New Installation not creating ELSA node


Sean Engelbrecht

Oct 6, 2013, 4:36:09 PM
to securit...@googlegroups.com
Looking for some assistance here. I am trying a new installation with the following in mind:

1 Server and Sensor
2 Sensors (for now only one sensor)

I am using the latest Ubuntu Server 12.04 OS installation media, not the security onion ISO.

The standalone installation proceeds without error, and the sensor installation appears to finish with no error. However, the ELSA node is never created: the new sensor shows up in snorby but not in elsa.

I have attached the sostat output for both server and sensor; also, no traffic is being forwarded to either system's monitoring interfaces yet.

Here are my results for each of the following commands:

ps ax | grep autossh

========================================
Sensor
========================================
3132 ? Ss 0:00 /usr/lib/autossh/autossh -M 0 -q -N -o ServerAliveInterval 60 -o ServerAliveCountMax 3 -i /root/.ssh/securityonion -L 3306:127.0.0.1:3306 -R 50000:localhost:50000 -R 50001:localhost:9306 sen...@192.168.1.143

========================================
Server
========================================
No Results (As expected)

========================================

nc localhost 50000

========================================
Sensor
========================================
[
5.5.32-0ubuntu0.12.04.1`xpIZgyLMÿ{F*=503Le8)`mysql_native_password

========================================
Server
========================================
[
5.5.32-0ubuntu0.12.04.1dt]W{'K%uÿ@~{l0GTQx)_%mysql_native_password

========================================

nc localhost 50001

========================================
Sensor
========================================
No results

========================================
Server
========================================
PuTTYPuTTY

========================================

Any help will be greatly appreciated, thanks.

Sean Engelbrecht

Oct 6, 2013, 5:24:34 PM
to securit...@googlegroups.com
Sorry, forgot to add the sostat files ...

Thanks
sensor_sostat
server_sostat

Heine Lysemose

Oct 7, 2013, 2:31:42 AM
to securit...@googlegroups.com
Hi Sean

Can you attach the log file from sosetup, /var/logs/securityonion/sosetup.log

Thanks,
Lysemose


--
You received this message because you are subscribed to the Google Groups "security-onion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to security-onio...@googlegroups.com.
To post to this group, send email to securit...@googlegroups.com.
Visit this group at http://groups.google.com/group/security-onion.
For more options, visit https://groups.google.com/groups/opt_out.

Sean Engelbrecht

Oct 7, 2013, 9:25:11 AM
to securit...@googlegroups.com
sensor_sosetup.log
server_sosetup.log

Sean Engelbrecht

Oct 7, 2013, 8:37:55 PM
to securit...@googlegroups.com
I plan on trying yet another clean install tomorrow, not too sure what might be the cause of these issues.

I was able to replicate it with virtual machines. Am I the only one having this issue?

Doug Burks

Oct 8, 2013, 2:02:54 PM
to securit...@googlegroups.com
The sensor_sosetup.log you provided shows the following:

# Please wait while configuring ELSA...
ERROR 2002 (HY000): Can't connect to local MySQL server through socket
'/var/run/mysqld/mysqld.sock' (2)
ERROR 2002 (HY000): Can't connect to local MySQL server through socket
'/var/run/mysqld/mysqld.sock' (2)
Beginning installation for ELSA LOG node.
* Reconfiguring mysql to use port 50000/tcp
stop: Unknown instance:
mysql start/running, process 22335
* Placing syslog-ng config
* Building elsa directories
* Placing ELSA log node config file
* Beginning node configuration.
* Adding Sphinx to startup
update-rc.d: warning: /etc/init.d/sphinxsearch missing LSB information
update-rc.d: see <http://wiki.debian.org/LSBInitScripts>
System start/stop links for /etc/init.d/sphinxsearch already exist.
* Adding Syslog-ng to startup
System start/stop links for /etc/init.d/syslog-ng already exist.
mysqladmin: CREATE DATABASE failed; error: 'Can't create database
'syslog'; database exists'
mysqladmin: CREATE DATABASE failed; error: 'Can't create database
'syslog_data'; database exists'
ERROR 1050 (42S01) at line 1 in file:
'/opt/elsa/node/conf/schema.sql': Table 'programs' already exists

Looks like there are multiple errors there. Did you run Setup multiple times?

Please let us know how it goes with your clean install.

--
Doug Burks
http://securityonion.blogspot.com

Sean Engelbrecht

Oct 9, 2013, 2:04:45 AM
to securit...@googlegroups.com
So I did run the sosetup multiple times, that may account for the errors...

I tried again on a clean OS Ubuntu (Ubuntu 12.04.3 LTS - 3.2.0-54-generic)

I have included the logs and sostat output, since the elsa node is still not being created, but the sensor is getting added to the sguil database. Any thoughts?

sensor_sosetup.log
server_sosetup.log
sguil_sensors.txt
sensor_sostat.txt
server_sostat.txt

Doug Burks

Oct 9, 2013, 6:29:15 AM
to securit...@googlegroups.com
When you ran Setup on the sensor, did you select the option to
automatically update the ELSA server?

What is the output of the following on the server?

grep elsa_node /etc/elsa_web.conf /etc/hosts

nc localhost 50000

nc localhost 50001

What is the output of the following on the sensor?

pgrep -lf autossh

Sean Engelbrecht

Oct 9, 2013, 9:08:53 AM
to securit...@googlegroups.com
Thanks Doug,

I have my responses inline...

Sean Engelbrecht

On Wednesday, October 9, 2013 5:29:15 AM UTC-5, Doug Burks wrote:
> When you ran Setup on the sensor, did you select the option to
> automatically update the ELSA server?

Yes, I selected the option to update elsa server.

> What is the output of the following on the server?
>
> grep elsa_node /etc/elsa_web.conf /etc/hosts

Nothing, no results are returned

> nc localhost 50000

Nothing, no results are returned

> nc localhost 50001

Nothing, no results are returned

> What is the output of the following on the sensor?
>
> pgrep -lf autossh

user@sensor:~$ pgrep -lf autossh
6865 /usr/lib/autossh/autossh -M 0 -q -N -o ServerAliveInterval 60 -o ServerAliveCountMax 3 -i /root/.ssh/securityonion -L 3306:127.0.0.1:3306 sen...@10.218.1.143

Doug Burks

Oct 9, 2013, 9:14:42 AM
to securit...@googlegroups.com
Your autossh tunnel doesn't show ports 50000 and 50001. Please reboot
the SENSOR and then run:
pgrep -lf autossh

If it then shows 50000/50001, then re-run the nc test on the SERVER:
nc localhost 50000
nc localhost 50001

If you get connections there, then run the following on the SERVER:
sudo securityonion_elsa_register.rb -f

Then verify that /etc/elsa_web.conf and /etc/hosts got updated on the SERVER:
grep elsa_node_ /etc/elsa_web.conf /etc/hosts

Then restart Apache on the SERVER:
sudo service apache2 restart
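
The checks Doug lists here (and the ones Sean ran by hand in the first post) can be scripted. The following is an added example and not code from this thread or from the Security Onion project: a POSIX shell script that parses `pgrep -lf autossh` output for the `-R` reverse forwards the ELSA node registration depends on (server port 50000 back to the sensor's MySQL, which sosetup moved to 50000/tcp, and server port 50001 back to Sphinx on 9306), probes those ports on the server with nc, and greps the registration files for `elsa_node_` entries. The two sample process lines are constructed to match the shape of the two pgrep outputs in the thread, with `sensor@` standing in for the elided account name; `probe_port` assumes `nc` and `timeout` are installed.

```shell
#!/bin/sh
# Added example, not code from the thread or from Security Onion.
# Automates the thread's checks: does the sensor's autossh tunnel carry the
# two reverse forwards ELSA registration needs, do those ports answer on the
# server, and did securityonion_elsa_register.rb write the node into
# /etc/elsa_web.conf and /etc/hosts.

# Constructed sample lines in the shape of the two `pgrep -lf autossh`
# outputs in the thread. GOOD has the -R forwards, BAD (the clean reinstall)
# does not. "sensor@" stands in for the elided account name.
GOOD='6865 /usr/lib/autossh/autossh -M 0 -q -N -o ServerAliveInterval 60 -o ServerAliveCountMax 3 -i /root/.ssh/securityonion -L 3306:127.0.0.1:3306 -R 50000:localhost:50000 -R 50001:localhost:9306 sensor@192.168.1.143'
BAD='6865 /usr/lib/autossh/autossh -M 0 -q -N -o ServerAliveInterval 60 -o ServerAliveCountMax 3 -i /root/.ssh/securityonion -L 3306:127.0.0.1:3306 sensor@10.218.1.143'

# Print the server-side port of every -R forward on one autossh/ssh line.
reverse_ports() {
    printf '%s\n' "$1" | tr ' ' '\n' | awk '
        prev == "-R" { split($0, f, ":"); print f[1] }
        { prev = $0 }'
}

# Exit 0 only if line $1 reverse-forwards every port listed after it.
tunnel_ok() {
    line=$1
    shift
    found=$(reverse_ports "$line")
    for p in "$@"; do
        printf '%s\n' "$found" | grep -qx "$p" || return 1
    done
    return 0
}

# On the SERVER: probe one forwarded port. Any banner at all means the far
# end answered (MySQL on 50000 sends its version string and
# "mysql_native_password" right after connect, as in the thread). The sleep
# keeps nc's stdin open long enough for the greeting to arrive before EOF.
probe_port() {
    out=$( (sleep 2) | timeout 5 nc localhost "$1" 2>/dev/null | head -c 256)
    if [ -n "$out" ]; then
        echo "port $1: up"
        return 0
    fi
    echo "port $1: no answer"
    return 1
}

# Print the node names registered in the given files (normally
# /etc/elsa_web.conf and /etc/hosts), one per line, deduplicated.
registered_nodes() {
    grep -ho 'elsa_node_[0-9]*' "$@" 2>/dev/null | sort -u
}

# On the SENSOR: apply the same check to the live autossh process.
check_live_sensor() {
    pgrep -lf autossh | while read -r proc; do
        if tunnel_ok "$proc" 50000 50001; then
            echo "tunnel ok: $proc"
        else
            echo "missing -R 50000/50001: $proc"
            echo "  try: sudo pkill -USR1 autossh, or reboot the sensor, then re-check"
        fi
    done
}

# Report on one process line by label.
report() {
    if tunnel_ok "$2" 50000 50001; then
        echo "$1: reverse forwards present: $(reverse_ports "$2" | tr '\n' ' ')"
    else
        echo "$1: reverse forwards missing; nothing will answer on the server's 50000/50001"
    fi
}

# Demonstration on the constructed lines.
report GOOD "$GOOD"
report BAD "$BAD"
```

Run the file as-is to see the two constructed cases; on a real sensor call `check_live_sensor`, and on the server call `probe_port 50000`, `probe_port 50001` and `registered_nodes /etc/elsa_web.conf /etc/hosts` before and after `sudo securityonion_elsa_register.rb -f`. If the probes answer but `registered_nodes` prints nothing, the tunnel is fine and the registration step is what needs re-running.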

Sean Engelbrecht

Oct 9, 2013, 9:23:08 AM
to securit...@googlegroups.com
Looks like it's all working now...

So I restarted the autossh tunnel with the following:
sudo pkill -USR1 autossh

then on the server I ran the following to verify:
nc localhost 50000
5.5.32-0ubuntu0.12.04.1¶j+8ue|_Iÿ-CK1P~MBDkrzmysql_native_password
nc localhost 50001
PuTTYPuTTY

Now that I know the tunnel is up I ran sudo securityonion_elsa_register.rb -f
followed by:
grep elsa_node_ /etc/elsa_web.conf /etc/hosts
/etc/elsa_web.conf: "elsa_node_001": {
/etc/hosts:127.0.0.1 elsa_node_001
and restarted apache2

So now the nodes show up in the files and in the elsa web interface.

I am still not sure what the issues are; the account for the sensor is in the sudo group and only exists on the server.

Any thoughts? I have 8 more sensors to install.

Thanks Again Doug