Constant monitoring with SGUIL


Justin

Dec 19, 2016, 10:11:17 AM
to security-onion
Is there a way to set Sguil up to constantly monitor the chosen interface? I noticed the last couple of days when logging into the system it states it lost connection to Sguil. Since I saw this last week, I ran a vulnerability scan on a machine that SO is mirroring. Usually Sguil will be flagged with alerts. When logging in now it states the connection has been lost, and when enabling the connection there are no events in there about the vulnerability scan.

Wes Lambert

Dec 19, 2016, 12:02:54 PM
to securit...@googlegroups.com

Justin,

If left open, Sguil will usually lose its connection every night during updates. 

Just because Sguil wasn't open, it does not mean that you wouldn't receive the alert. 

Have you tried re-connecting to sguild by restarting Sguil and entering your username and password?  Have you tried looking in Squert?

Are you running ELSA?  If so, have you tried looking there?

Thanks,
Wes


On Dec 19, 2016 10:11 AM, "Justin" <jped...@gmail.com> wrote:
> Is there a way to set Sguil up to constantly monitor the chosen interface? I noticed the last couple of days when logging into the system it states it lost connection to Sguil. Since I saw this last week, I ran a vulnerability scan on a machine that SO is mirroring. Usually Sguil will be flagged with alerts. When logging in now it states the connection has been lost, and when enabling the connection there are no events in there about the vulnerability scan.


Justin

Dec 19, 2016, 3:33:51 PM
to security-onion
On Monday, December 19, 2016 at 9:11:17 AM UTC-6, Justin wrote:
> Is there a way to set Sguil up to constantly monitor the chosen interface? I noticed the last couple of days when logging into the system it states it lost connection to Sguil. Since I saw this last week, I ran a vulnerability scan on a machine that SO is mirroring. Usually Sguil will be flagged with alerts. When logging in now it states the connection has been lost, and when enabling the connection there are no events in there about the vulnerability scan.

I restarted the computer and still nothing. I looked in ELSA and the connections were in there from the vulnerability device. I checked Squert and it looks like there was information in there as well about the scan. I was using Sguil more like an alert center, but should I use Squert instead?

Wes Lambert

Dec 19, 2016, 4:35:38 PM
to securit...@googlegroups.com

Justin,

So, you still don't see any events in Sguil, even if you replay test traffic to the interface?

If you are seeing events in Squert, you should see the same ones in Sguil.

Plenty of people use Sguil as their main alert console -- that is up to you.  Just keep in mind that the Sguil client will disconnect from sguild whenever sguild is restarted.

Also keep in mind that if you are using autocat rules, the events that match the rule(s) will not show up in Sguil, only uncategorized events.

Security Onion offers several ways to view alerts and get more context around events.  You should use what works best for you.

Thanks,
Wes


Justin

Dec 19, 2016, 4:43:46 PM
to security-onion
On Monday, December 19, 2016 at 9:11:17 AM UTC-6, Justin wrote:
> Is there a way to set Sguil up to constantly monitor the chosen interface? I noticed the last couple of days when logging into the system it states it lost connection to Sguil. Since I saw this last week, I ran a vulnerability scan on a machine that SO is mirroring. Usually Sguil will be flagged with alerts. When logging in now it states the connection has been lost, and when enabling the connection there are no events in there about the vulnerability scan.

That is correct, Wes. After launching a scan against a host that should populate Sguil with some events, nothing happens.

Wes

Dec 19, 2016, 9:48:22 PM
to security-onion

Justin,

Keep in mind, Sguil will only show an event if a Snort/Suricata alert was generated for it. And to clarify my previous statement, you will only see events in the realtime portion of the console if they are uncategorized.

When you log back into Sguil, are you sure you are selecting the appropriate interface (try selecting "monitor all interfaces")?

Are you connecting to sguild via an analyst machine? If so, are you sure you are not connecting to localhost instead of the intended sguild instance?

It could also be that there is a backlog of events to be processed by barnyard2.

Do you see a bunch of barnyard files in /var/log/nsm/<SENSOR>/?

When you look in Squert/ELSA, are the event timestamps the same or similar to when you initiate the scan? You may also want to look into the alert you want to trigger by ensuring the traffic you are generating matches the content match, etc. defined for the signature.

If you still can't get it sorted out, please attach the output of sostat-redacted for your server/sensor, attaching as a plain text file, or using a service like Pastebin.com.

Thanks,
Wes
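The checklist in Wes's last reply can be turned into a small triage script. The block below is an added example, not code from the thread or from the Security Onion project: it takes alert records as one might export them from Squert/ELSA, keeps only those inside the scan's time window, explains for each whether Sguil's realtime pane would show it (only uncategorized events appear there; autocat matches do not), and counts barnyard2 spool files under a sensor's /var/log/nsm/<SENSOR>/ directory as a crude backlog indicator. The record field names (`timestamp`, `signature`, `autocat`), the "barnyard" filename pattern, the 30-minute default window and the sample alerts are all assumptions made for the example.

```python
"""Added example: triage why a scan produced no visible Sguil events.

Assumptions (not from the thread): alerts are dicts with 'timestamp',
'signature' and 'autocat' keys; barnyard2 spool files have 'barnyard'
in their name; the scan window defaults to 30 minutes.
"""
from datetime import datetime, timedelta
from pathlib import Path

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample alerts in the shape one might export from Squert/ELSA.
SAMPLE_ALERTS = [
    {"timestamp": "2016-12-19 09:10:41", "signature": "CONSTRUCTED SCAN probe A", "autocat": False},
    {"timestamp": "2016-12-19 09:12:05", "signature": "CONSTRUCTED SCAN probe B", "autocat": True},
    {"timestamp": "2016-12-19 11:30:00", "signature": "CONSTRUCTED policy event", "autocat": False},
]


def events_in_window(alerts, scan_start, minutes=30):
    """Alerts whose timestamp falls within [scan_start, scan_start + minutes]."""
    start = datetime.strptime(scan_start, FMT)
    end = start + timedelta(minutes=minutes)
    return [a for a in alerts if start <= datetime.strptime(a["timestamp"], FMT) <= end]


def realtime_visibility(alerts, scan_start, minutes=30):
    """Map each signature to a reason it would or would not show in Sguil's realtime pane."""
    in_window = {a["signature"] for a in events_in_window(alerts, scan_start, minutes)}
    reasons = {}
    for a in alerts:
        sig = a["signature"]
        if sig not in in_window:
            reasons[sig] = "outside scan window: probably unrelated to the scan"
        elif a["autocat"]:
            reasons[sig] = "autocat matched: categorized on arrival, not shown in realtime pane"
        else:
            reasons[sig] = ("should appear in Sguil realtime pane; if absent, check the sguild "
                            "connection, the selected interface, or a barnyard2 backlog")
    return reasons


def barnyard_backlog(filenames, threshold=10):
    """Count spool files (names containing 'barnyard') and flag a backlog at or above threshold."""
    spool = sorted(n for n in filenames if "barnyard" in n)
    return {"count": len(spool), "backlog": len(spool) >= threshold,
            "oldest": spool[0] if spool else None}


def barnyard_backlog_in(sensor_dir, threshold=10):
    """Same check against a real directory, e.g. /var/log/nsm/<SENSOR>/ (assumed layout)."""
    names = (p.name for p in Path(sensor_dir).iterdir() if p.is_file())
    return barnyard_backlog(names, threshold)


if __name__ == "__main__":
    scan_started = "2016-12-19 09:10:00"  # constructed scan start time
    for sig, why in realtime_visibility(SAMPLE_ALERTS, scan_started).items():
        print(f"{sig}: {why}")
    # Constructed spool listing standing in for a directory listing.
    print(barnyard_backlog(["barnyard2.00001", "barnyard2.00002", "sensor.log"], threshold=2))
```

Run it against real data by exporting the alerts from Squert or ELSA into the same dict shape and calling `barnyard_backlog_in("/var/log/nsm/<SENSOR>/")` with the actual sensor directory; an alert that lands in the window and is uncategorized but still never reaches the console points at the sguild connection or the interface selection rather than at detection.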
