How to restart NSM service via Squert


Kris Springer

Dec 21, 2016, 12:59:34 PM12/21/16
to security-onion
Has anyone built a script or custom code to restart the NSM service directly from the Squert webpage in order to instantly enable new AutoCat rules? I've looked through SO forums and haven't found that this is an option. Currently it requires logging directly into the SO server and running the following
#sudo /usr/sbin/nsm_server_ps-restart

Wes

Dec 21, 2016, 2:09:03 PM12/21/16
to security-onion
On Wednesday, December 21, 2016 at 12:59:34 PM UTC-5, Kris Springer wrote:
> Has anyone built a script or custom code to restart the NSM service directly from the Squert webpage in order to instantly enable new AutoCat rules? I've looked through SO forums and haven't found that this is an option. Currently it requires logging directly into the SO server and running the following
> #sudo /usr/sbin/nsm_server_ps-restart

Kris,

Are you sure you aren't seeing the events that were already in Squert? Autocats will only apply to future events processed by sguild. So, if you already had similar events in the realtime queue, they will remain there until you categorize them manually/F8 them.

This works for me in v1.6.3. What version are you using?

Thanks,
Wes

Kris Springer

Dec 21, 2016, 2:21:33 PM12/21/16
to security-onion
Yes, I understand that new Autocat rules only apply to future events, not historical, but somewhere along the line I got the idea that I had to manually restart the NSM service in order for the autocat rules to apply. Am I mistaken?

Kris Springer

Dec 21, 2016, 4:59:16 PM12/21/16
to security-onion
So I've created a little script that runs /usr/sbin/nsm_server_ps-restart when a user clicks a button in the web interface.

Can someone please confirm if this is even required to apply new Autocat rules for future events? If restarting the service is not necessary I'll abandon this script.

Wes

Dec 21, 2016, 6:54:38 PM12/21/16
to security-onion
On Wednesday, December 21, 2016 at 4:59:16 PM UTC-5, Kris Springer wrote:
> So I've created a little script that runs /usr/sbin/nsm_server_ps-restart when a user clicks a button in the web interface.
>
> Can someone please confirm if this is even required to apply new Autocat rules for future events? If restarting the service is not necessary I'll abandon this script.

Kris,

You should not have to restart sguild for autocat rules to take effect.

Thanks,
Wes

Kris Springer

Dec 21, 2016, 7:42:15 PM12/21/16
to security-onion
Thanks Wes. I appreciate your patient responses to my questions.

I believe this is where I got the 'need to restart sguil' requirement from.
https://github.com/Security-Onion-Solutions/security-onion/wiki/ManagingAlerts#autocategorize-events

At least now I've figured out how to run sudo scripts directly from web pages. :-)

Doug Burks

Dec 22, 2016, 6:16:12 AM12/22/16
to securit...@googlegroups.com
On Wed, Dec 21, 2016 at 7:42 PM, Kris Springer
<kspr...@innovateteam.com> wrote:
> Thanks Wes. I appreciate your patient responses to my questions.
>
> I believe this is where I got the 'need to restart sguil' requirement from.
> https://github.com/Security-Onion-Solutions/security-onion/wiki/ManagingAlerts#autocategorize-events

Hi Kris,

From that page:

"Please note the following instructions are for older versions of Sguil only."

Those instructions were from a time when autocats were defined in a
file that was only read at startup, thus the requirement to restart
sguild.

I'll remove those old instructions to prevent further confusion.

--
Doug Burks

jesse...@gmail.com

Dec 27, 2016, 12:28:26 PM12/27/16
to security-onion
On Wednesday, December 21, 2016 at 4:59:16 PM UTC-5, Kris Springer wrote:
> So I've created a little script that runs /usr/sbin/nsm_server_ps-restart when a user clicks a button in the web interface.
>
> Can someone please confirm if this is even required to apply new Autocat rules for future events? If restarting the service is not necessary I'll abandon this script.

Hello Kris,

Would you mind sharing how you're able to run nsm_server_ps-restart from the Squert web interface? I'd appreciate it.

Kris Springer

Dec 27, 2016, 1:37:09 PM12/27/16
to security-onion
Note: the restart script won't work unless you add the 'www-data' user and script path into the sudo file. This will allow the www-data user to sudo and run only the specific scripts specified. The sudo file must be edited using the following command. Also, be careful with this file. There's always the possibility of breaking it if you're careless.

Step 1: Edit the sudo file by running this command.
#sudo visudo

Add this line at the very bottom, then save.
www-data ALL=(ALL) NOPASSWD: /usr/sbin/nsm_server_ps-restart

Step 2: Create a PHP script file in the following path. This is the file that gets triggered when you click the HTML button in step 3.
#cd /var/www/so/squert/.scripts/
#sudo pico restart-nsm.php

Enter the following into the blank php file and save.
<?php
// exec() returns the last line the command prints; all lines are collected in $output.
echo exec("sudo /usr/sbin/nsm_server_ps-restart", $output);
?>

Step 3: Add a link/button wherever you want it in the squert index.php file. I put mine in the Autocat popup window. For reference, it's around line 283.
#cd /var/www/so/squert/
#sudo pico index.php

Button option 1: javascript method. Here's how I did it in mine. It gives you a little popup window when you click the link.
<script type="text/javascript">function MM_openBrWindow(theURL,winName,features){window.open(theURL,winName,features);}</script>
<a href="javascript:;" onClick="MM_openBrWindow('.scripts/restart-nsm.php','Restart NSM Now','width=250,height=50')" class="ac_view"><img src=".css/reload.png">Restart sguil service now</a>

Button option 2: simple href method with no javascript. This opens in a new tab instead of a popup.
<a href=".scripts/restart-nsm.php" target="_blank"><img src=".css/reload.png">Restart sguil service now</a>

Step 4: Refresh your squert page in a browser and try out your new button. It should display results similar to the following if the script ran and worked.
starting: sguil server[ OK ]

If you get blank results then it's not working because of a permissions issue with the sudo file referenced in step 1. Do some Google searching to iron out your issues.


Kris Springer

Dec 27, 2016, 1:50:01 PM12/27/16
to security-onion
There are additional methods of getting better output on the php file when the script runs, but my simple file serves my purposes. Expand yours as you desire.
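Added example, not Kris's script and not part of Squert or Security Onion: a hardened stand-in for .scripts/restart-nsm.php that covers both things the thread touches on, the blank page when sudo fails and not letting a plain GET link restart sguild. The handler sits under the web root, so whoever can reach the URL can trigger a root-level restart; the session and CSRF checks below are the only gate. Assumptions (placeholders, adjust to your install): Squert keeps the logged-in user in $_SESSION['sUser'], index.php sets $_SESSION['restart_csrf'] before rendering the button, and the sudoers entry from step 1 is in place.

```php
<?php
// Added example: hardened restart-nsm.php. Not Squert's code and not the thread's script.
// Assumed placeholders: $_SESSION['sUser'] holds the Squert login, and index.php issues
// $_SESSION['restart_csrf'] before rendering the button (see the comment at the end).

// Must match the sudoers entry character for character.
define('RESTART_CMD', '/usr/sbin/nsm_server_ps-restart');

function respond($status, array $body) {
    http_response_code($status);
    header('Content-Type: application/json');
    header('Cache-Control: no-store');
    echo json_encode($body), "\n";
    exit;
}

// 1. A restart is a state change: accept POST only. A GET link can be fired by browser
//    prefetching, a crawler, or an <img src=...> on any page a logged-in user visits.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    header('Allow: POST');
    respond(405, array('ok' => false, 'error' => 'POST required'));
}

// 2. Require an authenticated Squert session (the session key name is an assumption).
session_start();
if (empty($_SESSION['sUser'])) {
    respond(401, array('ok' => false, 'error' => 'not logged in'));
}

// 3. Per-session CSRF token; hash_equals() (PHP >= 5.6) avoids a timing side channel.
if (empty($_SESSION['restart_csrf']) || !isset($_POST['csrf'])
    || !hash_equals($_SESSION['restart_csrf'], (string) $_POST['csrf'])) {
    respond(403, array('ok' => false, 'error' => 'bad or missing CSRF token'));
}

// 4. Run the fixed command with sudo -n: if the sudoers rule is missing or mistyped,
//    sudo exits non-zero immediately instead of waiting on a password prompt, which is
//    what leaves the original exec() version showing a blank page.
$descriptors = array(1 => array('pipe', 'w'), 2 => array('pipe', 'w'));
$proc = proc_open('sudo -n ' . escapeshellarg(RESTART_CMD), $descriptors, $pipes);
if (!is_resource($proc)) {
    respond(500, array('ok' => false, 'error' => 'proc_open failed'));
}
$stdout = stream_get_contents($pipes[1]);
$stderr = stream_get_contents($pipes[2]);
fclose($pipes[1]);
fclose($pipes[2]);
$rc = proc_close($proc);

// 5. Log who triggered the restart and report exit code plus stderr, not just the last
//    stdout line that exec() returns.
error_log(sprintf('restart-nsm: user=%s rc=%d', $_SESSION['sUser'], $rc));
respond($rc === 0 ? 200 : 500, array(
    'ok'     => ($rc === 0),
    'rc'     => $rc,
    'stdout' => trim($stdout),
    'stderr' => trim($stderr),
));

// In index.php, replace the <a href=...> link with a form. After session_start():
//   if (empty($_SESSION['restart_csrf'])) {
//       $_SESSION['restart_csrf'] = bin2hex(openssl_random_pseudo_bytes(16));
//   }
// and in the Autocat popup:
//   <form method="post" action=".scripts/restart-nsm.php" target="_blank">
//     <input type="hidden" name="csrf" value="(echo $_SESSION['restart_csrf'] here)">
//     <button type="submit" class="ac_view">Restart sguil service now</button>
//   </form>
```

Two things to pair with this on the sudo side. The sudoers line from step 1 grants the command with any arguments and as any target user; a sudoers command with no arguments listed matches any arguments, so the tighter form is `www-data ALL=(root) NOPASSWD: /usr/sbin/nsm_server_ps-restart ""`, where the trailing `""` means no arguments are permitted. After editing, `sudo visudo -c` checks the file parses and `sudo -l -U www-data` shows exactly what www-data may run; if that list is empty, the handler above returns rc=1 with sudo's message in stderr rather than a blank page.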

jesse...@gmail.com

Dec 27, 2016, 3:24:48 PM12/27/16
to security-onion
On Tuesday, December 27, 2016 at 1:50:01 PM UTC-5, Kris Springer wrote:
> There are additional methods of getting better output on the php file when the script runs, but my simple file serves my purposes. Expand yours as you desire.

Thanks a bunch!
