ELSA stopped gathering new data possibly after upgrade

Danie de Jager

unread,

May 6, 2016, 7:23:48 AM5/6/16

to security-onion

Hi,

I upgraded to the latest build using uBuntu 14.04 and noticed only now that since then ELSA stopped gathering new information. When I change the date range all the latest dates are greyed out for the last couple of months. Sguil works fine.

I'm not sure where to start troubleshooting. The Sphinxsearch service is up on my master and sensor. There are no log files in /var/log/sphinxsearch/ on my master and sensor.

From sostat:
=========================================================================
ELSA
=========================================================================
Syslog-ng
Checking for process:
2078 /usr/sbin/syslog-ng -p /var/run/syslog-ng.pid
Checking for connection:
nc: connect to localhost port 514 (tcp) failed: Connection refused

MySQL
Checking for process:
2065 /usr/sbin/mysqld
Checking for connection:
Connection to localhost 3306 port [tcp/mysql] succeeded!

Sphinx
Checking for process:
1981 su -s /bin/sh -c exec "$0" "$@" sphinxsearch -- /usr/bin/searchd --nodetach
2179 /usr/bin/searchd --nodetach
Checking for connection:
Connection to localhost 9306 port [tcp/*] succeeded!

ELSA Buffers in Queue:
6
If this number is consistently higher than 20, please see:
https://github.com/Security-Onion-Solutions/security-onion/wiki/FAQ#why-does-sostat-show-a-high-number-of-elsa-buffers-in-queue

ELSA Directory Sizes:
3.4G /nsm/elsa/data
89M /var/lib/mysql/syslog
32K /var/lib/mysql/syslog_data

ELSA Index Date Range
If you don't have at least 2 full days of logs in the Index Date Range,
then you'll need to increase log_size_limit in /etc/elsa_node.conf.
+---------------------+---------------------+
| MIN(start) | MAX(end) |
+---------------------+---------------------+
| 2015-05-28 08:36:41 | 2016-02-11 07:09:05 |
+---------------------+---------------------+

ELSA Log Node SSH Tunnels:
PORT NODE IP/STATUS
50000 seconion-sensor1 10.2.37.204

Wes

unread,

May 6, 2016, 8:11:05 AM5/6/16

to security-onion

Danie,

Did you follow ALL of the steps here, making sure to not replace the syslog-ng.conf file?
https://github.com/Security-Onion-Solutions/security-onion/wiki/Upgrading-from-12.04-to-14.04

Have you tried restarting syslog-ng or rebooting?

Also check /nsm/elsa/data/elsa/log/, especially node.log, which you could try tailing (tail -f) when restarting syslog-ng.

How does your syslog-ng.conf (/etc/syslog-ng/syslog-ng.conf) compare to /opt/elsa/contrib/securityonion/contrib/securityonion-syslog-ng.conf?

Also, please include the full output of sostat-redacted:

https://github.com/Security-Onion-Solutions/security-onion/wiki/MailingLists#include-sostat-redacted-output

Thanks,
Wes

Danie de Jager

unread,

May 6, 2016, 8:20:16 AM5/6/16

to security-onion

> Danie,
>
> Did you follow ALL of the steps here, making sure to not replace the syslog-ng.conf file?
> https://github.com/Security-Onion-Solutions/security-onion/wiki/Upgrading-from-12.04-to-14.04
>
> Have you tried restarting syslog-ng or rebooting?
>
> Also check /nsm/elsa/data/elsa/log/, especially node.log, which you could try tailing (tail -f) when restarting syslog-ng.
>
> How does your syslog-ng.conf (/etc/syslog-ng/syslog-ng.conf) compare to /opt/elsa/contrib/securityonion/contrib/securityonion-syslog-ng.conf?
>
> Also, please include the full output of sostat-redacted:
>
> https://github.com/Security-Onion-Solutions/security-onion/wiki/MailingLists#include-sostat-redacted-output
>
> Thanks,
> Wes

Thanks Wes,

I followed the steps. I don't use syslog unless SO uses syslog for some if its processes I wouldn't touch the configs. Doing a diff on the 2 files shows a big difference. Regrettably I took over this install from someone else who previously went live with the POC so luckily not a lot of tuning was done but the system is dog slow.

Danie

Danie de Jager

unread,

May 6, 2016, 8:21:01 AM5/6/16

to security-onion

Here is the redacted output on pastebin:
http://pastebin.com/6RQi5Tx8

Wes

unread,

May 6, 2016, 8:28:15 AM5/6/16

to security-onion

Danie,

First, I would try backing up the current syslog-ng.conf file you have in /etc/syslog-ng.conf and replace it with the one in /opt/elsa/contrib/securityonion/contrib/securityonion-syslog-ng.conf, then restart syslog-ng.

Not related to this particular issue, I would also log into Sguil and categorize your uncategorized events. Failure to do so could result in poor performance and/or database table corruption.

It also looks like you are running PRADS/pads_agent on your sensor. You may want to disable this for better performance on your sensor.

Thanks,
Wes

Danie de Jager

unread,

May 6, 2016, 8:43:41 AM5/6/16

to security-onion

Thanks Wes,

When we disable PRADS the guys doing the investigation are missing the events around the incident so we enabled it again.

I will do as you suggested with Syslog.

Is there a schematic to show how the different systems combine to make SO? If ELSA is not getting new data what can cause that?

Danie

Danie de Jager

unread,

May 6, 2016, 8:49:24 AM5/6/16

to security-onion

The original Syslog config is doing some includes that is not done in the other config.

#head /etc/syslog-ng/syslog-ng.conf
@version: 3.5
@include "scl.conf"
@include "`scl-root`/system/tty10.conf"

# Syslog-ng configuration file, compatible with default Debian syslogd
# installation.

# First, set some global options.
options { chain_hostnames(off); flush_lines(0); use_dns(no); use_fqdn(no);
owner("root"); group("adm"); perm(0640); stats_freq(0);

----------------------------------------------------------------------------
#head /opt/elsa/contrib/securityonion/contrib/securityo
@version: 3.5
source s_syslog { unix-dgram("/dev/log"); };

source s_network {
tcp();
udp();
};

parser p_db {
db-parser(file("/opt/elsa/node/conf/patterndb.xml"));
daniej@seconion-master:~$ head /etc/syslog-ng/syslog-ng.conf

Wes

unread,

May 6, 2016, 8:52:41 AM5/6/16

to security-onion

Danie,

Those (the includes in the /etc/syslog-ng) are not required. Have you replaced the file (using the one from /opt/elsa) and tried restarting syslog-ng?

Thanks,
Wes

Wes

unread,

May 6, 2016, 8:56:30 AM5/6/16

to security-onion

Bro offers much of the same information as PRADS viewable through ELSA.

You can have a look here to get an idea of the general SO architecture:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Architecture

From my experience, I have found that if ELSA is not getting new data, it could be because:

-There is an issue with syslog-ng (bad config, etc.)
-There is an issue with Sphinx indexing the buffers
-Corrupt MySQL database (elsa_web, syslog_data)
-Overwhelmed machine (not enough resources, or other issues cause resource hogging)

These are just a few things I have noticed. You can learn more about ELSA specifically, here:
https://github.com/mcholste/elsa/wiki/Documentation

Thanks,
Wes

Danie de Jager

unread,

May 6, 2016, 9:00:13 AM5/6/16

to securit...@googlegroups.com

Hi,

i replaced the config and restarted the service. It is still not listening on 514

tcp 0 0 127.0.0.1:50000 0.0.0.0:* LISTEN -

tcp 0 0 127.0.0.1:5910 0.0.0.0:* LISTEN -

tcp 0 0 0.0.0.0:7734 0.0.0.0:* LISTEN -

tcp 0 0 127.0.0.1:3350 0.0.0.0:* LISTEN -

tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -

tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN -

tcp 0 0 0.0.0.0:7736 0.0.0.0:* LISTEN -

tcp 0 0 0.0.0.0:4505 0.0.0.0:* LISTEN -

tcp 0 0 0.0.0.0:9306 0.0.0.0:* LISTEN -

tcp 0 0 0.0.0.0:4506 0.0.0.0:* LISTEN -

tcp 0 0 0.0.0.0:3389 0.0.0.0:* LISTEN -

tcp 0 0 0.0.0.0:9312 0.0.0.0:* LISTEN -

tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN -

tcp6 0 0 ::1:50000 :::* LISTEN -

tcp6 0 0 :::3154 :::* LISTEN -

tcp6 0 0 :::9876 :::* LISTEN -

tcp6 0 0 :::7734 :::* LISTEN -

tcp6 0 0 :::22 :::* LISTEN -

tcp6 0 0 ::1:631 :::* LISTEN -

tcp6 0 0 :::7736 :::* LISTEN -

tcp6 0 0 :::443 :::* LISTEN -

Here is the processes for syslog

#ps faux | grep syslog

ossecm 2413 0.0 0.0 16080 620 ? S 09:47 0:00 /var/ossec/bin/ossec-csyslogd

root 26715 0.0 0.0 31092 468 ? S 12:55 0:00 supervising syslog-ng

root 26716 0.0 0.0 67816 4056 ? Ss 12:55 0:00 \_ /usr/sbin/syslog-ng -p /var/run/syslog-ng.pid

Danie de Jager
Striata Global Security Engineer

Office: +27 11 5309600

Striata on: Twitter | LinkedIn | Facebook | www.striata.com

--
Follow Security Onion on Twitter!
https://twitter.com/securityonion
---
You received this message because you are subscribed to a topic in the Google Groups "security-onion" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/security-onion/-z38LqYP8xs/unsubscribe.
To unsubscribe from this group and all its topics, send an email to security-onio...@googlegroups.com.
To post to this group, send email to securit...@googlegroups.com.
Visit this group at https://groups.google.com/group/security-onion.
For more options, visit https://groups.google.com/d/optout.

Danie de Jager

unread,

May 6, 2016, 9:02:45 AM5/6/16

to securit...@googlegroups.com

Thanks,

From looking at the diagram it seems that ELSA combines data from barnyard2 and syslog-ng. Hence if my syslog is not working ELSA won't update?

Danie de Jager
Striata Global Security Engineer

Office: +27 11 5309600

Striata on: Twitter | LinkedIn | Facebook | www.striata.com

Wes

unread,

May 6, 2016, 9:11:21 AM5/6/16

to security-onion

You can think of syslog-ng as the glue/transport mechanism for all of the source logs (defined in syslog-ng.conf) from Security Onion tools to ELSA.

It pulls in the information, formats/filters, as necessary and ships the data off to ELSA (Sphinx for indexing, MySQL for overall storage).

Does that help clarify?

Thanks,
Wes

Danie de Jager

unread,

May 6, 2016, 9:20:07 AM5/6/16

to securit...@googlegroups.com

I definitely will need to do the training course but things are making sense. Any idea what I can do to get syslog listening correctly? I've never used it myself.

Danie de Jager
Striata Global Security Engineer

Office: +27 11 5309600

Striata on: Twitter | LinkedIn | Facebook | www.striata.com

Wes

unread,

May 6, 2016, 9:30:12 AM5/6/16

to security-onion

Try the following when restarting syslog-ng:

tail -f /nsm/elsa/data/elsa/log/node.log

See if that produces a useful error or clue.

Also, try rebooting and see if that helps.

Thanks,
Wes

Danie de Jager

unread,

May 6, 2016, 9:40:43 AM5/6/16

to securit...@googlegroups.com

I see this:

* TRACE [2016/05/06 13:37:04] /opt/elsa/web/../node/Indexer.pm (1782) Indexer::_get_lock 3556 [undef]

Locked directory

* DEBUG [2016/05/06 13:37:04] /opt/elsa/web/../node/Indexer.pm (1008) Indexer::load_buffers 3556 [undef]

rows for load_records: $VAR1 = [];

* TRACE [2016/05/06 13:37:04] /opt/elsa/web/../node/Indexer.pm (1805) Indexer::_release_lock 3556 [undef]

Unlocked directory

* TRACE [2016/05/06 13:37:04] /opt/elsa/web/../node/Indexer.pm (2828) Indexer::record_host_stats 3556 [undef]

Only found 1 hosts in temp_9

* TRACE [2016/05/06 13:37:09] /opt/elsa/web/../node/Indexer.pm (2860) Indexer::record_host_stats 3556 [undef]

Finished in 5.12448596954346 with 1007 records counted

* TRACE [2016/05/06 13:37:09] /opt/elsa/web/../node/Indexer.pm (620) Indexer::_oversize_log_rotate 3556 [undef]

Effective log_size_limit: 472000000000, archive_limit: 155760000000

* DEBUG [2016/05/06 13:37:09] /opt/elsa/web/../node/Indexer.pm (163) Indexer::_get_current_index_size 3556 [undef]

Current size of indexed logs in database is 1493089680

* TRACE [2016/05/06 13:37:09] /opt/elsa/web/../node/Indexer.pm (182) Indexer::_get_current_index_size 3556 [undef]

Found size of Sphinx indexes 1634430598 for total size of 3127520278

* DEBUG [2016/05/06 13:37:09] /opt/elsa/web/../node/Indexer.pm (145) Indexer::_get_current_archive_size 3556 [undef]

Current size of archived logs in database is 147354594

* TRACE [2016/05/06 13:37:09] /opt/elsa/web/../node/Indexer.pm (1782) Indexer::_get_lock 3556 [undef]

Locked directory

* TRACE [2016/05/06 13:37:09] /opt/elsa/web/../node/Indexer.pm (1805) Indexer::_release_lock 3556 [undef]

Unlocked directory

* TRACE [2016/05/06 13:37:09] /opt/elsa/web/../node/Indexer.pm (1782) Indexer::_get_lock 3556 [undef]

Locked query

* TRACE [2016/05/06 13:38:02] /opt/elsa/web/../node/Indexer.pm (1782) Indexer::_get_lock 11470 [undef]

Locked directory

* DEBUG [2016/05/06 13:38:02] /opt/elsa/web/../node/Indexer.pm (1008) Indexer::load_buffers 11470 [undef]

rows for load_records: $VAR1 = [];

* TRACE [2016/05/06 13:38:02] /opt/elsa/web/../node/Indexer.pm (1805) Indexer::_release_lock 11470 [undef]

Unlocked directory

* TRACE [2016/05/06 13:38:02] /opt/elsa/web/../node/Indexer.pm (2828) Indexer::record_host_stats 11470 [undef]

Only found 1 hosts in temp_9

* TRACE [2016/05/06 13:38:07] /opt/elsa/web/../node/Indexer.pm (2860) Indexer::record_host_stats 11470 [undef]

Finished in 5.00400304794312 with 1007 records counted

* TRACE [2016/05/06 13:38:07] /opt/elsa/web/../node/Indexer.pm (620) Indexer::_oversize_log_rotate 11470 [undef]

Effective log_size_limit: 472000000000, archive_limit: 155760000000

* DEBUG [2016/05/06 13:38:07] /opt/elsa/web/../node/Indexer.pm (163) Indexer::_get_current_index_size 11470 [undef]

Current size of indexed logs in database is 1493089680

* TRACE [2016/05/06 13:38:07] /opt/elsa/web/../node/Indexer.pm (182) Indexer::_get_current_index_size 11470 [undef]

Found size of Sphinx indexes 1634430598 for total size of 3127520278

* DEBUG [2016/05/06 13:38:07] /opt/elsa/web/../node/Indexer.pm (145) Indexer::_get_current_archive_size 11470 [undef]

Current size of archived logs in database is 147354594

* TRACE [2016/05/06 13:38:07] /opt/elsa/web/../node/Indexer.pm (1782) Indexer::_get_lock 11470 [undef]

Locked directory

* TRACE [2016/05/06 13:38:07] /opt/elsa/web/../node/Indexer.pm (1805) Indexer::_release_lock 11470 [undef]

Unlocked directory

* TRACE [2016/05/06 13:38:07] /opt/elsa/web/../node/Indexer.pm (1782) Indexer::_get_lock 11470 [undef]

Locked query

* TRACE [2016/05/06 13:39:02] /opt/elsa/web/../node/Indexer.pm (1782) Indexer::_get_lock 11694 [undef]

Locked directory

* DEBUG [2016/05/06 13:39:02] /opt/elsa/web/../node/Indexer.pm (1008) Indexer::load_buffers 11694 [undef]

rows for load_records: $VAR1 = [];

* TRACE [2016/05/06 13:39:02] /opt/elsa/web/../node/Indexer.pm (1805) Indexer::_release_lock 11694 [undef]

Unlocked directory

* TRACE [2016/05/06 13:39:02] /opt/elsa/web/../node/Indexer.pm (2828) Indexer::record_host_stats 11694 [undef]

Only found 1 hosts in temp_9

* TRACE [2016/05/06 13:39:07] /opt/elsa/web/../node/Indexer.pm (2860) Indexer::record_host_stats 11694 [undef]

Finished in 5.00380921363831 with 1007 records counted

* TRACE [2016/05/06 13:39:07] /opt/elsa/web/../node/Indexer.pm (620) Indexer::_oversize_log_rotate 11694 [undef]

Effective log_size_limit: 472000000000, archive_limit: 155760000000

* DEBUG [2016/05/06 13:39:07] /opt/elsa/web/../node/Indexer.pm (163) Indexer::_get_current_index_size 11694 [undef]

Current size of indexed logs in database is 1493089680

* TRACE [2016/05/06 13:39:08] /opt/elsa/web/../node/Indexer.pm (182) Indexer::_get_current_index_size 11694 [undef]

Found size of Sphinx indexes 1634430598 for total size of 3127520278

* DEBUG [2016/05/06 13:39:08] /opt/elsa/web/../node/Indexer.pm (145) Indexer::_get_current_archive_size 11694 [undef]

Current size of archived logs in database is 147354594

* TRACE [2016/05/06 13:39:08] /opt/elsa/web/../node/Indexer.pm (1782) Indexer::_get_lock 11694 [undef]

Locked directory

* TRACE [2016/05/06 13:39:08] /opt/elsa/web/../node/Indexer.pm (1805) Indexer::_release_lock 11694 [undef]

Unlocked directory

* TRACE [2016/05/06 13:39:08] /opt/elsa/web/../node/Indexer.pm (1782) Indexer::_get_lock 11694 [undef]

Locked query

Danie de Jager
Striata Global Security Engineer

Office: +27 11 5309600

Striata on: Twitter | LinkedIn | Facebook | www.striata.com

Wes

unread,

May 6, 2016, 9:57:35 AM5/6/16

to security-onion

Danie,

Please provide the latest sostat-redacted output.

Thanks,
Wes

Danie de Jager

unread,

May 6, 2016, 10:04:06 AM5/6/16

to securit...@googlegroups.com

Thanks Wes,

I uploaded it for the Master here:

http://pastebin.com/Vxp8E78X

Wes

unread,

May 6, 2016, 10:54:34 AM5/6/16

to security-onion

Danie,

Please provide the output of the following:

sudo lsof -nP -i | grep 514

and the output of the following:

sudo dpkg -l | grep syslog-ng

Thanks,
Wes

Danie de Jager

unread,

May 9, 2016, 4:32:39 AM5/9/16

to securit...@googlegroups.com

Thanks Wes,

sudo lsof -nP -i | grep 514

ossec-csy 2452 ossecm 5u IPv4 15657 0t0 UDP 127.0.0.1:43967->127.0.0.1:514

sshd 5952 root 3u IPv4 15847 0t0 TCP 10.2.37.203:22->10.2.37.204:51470 (ESTABLISHED)

sshd 6186 sensor1 3u IPv4 15847 0t0 TCP 10.2.37.203:22->10.2.37.204:51470 (ESTABLISHED)

sudo dpkg -l | grep syslog-ng

rc libsyslog-ng-3.3.4:amd64 3.3.4.dfsg-2ubuntu1 amd64 Next generation system logging daemon (private library)

ii syslog-ng 3.5.3-1 all Enhanced system logging daemon (metapackage)

ii syslog-ng-core 3.5.3-1 amd64 Enhanced system logging daemon (core)

ii syslog-ng-mod-amqp 3.5.3-1 amd64 Enhanced system logging daemon (AMQP plugin)

ii syslog-ng-mod-geoip 3.5.3-1 amd64 Enhanced system logging daemon (GeoIP plugin)

ii syslog-ng-mod-json 3.5.3-1 amd64 Enhanced system logging daemon (JSON plugin)

ii syslog-ng-mod-mongodb 3.5.3-1 amd64 Enhanced system logging daemon (MongoDB plugin)

ii syslog-ng-mod-redis 3.5.3-1 amd64 Enhanced system logging daemon (Redis plugin)

ii syslog-ng-mod-smtp 3.5.3-1 amd64 Enhanced system logging daemon (SMTP plugin)

ii syslog-ng-mod-sql 3.5.3-1 amd64 Enhanced system logging daemon (SQL plugin)

ii syslog-ng-mod-stomp 3.5.3-1 amd64 Enhanced system logging daemon (STOMP plugin)

Danie de Jager
Striata Global Security Engineer

Office: +27 11 5309600

Striata on: Twitter | LinkedIn | Facebook | www.striata.com

Wes

unread,

May 9, 2016, 9:21:57 AM5/9/16

to security-onion

Danie,

If you have the ability, it may be best (and quicker) to compare a test VM (syslog-ng.conf, and other files) running Security Onion 14.04 to your current machine.

Thanks,
Wes

Danie de Jager

unread,

May 9, 2016, 9:25:13 AM5/9/16

to securit...@googlegroups.com

I hear you. Even if I could do that there are too many variables to check against.

What if the issue is on my Sensor that is not pushing the logs to the master? Or is that not the issue as we don't get the syslog service to accept incoming connections on the required port on the master?

Danie de Jager
Striata Global Security Engineer

Office: +27 11 5309600

Striata on: Twitter | LinkedIn | Facebook | www.striata.com

Wes

unread,

May 9, 2016, 9:39:48 AM5/9/16

to security-onion

You will need to have syslog-ng listening on the master (port 514) in order to receive logs from any device sending them to the master, as well as to read/process any log files local to the master.

Sensors store most of their own data (with the exception of alert data) in their own ELSA database, so they should have their own index/date range. After running sostat on the sensor, what is the index range displayed?

Please include the sostat-redacted output for the sensor.

Thanks,
Wes

Danie de Jager

unread,

May 10, 2016, 3:27:32 AM5/10/16

to securit...@googlegroups.com

Hi Wes,

I made a silly mistake. The syslog-ng conf file from /opt and the one in /etc got different file names. When I replaced the one in /etc with the one from /opt I started seeing that Syslog-ng is now listening correctly and ELSA started updating the search date to today's date. There is still no info in there but will give it a day to see if it starts populating.

Danie de Jager
Striata Global Security Engineer

Office: +27 11 5309600

Striata on: Twitter | LinkedIn | Facebook | www.striata.com

Danie de Jager

unread,

May 11, 2016, 2:54:25 AM5/11/16

to securit...@googlegroups.com

Hi Wes,

I can confirm that syslog-ng is now running and after 24 hours ELSA's interface is now updating to the latest date but there is no information in any of the reports.

Danie de Jager
Striata Global Security Engineer

Office: +27 11 5309600

Striata on: Twitter | LinkedIn | Facebook | www.striata.com

Danie de Jager

unread,

May 11, 2016, 3:34:40 AM5/11/16

to securit...@googlegroups.com

Further the previous mail I found:

#tail /var/log/nsm/sensor-clean.log

OOPS: The sensor "" does not exist!

Is that normal on a master instance?

Danie de Jager
Striata Global Security Engineer

Office: +27 11 5309600

Striata on: Twitter | LinkedIn | Facebook | www.striata.com

Wes

unread,

May 11, 2016, 7:55:44 AM5/11/16

to security-onion

On Wednesday, May 11, 2016 at 3:34:40 AM UTC-4, Danie de Jager wrote:
> Further the previous mail I found:
>
> #tail /var/log/nsm/sensor-clean.log
> OOPS: The sensor "" does not exist!
> OOPS: The sensor "" does not exist!
>
>
> Is that normal on a master instance?
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
> Danie de Jager
>
> Striata Global Security Engineer
>
>
>
> Office: +27 11 5309600
>
>
>
> Striata on: Twitter | LinkedIn | Facebook | www.striata.com
>
>
>
> On 11 May 2016 at 08:53, Danie de Jager <danie....@striata.com> wrote:
>
>
> Hi Wes,
>
>
> I can confirm that syslog-ng is now running and after 24 hours ELSA's interface is now updating to the latest date but there is no information in any of the reports.
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>

Danie,

What happens if you query from the 10th (2016-05-10 00:00:00) onward, or the 11th ?

Try looking in:

/nsm/elsa/data/elsa/log/node.log

and

/nsm/elsa/data/elsa/log/web.log

for clues.

Please attach the most recent output of sostat-redacted for the master and the sensor.

The content you mentioned within the sensor-clean.log is normal for the master, as this job is used to purge data on sensors.

Thanks,
Wes

Danie de Jager

unread,

May 11, 2016, 8:05:49 AM5/11/16

to securit...@googlegroups.com

Hi,

From /nsm/elsa/data/elsa/log/web.log I see:

Header: $VAR1 = {

'Status' => 596,

'Reason' => 'Connection timed out',

'URL' => 'http://127.0.0.1:50000/API/info'

};

When I search using older date ranges that used to work I get:

Query 293 submitted. seconion-sensor1: Batching because estimated query time is 300 seconds.127.0.0.1: Batching because estimated query time is 300 seconds.<br>

Danie de Jager
Striata Global Security Engineer

Office: +27 11 5309600

Striata on: Twitter | LinkedIn | Facebook | www.striata.com

Wes

unread,

May 11, 2016, 8:12:49 AM5/11/16

to security-onion

When running queries past the index range (defaults to 48 hours), queries will batch and then a link will be send to the email address for which ELSA is configured to send batch query results. If this is not configured, you may end up with an error.

Try running the same query appending "nobatch:1" if you do not want it to batch.

Ex. class=BRO_CONN "-" groupby:srcip nobatch:1

Have you tried to see what happens when you query starting from a more recent date, such as the 10th or 11th?

Again, please attach the sostat-redacted output for both the sensor and master.

Thanks,
Wes

Danie de Jager

unread,

May 11, 2016, 8:51:44 AM5/11/16

to securit...@googlegroups.com

Hi Wes,

When I enter the ELSA query using nobatch:1 on old data I eventually get a graph. Only when I do recent data I see in the log the Jason error.

Master:

http://pastebin.com/iUqd8aiM

Sensor:

http://pastebin.com/Kvr5XrDA

Danie de Jager
Striata Global Security Engineer

Office: +27 11 5309600

Striata on: Twitter | LinkedIn | Facebook | www.striata.com

Danie de Jager

unread,

May 11, 2016, 8:54:29 AM5/11/16

to securit...@googlegroups.com

You can find the complete transaction logged here when I click inside ELSA:

http://pastebin.com/Wp47eRn0

Danie de Jager
Striata Global Security Engineer

Office: +27 11 5309600

Striata on: Twitter | LinkedIn | Facebook | www.striata.com

Wes

unread,

May 11, 2016, 8:59:26 AM5/11/16

to security-onion

> &g

Danie,

It looks like, from your sensor's sostat output, that syslog-ng is not running as it should (on the sensor). I would recommend replacing the file on the sensor as you did with the master. Let's try that first and go from there.

Thanks,
Wes

Danie de Jager

unread,

May 11, 2016, 9:29:45 AM5/11/16

to securit...@googlegroups.com

Thanks Wes,

There are 2 syslogs-ng configs in /opt/elsa/contrib/securityonion/contrib

securityonion-syslog-ng.conf

securityonion-syslog-ng-local.conf

I replaced /etc/syslog-ng/syslog-ng.conf with securityonion-syslog-ng.conf from /opt/elsa/contrib/securityonion/contrib

syslog-ng is now listening on the sensor on port 514

Danie de Jager
Striata Global Security Engineer

Office: +27 11 5309600

Striata on: Twitter | LinkedIn | Facebook | www.striata.com

Danie,

It looks like, from your sensor's sostat output, that syslog-ng is not running as it should (on the sensor). I would recommend replacing the file on the sensor as you did with the master. Let's try that first and go from there.

Thanks,
Wes

Danie de Jager

unread,

May 11, 2016, 9:31:53 AM5/11/16

to securit...@googlegroups.com

Hi Wes,

I just did some testing and ELSA seems to be working again. Thanks for your assistance.

Seems to me that the issue was that after the OS upgrade my Syslog-ng agents used the wrong config file. After replacing the conf with securityonion-syslog-ng.conf found at /opt/elsa/contrib/securityonion/contrib on the sensor and master it resolved the problem where ELSA was not updating with new data.

Danie de Jager
Striata Global Security Engineer

Office: +27 11 5309600

Striata on: Twitter | LinkedIn | Facebook | www.striata.com

Wes

unread,

May 11, 2016, 9:35:21 AM5/11/16

to security-onion

You're very welcome, Danie. I'm glad I could help.

Thanks,
Wes

Reply all

Reply to author

Forward