After Upgrade syslog-ng is not working


ggi...@gmail.com

Jun 7, 2016, 4:31:52 AM
to security-onion
Hello,

A few weeks ago I upgraded my Security Onion machine according to this guide:

https://github.com/Security-Onion-Solutions/security-onion/wiki/Upgrading-from-12.04-to-14.04

Since then the syslog-ng alerts are not working, although I did exactly what the guide says:

"IMPORTANT! If you receive a prompt regarding syslog-ng.conf, press N to keep your currently-installed version."

How can I fix it?

Thanks,
Guy

Wes

Jun 7, 2016, 6:52:10 AM
to security-onion

Guy,

Try comparing /etc/syslog-ng/syslog-ng.conf with securityonion-syslog-ng.conf from /opt/elsa/contrib/securityonion/contrib/.

If they are different, replace /etc/syslog-ng/syslog-ng.conf with securityonion-syslog-ng.conf from /opt/elsa/contrib/securityonion/contrib/.


Then restart syslog-ng:

sudo service syslog-ng restart


You may need to restart NSM services as well for good measure:

sudo service nsm restart


Also see:
https://groups.google.com/d/msg/security-onion/-z38LqYP8xs/ozdejh_0BgAJ

If that doesn't work, please provide the output of sostat-redacted:
https://github.com/Security-Onion-Solutions/security-onion/wiki/MailingLists#include-sostat-redacted-output

Thanks,
Wes
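
The compare-and-replace step Wes describes above, written as a small POSIX shell function. This is an added example, not code from the thread or from the Security Onion project. It assumes the reference copy lives at the ELSA contrib path Wes names, and it takes a timestamped backup before overwriting so any local edits in the installed file are not lost; the restart command is passed in as an argument rather than hard-coded.

```shell
#!/bin/sh
# Added example (not from the thread or the Security Onion project): compare
# the installed syslog-ng.conf with the Security Onion reference copy and, only
# if they differ, back up the installed file and replace it.
# Assumption: the reference file exists at the ELSA contrib path on this box.

# sync_conf INSTALLED REFERENCE [RESTART_CMD]
# Prints "unchanged" if the files are identical, "replaced" after copying.
sync_conf() {
    installed="$1"
    reference="$2"
    restart="${3:-}"

    [ -f "$reference" ] || { echo "reference $reference missing" >&2; return 2; }

    if [ -f "$installed" ] && cmp -s "$installed" "$reference"; then
        echo "unchanged"
        return 0
    fi

    # Show what is about to change so the replacement is auditable.
    [ -f "$installed" ] && diff -u "$installed" "$reference" || true

    # Keep a timestamped backup of the installed file before overwriting it.
    if [ -f "$installed" ]; then
        cp -p "$installed" "$installed.bak.$(date +%Y%m%d%H%M%S)"
    fi
    cp "$reference" "$installed"
    echo "replaced"

    # Restart only when a command was given, e.g. "service syslog-ng restart".
    [ -n "$restart" ] && $restart
    return 0
}

# Real run on a sensor (as root):
# sync_conf /etc/syslog-ng/syslog-ng.conf \
#     /opt/elsa/contrib/securityonion/contrib/securityonion-syslog-ng.conf \
#     "service syslog-ng restart"
```

The diff is printed before anything is overwritten, which is the part worth reading first: if the only differences are deliberate local changes (as Guy reports later in the thread), the replacement is not the fix and the backup lets you put the original back.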

ggi...@gmail.com

Jun 7, 2016, 7:41:03 AM
to security-onion

Hi Wes,

The files are different; however, /etc/syslog-ng/syslog-ng.conf is the configuration I need.

Thanks,
Guy

Wes Lambert

Jun 7, 2016, 8:14:24 AM
to securit...@googlegroups.com

Guy,

It may not necessarily be the file, but please do the following:

Please perform a "diff" on the two files and attach the output of sostat-redacted.

Thanks,
Wes

--
Follow Security Onion on Twitter!
https://twitter.com/securityonion
---
You received this message because you are subscribed to the Google Groups "security-onion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to security-onio...@googlegroups.com.
To post to this group, send email to securit...@googlegroups.com.
Visit this group at https://groups.google.com/group/security-onion.
For more options, visit https://groups.google.com/d/optout.

ggi...@gmail.com

Jun 7, 2016, 8:34:22 AM
to security-onion

Hi Wes,

I attached the files:

sostat_7_6
dif_syslog

Wes

Jun 7, 2016, 8:55:50 AM
to security-onion

Guy,

From your sostat, it looks like you have a large number of buffers in the queue. I would look through the provided guidance:

ELSA Buffers in Queue:
276
If this number is consistently higher than 20, please see:
https://github.com/Security-Onion-Solutions/security-onion/wiki/FAQ#why-does-sostat-show-a-high-number-of-elsa-buffers-in-queue

You could also try the following:

-Rename the binlong* files in /var/lib/sphinxsearch/data/ folder and restart sphinxsearch (sudo service sphinxsearch restart) and/or reboot.

I would also perform a mysqlcheck to be safe:

sudo mysqlcheck -A (may take a while, depending on size of DBs)

Thanks,
Wes

ggi...@gmail.com

Jun 7, 2016, 9:03:56 AM
to security-onion

Hi Wes,

Should these steps help with the syslog problem?

Guy

Wes Lambert

Jun 7, 2016, 9:04:47 AM
to securit...@googlegroups.com

Yes, please try them :)

ggi...@gmail.com

Jun 7, 2016, 10:10:30 AM
to security-onion
No luck... still not working.

Guy

Wes

Jun 7, 2016, 10:40:31 AM
to security-onion
Were you able to get your ELSA buffers to an acceptable level?

Is sphinxsearch listening/operating appropriately?

Please provide updated sostat-redacted information.

Thanks,
Wes

ggi...@gmail.com

Jun 8, 2016, 1:53:15 AM
to security-onion
Hi Wes,

The status for the moment:

1. "grep syslogs_archive_1 /nsm/elsa/data/elsa/log/node.log" returns no error.

2. ELSA Buffers in Queue: 254

3. searchd 2026 sphinxsearch 7u IPv4 16412 0t0 TCP *:9306 (LISTEN)
searchd 2026 sphinxsearch 8u IPv4 16413 0t0 TCP *:9312 (LISTEN)

thanks,
Guy

Wes

Jun 8, 2016, 7:30:29 AM
to security-onion
Guy,

Try looking through the logs (web, node, searchd, etc.) in /nsm/elsa/data/elsa/log/ for any clues.

Also, please include the full output of sostat-redacted in your response.

Thanks,
Wes

ggi...@gmail.com

Jun 8, 2016, 8:07:08 AM
to security-onion
Hi Wes,

Unfortunately, no clues in the logs.

Attached is the updated sostat file.

Thanks,
Guy
sostat8-6-16

Wes Lambert

Jun 8, 2016, 9:21:21 AM
to securit...@googlegroups.com

Guy,

It looks like Sphinx is now running appropriately. It also looks like the number of buffers has dropped since your last email (albeit a little bit). If you don't necessarily need the data, you could try removing the buffers from /nsm/elsa/data/elsa/tmp/buffers/ and see how the buffers grow from there.

From your sostat, it appears your index range is increasing as it is supposed to.

Have you tried checking ELSA to see if you are receiving logs as expected?

Thanks,
Wes

ggi...@gmail.com

Jun 8, 2016, 9:43:27 AM
to security-onion
Hi Wes,

Yes, ELSA works fine. I checked /etc/syslog-ng/syslog-ng.conf again; everything looks well configured, but still no events go out on port 514.

I tried disabling ufw - no success.
Is there any external tool to install for syslog forwarding?

P.S. No actual events are recorded in the Sguil log file.

Thanks,
Guy

Wes

Jun 9, 2016, 7:10:59 AM
to security-onion
Guy,

I would first try to resolve the issue with the events not being fired upon. If you log in to Sguil/Squert, do you see recent events (I see 8,000+ uncategorized from your sostat)?

Also, try setting DEBUG to "2" in /etc/nsm/securityonion/sguild.conf, restarting sguild (sudo nsm_server_ps-restart), and taking another look in /var/log/nsm/securityonion/sguild.log.

You can also try taking a look at the traffic on the management interface using tcpdump to see if any traffic is indeed going out (Ex. sudo tcpdump -i eth0).

Thanks,
Wes
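
Wes's DEBUG suggestion above, as an added shell helper that is not from the thread or from the Security Onion project: it changes the level in sguild.conf in place, keeps a backup, and verifies the new value before you restart sguild. It assumes sguild.conf stores the level as a Tcl-style `set DEBUG N` line (check your own file first); the sample configuration used in the comments and test is constructed.

```shell
#!/bin/sh
# Added example (not from the thread or the Security Onion project): read and
# rewrite the sguild DEBUG level, then verify the edit.
# Assumption: sguild.conf holds the level as a Tcl "set DEBUG N" line.

CONF_DEFAULT=/etc/nsm/securityonion/sguild.conf

# get_debug [CONF]: print the current DEBUG level, or nothing if absent.
get_debug() {
    conf="${1:-$CONF_DEFAULT}"
    sed -n 's/^[[:space:]]*set[[:space:]]\{1,\}DEBUG[[:space:]]\{1,\}\([0-9]\{1,\}\).*/\1/p' "$conf" | head -n 1
}

# set_debug LEVEL [CONF]: rewrite the DEBUG line in place (backup in CONF.bak).
# Returns 1 if the file has no DEBUG line, 2 on a non-numeric level.
set_debug() {
    level="$1"
    conf="${2:-$CONF_DEFAULT}"
    case "$level" in
        ''|*[!0-9]*) echo "level must be a number" >&2; return 2 ;;
    esac
    grep -q '^[[:space:]]*set[[:space:]]\{1,\}DEBUG[[:space:]]' "$conf" \
        || { echo "no DEBUG line in $conf" >&2; return 1; }
    cp -p "$conf" "$conf.bak"
    # Write via a temp file and cat back so ownership and mode are preserved.
    sed "s/^\([[:space:]]*set[[:space:]]\{1,\}DEBUG[[:space:]]\{1,\}\)[0-9]\{1,\}/\1$level/" "$conf" > "$conf.tmp" \
        && cat "$conf.tmp" > "$conf" && rm -f "$conf.tmp"
    # Verify the file now says what we asked for.
    [ "$(get_debug "$conf")" = "$level" ]
}

# On a sensor (as root), following Wes's steps:
#   set_debug 2 && nsm_server_ps-restart
#   tail -f /var/log/nsm/securityonion/sguild.log
# and to confirm syslog is actually leaving the management interface,
# narrow Wes's tcpdump to the syslog port:
#   tcpdump -ni eth0 port 514
```

Verifying the value after the edit matters here because, as Guy found, the level can silently revert after an upgrade; re-running get_debug after the next upgrade is a cheap way to catch that.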

ggi...@gmail.com

Jun 9, 2016, 8:12:06 AM
to security-onion
Hi Wes,

WAY TO GO!!!

Changing the debug level to 2 solved the problem.
Probably after the upgrade the DEBUG level went back down to 1.
Now everything is playing.

Thanks a lot,
Guy