SO-user [priv]
 0.0  0.0 sshd: SO-user
 0.0  0.0 sshd: SO-user [priv]
 0.0  0.0 sshd: SO-user@pts/0
 0.0  0.0 -bash
 0.0  0.0 sudo su
 0.0  0.0 su
 0.0  0.0 bash
 0.0  0.0 sshd: SO-user@pts/1
 0.0  0.0 -bash
 0.0  0.0 /usr/sbin/apache2 -k start
 0.0  0.0 sshd: SO-user [priv]
 0.0  0.0 sshd: SO-user
 0.0  0.0 sshd: SO-user [priv]
 0.0  0.0 sshd: SO-user
 0.0  0.0 sshd: SO-user [priv]
 0.0  0.0 sshd: SO-user
 0.0  0.0 sshd: SO-user [priv]
 0.0  0.0 sshd: SO-user
 0.0  0.0 sshd: SO-user [priv]
 0.0  0.0 sshd: SO-user
 0.0  0.0 /var/ossec/bin/ossec-authd
 0.0  0.0 /var/ossec/bin/wazuh-db
 0.0  0.0 /var/ossec/bin/ossec-execd
 0.0  0.0 /var/ossec/bin/wazuh-modulesd
 0.0  0.0 [kworker/u16:2]
 0.0  0.3 /usr/bin/python /usr/bin/salt-minion
 0.0  0.0 /usr/bin/docker-proxy -proto tcp -host-ip X.X.X.X -host-port 20000 -container-ip X.X.X.X -container-port 20000
 0.0  0.0 containerd-shim -namespace moby -workdir /var/lib/containerd/io.containerd.runtime.v1.linux/moby/8ec42bd5b03f1bf6d8ef3a0a4174164a44570c321c33bee0d7bcf3c03fe2f7c7 -address /run/containerd/containerd.sock -containerd-binary /usr/bin/containerd -runtime-root /var/run/docker/runtime-runc
 0.0  0.0 sshd: SO-user [priv]
 0.0  0.0 sshd: SO-user
 0.0  0.0 /bin/bash /usr/sbin/sostat-redacted
 0.0  0.2 /usr/bin/python /usr/bin/salt-master
 0.0  0.2 /usr/bin/python /usr/bin/salt-master
 0.0  0.2 /usr/bin/python /usr/bin/salt-master
 0.0  0.0 /usr/bin/docker-proxy -proto tcp -host-ip X.X.X.X -host-port 9300 -container-ip X.X.X.X -container-port 9300
 0.0  0.0 /usr/bin/docker-proxy -proto tcp -host-ip X.X.X.X -host-port 9200 -container-ip X.X.X.X -container-port 9200
 0.0  0.0 containerd-shim -namespace moby -workdir /var/lib/containerd/io.containerd.runtime.v1.linux/moby/cf5f14969f82bcfe32ec5136b8c601fb59b1f19307468ec6e512434892a730ad -address /run/containerd/containerd.sock -containerd-binary /usr/bin/containerd -runtime-root /var/run/docker/runtime-runc
 0.0  0.0 sshd: SO-user [priv]
 0.0  0.0 sshd: SO-user
 0.0  0.0 ps -eo pcpu,pmem,args --sort -pcpu
 0.0  0.0 /usr/sbin/apache2 -k start
 0.0  0.0 /usr/sbin/apache2 -k start
 0.0  0.0 /usr/sbin/apache2 -k start
 0.0  0.0 containerd-shim -namespace moby -workdir /var/lib/containerd/io.containerd.runtime.v1.linux/moby/f2711c1c806311215827fb4b45ca0909dd4665513f5c32a271cc020d423ecac8 -address /run/containerd/containerd.sock -containerd-binary /usr/bin/containerd -runtime-root /var/run/docker/runtime-runc
 0.0  0.1 /usr/bin/python /usr/bin/supervisord -c /etc/elastalert/conf/elastalert_supervisord.conf -n
 0.0  0.0 lightdm --session-child 12 19
 0.0  0.0 /usr/bin/gnome-keyring-daemon --daemonize --login
 0.0  0.0 /bin/sh /usr/bin/gnome-session-classic
 0.0  0.0 containerd-shim -namespace moby -workdir /var/lib/containerd/io.containerd.runtime.v1.linux/moby/ca54ad3e828ecb413beefa05b2a44ab4a045aecc0256c745d7d91f83ff97ec97 -address /run/containerd/containerd.sock -containerd-binary /usr/bin/containerd -runtime-root /var/run/docker/runtime-runc
 0.0  0.0 /usr/bin/ssh-agent /usr/bin/dbus-launch --exit-with-session /usr/bin/im-launch gnome-session-classic
 0.0  0.0 /usr/bin/dbus-launch --exit-with-session /usr/bin/im-launch gnome-session-classic
 0.0  0.0 /bin/bash
 0.0  0.0 /usr/bin/dbus-daemon --fork --print-pid 5 --print-address 7 --session
 0.0  0.0 /usr/bin/ibus-daemon --daemonize --xim --address unix:tmpdir=/tmp/ibus
 0.0  0.0 /usr/lib/gnome-session/gnome-session-binary --session gnome-classic
 0.0  0.0 /usr/lib/gvfs/gvfsd
 0.0  0.0 /usr/lib/ibus/ibus-dconf
 0.0  0.1 /usr/lib/ibus/ibus-ui-gtk3
 0.0  0.0 [kworker/2:1]
 0.0  0.1 /usr/lib/ibus/ibus-x11 --kill-daemon
 0.0  0.0 /usr/lib/at-spi2-core/at-spi-bus-launcher
 0.0  0.0 /usr/bin/dbus-daemon --config-file=/etc/at-spi2/accessibility.conf --nofork --print-address 3
 0.0  0.0 /usr/lib/at-spi2-core/at-spi2-registryd --use-gnome-session
 0.0  0.0 /usr/lib/ibus/ibus-engine-simple
 0.0  0.1 /usr/bin/gnome-screensaver --no-daemon
 0.0  0.1 /usr/lib/gnome-settings-daemon/gnome-settings-daemon
 0.0  0.0 /usr/lib/upower/upowerd
 0.0  0.0 /usr/bin/pulseaudio --start --log-target=syslog
 0.0  0.0 /usr/lib/rtkit/rtkit-daemon
 0.0  0.0 /usr/lib/colord/colord
 0.0  0.8 /usr/bin/gnome-shell
 0.0  0.0 /usr/lib/gnome-shell/gnome-shell-calendar-server
 0.0  0.1 /usr/lib/evolution/evolution-source-registry
 0.0  0.0 /usr/lib/telepathy/mission-control-5
 0.0  0.0 /usr/lib/gvfs/gvfs-udisks2-volume-monitor
 0.0  0.0 /usr/lib/udisks2/udisksd --no-debug
 0.0  0.0 /usr/lib/gvfs/gvfs-mtp-volume-monitor
 0.0  0.0 /usr/lib/gvfs/gvfs-afc-volume-monitor
 0.0  0.0 /usr/lib/gvfs/gvfs-gphoto2-volume-monitor
 0.0  0.0 /usr/lib/gvfs/gvfs-goa-volume-monitor
 0.0  0.1 nautilus -n
 0.0  0.0 /usr/lib/x86_64-linux-gnu/indicator-application/indicator-application-service
 0.0  0.0 /usr/lib/gvfs/gvfsd-trash --spawner :1.1 /org/gtk/gvfs/exec_spaw/0
 0.0  0.2 /usr/lib/evolution/evolution-calendar-factory
 0.0  0.0 /usr/lib/gvfs/gvfsd-metadata
 0.0  0.2 /usr/lib/evolution/evolution-calendar-factory-subprocess --factory contacts --bus-name org.gnome.evolution.dataserver.Subprocess.Backend.Calendarx8590x2 --own-path /org/gnome/evolution/dataserver/Subprocess/Backend/Calendar/8590/2
 0.0  0.0 /usr/lib/evolution/evolution-addressbook-factory
 0.0  0.2 /usr/lib/evolution/evolution-calendar-factory-subprocess --factory local --bus-name org.gnome.evolution.dataserver.Subprocess.Backend.Calendarx8590x3 --own-path /org/gnome/evolution/dataserver/Subprocess/Backend/Calendar/8590/3
 0.0  0.0 /usr/lib/evolution/evolution-addressbook-factory-subprocess --factory local --bus-name org.gnome.evolution.dataserver.Subprocess.Backend.AddressBookx8630x2 --own-path /org/gnome/evolution/dataserver/Subprocess/Backend/AddressBook/8630/2
 0.0  0.1 /usr/bin/gnome-disks --gapplication-service
 0.0  0.0 [kworker/1:2]
 0.0  0.0 [kworker/6:0]
 0.0  0.0 su - SO-user -- /usr/bin/ossec_agent.tcl -o -f /var/ossec/logs/alerts/alerts.log -i X.X.X.X -p 5 -c /etc/nsm/ossec/ossec_agent.conf
 0.0  0.0 /lib/systemd/systemd --user
 0.0  0.0 (sd-pam)
 0.0  0.0 tclsh /usr/bin/ossec_agent.tcl -o -f /var/ossec/logs/alerts/alerts.log -i X.X.X.X -p 5 -c /etc/nsm/ossec/ossec_agent.conf
 0.0  0.0 sudo su
 0.0  0.0 su
 0.0  0.0 bash
 0.0  0.0 [kworker/7:0]
 0.0  0.0 [kworker/1:0]
 0.0  0.0 [kworker/4:2]
 0.0  0.0 [kworker/0:1]
 0.0  0.0 [kworker/u16:1]
 0.0  0.0 [kworker/3:1]
 0.0  0.0 [kworker/2:2]
 0.0  0.0 [kworker/5:1]
 0.0  0.0 [kworker/u16:0]
 0.0  0.0 [kworker/7:2]
 0.0  0.0 [kworker/6:2]
 0.0  0.0 [kworker/0:2]
 0.0  0.0 [kworker/3:0]
 0.0  0.0 tclsh /usr/bin/SO-userd -c /etc/nsm/securityonion/SO-userd.conf -a /etc/nsm/securityonion/autocat.conf -g /etc/nsm/securityonion/SO-userd.queries -A /etc/nsm/securityonion/SO-userd.access -C /etc/nsm/securityonion/certs
 0.0  0.0 [kworker/5:0]

=========================================================================
Sguil Uncategorized Events
=========================================================================

=========================================================================
Sguil events summary for yesterday
=========================================================================

=========================================================================
Top 50 All time Sguil Events
=========================================================================

=========================================================================
Last update
=========================================================================
Commandline: apt-get install -y docker-ce docker-ce-cli containerd.io
Requested-By: SO-user (1000)
Upgrade: docker-ce:amd64 (5:19.03.1~3-0~ubuntu-xenial, 5:19.03.2~3-0~ubuntu-xenial), docker-ce-cli:amd64 (5:19.03.1~3-0~ubuntu-xenial, 5:19.03.2~3-0~ubuntu-xenial)
End-Date: 2019-09-04  09:52:35

Start-Date: 2019-09-04  09:53:06
Commandline: apt-get -y dist-upgrade
Requested-By: SO-user (1000)
Upgrade: securityonion-bro-scripts:amd64 (20121004-0ubuntu0securityonion72, 20121004-0ubuntu0securityonion73), securityonion-bro-afpacket:amd64 (1.3.0-1ubuntu1securityonion12, 1.3.0-1ubuntu1securityonion13), securityonion-bro:amd64 (2.6.3-1ubuntu1securityonion1, 2.6.4-1ubuntu1securityonion1)
End-Date: 2019-09-04  09:53:14


=========================================================================
Elasticsearch
=========================================================================

Elasticsearch is running.

Cluster Name: "uk-pro-son-01"
Cluster Status: "green"
Total Nodes: 1
Failed Nodes: 0
Total Indices: 29
Total Shards: 45
Total Documents: 352808402
Total Size: 408387MB
Free Memory: 48%
Total Number of Events: 352808402
Avg. Event Size (In Bytes): 1157

CONTAINER ID        NAME                CPU %               MEM USAGE / LIMIT   MEM %               NET I/O             BLOCK I/O           PIDS
cf5f14969f82        so-elasticsearch    0.32%               4.92GiB / 19.6GiB   25.10%              3.79MB / 206MB      3.21GB / 22.9MB     101


=========================================================================
Logstash
=========================================================================

Logstash is not running.

Try starting it with:

'sudo so-elastic-start'
 OR
'sudo docker start so-logstash'


If that does not work, try checking /var/log/logstash/logstash.log for clues.


=========================================================================
Kibana
=========================================================================

Kibana is not running.

Try starting it with:

'sudo so-elastic-start'
 OR
'sudo docker start so-kibana'


If that does not work, try checking /var/log/kibana/kibana.log for clues.


=========================================================================
ElastAlert
=========================================================================

ElastAlert is running.

CONTAINER ID        NAME                CPU %               MEM USAGE / LIMIT    MEM %               NET I/O             BLOCK I/O           PIDS
f2711c1c8063        so-elastalert       0.01%               68.56MiB / 19.6GiB   0.34%               1.47MB / 1.91MB     38.2MB / 24.6kB     2


=========================================================================
Curator
=========================================================================

Curator is running.

CONTAINER ID        NAME                CPU %               MEM USAGE / LIMIT    MEM %               NET I/O             BLOCK I/O           PIDS
ca54ad3e828e        so-curator          0.00%               7.246MiB / 19.6GiB   0.04%               205MB / 1.61MB      6.95MB / 0B         1


=========================================================================
Domain Stats
=========================================================================

Domain_stats is running.

CONTAINER ID        NAME                CPU %               MEM USAGE / LIMIT    MEM %               NET I/O             BLOCK I/O           PIDS
8ec42bd5b03f        so-domainstats      0.10%               267.2MiB / 19.6GiB   1.33%               7.39kB / 0B         80.4MB / 0B         2

Testing domain_stats now...

Domain_stats is working.


=========================================================================
Version Information
=========================================================================

Ubuntu 16.04.6 LTS
securityonion-sostat 20120722-0ubuntu0securityonion129

Wes Lambert

Sep 5, 2019, 8:11:18 AM
to securit...@googlegroups.com
Hi Gordon,

The Logstash config file looks fine -- however, you may want to consider limiting the number of pipeline workers in logstash.yml to 1 or 2 for the time being.

Please try temporarily disabling domainstats by setting DOMAINSTATS_ENABLED to no in /etc/nsm/securityonion.conf

Please perform a so-logstash-restart after making the changes and let me know the result.

Additionally, you'll want to restart Kibana with so-kibana-restart.

With regard to Sguild/MySQL, you may want to run sguil-db-purge again, and/or run a mysqlcheck on securityonion_db, in addition to restarting Sguil and MySQL (sudo so-sguild-stop && sudo service mysql restart && sudo so-sguild-start).

Thanks,
Wes

--
Follow Security Onion on Twitter!
https://twitter.com/securityonion
---
You received this message because you are subscribed to the Google Groups "security-onion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to security-onio...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/security-onion/8ac09163-e61e-4fe9-a982-7279ceb21dc1%40googlegroups.com.


--
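The two configuration changes Wes suggests above, as an added shell example (this is not code from the thread or from Security Onion's own scripts): it sets pipeline.workers in logstash.yml and DOMAINSTATS_ENABLED in securityonion.conf idempotently, keeping a .bak copy of each file, and prints the resulting values so you can confirm them before running so-logstash-restart. The "key: value" layout of logstash.yml and the KEY=value / KEY="value" layout of securityonion.conf are assumptions, as are the helper function names; the default paths are the ones named in the thread. The live files are only touched when the script is invoked with --apply.

```shell
#!/bin/sh
# Added example, not from the thread or Security Onion: apply the two changes
# suggested above (cap Logstash pipeline workers, disable domain_stats) in an
# idempotent way, with a backup of each edited file.
# Assumptions: logstash.yml uses "key: value" lines; securityonion.conf uses
# KEY=value or KEY="value" lines. Default paths are those named in the thread.

# Rewrite FILE in place through a sed -E expression, preserving ownership/mode.
rewrite_in_place() {
  file=$1; expr=$2
  tmp=$(mktemp) || return 1
  sed -E "$expr" "$file" > "$tmp" && cat "$tmp" > "$file"
  rc=$?
  rm -f "$tmp"
  return $rc
}

# set_yaml_key FILE KEY VALUE: write "KEY: VALUE", replacing an existing line
# (commented out or not) or appending when the key is absent.
set_yaml_key() {
  file=$1; key=$2; value=$3
  re=$(printf '%s' "$key" | sed 's/[.]/\\./g')   # escape dots for the regex
  cp -p "$file" "$file.bak" || return 1
  if grep -Eq "^[#[:space:]]*${re}:" "$file"; then
    rewrite_in_place "$file" "s|^[#[:space:]]*${re}:.*|${key}: ${value}|"
  else
    printf '%s: %s\n' "$key" "$value" >> "$file"
  fi
}

# get_yaml_key FILE KEY: print the value of the first active (uncommented) key.
get_yaml_key() {
  re=$(printf '%s' "$2" | sed 's/[.]/\\./g')
  sed -nE "s/^[[:space:]]*${re}:[[:space:]]*//p" "$1" | head -n 1
}

# set_conf_key FILE KEY VALUE: write KEY=VALUE, keeping double quotes if the
# existing line used them; append when the key is absent.
set_conf_key() {
  file=$1; key=$2; value=$3
  cp -p "$file" "$file.bak" || return 1
  if grep -Eq "^${key}=\"" "$file"; then
    rewrite_in_place "$file" "s|^${key}=.*|${key}=\"${value}\"|"
  elif grep -Eq "^${key}=" "$file"; then
    rewrite_in_place "$file" "s|^${key}=.*|${key}=${value}|"
  else
    printf '%s=%s\n' "$key" "$value" >> "$file"
  fi
}

# get_conf_key FILE KEY: print the value with surrounding double quotes removed.
get_conf_key() {
  sed -nE "s/^${2}=\"?([^\"]*)\"?.*/\1/p" "$1" | head -n 1
}

# apply_thread_fixes LOGSTASH_YML SECURITYONION_CONF WORKERS
# Applies both changes and prints the values now in effect on disk.
apply_thread_fixes() {
  set_yaml_key "$1" pipeline.workers "$3" &&
  set_conf_key "$2" DOMAINSTATS_ENABLED no &&
  echo "pipeline.workers=$(get_yaml_key "$1" pipeline.workers)" \
       "DOMAINSTATS_ENABLED=$(get_conf_key "$2" DOMAINSTATS_ENABLED)"
}

# Only touch the live files when run as:  sudo sh apply_fixes.sh --apply [WORKERS]
# Then restart Logstash with so-logstash-restart, as advised in the thread.
if [ "${1:-}" = "--apply" ]; then
  apply_thread_fixes /etc/logstash/logstash.yml /etc/nsm/securityonion.conf "${2:-2}"
fi
```

Running it twice is safe: an existing pipeline.workers line (even a commented-out default) is replaced rather than duplicated, so you can drop from 2 to 1 worker later with `--apply 1` without hand-editing, and the .bak files let you roll back once Logstash is healthy again.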

Wes Lambert

Sep 5, 2019, 8:11:51 AM
to securit...@googlegroups.com
If you haven't already suppressed the alert, you can find examples here in the recent mailing list threads.

Thanks!
Wes

Gordon Maene

Sep 5, 2019, 12:10:48 PM
to securit...@googlegroups.com
Hi Wes

Thanks a lot for taking the time to have a look at this for me.

I read something this morning regarding the domain stats, so I disabled it and restarted services with so-restart. To confirm, I believe there are only 2 pipeline workers running; I could try dropping to one to see if that helps?

Whilst sguil is looking better I still keep getting the "Logstash has started, but is still initializing... WARN" followed by "1016 events in queue, 0 events published..." error, which eventually bombs out and kills the server, with only a reboot allowing me back on. I've tried running so-elastic-clear-queue but it didn't seem to help at all.

Anything else I can check?

Error and sostat-redacted below.

Thanks again for the help.

Regards

Gordon

status: Elastic stack

  * so-elasticsearch  OK  ]
  * so-logstash
      Logstash has started, but is still initializing... WARN ]
      0 events in queue, 0 events published...


sostat-redacted

=========================================================================
Service Status
=========================================================================
Status: securityonion
  * SO-user server[  OK  ]
Status: HIDS
  * ossec_agent (SO-user)[  OK  ]
Status: Elastic stack
  * so-elasticsearch  OK  ]
  * so-logstash
      Logstash has started, but is still initializing... WARN ]
      0 events in queue, 0 events published...
  * so-kibana  OK  ]

  * so-curator  OK  ]
  * so-elastalert  OK  ]


=========================================================================
Interface Status
=========================================================================
br-df93399bedb3 Link encap:Ethernet  HWaddr MM:MM:MM:MM:MM:MM
          inet addr:X.X.X.X  Bcast:X.X.X.X  Mask:X.X.X.X
          inet6 addr: X.X.X.X/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:9 errors:0 dropped:0 overruns:0 frame:0
          TX packets:21 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:264 (264.0 B)  TX bytes:1542 (1.5 KB)


docker0   Link encap:Ethernet  HWaddr MM:MM:MM:MM:MM:MM
          inet addr:X.X.X.X  Bcast:X.X.X.X  Mask:X.X.X.X
          inet6 addr: X.X.X.X/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:27964 errors:0 dropped:0 overruns:0 frame:0
          TX packets:70215 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:17039313 (17.0 MB)  TX bytes:466617927 (466.6 MB)


ens160    Link encap:Ethernet  HWaddr MM:MM:MM:MM:MM:MM
          inet addr:X.X.X.X  Bcast:X.X.X.X  Mask:X.X.X.X
          inet6 addr: X.X.X.X/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:9763131 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8372501 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:3107856457 (3.1 GB)  TX bytes:20054426919 (20.0 GB)


lo        Link encap:Local Loopback
          inet addr:X.X.X.X  Mask:X.X.X.X
          inet6 addr: X.X.X.X/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:894792 errors:0 dropped:0 overruns:0 frame:0
          TX packets:894792 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1770456983 (1.7 GB)  TX bytes:1770456983 (1.7 GB)


so-logstash
-------------------------------------------------------------------------
(eth0)
veth20a439a Link encap:Ethernet  HWaddr MM:MM:MM:MM:MM:MM

          inet6 addr: X.X.X.X/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:72 errors:0 dropped:0 overruns:0 frame:0
          TX packets:89 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:264786 (264.7 KB)  TX bytes:6547 (6.5 KB)

(eth1)
veth501d99e Link encap:Ethernet  HWaddr MM:MM:MM:MM:MM:MM

          inet6 addr: X.X.X.X/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:175 errors:0 dropped:0 overruns:0 frame:0
          TX packets:140 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:235355 (235.3 KB)  TX bytes:28339 (28.3 KB)


so-kibana
-------------------------------------------------------------------------
(eth0)
vetha62cf9c Link encap:Ethernet  HWaddr MM:MM:MM:MM:MM:MM

          inet6 addr: X.X.X.X/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:37 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:2526 (2.5 KB)

(eth1)
vethb688b1f Link encap:Ethernet  HWaddr MM:MM:MM:MM:MM:MM

          inet6 addr: X.X.X.X/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:29596 errors:0 dropped:0 overruns:0 frame:0
          TX packets:19809 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:3866825 (3.8 MB)  TX bytes:3185722 (3.1 MB)


so-curator
-------------------------------------------------------------------------
(eth0)
vethf8dd264 Link encap:Ethernet  HWaddr MM:MM:MM:MM:MM:MM

          inet6 addr: X.X.X.X/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:47 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:3206 (3.2 KB)

(eth1)
vethdef095b Link encap:Ethernet  HWaddr MM:MM:MM:MM:MM:MM

          inet6 addr: X.X.X.X/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:29004 errors:0 dropped:0 overruns:0 frame:0
          TX packets:30452 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:3174440 (3.1 MB)  TX bytes:412780723 (412.7 MB)


so-elastalert
-------------------------------------------------------------------------
(eth0)
vethbc4377d Link encap:Ethernet  HWaddr MM:MM:MM:MM:MM:MM

          inet6 addr: X.X.X.X/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:10 errors:0 dropped:0 overruns:0 frame:0
          TX packets:56 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:724 (724.0 B)  TX bytes:4480 (4.4 KB)

(eth1)
veth844c9c6 Link encap:Ethernet  HWaddr MM:MM:MM:MM:MM:MM

          inet6 addr: X.X.X.X/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:13988 errors:0 dropped:0 overruns:0 frame:0
          TX packets:10259 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:3703759 (3.7 MB)  TX bytes:2858481 (2.8 MB)


so-elasticsearch
-------------------------------------------------------------------------
(eth0)
veth92184dd Link encap:Ethernet  HWaddr MM:MM:MM:MM:MM:MM

          inet6 addr: X.X.X.X/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:451 errors:0 dropped:0 overruns:0 frame:0
          TX packets:651 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1289655 (1.2 MB)  TX bytes:50661 (50.6 KB)

(eth1)
veth4838f59 Link encap:Ethernet  HWaddr MM:MM:MM:MM:MM:MM

          inet6 addr: X.X.X.X/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:61484 errors:0 dropped:0 overruns:0 frame:0
          TX packets:74164 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:419066279 (419.0 MB)  TX bytes:12423297 (12.4 MB)


so-domainstats
-------------------------------------------------------------------------
(eth0)
vethc2409ca Link encap:Ethernet  HWaddr MM:MM:MM:MM:MM:MM

          inet6 addr: X.X.X.X/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:62 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:4212 (4.2 KB)

(eth1)
veth3254ecd Link encap:Ethernet  HWaddr MM:MM:MM:MM:MM:MM

          inet6 addr: X.X.X.X/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:56 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:3608 (3.6 KB)



=========================================================================
Link Statistics
=========================================================================
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
    RX: bytes  packets  errors  dropped overrun mcast
    1770461301 894802   0       0       0       0

    RX errors: length   crc     frame   fifo    missed
               0        0       0       0       0
    TX: bytes  packets  errors  dropped carrier collsns
    1770461301 894802   0       0       0       0

    TX errors: aborted  fifo   window heartbeat transns
               0        0       0       0       0
2: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000
    link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
    RX: bytes  packets  errors  dropped overrun mcast
    3107906923 9763431  0       0       0       0

    RX errors: length   crc     frame   fifo    missed
               0        0       0       0       0
    TX: bytes  packets  errors  dropped carrier collsns
    20054500657 8372797  0       0       0       0

    TX errors: aborted  fifo   window heartbeat transns
               0        0       0       0       1
3: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default
    link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
    RX: bytes  packets  errors  dropped overrun mcast
    17039614   27969    0       0       0       0

    RX errors: length   crc     frame   fifo    missed
               0        0       0       0       0
    TX: bytes  packets  errors  dropped carrier collsns
    466621825  70221    0       0       0       0

    TX errors: aborted  fifo   window heartbeat transns
               0        0       0       0       2
4: br-df93399bedb3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default
    link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
    RX: bytes  packets  errors  dropped overrun mcast
    264        9        0       0       0       0

    RX errors: length   crc     frame   fifo    missed
               0        0       0       0       0
    TX: bytes  packets  errors  dropped carrier collsns
    1542       21       0       0       0       0

    TX errors: aborted  fifo   window heartbeat transns
               0        0       0       0       2
6: vethc2409ca@if5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP mode DEFAULT group default

    link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM link-netnsid 0
    RX: bytes  packets  errors  dropped overrun mcast
    0          0        0       0       0       0
    RX errors: length   crc     frame   fifo    missed
               0        0       0       0       0
    TX: bytes  packets  errors  dropped carrier collsns
    4212       62       0       0       0       0

    TX errors: aborted  fifo   window heartbeat transns
               0        0       0       0       2
8: veth3254ecd@if7: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-df93399bedb3 state UP mode DEFAULT group default

    link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM link-netnsid 0
    RX: bytes  packets  errors  dropped overrun mcast
    0          0        0       0       0       0
    RX errors: length   crc     frame   fifo    missed
               0        0       0       0       0
    TX: bytes  packets  errors  dropped carrier collsns
    3608       56       0       0       0       0

    TX errors: aborted  fifo   window heartbeat transns
               0        0       0       0       2
10: veth92184dd@if9: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP mode DEFAULT group default

    link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM link-netnsid 1
    RX: bytes  packets  errors  dropped overrun mcast
    1289655    451      0       0       0       0

    RX errors: length   crc     frame   fifo    missed
               0        0       0       0       0
    TX: bytes  packets  errors  dropped carrier collsns
    50661      651      0       0       0       0

    TX errors: aborted  fifo   window heartbeat transns
               0        0       0       0       2
12: veth4838f59@if11: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-df93399bedb3 state UP mode DEFAULT group default

    link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM link-netnsid 1
    RX: bytes  packets  errors  dropped overrun mcast
    419066279  61484    0       0       0       0

    RX errors: length   crc     frame   fifo    missed
               0        0       0       0       0
    TX: bytes  packets  errors  dropped carrier collsns
    12423297   74164    0       0       0       0

    TX errors: aborted  fifo   window heartbeat transns
               0        0       0       0       2
22: vethf8dd264@if21: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP mode DEFAULT group default

    link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM link-netnsid 4
    RX: bytes  packets  errors  dropped overrun mcast
    0          0        0       0       0       0
    RX errors: length   crc     frame   fifo    missed
               0        0       0       0       0
    TX: bytes  packets  errors  dropped carrier collsns
    3206       47       0       0       0       0

    TX errors: aborted  fifo   window heartbeat transns
               0        0       0       0       2
24: vethbc4377d@if23: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP mode DEFAULT group default

    link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM link-netnsid 5
    RX: bytes  packets  errors  dropped overrun mcast
    724        10       0       0       0       0

    RX errors: length   crc     frame   fifo    missed
               0        0       0       0       0
    TX: bytes  packets  errors  dropped carrier collsns
    4480       56       0       0       0       0

    TX errors: aborted  fifo   window heartbeat transns
               0        0       0       0       2
26: vethdef095b@if25: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-df93399bedb3 state UP mode DEFAULT group default

    link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM link-netnsid 4
    RX: bytes  packets  errors  dropped overrun mcast
    3174440    29004    0       0       0       0

    RX errors: length   crc     frame   fifo    missed
               0        0       0       0       0
    TX: bytes  packets  errors  dropped carrier collsns
    412780723  30452    0       0       0       0

    TX errors: aborted  fifo   window heartbeat transns
               0        0       0       0       2
28: veth844c9c6@if27: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-df93399bedb3 state UP mode DEFAULT group default

    link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM link-netnsid 5
    RX: bytes  packets  errors  dropped overrun mcast
    3703759    13988    0       0       0       0

    RX errors: length   crc     frame   fifo    missed
               0        0       0       0       0
    TX: bytes  packets  errors  dropped carrier collsns
    2858481    10259    0       0       0       0

    TX errors: aborted  fifo   window heartbeat transns
               0        0       0       0       2
30: vetha62cf9c@if29: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP mode DEFAULT group default
    link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM link-netnsid 2

    RX: bytes  packets  errors  dropped overrun mcast
    0          0        0       0       0       0
    RX errors: length   crc     frame   fifo    missed
               0        0       0       0       0
    TX: bytes  packets  errors  dropped carrier collsns
    2526       37       0       0       0       0

    TX errors: aborted  fifo   window heartbeat transns
               0        0       0       0       2
32: vethb688b1f@if31: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-df93399bedb3 state UP mode DEFAULT group default
    link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM link-netnsid 2

    RX: bytes  packets  errors  dropped overrun mcast
    3868393    29608    0       0       0       0

    RX errors: length   crc     frame   fifo    missed
               0        0       0       0       0
    TX: bytes  packets  errors  dropped carrier collsns
    3187008    19817    0       0       0       0

    TX errors: aborted  fifo   window heartbeat transns
               0        0       0       0       2
58: veth20a439a@if57: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP mode DEFAULT group default
    link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM link-netnsid 3

    RX: bytes  packets  errors  dropped overrun mcast
    265157     77       0       0       0       0

    RX errors: length   crc     frame   fifo    missed
               0        0       0       0       0
    TX: bytes  packets  errors  dropped carrier collsns
    10445      95       0       0       0       0

    TX errors: aborted  fifo   window heartbeat transns
               0        0       0       0       2
60: veth501d99e@if59: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-df93399bedb3 state UP mode DEFAULT group default
    link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM link-netnsid 3

    RX: bytes  packets  errors  dropped overrun mcast
    235355     175      0       0       0       0

    RX errors: length   crc     frame   fifo    missed
               0        0       0       0       0
    TX: bytes  packets  errors  dropped carrier collsns
    28339      140      0       0       0       0

    TX errors: aborted  fifo   window heartbeat transns
               0        0       0       0       2

=========================================================================
Disk Usage
=========================================================================
Filesystem      Size  Used Avail Use% Mounted on
udev            7.9G     0  7.9G   0% /dev
tmpfs           1.6G   11M  1.6G   1% /run
/dev/sda1       674G  401G  239G  63% /
tmpfs           7.9G   16K  7.9G   1% /dev/shm

tmpfs           5.0M     0  5.0M   0% /run/lock
tmpfs           7.9G     0  7.9G   0% /sys/fs/cgroup
tmpfs           1.6G     0  1.6G   0% /run/user/1000
tmpfs           1.6G  4.0K  1.6G   1% /run/user/115
overlay         674G  401G  239G  63% /var/lib/docker/overlay2/2c0f0ffbb3973faba9ebefac5dd7d6a8c26af5ec7dadb452ae6d8560d0076412/merged
overlay         674G  401G  239G  63% /var/lib/docker/overlay2/abdd2cbeb62d7aa33d5bdc265013f5a682eb9d150eafa406a1d54b8a34fe629e/merged
overlay         674G  401G  239G  63% /var/lib/docker/overlay2/671f22dfef3e0c4eed31cd14a3fc9d2debf6f5fcf2e1815bd975f51c9d9e291e/merged
overlay         674G  401G  239G  63% /var/lib/docker/overlay2/737c277f3ba66cb2eb29f4827b42b74a2a7218114b7ece4586de0c7032751b08/merged
overlay         674G  401G  239G  63% /var/lib/docker/overlay2/d70223e1bd7439303e27aecb8091884f6134db51e7cf5ab25a786d519fb05aa8/merged
tmpfs           1.6G     0  1.6G   0% /run/user/1001
overlay         674G  401G  239G  63% /var/lib/docker/overlay2/fbaf05381180f152bd38112910a64c401bc0d3994ad75e2fdafeaa2ef4863445/merged


=========================================================================
Network Sockets
=========================================================================
COMMAND     PID      USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
syslog-ng   918      root    7u  IPv4  17130      0t0  TCP *:514 (LISTEN)
syslog-ng   918      root    8u  IPv4  17131      0t0  UDP *:514
sshd       1063      root    3u  IPv4 556064      0t0  TCP X.X.X.X:ssh_port->X.X.X.X:33456 (ESTABLISHED)
sshd       1077 SO-user    3u  IPv4 556064      0t0  TCP X.X.X.X:ssh_port->X.X.X.X:33456 (ESTABLISHED)
sshd       1546      root    3u  IPv4  31818      0t0  TCP *:ssh_port (LISTEN)
sshd       1546      root    4u  IPv6  31820      0t0  TCP *:ssh_port (LISTEN)
sshd       1678      root    3u  IPv4  18414      0t0  TCP X.X.X.X:ssh_port->X.X.X.X:36448 (ESTABLISHED)
sshd       1683      root    3u  IPv4  18418      0t0  TCP X.X.X.X:ssh_port->X.X.X.X:56772 (ESTABLISHED)
sshd       1693      root    3u  IPv4  18423      0t0  TCP X.X.X.X:ssh_port->X.X.X.X:42934 (ESTABLISHED)
sshd       1747      root    3u  IPv4  25627      0t0  TCP X.X.X.X:ssh_port->X.X.X.X:50904 (ESTABLISHED)
sshd       1751      root    3u  IPv4  25635      0t0  TCP X.X.X.X:ssh_port->X.X.X.X:40928 (ESTABLISHED)
sshd       1983      root    3u  IPv4  25804      0t0  TCP X.X.X.X:ssh_port->X.X.X.X:57242 (ESTABLISHED)
sshd       1985      root    3u  IPv4  25808      0t0  TCP X.X.X.X:ssh_port->X.X.X.X:54916 (ESTABLISHED)
sshd       2000      root    3u  IPv4  25819      0t0  TCP X.X.X.X:ssh_port->X.X.X.X:59736 (ESTABLISHED)
ntpd       2043       ntp   16u  IPv6  24910      0t0  UDP *:123
ntpd       2043       ntp   17u  IPv4  24913      0t0  UDP *:123
ntpd       2043       ntp   18u  IPv4  24918      0t0  UDP X.X.X.X:123
ntpd       2043       ntp   19u  IPv4  24920      0t0  UDP X.X.X.X:123
ntpd       2043       ntp   20u  IPv6  24922      0t0  UDP [X.X.X.X]:123
ntpd       2043       ntp   21u  IPv6  24924      0t0  UDP [X.X.X.X]:123
ntpd       2043       ntp   23u  IPv4  33315      0t0  UDP X.X.X.X:123
ntpd       2043       ntp   24u  IPv4  33353      0t0  UDP X.X.X.X:123
ntpd       2043       ntp   25u  IPv6  33357      0t0  UDP [X.X.X.X]:123
ntpd       2043       ntp   26u  IPv6  33359      0t0  UDP [X.X.X.X]:123
ntpd       2043       ntp   27u  IPv6  33361      0t0  UDP [X.X.X.X]:123
ntpd       2043       ntp   28u  IPv6  33363      0t0  UDP [X.X.X.X]:123
ntpd       2043       ntp   29u  IPv6  33579      0t0  UDP [X.X.X.X]:123
ntpd       2043       ntp   30u  IPv6  33581      0t0  UDP [X.X.X.X]:123
ntpd       2043       ntp   31u  IPv6 395817      0t0  UDP [X.X.X.X]:123
ntpd       2043       ntp   32u  IPv6 395880      0t0  UDP [X.X.X.X]:123
ntpd       2043       ntp   33u  IPv6 735803      0t0  UDP [X.X.X.X]:123
ntpd       2043       ntp   34u  IPv6 735805      0t0  UDP [X.X.X.X]:123
ntpd       2043       ntp   35u  IPv6  46055      0t0  UDP [X.X.X.X]:123
ntpd       2043       ntp   36u  IPv6  46057      0t0  UDP [X.X.X.X]:123
ntpd       2043       ntp   37u  IPv6  42706      0t0  UDP [X.X.X.X]:123
ntpd       2043       ntp   38u  IPv6  42708      0t0  UDP [X.X.X.X]:123
sshd       2044      root    3u  IPv4  25833      0t0  TCP X.X.X.X:ssh_port->X.X.X.X:40374 (ESTABLISHED)
xrdp       2046      xrdp    6u  IPv4  25911      0t0  TCP *:3389 (LISTEN)
xrdp-sesm  2102      root    6u  IPv4  23912      0t0  TCP X.X.X.X:3350 (LISTEN)
sshd       2149      root    3u  IPv4  25916      0t0  TCP X.X.X.X:ssh_port->X.X.X.X:46124 (ESTABLISHED)
xinetd     2267      root    5u  IPv4  27899      0t0  TCP *:6556 (LISTEN)
sshd       2308 SO-user    3u  IPv4  25627      0t0  TCP X.X.X.X:ssh_port->X.X.X.X:50904 (ESTABLISHED)
sshd       2310 SO-user    3u  IPv4  25635      0t0  TCP X.X.X.X:ssh_port->X.X.X.X:40928 (ESTABLISHED)
sshd       2311 SO-user    3u  IPv4  18418      0t0  TCP X.X.X.X:ssh_port->X.X.X.X:56772 (ESTABLISHED)
sshd       2312 SO-user    3u  IPv4  25804      0t0  TCP X.X.X.X:ssh_port->X.X.X.X:57242 (ESTABLISHED)
sshd       2313 SO-user    3u  IPv4  25833      0t0  TCP X.X.X.X:ssh_port->X.X.X.X:40374 (ESTABLISHED)
sshd       2314 SO-user    3u  IPv4  18423      0t0  TCP X.X.X.X:ssh_port->X.X.X.X:42934 (ESTABLISHED)
sshd       2314 SO-user    4u  IPv4 745592      0t0  TCP X.X.X.X:43112->X.X.X.X:6050 (ESTABLISHED)
sshd       2315 SO-user    3u  IPv4  25819      0t0  TCP X.X.X.X:ssh_port->X.X.X.X:59736 (ESTABLISHED)
sshd       2316 SO-user    3u  IPv4  25808      0t0  TCP X.X.X.X:ssh_port->X.X.X.X:54916 (ESTABLISHED)
sshd       2317 SO-user    3u  IPv4  25916      0t0  TCP X.X.X.X:ssh_port->X.X.X.X:46124 (ESTABLISHED)
sshd       2318 SO-user    3u  IPv4  18414      0t0  TCP X.X.X.X:ssh_port->X.X.X.X:36448 (ESTABLISHED)
apache2    2439      root    4u  IPv6  27290      0t0  TCP *:443 (LISTEN)
sshd       2817      root    3u  IPv4  26078      0t0  TCP X.X.X.X:ssh_port->X.X.X.X:35094 (ESTABLISHED)
sshd       2819      root    3u  IPv4  26082      0t0  TCP X.X.X.X:ssh_port->X.X.X.X:44952 (ESTABLISHED)
sshd       2821      root    3u  IPv4  26086      0t0  TCP X.X.X.X:ssh_port->X.X.X.X:36034 (ESTABLISHED)
sshd       2834 SO-user    3u  IPv4  26078      0t0  TCP X.X.X.X:ssh_port->X.X.X.X:35094 (ESTABLISHED)
sshd       2846 SO-user    3u  IPv4  26082      0t0  TCP X.X.X.X:ssh_port->X.X.X.X:44952 (ESTABLISHED)
sshd       2847      root    3u  IPv4  26090      0t0  TCP X.X.X.X:ssh_port->X.X.X.X:23802 (ESTABLISHED)
sshd       2866 SO-user    3u  IPv4  26086      0t0  TCP X.X.X.X:ssh_port->X.X.X.X:36034 (ESTABLISHED)
sshd       2925      root    3u  IPv4  26114      0t0  TCP X.X.X.X:ssh_port->X.X.X.X:44734 (ESTABLISHED)
sshd       2942 SO-user    3u  IPv4  26114      0t0  TCP X.X.X.X:ssh_port->X.X.X.X:44734 (ESTABLISHED)
sshd       2966 SO-user    3u  IPv4  26090      0t0  TCP X.X.X.X:ssh_port->X.X.X.X:23802 (ESTABLISHED)
sshd       3085      root    3u  IPv4  26231      0t0  TCP X.X.X.X:ssh_port->X.X.X.X:56334 (ESTABLISHED)
sshd       3123 SO-user    3u  IPv4  26231      0t0  TCP X.X.X.X:ssh_port->X.X.X.X:56334 (ESTABLISHED)
ossec-aut  3220      root    3u  IPv4  26299      0t0  TCP *:1515 (LISTEN)
ossec-rem  3368    ossecr    4u  IPv4  31764      0t0  UDP *:1514
sshd       4126      root    3u  IPv4  32065      0t0  TCP X.X.X.X:ssh_port->X.X.X.X:38390 (ESTABLISHED)
sshd       4147 SO-user    3u  IPv4  32065      0t0  TCP X.X.X.X:ssh_port->X.X.X.X:38390 (ESTABLISHED)
salt-mini  4365      root   26u  IPv4  38172      0t0  TCP X.X.X.X:38394->X.X.X.X:4505 (ESTABLISHED)
sshd       4431      root    3u  IPv4  32156      0t0  TCP X.X.X.X:ssh_port->X.X.X.X:44718 (ESTABLISHED)
sshd       4451 SO-user    3u  IPv4  32156      0t0  TCP X.X.X.X:ssh_port->X.X.X.X:44718 (ESTABLISHED)
sshd       4454      root    3u  IPv4  32160      0t0  TCP X.X.X.X:ssh_port->X.X.X.X:36238 (ESTABLISHED)
sshd       4455      root    3u  IPv4  32164      0t0  TCP X.X.X.X:ssh_port->X.X.X.X:55354 (ESTABLISHED)
sshd       4460      root    3u  IPv4  32176      0t0  TCP X.X.X.X:ssh_port->X.X.X.X:48666 (ESTABLISHED)
sshd       4473 SO-user    3u  IPv4  32176      0t0  TCP X.X.X.X:ssh_port->X.X.X.X:48666 (ESTABLISHED)
sshd       4485 SO-user    3u  IPv4  32160      0t0  TCP X.X.X.X:ssh_port->X.X.X.X:36238 (ESTABLISHED)
sshd       4497 SO-user    3u  IPv4  32164      0t0  TCP X.X.X.X:ssh_port->X.X.X.X:55354 (ESTABLISHED)
docker-pr  4574      root    4u  IPv4  30714      0t0  TCP X.X.X.X:20000 (LISTEN)
docker-pr  4882      root    4u  IPv4  33400      0t0  TCP X.X.X.X:9300 (LISTEN)
docker-pr  4896      root    4u  IPv4  38010      0t0  TCP X.X.X.X:9200 (LISTEN)
sshd       5109      root    3u  IPv4  32351      0t0  TCP X.X.X.X:ssh_port->X.X.X.X:56006 (ESTABLISHED)
salt-mast  5324      root   14u  IPv4  32450      0t0  TCP *:4505 (LISTEN)
salt-mast  5324      root   16u  IPv4  37448      0t0  TCP X.X.X.X:4505->X.X.X.X:35480 (ESTABLISHED)
salt-mast  5324      root   17u  IPv4  41040      0t0  TCP X.X.X.X:4505->X.X.X.X:38394 (ESTABLISHED)
salt-mast  5324      root   18u  IPv4  41041      0t0  TCP X.X.X.X:4505->X.X.X.X:51332 (ESTABLISHED)
salt-mast  5324      root   19u  IPv4  41042      0t0  TCP X.X.X.X:4505->X.X.X.X:58004 (ESTABLISHED)
salt-mast  5324      root   20u  IPv4  41043      0t0  TCP X.X.X.X:4505->X.X.X.X:56440 (ESTABLISHED)
salt-mast  5324      root   21u  IPv4  41050      0t0  TCP X.X.X.X:4505->X.X.X.X:46044 (ESTABLISHED)
salt-mast  5324      root   22u  IPv4  35362      0t0  TCP X.X.X.X:4505->X.X.X.X:60302 (ESTABLISHED)
salt-mast  5324      root   23u  IPv4  35363      0t0  TCP X.X.X.X:4505->X.X.X.X:57826 (ESTABLISHED)
salt-mast  5324      root   24u  IPv4  35364      0t0  TCP X.X.X.X:4505->X.X.X.X:40848 (ESTABLISHED)
salt-mast  5324      root   25u  IPv4  35366      0t0  TCP X.X.X.X:4505->X.X.X.X:50032 (ESTABLISHED)
salt-mast  5324      root   26u  IPv4  35367      0t0  TCP X.X.X.X:4505->X.X.X.X:48022 (ESTABLISHED)
salt-mast  5324      root   27u  IPv4  35368      0t0  TCP X.X.X.X:4505->X.X.X.X:36276 (ESTABLISHED)
salt-mast  5324      root   28u  IPv4  35369      0t0  TCP X.X.X.X:4505->X.X.X.X:42692 (ESTABLISHED)
salt-mast  5324      root   29u  IPv4  35370      0t0  TCP X.X.X.X:4505->X.X.X.X:48930 (ESTABLISHED)
salt-mast  5324      root   30u  IPv4  35372      0t0  TCP X.X.X.X:4505->X.X.X.X:59188 (ESTABLISHED)
salt-mast  5324      root   31u  IPv4  35376      0t0  TCP X.X.X.X:4505->X.X.X.X:53994 (ESTABLISHED)
salt-mast  5324      root   32u  IPv4  35377      0t0  TCP X.X.X.X:4505->X.X.X.X:38198 (ESTABLISHED)
salt-mast  5324      root   33u  IPv4  35378      0t0  TCP X.X.X.X:4505->X.X.X.X:47774 (ESTABLISHED)
salt-mast  5324      root   34u  IPv4  35379      0t0  TCP X.X.X.X:4505->X.X.X.X:34594 (ESTABLISHED)
salt-mast  5324      root   35u  IPv4  35380      0t0  TCP X.X.X.X:4505->X.X.X.X:55718 (ESTABLISHED)
salt-mast  5324      root   36u  IPv4  35381      0t0  TCP X.X.X.X:4505->X.X.X.X:34562 (ESTABLISHED)
salt-mast  5324      root   37u  IPv4  35382      0t0  TCP X.X.X.X:4505->X.X.X.X:47234 (ESTABLISHED)
salt-mast  5324      root   38u  IPv4  35383      0t0  TCP X.X.X.X:4505->X.X.X.X:42452 (ESTABLISHED)
salt-mast  5324      root   39u  IPv4  35388      0t0  TCP X.X.X.X:4505->X.X.X.X:49412 (ESTABLISHED)
salt-mast  5324      root   40u  IPv4  35389      0t0  TCP X.X.X.X:4505->X.X.X.X:52200 (ESTABLISHED)
salt-mast  5324      root   41u  IPv4  35390      0t0  TCP X.X.X.X:4505->X.X.X.X:36944 (ESTABLISHED)
salt-mast  5324      root   42u  IPv4  35391      0t0  TCP X.X.X.X:4505->X.X.X.X:34958 (ESTABLISHED)
salt-mast  5324      root   43u  IPv4  35417      0t0  TCP X.X.X.X:4505->X.X.X.X:37922 (ESTABLISHED)
salt-mast  5354      root   22u  IPv4  35119      0t0  TCP *:4506 (LISTEN)
salt-mast  5354      root   24u  IPv4 728983      0t0  TCP X.X.X.X:4506->X.X.X.X:59596 (ESTABLISHED)
salt-mast  5354      root   30u  IPv4  39228      0t0  TCP X.X.X.X:4506->X.X.X.X:57846 (ESTABLISHED)
salt-mast  5354      root   32u  IPv4  41053      0t0  TCP X.X.X.X:4506->X.X.X.X:45112 (ESTABLISHED)
salt-mast  5354      root   38u  IPv4 729732      0t0  TCP X.X.X.X:4506->X.X.X.X:59592 (ESTABLISHED)
sshd       5784      root    3u  IPv4 568423      0t0  TCP X.X.X.X:ssh_port->X.X.X.X:52088 (ESTABLISHED)
sshd       5799 SO-user    3u  IPv4 568423      0t0  TCP X.X.X.X:ssh_port->X.X.X.X:52088 (ESTABLISHED)
sshd       6237 SO-user    3u  IPv4  32351      0t0  TCP X.X.X.X:ssh_port->X.X.X.X:56006 (ESTABLISHED)
sshd       7019      root    3u  IPv4 669228      0t0  TCP X.X.X.X:ssh_port->X.X.X.X:46956 (ESTABLISHED)
sshd       7037 SO-user    3u  IPv4 669228      0t0  TCP X.X.X.X:ssh_port->X.X.X.X:46956 (ESTABLISHED)
sshd       8330      root    3u  IPv4 669674      0t0  TCP X.X.X.X:ssh_port->X.X.X.X:46262 (ESTABLISHED)
sshd       8343 SO-user    3u  IPv4 669674      0t0  TCP X.X.X.X:ssh_port->X.X.X.X:46262 (ESTABLISHED)
apache2   11497  www-data    4u  IPv6  27290      0t0  TCP *:443 (LISTEN)
apache2   11498  www-data    4u  IPv6  27290      0t0  TCP *:443 (LISTEN)
apache2   11499  www-data    4u  IPv6  27290      0t0  TCP *:443 (LISTEN)
apache2   11500  www-data    4u  IPv6  27290      0t0  TCP *:443 (LISTEN)
apache2   11501  www-data    4u  IPv6  27290      0t0  TCP *:443 (LISTEN)
docker-pr 12583      root    4u  IPv4 380857      0t0  TCP X.X.X.X:5601 (LISTEN)
apache2   12882  www-data    4u  IPv6  27290      0t0  TCP *:443 (LISTEN)
apache2   12900  www-data    4u  IPv6  27290      0t0  TCP *:443 (LISTEN)
apache2   12903  www-data    4u  IPv6  27290      0t0  TCP *:443 (LISTEN)
apache2   12914  www-data    4u  IPv6  27290      0t0  TCP *:443 (LISTEN)
apache2   12947  www-data    4u  IPv6  27290      0t0  TCP *:443 (LISTEN)
sshd      14427      root    3u  IPv4 396238      0t0  TCP X.X.X.X:ssh_port->X.X.X.X:24148 (ESTABLISHED)
sshd      14542 SO-user    3u  IPv4 396238      0t0  TCP X.X.X.X:ssh_port->X.X.X.X:24148 (ESTABLISHED)
mysqld    23352     mysql   18u  IPv4 716823      0t0  TCP X.X.X.X:3306 (LISTEN)
sshd      23409      root    3u  IPv4 518667      0t0  TCP X.X.X.X:ssh_port->X.X.X.X:24384 (ESTABLISHED)
tclsh     23455     SO-user   13u  IPv4 712576      0t0  TCP *:7734 (LISTEN)
tclsh     23455     SO-user   14u  IPv6 712577      0t0  TCP *:7734 (LISTEN)
tclsh     23455     SO-user   15u  IPv4 712580      0t0  TCP *:7736 (LISTEN)
tclsh     23455     SO-user   16u  IPv6 712581      0t0  TCP *:7736 (LISTEN)
tclsh     23455     SO-user   17u  IPv4 712684      0t0  TCP X.X.X.X:7736->X.X.X.X:40525 (ESTABLISHED)
tclsh     23455     SO-user   18u  IPv4 712685      0t0  TCP X.X.X.X:7736->X.X.X.X:43839 (ESTABLISHED)
tclsh     23455     SO-user   19u  IPv4 712686      0t0  TCP X.X.X.X:7736->X.X.X.X:38415 (ESTABLISHED)
tclsh     23455     SO-user   20u  IPv4 712687      0t0  TCP X.X.X.X:7736->X.X.X.X:35165 (ESTABLISHED)
tclsh     23455     SO-user   21u  IPv4 712688      0t0  TCP X.X.X.X:7736->X.X.X.X:33751 (ESTABLISHED)
tclsh     23455     SO-user   22u  IPv4 712689      0t0  TCP X.X.X.X:7736->X.X.X.X:42517 (ESTABLISHED)
tclsh     23455     SO-user   23u  IPv4 712690      0t0  TCP X.X.X.X:7736->X.X.X.X:43699 (ESTABLISHED)
tclsh     23455     SO-user   24u  IPv4 712691      0t0  TCP X.X.X.X:7736->X.X.X.X:34319 (ESTABLISHED)
tclsh     23455     SO-user   25u  IPv4 712692      0t0  TCP X.X.X.X:7736->X.X.X.X:37763 (ESTABLISHED)
tclsh     23455     SO-user   26u  IPv4 712693      0t0  TCP X.X.X.X:7736->X.X.X.X:38181 (ESTABLISHED)
tclsh     23455     SO-user   27u  IPv4 712694      0t0  TCP X.X.X.X:7736->X.X.X.X:36271 (ESTABLISHED)
tclsh     23455     SO-user   28u  IPv4 712695      0t0  TCP X.X.X.X:7736->X.X.X.X:44817 (ESTABLISHED)
tclsh     23455     SO-user   29u  IPv4 712696      0t0  TCP X.X.X.X:7736->X.X.X.X:38001 (ESTABLISHED)
tclsh     23455     SO-user   30u  IPv4 712697      0t0  TCP X.X.X.X:7736->X.X.X.X:44723 (ESTABLISHED)
tclsh     23455     SO-user   31u  IPv4 712698      0t0  TCP X.X.X.X:7736->X.X.X.X:33007 (ESTABLISHED)
tclsh     23455     SO-user   32u  IPv4 712699      0t0  TCP X.X.X.X:7736->X.X.X.X:39165 (ESTABLISHED)
tclsh     23455     SO-user   33u  IPv4 712700      0t0  TCP X.X.X.X:7736->X.X.X.X:46847 (ESTABLISHED)
tclsh     23455     SO-user   34u  IPv4 712701      0t0  TCP X.X.X.X:7736->X.X.X.X:42639 (ESTABLISHED)
tclsh     23455     SO-user   35u  IPv4 712702      0t0  TCP X.X.X.X:7736->X.X.X.X:39053 (ESTABLISHED)
tclsh     23455     SO-user   36u  IPv4 712703      0t0  TCP X.X.X.X:7736->X.X.X.X:33171 (ESTABLISHED)
tclsh     23455     SO-user   37u  IPv4 712704      0t0  TCP X.X.X.X:7736->X.X.X.X:40875 (ESTABLISHED)
tclsh     23455     SO-user   38u  IPv4 717825      0t0  TCP X.X.X.X:7736->X.X.X.X:40211 (ESTABLISHED)
tclsh     23455     SO-user   39u  IPv4 717826      0t0  TCP X.X.X.X:7736->X.X.X.X:42105 (ESTABLISHED)
tclsh     23455     SO-user   40u  IPv4 717827      0t0  TCP X.X.X.X:7736->X.X.X.X:38863 (ESTABLISHED)
tclsh     23455     SO-user   41u  IPv4 717828      0t0  TCP X.X.X.X:7736->X.X.X.X:42827 (ESTABLISHED)
tclsh     23455     SO-user   42u  IPv4 717829      0t0  TCP X.X.X.X:7736->X.X.X.X:43333 (ESTABLISHED)
tclsh     23455     SO-user   43u  IPv4 717830      0t0  TCP X.X.X.X:7736->X.X.X.X:36469 (ESTABLISHED)
tclsh     23455     SO-user   44u  IPv4 717831      0t0  TCP X.X.X.X:7736->X.X.X.X:38935 (ESTABLISHED)
tclsh     23455     SO-user   45u  IPv4 717832      0t0  TCP X.X.X.X:7736->X.X.X.X:33683 (ESTABLISHED)
tclsh     23455     SO-user   46u  IPv4 717833      0t0  TCP X.X.X.X:7736->X.X.X.X:44463 (ESTABLISHED)
tclsh     23455     SO-user   47u  IPv4 717834      0t0  TCP X.X.X.X:7736->X.X.X.X:44961 (ESTABLISHED)
tclsh     23455     SO-user   48u  IPv4 717835      0t0  TCP X.X.X.X:7736->X.X.X.X:40965 (ESTABLISHED)
tclsh     23455     SO-user   49u  IPv4 717836      0t0  TCP X.X.X.X:7736->X.X.X.X:41151 (ESTABLISHED)
tclsh     23455     SO-user   50u  IPv4 717837      0t0  TCP X.X.X.X:7736->X.X.X.X:40515 (ESTABLISHED)
tclsh     23455     SO-user   51u  IPv4 717838      0t0  TCP X.X.X.X:7736->X.X.X.X:35125 (ESTABLISHED)
tclsh     23455     SO-user   52u  IPv4 717839      0t0  TCP X.X.X.X:7736->X.X.X.X:46521 (ESTABLISHED)
tclsh     23455     SO-user   53u  IPv4 717840      0t0  TCP X.X.X.X:7736->X.X.X.X:39057 (ESTABLISHED)
tclsh     23455     SO-user   54u  IPv4 717841      0t0  TCP X.X.X.X:7736->X.X.X.X:43875 (ESTABLISHED)
tclsh     23455     SO-user   55u  IPv4 717842      0t0  TCP X.X.X.X:7736->X.X.X.X:36937 (ESTABLISHED)
tclsh     23455     SO-user   56u  IPv4 717843      0t0  TCP X.X.X.X:7736->X.X.X.X:45199 (ESTABLISHED)
tclsh     23455     SO-user   57u  IPv4 717844      0t0  TCP X.X.X.X:7736->X.X.X.X:34127 (ESTABLISHED)
tclsh     23455     SO-user   58u  IPv4 717845      0t0  TCP X.X.X.X:7736->X.X.X.X:41435 (ESTABLISHED)
tclsh     23455     SO-user   59u  IPv4 717846      0t0  TCP X.X.X.X:7736->X.X.X.X:36783 (ESTABLISHED)
tclsh     23455     SO-user   60u  IPv4 717847      0t0  TCP X.X.X.X:7736->X.X.X.X:34865 (ESTABLISHED)
tclsh     23455     SO-user   61u  IPv4 717848      0t0  TCP X.X.X.X:7736->X.X.X.X:46433 (ESTABLISHED)
tclsh     23455     SO-user   62u  IPv4 717849      0t0  TCP X.X.X.X:7736->X.X.X.X:42211 (ESTABLISHED)
tclsh     23455     SO-user   63u  IPv4 717850      0t0  TCP X.X.X.X:7736->X.X.X.X:43251 (ESTABLISHED)
tclsh     23455     SO-user   64u  IPv4 717851      0t0  TCP X.X.X.X:7736->X.X.X.X:44045 (ESTABLISHED)
tclsh     23455     SO-user   65u  IPv4 717852      0t0  TCP X.X.X.X:7736->X.X.X.X:39769 (ESTABLISHED)
tclsh     23455     SO-user   66u  IPv4 717853      0t0  TCP X.X.X.X:7736->X.X.X.X:38721 (ESTABLISHED)
tclsh     23455     SO-user   67u  IPv4 717854      0t0  TCP X.X.X.X:7736->X.X.X.X:38935 (ESTABLISHED)
tclsh     23455     SO-user   68u  IPv4 717855      0t0  TCP X.X.X.X:7736->X.X.X.X:44343 (ESTABLISHED)
tclsh     23455     SO-user   69u  IPv4 717856      0t0  TCP X.X.X.X:7736->X.X.X.X:38253 (ESTABLISHED)
tclsh     23455     SO-user   70u  IPv4 717857      0t0  TCP X.X.X.X:7736->X.X.X.X:33375 (ESTABLISHED)
tclsh     23455     SO-user   71u  IPv4 717858      0t0  TCP X.X.X.X:7736->X.X.X.X:41295 (ESTABLISHED)
tclsh     23455     SO-user   72u  IPv4 717859      0t0  TCP X.X.X.X:7736->X.X.X.X:36959 (ESTABLISHED)
tclsh     23455     SO-user   73u  IPv4 717860      0t0  TCP X.X.X.X:7736->X.X.X.X:38531 (ESTABLISHED)
tclsh     23455     SO-user   74u  IPv4 717861      0t0  TCP X.X.X.X:7736->X.X.X.X:44767 (ESTABLISHED)
tclsh     23455     SO-user   75u  IPv4 717862      0t0  TCP X.X.X.X:7736->X.X.X.X:33721 (ESTABLISHED)
tclsh     23455     SO-user   76u  IPv4 717863      0t0  TCP X.X.X.X:7736->X.X.X.X:42825 (ESTABLISHED)
tclsh     23455     SO-user   77u  IPv4 717864      0t0  TCP X.X.X.X:7736->X.X.X.X:43571 (ESTABLISHED)
tclsh     23455     SO-user   78u  IPv4 717865      0t0  TCP X.X.X.X:7736->X.X.X.X:32875 (ESTABLISHED)
tclsh     23455     SO-user   79u  IPv4 717866      0t0  TCP X.X.X.X:7736->X.X.X.X:33193 (ESTABLISHED)
tclsh     23455     SO-user   80u  IPv4 717867      0t0  TCP X.X.X.X:7736->X.X.X.X:42495 (ESTABLISHED)
tclsh     23455     SO-user   81u  IPv4 717868      0t0  TCP X.X.X.X:7736->X.X.X.X:38003 (ESTABLISHED)
tclsh     23455     SO-user   82u  IPv4 717869      0t0  TCP X.X.X.X:7736->X.X.X.X:43203 (ESTABLISHED)
tclsh     23455     SO-user   83u  IPv4 717870      0t0  TCP X.X.X.X:7736->X.X.X.X:43057 (ESTABLISHED)
tclsh     23455     SO-user   84u  IPv4 717871      0t0  TCP X.X.X.X:7736->X.X.X.X:40145 (ESTABLISHED)
tclsh     23455     SO-user   85u  IPv4 717872      0t0  TCP X.X.X.X:7736->X.X.X.X:33307 (ESTABLISHED)
tclsh     23455     SO-user   86u  IPv4 717873      0t0  TCP X.X.X.X:7736->X.X.X.X:33501 (ESTABLISHED)
tclsh     23455     SO-user   87u  IPv4 717874      0t0  TCP X.X.X.X:7736->X.X.X.X:36817 (ESTABLISHED)
tclsh     23455     SO-user   88u  IPv4 717875      0t0  TCP X.X.X.X:7736->X.X.X.X:39203 (ESTABLISHED)
tclsh     23455     SO-user   89u  IPv4 717876      0t0  TCP X.X.X.X:7736->X.X.X.X:36275 (ESTABLISHED)
tclsh     23455     SO-user   90u  IPv4 717877      0t0  TCP X.X.X.X:7736->X.X.X.X:42531 (ESTABLISHED)
tclsh     23455     SO-user   91u  IPv4 717878      0t0  TCP X.X.X.X:7736->X.X.X.X:43417 (ESTABLISHED)
tclsh     23455     SO-user   92u  IPv4 717879      0t0  TCP X.X.X.X:7736->X.X.X.X:42569 (ESTABLISHED)
tclsh     23455     SO-user   93u  IPv4 717880      0t0  TCP X.X.X.X:7736->X.X.X.X:33589 (ESTABLISHED)
tclsh     23455     SO-user   94u  IPv4 717881      0t0  TCP X.X.X.X:7736->X.X.X.X:37753 (ESTABLISHED)
tclsh     23455     SO-user   95u  IPv4 717882      0t0  TCP X.X.X.X:7736->X.X.X.X:42213 (ESTABLISHED)
tclsh     23455     SO-user   96u  IPv4 717883      0t0  TCP X.X.X.X:7736->X.X.X.X:42593 (ESTABLISHED)
tclsh     23455     SO-user   97u  IPv4 717884      0t0  TCP X.X.X.X:7736->X.X.X.X:40471 (ESTABLISHED)
tclsh     23455     SO-user   98u  IPv4 717885      0t0  TCP X.X.X.X:7736->X.X.X.X:38985 (ESTABLISHED)
tclsh     23455     SO-user   99u  IPv4 717886      0t0  TCP X.X.X.X:7736->X.X.X.X:37701 (ESTABLISHED)
tclsh     23455     SO-user  100u  IPv4 717887      0t0  TCP X.X.X.X:7736->X.X.X.X:41587 (ESTABLISHED)
tclsh     23455     SO-user  101u  IPv4 717888      0t0  TCP X.X.X.X:7736->X.X.X.X:32779 (ESTABLISHED)
tclsh     23455     SO-user  102u  IPv4 717889      0t0  TCP X.X.X.X:7736->X.X.X.X:41461 (ESTABLISHED)
tclsh     23455     SO-user  103u  IPv4 717890      0t0  TCP X.X.X.X:7736->X.X.X.X:40045 (ESTABLISHED)
tclsh     23455     SO-user  104u  IPv4 717891      0t0  TCP X.X.X.X:7736->X.X.X.X:33685 (ESTABLISHED)
tclsh     23455     SO-user  105u  IPv4 717892      0t0  TCP X.X.X.X:7736->X.X.X.X:46357 (ESTABLISHED)
tclsh     23455     SO-user  106u  IPv4 714318      0t0  TCP X.X.X.X:7736->X.X.X.X:46417 (ESTABLISHED)
tclsh     23455     SO-user  108u  IPv4 717949      0t0  TCP X.X.X.X:7736->X.X.X.X:37513 (ESTABLISHED)
tclsh     23455     SO-user  111u  IPv4 717963      0t0  TCP X.X.X.X:7736->X.X.X.X:33893 (ESTABLISHED)
tclsh     23455     SO-user  112u  IPv4 717964      0t0  TCP X.X.X.X:7736->X.X.X.X:37293 (ESTABLISHED)
tclsh     23455     SO-user  113u  IPv4 717965      0t0  TCP X.X.X.X:7736->X.X.X.X:43263 (ESTABLISHED)
tclsh     23455     SO-user  114u  IPv4 717966      0t0  TCP X.X.X.X:7736->X.X.X.X:35317 (ESTABLISHED)
tclsh     23455     SO-user  115u  IPv4 717967      0t0  TCP X.X.X.X:7736->X.X.X.X:35203 (ESTABLISHED)
tclsh     23455     SO-user  116u  IPv4 717968      0t0  TCP X.X.X.X:7736->X.X.X.X:33927 (ESTABLISHED)
tclsh     23455     SO-user  117u  IPv4 717969      0t0  TCP X.X.X.X:7736->X.X.X.X:44983 (ESTABLISHED)
tclsh     23455     SO-user  118u  IPv4 717970      0t0  TCP X.X.X.X:7736->X.X.X.X:38043 (ESTABLISHED)
tclsh     23455     SO-user  119u  IPv4 717971      0t0  TCP X.X.X.X:7736->X.X.X.X:42275 (ESTABLISHED)
tclsh     23455     SO-user  120u  IPv4 717972      0t0  TCP X.X.X.X:7736->X.X.X.X:33927 (ESTABLISHED)
tclsh     23455     SO-user  121u  IPv4 717973      0t0  TCP X.X.X.X:7736->X.X.X.X:42535 (ESTABLISHED)
tclsh     23455     SO-user  122u  IPv4 717974      0t0  TCP X.X.X.X:7736->X.X.X.X:42109 (ESTABLISHED)
tclsh     23455     SO-user  123u  IPv4 717975      0t0  TCP X.X.X.X:7736->X.X.X.X:37805 (ESTABLISHED)
tclsh     23455     SO-user  124u  IPv4 717976      0t0  TCP X.X.X.X:7736->X.X.X.X:43377 (ESTABLISHED)
tclsh     23455     SO-user  125u  IPv4 717977      0t0  TCP X.X.X.X:7736->X.X.X.X:41383 (ESTABLISHED)
tclsh     23455     SO-user  126u  IPv4 717978      0t0  TCP X.X.X.X:7736->X.X.X.X:43917 (ESTABLISHED)
tclsh     23455     SO-user  127u  IPv4 717979      0t0  TCP X.X.X.X:7736->X.X.X.X:37751 (ESTABLISHED)
tclsh     23455     SO-user  128u  IPv4 717980      0t0  TCP X.X.X.X:7736->X.X.X.X:44175 (ESTABLISHED)
sshd      23518 SO-user    3u  IPv4 518667      0t0  TCP X.X.X.X:ssh_port->X.X.X.X:24384 (ESTABLISHED)
sshd      24607      root    3u  IPv4 519025      0t0  TCP X.X.X.X:ssh_port->X.X.X.X:60720 (ESTABLISHED)
sshd      24620 SO-user    3u  IPv4 519025      0t0  TCP X.X.X.X:ssh_port->X.X.X.X:60720 (ESTABLISHED)
tclsh     25522     SO-user    3u  IPv4 708543      0t0  TCP X.X.X.X:35563->X.X.X.X:7736 (CLOSE_WAIT)
docker-pr 30299      root    4u  IPv6 727885      0t0  TCP *:9600 (LISTEN)
docker-pr 30315      root    4u  IPv6 731736      0t0  TCP *:6053 (LISTEN)
docker-pr 30329      root    4u  IPv6 736644      0t0  TCP *:6052 (LISTEN)
docker-pr 30343      root    4u  IPv6 737433      0t0  TCP *:6051 (LISTEN)
docker-pr 30357      root    3u  IPv6 745593      0t0  TCP X.X.X.X:6050->X.X.X.X:43112 (ESTABLISHED)
docker-pr 30357      root    4u  IPv6 727892      0t0  TCP *:6050 (LISTEN)
docker-pr 30357      root    5u  IPv4 745595      0t0  TCP X.X.X.X:58048->X.X.X.X:6050 (ESTABLISHED)
docker-pr 30370      root    4u  IPv6 727899      0t0  TCP *:5044 (LISTEN)


=========================================================================
IDS Rules Update
=========================================================================
Thu Sep  5 07:03:12 UTC 2019

Backing up current local_rules.xml file.
Cleaning up local_rules.xml backup files older than 30 days.
Backing up current downloaded.rules file before it gets overwritten.
Cleaning up downloaded.rules backup files older than 30 days.
Backing up current local.rules file before it gets overwritten.
Cleaning up local.rules backup files older than 30 days.
Running PulledPork.
    https://github.com/shirkdog/pulledpork
      _____ ____
     `----,\    )
      `--==\\  /    PulledPork v0.7.3 - Making signature updates great again!
       `--==\\/
     .-~~~~-.Y|\\_  Copyright (C) 2009-2017 JJ Cummings, Michael Shirk
  @_/        /  66\_  and the PulledPork Team!
    |    \   \   _(")
     \   /-| ||'--'  Rules give me wings!
      \_\  \_\\
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Checking latest MD5 for snortrules-snapshot-29130.tar.gz....
Rules tarball download of snortrules-snapshot-29130.tar.gz....
        They Match
        Done!
Checking latest MD5 for community-rules.tar.gz....
Rules tarball download of community-rules.tar.gz....
        They Match
        Done!
Checking latest MD5 for emerging.rules.tar.gz....
Rules tarball download of emerging.rules.tar.gz....
        They Match
        Done!
IP Blacklist download of http://talosintelligence.com/feeds/ip-filter.blf....
Reading IP List...
Prepping rules from emerging.rules.tar.gz for work....
        Done!
Prepping rules from community-rules.tar.gz for work....
        Done!
Prepping rules from snortrules-snapshot-29130.tar.gz for work....
        Done!
Reading rules...
Generating Stub Rules....
        Done
Reading rules...
Reading rules...
Writing Blacklist File /etc/nsm/rules/default.blacklist....
Writing Blacklist Version 1714565220 to /etc/nsm/rules/IPRVersion.dat....
Modifying Sids....
        Done!
Processing /etc/nsm/pulledpork/enablesid.conf....
        Modified 0 rules
        Skipped 0 rules (already disabled)
        Done
Processing /etc/nsm/pulledpork/dropsid.conf....
        Modified 0 rules
        Skipped 0 rules (already disabled)
        Done
Processing /etc/nsm/pulledpork/disablesid.conf....
        Modified 377 rules
        Skipped 50 rules (already disabled)
        Done
Setting Flowbit State....
        Enabled 193 flowbits
        Enabled 1 flowbits
        Done
Writing /etc/nsm/rules/downloaded.rules....
        Done
Generating sid-msg.map....
        Done
Writing v1 /etc/nsm/rules/sid-msg.map....
        Done
Writing /var/log/nsm/sid_changes.log....
        Done
Rule Stats...
        New:-------17
        Deleted:---87
        Enabled Rules:----34597
        Dropped Rules:----0
        Disabled Rules:---32552
        Total Rules:------67149
IP Blacklist Stats...
        Total IPs:-----1173
Done
Please review /var/log/nsm/sid_changes.log for additional details
Fly Piggy Fly!


=========================================================================
CPU Usage
=========================================================================
Load average for the last 1, 5, and 15 minutes:
2.62 1.80 1.08

Processing units: 8
If load average is higher than processing units,
then tune until load average is lower than processing units.

top - 12:47:48 up  4:51,  4 users,  load average: 2.62, 1.80, 1.08
Tasks: 306 total,   2 running, 233 sleeping,   1 stopped,   0 zombie
%Cpu(s):  3.7 us,  0.7 sy,  0.0 ni, 93.1 id,  2.4 wa,  0.0 hi,  0.2 si,  0.0 st
KiB Mem : 16425320 total,   912440 free,  8826252 used,  6686628 buff/cache
KiB Swap: 16774140 total, 16773360 free,      780 used.  6900552 avail Mem

%CPU %MEM COMMAND
 200 10.3 /bin/java -Xms4000m -Xmx4000m -XX:+UseConcMarkSweepGC -XX:CMSInitiatingOccupancyFraction=75 -XX:+UseCMSInitiatingOccupancyOnly -Djava.awt.headless=true -Dfile.encoding=UTF-8 -Djruby.compile.invokedynamic=true -Djruby.jit.threshold=0 -XX:+HeapDumpOnOutOfMemoryError -Djava.security.egd=file:/dev/urandom -Xss16M -Djruby.regexp.interruptible=true -Dls.cgroup.cpuacct.path.override=/ -Dls.cgroup.cpu.path.override=/ -cp /usr/share/logstash/logstash-core/lib/jars/animal-sniffer-annotations-1.14.jar:/usr/share/logstash/logstash-core/lib/jars/commons-codec-1.11.jar:/usr/share/logstash/logstash-core/lib/jars/commons-compiler-3.0.8.jar:/usr/share/logstash/logstash-core/lib/jars/error_prone_annotations-2.0.18.jar:/usr/share/logstash/logstash-core/lib/jars/google-java-format-1.1.jar:/usr/share/logstash/logstash-core/lib/jars/gradle-license-report-0.7.1.jar:/usr/share/logstash/logstash-core/lib/jars/guava-22.0.jar:/usr/share/logstash/logstash-core/lib/jars/j2objc-annotations-1.1.jar:/usr/share/logstash/logstash-core/lib/jars/jackson-annotations-2.9.8.jar:/usr/share/logstash/logstash-core/lib/jars/jackson-core-2.9.8.jar:/usr/share/logstash/logstash-core/lib/jars/jackson-databind-2.9.8.jar:/usr/share/logstash/logstash-core/lib/jars/jackson-dataformat-cbor-2.9.8.jar:/usr/share/logstash/logstash-core/lib/jars/janino-3.0.8.jar:/usr/share/logstash/logstash-core/lib/jars/javassist-3.22.0-GA.jar:/usr/share/logstash/logstash-core/lib/jars/jruby-complete-X.X.X.X.jar:/usr/share/logstash/logstash-core/lib/jars/jsr305-1.3.9.jar:/usr/share/logstash/logstash-core/lib/jars/log4j-api-2.9.1.jar:/usr/share/logstash/logstash-core/lib/jars/log4j-core-2.9.1.jar:/usr/share/logstash/logstash-core/lib/jars/log4j-slf4j-impl-2.9.1.jar:/usr/share/logstash/logstash-core/lib/jars/logstash-core.jar:/usr/share/logstash/logstash-core/lib/jars/org.eclipse.core.commands-3.6.0.jar:/usr/share/logstash/logstash-core/lib/jars/org.eclipse.core.contenttype-3.4.100.jar:/usr/share/logstash/logstash-core/lib/jars/org.eclipse.core.expressions-3.4.300.jar:/usr/share/logstash/logstash-core/lib/jars/org.eclipse.core.filesystem-1.3.100.jar:/usr/share/logstash/logstash-core/lib/jars/org.eclipse.core.jobs-3.5.100.jar:/usr/share/logstash/logstash-core/lib/jars/org.eclipse.core.resources-3.7.100.jar:/usr/share/logstash/logstash-core/lib/jars/org.eclipse.core.runtime-3.7.0.jar:/usr/share/logstash/logstash-core/lib/jars/org.eclipse.equinox.app-1.3.100.jar:/usr/share/logstash/logstash-core/lib/jars/org.eclipse.equinox.common-3.6.0.jar:/usr/share/logstash/logstash-core/lib/jars/org.eclipse.equinox.preferences-3.4.1.jar:/usr/share/logstash/logstash-core/lib/jars/org.eclipse.equinox.registry-3.5.101.jar:/usr/share/logstash/logstash-core/lib/jars/org.eclipse.jdt.core-3.10.0.jar:/usr/share/logstash/logstash-core/lib/jars/org.eclipse.osgi-3.7.1.jar:/usr/share/logstash/logstash-core/lib/jars/org.eclipse.text-3.5.101.jar:/usr/share/logstash/logstash-core/lib/jars/slf4j-api-1.7.25.jar org.logstash.Logstash
 4.1  1.6 /usr/sbin/mysqld
 1.6  0.7 /usr/bin/python /usr/bin/salt-master
 1.5 37.2 /opt/jdk-12.0.1/bin/java -Xms4106m -Xmx4106m -XX:+UseConcMarkSweepGC -XX:CMSInitiatingOccupancyFraction=75 -XX:+UseCMSInitiatingOccupancyOnly -XX:+AlwaysPreTouch -Xss1m -Djava.awt.headless=true -Dfile.encoding=UTF-8 -Djna.nosys=true -XX:-OmitStackTraceInFastThrow -Dio.netty.noUnsafe=true -Dio.netty.noKeySetOptimization=true -Dio.netty.recycler.maxCapacityPerThread=0 -Dlog4j.shutdownHookEnabled=false -Dlog4j2.disable.jmx=true -Djava.io.tmpdir=/tmp/elasticsearch-10150487891609263127 -XX:+HeapDumpOnOutOfMemoryError -Xlog:gc*,gc+age=trace,safepoint:file=logs/gc.log:utctime,pid,tags:filecount=32,filesize=64m -Djava.locale.providers=COMPAT -Des.cgroups.hierarchy.override=/ -Des.path.home=/usr/share/elasticsearch -Des.path.conf=/usr/share/elasticsearch/config -Des.distribution.flavor=oss -Des.distribution.type=docker -cp /usr/share/elasticsearch/lib/* org.elasticsearch.bootstrap.Elasticsearch -Ebootstrap.memory_lock=true -Etransport.host=X.X.X.X -Ehttp.host=X.X.X.X
 1.5  0.7 /usr/bin/python /usr/bin/salt-master
 1.5  0.7 /usr/bin/python /usr/bin/salt-master
 1.5  0.7 /usr/bin/python /usr/bin/salt-master
 1.5  0.7 /usr/bin/python /usr/bin/salt-master
 1.0  0.0 [kworker/u16:1]
 0.7  0.0 [kworker/u16:2]
 0.5  0.0 [kworker/u16:0]
 0.5  0.0 [kworker/u16:4]
 0.4  0.0 /var/ossec/bin/ossec-syscheckd
 0.4  0.1 tclsh /usr/bin/SO-userd -c /etc/nsm/securityonion/SO-userd.conf -a /etc/nsm/securityonion/autocat.conf -g /etc/nsm/securityonion/SO-userd.queries -A /etc/nsm/securityonion/SO-userd.access -C /etc/nsm/securityonion/certs
 0.3  0.0 /var/ossec/bin/ossec-remoted
 0.3  0.4 /usr/bin/python /usr/bin/salt-master
 0.2  0.0 [ksoftirqd/1]
 0.2  0.0 [ksoftirqd/3]
 0.2  0.0 [ksoftirqd/5]
 0.2  0.4 /usr/bin/python /usr/bin/salt-master
 0.1  0.0 [ksoftirqd/0]
 0.1  0.0 [ksoftirqd/2]
 0.1  0.0 [ksoftirqd/4]
 0.1  0.0 [ksoftirqd/6]
 0.1  0.0 [ksoftirqd/7]
 0.1  0.0 [jbd2/sda1-8]
 0.1  0.5 /usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock
 0.1  1.6 /usr/bin/python /opt/domain_stats/domain_stats.py -ip X.X.X.X 20000 -a /opt/domain_stats/top-1m.csv --preload 0
 0.1  0.7 /usr/share/kibana/bin/../node/bin/node --no-warnings --max-http-header-size=65536 /usr/share/kibana/bin/../src/cli --cpu.cgroup.path.override=/ --cpuacct.cgroup.path.override=/ --kibana.defaultAppId=dashboard/94b52620-342a-11e7-9d52-4f090484f59e

 0.0  0.0 /sbin/init splash
 0.0  0.0 [kthreadd]
 0.0  0.0 [kworker/0:0H]
 0.0  0.0 [mm_percpu_wq]
 0.0  0.0 [rcu_sched]

 0.0  0.0 [rcu_bh]
 0.0  0.0 [migration/0]
 0.0  0.0 [watchdog/0]
 0.0  0.0 [cpuhp/0]
 0.0  0.0 [cpuhp/1]
 0.0  0.0 [watchdog/1]
 0.0  0.0 [migration/1]
 0.0  0.0 [kworker/1:0H]

 0.0  0.0 [cpuhp/2]
 0.0  0.0 [watchdog/2]
 0.0  0.0 [migration/2]
 0.0  0.0 [kworker/2:0H]

 0.0  0.0 [cpuhp/3]
 0.0  0.0 [watchdog/3]
 0.0  0.0 [migration/3]
 0.0  0.0 [kworker/3:0H]

 0.0  0.0 [cpuhp/4]
 0.0  0.0 [watchdog/4]
 0.0  0.0 [migration/4]
 0.0  0.0 [kworker/4:0H]

 0.0  0.0 [cpuhp/5]
 0.0  0.0 [watchdog/5]
 0.0  0.0 [migration/5]
 0.0  0.0 [kworker/5:0H]

 0.0  0.0 [cpuhp/6]
 0.0  0.0 [watchdog/6]
 0.0  0.0 [migration/6]
 0.0  0.0 [kworker/6:0H]

 0.0  0.0 [cpuhp/7]
 0.0  0.0 [watchdog/7]
 0.0  0.0 [migration/7]
 0.0  0.0 [kworker/7:0H]
 0.0  0.0 [kworker/1:1H]

 0.0  0.0 [scsi_eh_2]
 0.0  0.0 [scsi_tmf_2]
 0.0  0.0 [ttm_swap]
 0.0  0.0 [irq/16-vmwgfx]
 0.0  0.0 [kworker/2:1H]
 0.0  0.0 [kworker/6:1H]
 0.0  0.0 [kworker/3:1H]
 0.0  0.0 [raid5wq]
 0.0  0.0 [kworker/5:1H]
 0.0  0.0 [kworker/7:1H]
 0.0  0.0 [kworker/4:1H]
 0.0  0.0 [kworker/0:1H]

 0.0  0.0 [ext4-rsv-conver]
 0.0  0.0 /lib/systemd/systemd-journald
 0.0  0.0 [iscsi_eh]
 0.0  0.0 /sbin/lvmetad -f

 0.0  0.0 [ib-comp-wq]
 0.0  0.0 [ib_mcast]
 0.0  0.0 [ib_nl_sa_wq]
 0.0  0.0 [rdma_cm]
 0.0  0.0 /usr/bin/vmtoolsd
 0.0  0.0 /lib/systemd/systemd-udevd
 0.0  0.0 ps -eo pcpu,pmem,args --sort -pcpu
 0.0  0.0 /lib/systemd/systemd-logind
 0.0  0.0 /usr/lib/accountsservice/accounts-daemon
 0.0  0.0 /usr/sbin/atd -f
 0.0  0.0 /usr/bin/VGAuthService
 0.0  0.1 /usr/sbin/syslog-ng -F
 0.0  0.0 /usr/sbin/acpid
 0.0  0.0 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation
 0.0  0.0 sshd: SO-user [priv]
 0.0  0.0 sshd: SO-user
 0.0  0.0 /usr/sbin/cron -f
 0.0  0.0 /usr/sbin/NetworkManager --no-daemon
 0.0  0.0 /sbin/mdadm --monitor --pid-file /run/mdadm/monitor.pid --daemonise --scan --syslog
 0.0  0.0 /usr/lib/policykit-1/polkitd --no-debug
 0.0  0.1 /usr/bin/python3 /usr/share/unattended-upgrades/unattended-upgrade-shutdown --wait-for-signal
 0.0  0.3 /usr/bin/python /usr/bin/salt-master
 0.0  0.3 /usr/bin/python /usr/bin/salt-minion

 0.0  0.2 /usr/bin/containerd
 0.0  0.0 /usr/sbin/sshd -D
 0.0  0.0 sshd: SO-user [priv]

 0.0  0.0 sshd: SO-user [priv]
 0.0  0.0 sshd: SO-user [priv]
 0.0  0.0 /sbin/iscsid

 0.0  0.0 /sbin/iscsid
 0.0  0.0 sshd: SO-user [priv]
 0.0  0.0 sshd: SO-user [priv]
 0.0  0.0 [kworker/0:2]
 0.0  0.0 /usr/sbin/lightdm
 0.0  0.0 /usr/sbin/irqbalance --pid=/var/run/irqbalance.pid

 0.0  0.0 sshd: SO-user [priv]
 0.0  0.0 sshd: SO-user [priv]
 0.0  0.0 sshd: SO-user [priv]
 0.0  0.0 /usr/sbin/ntpd -p /var/run/ntpd.pid -g -u 111:118
 0.0  0.0 sshd: SO-user [priv]
 0.0  0.0 /usr/sbin/xrdp

 0.0  0.1 php-fpm: master process (/etc/php/7.0/fpm/php-fpm.conf)
 0.0  0.0 php-fpm: pool www
 0.0  0.0 php-fpm: pool www
 0.0  0.2 /usr/lib/xorg/Xorg -core :0 -seat seat0 -auth /var/run/lightdm/root/:0 -nolisten tcp vt7 -novtswitch
 0.0  0.0 /sbin/agetty --noclear tty1 linux
 0.0  0.0 /usr/sbin/xrdp-sesman

 0.0  0.0 /lib/systemd/systemd --user
 0.0  0.0 (sd-pam)
 0.0  0.0 sshd: SO-user [priv]
 0.0  0.0 /usr/sbin/xinetd -pidfile /run/xinetd.pid -stayalive -inetd_compat -inetd_ipv6
 0.0  0.0 sshd: SO-user

 0.0  0.0 sshd: SO-user
 0.0  0.0 sshd: SO-user
 0.0  0.0 sshd: SO-user
 0.0  0.0 sshd: SO-user
 0.0  0.0 sshd: SO-user
 0.0  0.0 sshd: SO-user
 0.0  0.0 sshd: SO-user
 0.0  0.0 sshd: SO-user
 0.0  0.0 sshd: SO-user
 0.0  0.1 /usr/sbin/apache2 -k start

 0.0  0.0 sshd: SO-user [priv]
 0.0  0.0 sshd: SO-user [priv]
 0.0  0.0 sshd: SO-user [priv]

 0.0  0.0 sshd: SO-user
 0.0  0.0 sshd: SO-user
 0.0  0.0 sshd: SO-user [priv]
 0.0  0.0 sshd: SO-user
 0.0  0.0 lightdm --session-child 16 19

 0.0  0.0 /lib/systemd/systemd --user
 0.0  0.0 (sd-pam)
 0.0  0.0 /bin/sh /usr/lib/lightdm/lightdm-greeter-session /usr/sbin/lightdm-gtk-greeter

 0.0  0.0 sshd: SO-user [priv]
 0.0  0.0 sshd: SO-user
 0.0  0.0 sshd: SO-user@pts/0

 0.0  0.0 /usr/bin/dbus-daemon --fork --print-pid 5 --print-address 7 --session
 0.0  0.0 -bash
 0.0  0.3 /usr/sbin/lightdm-gtk-greeter
 0.0  0.0 /usr/lib/at-spi2-core/at-spi-bus-launcher --launch-immediately

 0.0  0.0 /usr/bin/dbus-daemon --config-file=/etc/at-spi2/accessibility.conf --nofork --print-address 3
 0.0  0.0 /usr/lib/at-spi2-core/at-spi2-registryd --use-gnome-session
 0.0  0.0 sudo su
 0.0  0.0 /usr/lib/gvfs/gvfsd
 0.0  0.0 su
 0.0  0.0 bash
 0.0  0.0 lightdm --session-child 12 19
 0.0  0.0 sshd: SO-user [priv]

 0.0  0.0 sshd: SO-user
 0.0  0.0 /var/ossec/bin/ossec-authd
 0.0  0.0 /var/ossec/bin/wazuh-db
 0.0  0.0 /var/ossec/bin/ossec-execd
 0.0  0.1 /var/ossec/bin/ossec-analysisd
 0.0  0.0 /var/ossec/bin/ossec-logcollector
 0.0  0.0 /var/ossec/bin/ossec-monitord
 0.0  0.0 /var/ossec/bin/wazuh-modulesd
 0.0  0.0 [kworker/6:2]

 0.0  0.0 sshd: SO-user [priv]
 0.0  0.0 sshd: SO-user
 0.0  0.4 /usr/bin/python /usr/bin/salt-minion

 0.0  0.0 sshd: SO-user [priv]
 0.0  0.0 sshd: SO-user
 0.0  0.0 sshd: SO-user [priv]
 0.0  0.0 sshd: SO-user [priv]

 0.0  0.0 sshd: SO-user [priv]
 0.0  0.0 sshd: SO-user
 0.0  0.0 sshd: SO-user
 0.0  0.0 sshd: SO-user
 0.0  0.0 /usr/bin/docker-proxy -proto tcp -host-ip X.X.X.X -host-port 20000 -container-ip X.X.X.X -container-port 20000
 0.0  0.0 containerd-shim -namespace moby -workdir /var/lib/containerd/io.containerd.runtime.v1.linux/moby/8fd70d2a7b0ea53913b5d5bea077ae34c4d0e9b55835b2816a45f9e0d2bef21f -address /run/containerd/containerd.sock -containerd-binary /usr/bin/containerd -runtime-root /var/run/docker/runtime-runc
 0.0  0.0 /usr/bin/docker-proxy -proto tcp -host-ip X.X.X.X -host-port 9300 -container-ip X.X.X.X -container-port 9300

 0.0  0.0 /usr/bin/docker-proxy -proto tcp -host-ip X.X.X.X -host-port 9200 -container-ip X.X.X.X -container-port 9200
 0.0  0.0 containerd-shim -namespace moby -workdir /var/lib/containerd/io.containerd.runtime.v1.linux/moby/eaa1ce9fa4d33a72a6e8f34c7988dc3b6771f9d5f3b8158d708efc4acfd72775 -address /run/containerd/containerd.sock -containerd-binary /usr/bin/containerd -runtime-root /var/run/docker/runtime-runc

 0.0  0.0 sshd: SO-user [priv]
 0.0  0.0 [kworker/3:0]
 0.0  0.3 /usr/bin/python /usr/bin/salt-master
 0.0  0.3 /usr/bin/python /usr/bin/salt-master
 0.0  0.3 /usr/bin/python /usr/bin/salt-master
 0.0  0.0 sshd: SO-user [priv]
 0.0  0.0 sshd: SO-user
 0.0  0.0 sshd: SO-user@pts/1
 0.0  0.0 -bash
 0.0  0.0 sudo su

 0.0  0.0 su
 0.0  0.0 bash
 0.0  0.0 sshd: SO-user [priv]
 0.0  0.0 sshd: SO-user
 0.0  0.0 [kworker/1:1]
 0.0  0.0 [kworker/0:0]

 0.0  0.0 sshd: SO-user [priv]
 0.0  0.0 sshd: SO-user
 0.0  0.0 [kworker/4:2]
 0.0  0.0 containerd-shim -namespace moby -workdir /var/lib/containerd/io.containerd.runtime.v1.linux/moby/c006146fee3d9e9edd5d718c0e8f8776ed981500e5991c48aaf517784fdbe1d2 -address /run/containerd/containerd.sock -containerd-binary /usr/bin/containerd -runtime-root /var/run/docker/runtime-runc
 0.0  0.0 /bin/bash
 0.0  0.0 containerd-shim -namespace moby -workdir /var/lib/containerd/io.containerd.runtime.v1.linux/moby/0de65e15840591533338363f7696ba041a1f266b0c8341d813581421a285c256 -address /run/containerd/containerd.sock -containerd-binary /usr/bin/containerd -runtime-root /var/run/docker/runtime-runc

 0.0  0.1 /usr/bin/python /usr/bin/supervisord -c /etc/elastalert/conf/elastalert_supervisord.conf -n
 0.0  0.3 python -m elastalert.elastalert --config /etc/elastalert/conf/elastalert_config.yaml --verbose
 0.0  0.0 [kworker/2:0]
 0.0  0.0 less logstash-2019-09-03.log

 0.0  0.1 /usr/sbin/apache2 -k start
 0.0  0.1 /usr/sbin/apache2 -k start
 0.0  0.1 /usr/sbin/apache2 -k start
 0.0  0.1 /usr/sbin/apache2 -k start
 0.0  0.1 /usr/sbin/apache2 -k start
 0.0  0.0 /usr/bin/docker-proxy -proto tcp -host-ip X.X.X.X -host-port 5601 -container-ip X.X.X.X -container-port 5601
 0.0  0.0 containerd-shim -namespace moby -workdir /var/lib/containerd/io.containerd.runtime.v1.linux/moby/7f109c7b692c7f949eac02846a74ed132a0c4d59c38b5f89c788f761fcc923f4 -address /run/containerd/containerd.sock -containerd-binary /usr/bin/containerd -runtime-root /var/run/docker/runtime-runc
 0.0  0.1 /usr/sbin/apache2 -k start

 0.0  0.1 /usr/sbin/apache2 -k start
 0.0  0.1 /usr/sbin/apache2 -k start
 0.0  0.1 /usr/sbin/apache2 -k start
 0.0  0.1 /usr/sbin/apache2 -k start
 0.0  0.0 [kworker/1:0]

 0.0  0.0 sshd: SO-user [priv]
 0.0  0.0 sshd: SO-user@pts/2

 0.0  0.0 -bash
 0.0  0.0 sudo su
 0.0  0.0 su
 0.0  0.0 bash
 0.0  0.0 [kworker/u16:3]
 0.0  0.0 [kworker/7:1]
 0.0  0.0 [kworker/4:1]
 0.0  0.0 [kworker/3:2]
 0.0  0.0 [kworker/6:0]
 0.0  0.0 [kworker/5:1]

 0.0  0.0 sshd: SO-user [priv]
 0.0  0.0 su - SO-user -- /usr/bin/SO-userd -c /etc/nsm/securityonion/SO-userd.conf -a /etc/nsm/securityonion/autocat.conf -g /etc/nsm/securityonion/SO-userd.queries -A /etc/nsm/securityonion/SO-userd.access -C /etc/nsm/securityonion/certs
 0.0  0.0 tclsh /usr/bin/SO-userd -c /etc/nsm/securityonion/SO-userd.conf -a /etc/nsm/securityonion/autocat.conf -g /etc/nsm/securityonion/SO-userd.queries -A /etc/nsm/securityonion/SO-userd.access -C /etc/nsm/securityonion/certs
 0.0  0.0 tclsh /usr/bin/SO-userd -c /etc/nsm/securityonion/SO-userd.conf -a /etc/nsm/securityonion/autocat.conf -g /etc/nsm/securityonion/SO-userd.queries -A /etc/nsm/securityonion/SO-userd.access -C /etc/nsm/securityonion/certs
 0.0  0.0 sshd: SO-user@pts/3
 0.0  0.0 -bash
 0.0  0.0 [kworker/5:0]

 0.0  0.0 sshd: SO-user [priv]
 0.0  0.0 sshd: SO-user
 0.0  0.0 su - SO-user -- /usr/bin/ossec_agent.tcl -o -f /var/ossec/logs/alerts/alerts.log -i X.X.X.X -p 5 -c /etc/nsm/ossec/ossec_agent.conf

 0.0  0.0 /lib/systemd/systemd --user
 0.0  0.0 (sd-pam)
 0.0  0.0 tclsh /usr/bin/ossec_agent.tcl -o -f /var/ossec/logs/alerts/alerts.log -i X.X.X.X -p 5 -c /etc/nsm/ossec/ossec_agent.conf
 0.0  0.0 tail -n 0 -F /var/ossec/logs/alerts/alerts.log
 0.0  0.0 [kworker/2:2]
 0.0  0.0 [kworker/7:2]
 0.0  0.0 [kworker/4:0]
 0.0  0.0 /usr/bin/docker-proxy -proto tcp -host-ip X.X.X.X -host-port 9600 -container-ip X.X.X.X -container-port 9600
 0.0  0.0 /usr/bin/docker-proxy -proto tcp -host-ip X.X.X.X -host-port 6053 -container-ip X.X.X.X -container-port 6053
 0.0  0.0 /usr/bin/docker-proxy -proto tcp -host-ip X.X.X.X -host-port 6052 -container-ip X.X.X.X -container-port 6052
 0.0  0.0 /usr/bin/docker-proxy -proto tcp -host-ip X.X.X.X -host-port 6051 -container-ip X.X.X.X -container-port 6051
 0.0  0.0 /usr/bin/docker-proxy -proto tcp -host-ip X.X.X.X -host-port 6050 -container-ip X.X.X.X -container-port 6050
 0.0  0.0 /usr/bin/docker-proxy -proto tcp -host-ip X.X.X.X -host-port 5044 -container-ip X.X.X.X -container-port 5044
 0.0  0.0 containerd-shim -namespace moby -workdir /var/lib/containerd/io.containerd.runtime.v1.linux/moby/4e12f64737b09bf3b70bda4aab711daf95e6844ed4654c6974e046a69134aaaf -address /run/containerd/containerd.sock -containerd-binary /usr/bin/containerd -runtime-root /var/run/docker/runtime-runc
 0.0  0.0 /bin/bash /usr/sbin/sostat-redacted
 0.0  0.0 /bin/bash /usr/sbin/sostat


=========================================================================
Sguil Uncategorized Events
=========================================================================
COUNT(*)
1557


=========================================================================
Sguil events summary for yesterday
=========================================================================
Totals  GenID:SigID     Signature
391117  129:20  stream5: TCP session without 3-way handshake
11      1:1000169       Stega Sensor Heartbeat
Total
391128


=========================================================================
Top 50 All time Sguil Events
=========================================================================
Totals  GenID:SigID     Signature
1264085 129:20  stream5: TCP session without 3-way handshake
778     140:20  sip: Invite replay attack
165     1:2014734       ET P2P BitTorrent - Torrent File Downloaded
130     1:2011706       ET P2P Bittorrent P2P Client User-Agent (uTorrent)
88      1:1000169       Stega Sensor Heartbeat
79      1:2013926       ET POLICY HTTP traffic on port 443 (POST)
53      1:2027203       ET POLICY Possible Powershell .ps1 Script Use Over SMB
53      1:2027171       ET POLICY Powershell Command With Execution Bypass Argument Over SMB - Likely Lateral Movement
38      123:3   frag3: Short fragment, possible DoS attempt
32      1:2012647       ET POLICY Dropbox.com Offsite File Backup in Use
23      1:2024764       ET INFO Suspicious Darkwave Popads Pop Under Redirect
16      120:24  http_inspect: PARTIAL DECOMPRESSION FAILURE IN HTTP RESPONSE BODY
14      1:2016777       ET INFO HTTP Request to a *.pw domain
14      1:2016538       ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
14      1:2019401       ET POLICY Vulnerable Java Version 1.8.x Detected
13      1:2006380       ET POLICY Outgoing Basic Auth Base64 HTTP Password detected unencrypted
11      1:2024930       ET WEB_SERVER 401TRG Generic Webshell Request - POST with wget in body
11      1:2016683       ET WEB_SERVER WebShell Generic - wget http - POST
9       1:2016778       ET DNS Query to a *.pw domain - Likely Hostile
9       133:31  dcerpc2: Connection-oriented DCE/RPC - Remaining fragment length less than size needed
8       1:2013927       ET POLICY HTTP traffic on port 443 (HEAD)
8       120:19  http_inspect: MULTIPLE CONTENT LENGTH IN HTTP RESPONSE
8       140:26  sip: The method is unknown
7       1:2023753       ET SCAN MS Terminal Server Traffic on Non-standard Port
5       1:2012087       ET SHELLCODE Possible Call with No Offset UDP Shellcode
5       1:2013031       ET POLICY Python-urllib/ Suspicious User Agent
5       1:2014919       ET POLICY Microsoft Online Storage Client Hello TLSv1 Possible SkyDrive (1)
5       1:2027671       ET POLICY Cloudflare DNS Over HTTPS Certificate Inbound
5       133:32  dcerpc2: Connection-oriented DCE/RPC - No context items specified
4       1:2018372       ET EXPLOIT Malformed HeartBeat Request
4       1:2014920       ET POLICY Microsoft Online Storage Client Hello TLSv1 Possible SkyDrive (2)
4       1:2011800       ET POLICY Abnormal User-Agent No space after colon - Likely Hostile
3       133:27  dcerpc2: Connection-oriented DCE/RPC - Invalid major version
3       1:2008986       ET POLICY IP Check Domain (whatismyip in HTTP Host)
3       1:43909 FILE-IMAGE Adobe Acrobat Reader JPEG 2000 tile memory corruption attempt
3       1:2027695       ET POLICY Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)
3       1:2027205       ET POLICY Possible WMI .mof Managed Object File Use Over SMB
3       3:13802 OS-WINDOWS Microsoft malware protection engine denial of service attempt
3       120:26  http_inspect: JUNK LINE BEFORE HTTP RESPONSE HEADER
3       1:2011507       ET POLICY PDF With Embedded File
2       1:2000328       ET POLICY Outbound Multiple Non-SMTP Server Emails
2       123:4   frag3: Fragment packet ends after defragmented packet
2       1:2404524       ET CNC Ransomware Tracker Reported CnC Server TCP group 63
2       140:24  sip: SIP version other than 2.0, 1.0, and 1.1 are invalid
2       1:2014170       ET POLICY HTTP Request to .su TLD (Soviet Union) Often Malware Related
2       1:2012811       ET DNS Query to a .tk domain - Likely Hostile
2       1:2014756       ET POLICY Logmein.com/Join.me SSL Remote Control Access
2       1:2012887       ET POLICY Http Client Body contains pass= in cleartext
2       1:2027871       ET INFO Observed DNS Query to .fit TLD
2       1:37078 SERVER-WEBAPP Joomla JDatabaseDriverMysqli unserialize code execution attempt
Total
1265759

=========================================================================
Last update
=========================================================================

Commandline: apt-get -y dist-upgrade
Requested-By: SO-user (1000)
Upgrade: securityonion-bro-scripts:amd64 (20121004-0ubuntu0securityonion72, 20121004-0ubuntu0securityonion73), securityonion-bro-afpacket:amd64 (1.3.0-1ubuntu1securityonion12, 1.3.0-1ubuntu1securityonion13), securityonion-bro:amd64 (2.6.3-1ubuntu1securityonion1, 2.6.4-1ubuntu1securityonion1)
End-Date: 2019-09-04  09:53:14

Start-Date: 2019-09-04  22:15:45

Commandline: apt-get -y dist-upgrade
Requested-By: SO-user (1000)
Upgrade: uuid-runtime:amd64 (2.27.1-6ubuntu3.7, 2.27.1-6ubuntu3.8), libfdisk1:amd64 (2.27.1-6ubuntu3.7, 2.27.1-6ubuntu3.8), libmount1:amd64 (2.27.1-6ubuntu3.7, 2.27.1-6ubuntu3.8), util-linux:amd64 (2.27.1-6ubuntu3.7, 2.27.1-6ubuntu3.8), mount:amd64 (2.27.1-6ubuntu3.7, 2.27.1-6ubuntu3.8), libblkid1:amd64 (2.27.1-6ubuntu3.7, 2.27.1-6ubuntu3.8), libuuid1:amd64 (2.27.1-6ubuntu3.7, 2.27.1-6ubuntu3.8), libsmartcols1:amd64 (2.27.1-6ubuntu3.7, 2.27.1-6ubuntu3.8), bsdutils:amd64 (1:2.27.1-6ubuntu3.7, 1:2.27.1-6ubuntu3.8)
End-Date: 2019-09-04  22:15:56



=========================================================================
Elasticsearch
=========================================================================

Elasticsearch is running.

Cluster Name: "uk-pro-son-01"
Cluster Status: "green"
Total Nodes: 1
Failed Nodes: 0
Total Indices: 29
Total Shards: 45
Total Documents: 352817249
Total Size: 408393MB
Free Memory: 6%
Total Number of Events: 352817249

Avg. Event Size (In Bytes): 1157

CONTAINER ID        NAME                CPU %               MEM USAGE / LIMIT     MEM %               NET I/O             BLOCK I/O           PIDS
eaa1ce9fa4d3        so-elasticsearch    1.25%               4.972GiB / 15.66GiB   31.74%              12.5MB / 421MB      3.34GB / 42.4MB     101


=========================================================================
Logstash
=========================================================================

Logstash is running.


CONTAINER ID        NAME                CPU %               MEM USAGE / LIMIT     MEM %               NET I/O             BLOCK I/O           PIDS
4e12f64737b0        so-logstash         107.61%             1.619GiB / 15.66GiB   10.33%              48.5kB / 1.37MB     0B / 24.1MB         115

Logstash Queue Stats:

Queue Type: memory
Queue settings can be modified in /etc/logstash/logstash.yml.

Event Summary (since restart):

Events In: 10
Events Out: 0



=========================================================================
Kibana
=========================================================================

Kibana is running.


CONTAINER ID        NAME                CPU %               MEM USAGE / LIMIT     MEM %               NET I/O             BLOCK I/O           PIDS
7f109c7b692c        so-kibana           0.19%               115.3MiB / 15.66GiB   0.72%               3.19MB / 3.87MB     8.25MB / 16.4kB     11



=========================================================================
ElastAlert
=========================================================================

ElastAlert is running.

CONTAINER ID        NAME                CPU %               MEM USAGE / LIMIT    MEM %               NET I/O             BLOCK I/O           PIDS
0de65e158405        so-elastalert       0.02%               62.5MiB / 15.66GiB   0.39%               2.86MB / 3.7MB      33.5MB / 24.6kB     2



=========================================================================
Curator
=========================================================================

Curator is running.

CONTAINER ID        NAME                CPU %               MEM USAGE / LIMIT     MEM %               NET I/O             BLOCK I/O           PIDS
c006146fee3d        so-curator          50.19%              8.336MiB / 15.66GiB   0.05%               414MB / 3.19MB      10.7MB / 0B         1



=========================================================================
Version Information
=========================================================================

Ubuntu 16.04.6 LTS
securityonion-sostat 20120722-0ubuntu0securityonion129
