A few weeks ago I upgraded my Security Onion machine according to this guide:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Upgrading-from-12.04-to-14.04
Since then the syslog-ng alerts are not working, although I did exactly what the guide says:
"IMPORTANT! If you receive a prompt regarding syslog-ng.conf, press N to keep your currently-installed version."
How can I fix it?
Thanks,
Guy
Guy,
Try comparing /etc/syslog-ng/syslog-ng.conf with securityonion-syslog-ng.conf from /opt/elsa/contrib/securityonion/contrib/.
If they are different, replace /etc/syslog-ng/syslog-ng.conf with securityonion-syslog-ng.conf from /opt/elsa/contrib/securityonion/contrib/.
Then restart syslog-ng:
sudo service syslog-ng restart
You may need to restart NSM services as well for good measure:
sudo service nsm restart
Also see:
https://groups.google.com/d/msg/security-onion/-z38LqYP8xs/ozdejh_0BgAJ
If that doesn't work, please provide the output of sostat-redacted:
https://github.com/Security-Onion-Solutions/security-onion/wiki/MailingLists#include-sostat-redacted-output
Thanks,
Wes
Hi Wes,
The files are different; however, /etc/syslog-ng/syslog-ng.conf is the configuration I need.
Thanks,
Guy
Guy,
It may not necessarily be the file, but please do the following:
Please perform a "diff" on the two files and attach the output of sostat-redacted.
Thanks,
Wes
You received this message because you are subscribed to the Google Groups "security-onion" group.
Guy,
From your sostat, it looks like you have a large number of buffers in the queue. I would look through the provided guidance:
ELSA Buffers in Queue:
276
If this number is consistently higher than 20, please see:
https://github.com/Security-Onion-Solutions/security-onion/wiki/FAQ#why-does-sostat-show-a-high-number-of-elsa-buffers-in-queue
You could also try the following:
-Rename the binlong* files in the /var/lib/sphinxsearch/data/ folder and restart sphinxsearch (sudo service sphinxsearch restart) and/or reboot.
I would also perform a mysqlcheck to be safe:
sudo mysqlcheck -A (may take a while, depending on size of DBs)
Thanks,
Wes
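An added example, not code from this thread or from Security Onion, that scripts the two checks Wes describes above: diff the live syslog-ng.conf against the Security Onion copy, and count the files in the ELSA buffer directory against the 20-buffer threshold quoted from the FAQ. The paths default to the ones named in the thread; the function names, and using a file count as a stand-in for the "ELSA Buffers in Queue" figure sostat reports, are assumptions.

```shell
#!/bin/sh
# Added example (assumed helper, not Security Onion's own tooling).
# Paths are the ones named in the thread; override via environment if needed.
LIVE_CONF="${LIVE_CONF:-/etc/syslog-ng/syslog-ng.conf}"
SO_CONF="${SO_CONF:-/opt/elsa/contrib/securityonion/contrib/securityonion-syslog-ng.conf}"
BUFFER_DIR="${BUFFER_DIR:-/nsm/elsa/data/elsa/tmp/buffers}"
BUFFER_LIMIT=20   # threshold quoted in the thread's FAQ guidance

# conf_differs LIVE SO -> prints 0 if identical, 1 if they differ,
# 2 if either file is missing or unreadable
conf_differs() {
    [ -r "$1" ] && [ -r "$2" ] || { echo 2; return; }
    if diff -q "$1" "$2" >/dev/null 2>&1; then echo 0; else echo 1; fi
}

# count_buffers DIR -> number of regular files waiting in the buffer directory
# (assumed to approximate the sostat "ELSA Buffers in Queue" figure)
count_buffers() {
    [ -d "$1" ] || { echo 0; return; }
    find "$1" -maxdepth 1 -type f | wc -l | tr -d ' '
}

# buffers_backlogged COUNT LIMIT -> succeeds when COUNT exceeds LIMIT
buffers_backlogged() {
    [ "$1" -gt "$2" ]
}

# check_elsa_ingest -> human-readable summary of both checks
check_elsa_ingest() {
    case "$(conf_differs "$LIVE_CONF" "$SO_CONF")" in
        0) echo "syslog-ng.conf matches the Security Onion copy" ;;
        1) echo "syslog-ng.conf differs; review with: diff $LIVE_CONF $SO_CONF" ;;
        *) echo "a config file is missing or unreadable ($LIVE_CONF, $SO_CONF)" ;;
    esac
    n=$(count_buffers "$BUFFER_DIR")
    if buffers_backlogged "$n" "$BUFFER_LIMIT"; then
        echo "ELSA buffers in queue: $n (above $BUFFER_LIMIT, see the FAQ entry on buffers)"
    else
        echo "ELSA buffers in queue: $n"
    fi
}

check_elsa_ingest
```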
Hi Wes,
Should these steps help with the syslog problem?
Guy
Yes, please try them :)
Guy,
It looks like Sphinx is now running appropriately. It also looks like the number of buffers has dropped since your last email (albeit a little bit). If you don't necessarily need the data, you could try removing the buffers from /nsm/elsa/data/elsa/tmp/buffers/ and see how the buffers grow from there.
From your sostat, it appears your index range is increasing as it is supposed to.
Have you tried checking ELSA to see if you are receiving logs as expected?
Thanks,
Wes