ERROR: Unable to request rawdata at this time. The sensor XXXXX-ossec is NOT Connected.


Sergio Bascuñán Olmeda
Sep 12, 2016, 10:41:14 AM
to security-onion
First things first: thanks Doug for an AMAZING tool, you did an excellent JOB.
Here is the deal: I'm running Security Onion as a VM, but for some reason I'm receiving an error message saying: ERROR: Unable to request rawdata at this time. The sensor XXXXX-ossec is NOT Connected. This popped up when I right-clicked on the IP that I want to sniff data for. Please help, I'm trying to learn how to use this app.

Thanks
SecOnion.txt

Wes
Sep 12, 2016, 11:48:43 AM
to security-onion
Sergio,


Try the following:

sudo mysql --defaults-file=/etc/mysql/debian.cnf -Dsecurityonion_db -e 'select * from sensor';

Do you see an entry for an agent type of pcap, snort, ossec, etc.?

Is it active (value of "Y")?

Thanks,
Wes

Sergio Bascuñán Olmeda
Sep 12, 2016, 12:00:56 PM
to security-onion
Hello Wes

This is the output:

seconiadm@flcb-seconion:~$ sudo mysql --defaults-file=/etc/mysql/debian.cnf -Dsecurityonion_db -e 'select * from sensor';
+-----+----------------------+------------+---------------------+-----------+-------------+------------+---------------------+--------+------+------------+
| sid | hostname             | agent_type | net_name            | interface | description | bpf_filter | updated             | active | ip   | public_key |
+-----+----------------------+------------+---------------------+-----------+-------------+------------+---------------------+--------+------+------------+
|   1 | flcb-seconion-eth1   | pcap       | flcb-seconion-eth1  | NULL      | NULL        | NULL       | 2016-09-09 19:05:53 | Y      | NULL | NULL       |
|   2 | flcb-seconion-eth1-1 | snort      | flcb-seconion-eth1  | NULL      | NULL        | NULL       | 2016-09-09 19:05:54 | Y      | NULL | NULL       |
|   3 | flcb-seconion-ossec  | ossec      | flcb-seconion-ossec | NULL      | NULL        | NULL       | 2016-09-09 19:05:57 | Y      | NULL | NULL       |
+-----+----------------------+------------+---------------------+-----------+-------------+------------+---------------------+--------+------+------------+
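As an added example (not code from the thread or from the Security Onion project), a small Python triage of the `select * from sensor` output above: it parses the rows and reports, per sensor, whether it is active and whether an alert from it can pivot to full packet capture. It assumes, which the thread does not state outright, that the pivot needs an active pcap agent sharing the alerting sensor's net_name, as the pcap and snort rows above do while the ossec row has its own.

```python
"""Triage Security Onion's `sensor` table (securityonion_db) as printed by:
  sudo mysql --defaults-file=/etc/mysql/debian.cnf -Dsecurityonion_db -e 'select * from sensor'
Reports, per sensor, whether it is active and whether an alert from it can
pivot to full packet capture (FPC).  Assumption (not stated in the thread):
the pivot needs an active 'pcap' agent sharing the alerting sensor's net_name;
the pcap and snort rows posted share one net_name, the ossec row has its own.
"""

# Constructed sample input: the table Sergio posted, whitespace as on the page.
SAMPLE = """\
+-----+----------------------+------------+
| sid | hostname | agent_type | net_name | interface | description | bpf_filter | updated | active | ip | public_key |
+-----+----------------------+------------+
| 1 | flcb-seconion-eth1 | pcap | flcb-seconion-eth1 | NULL | NULL | NULL | 2016-09-09 19:05:53 | Y | NULL | NULL |
| 2 | flcb-seconion-eth1-1 | snort | flcb-seconion-eth1 | NULL | NULL | NULL | 2016-09-09 19:05:54 | Y | NULL | NULL |
| 3 | flcb-seconion-ossec | ossec | flcb-seconion-ossec | NULL | NULL | NULL | 2016-09-09 19:05:57 | Y | NULL | NULL |
+-----+----------------------+------------+
"""

def parse_sensor_table(text):
    """Parse mysql's ASCII table into a list of dicts keyed by column name."""
    header, rows = None, []
    for line in text.splitlines():
        if not line.lstrip().startswith("|"):
            continue  # '+----+' separators and shell prompts are skipped
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if header is None:
            header = cells  # first '|' line is the column header
        elif len(cells) == len(header):
            rows.append(dict(zip(header, cells)))
    return rows

def fpc_pivot_status(rows):
    """Map hostname -> 'ok', 'inactive' or 'no-pcap' (host IDS such as ossec)."""
    pcap_nets = {r["net_name"] for r in rows
                 if r["agent_type"] == "pcap" and r["active"] == "Y"}
    status = {}
    for r in rows:
        if r["active"] != "Y":
            status[r["hostname"]] = "inactive"
        elif r["net_name"] in pcap_nets:
            status[r["hostname"]] = "ok"
        else:
            status[r["hostname"]] = "no-pcap"  # no FPC to pivot into
    return status

if __name__ == "__main__":
    for host, state in fpc_pivot_status(parse_sensor_table(SAMPLE)).items():
        print(f"{host:24} {state}")
```

For the thread's table this reports both eth1 sensors as `ok` and flcb-seconion-ossec as `no-pcap`, which is the case Doug describes further down.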

Sergio Bascuñán Olmeda
Sep 12, 2016, 12:11:51 PM
to security-onion
Sorry, here is the output:

seconiadm@flcb-seconion:~$ sudo mysql --defaults-file=/etc/mysql/debian.cnf -Dsecurityonion_db -e 'select * from sensor';
+-----+----------------------+------------+---------------------+-----------+-------------+------------+---------------------+--------+------+------------+
| sid | hostname             | agent_type | net_name            | interface | description | bpf_filter | updated             | active | ip   | public_key |
+-----+----------------------+------------+---------------------+-----------+-------------+------------+---------------------+--------+------+------------+
|   1 | flcb-seconion-eth1   | pcap       | flcb-seconion-eth1  | NULL      | NULL        | NULL       | 2016-09-09 19:05:53 | Y      | NULL | NULL       |
|   2 | flcb-seconion-eth1-1 | snort      | flcb-seconion-eth1  | NULL      | NULL        | NULL       | 2016-09-09 19:05:54 | Y      | NULL | NULL       |
|   3 | flcb-seconion-ossec  | ossec      | flcb-seconion-ossec | NULL      | NULL        | NULL       | 2016-09-09 19:05:57 | Y      | NULL | NULL       |
+-----+----------------------+------------+---------------------+-----------+-------------+------------+---------------------+--------+------+------------+


Wes
Sep 12, 2016, 12:41:40 PM
to security-onion
Sergio,

Do you have another sensor that is not connected to the standalone?

You may want to check /var/log/nsm/[hostname-interface]/ossec_agent.log to see if anything jumps out at you.

Thanks,
Wes

Sergio Bascuñán Olmeda
Sep 12, 2016, 2:00:53 PM
to security-onion
I think that's the only one. Logs attached.
SecOnion2.txt

Sergio Bascuñán Olmeda
Sep 12, 2016, 2:09:40 PM
to security-onion
Hey Wes

Output attached. There is no ossec_agent.log under flcb-seconion-eth1. Do you think that's the problem? For your info, eth0 is my management interface and eth1 is my sniffing interface.

Thanks


ossec.txt

Wes
Sep 12, 2016, 6:49:21 PM
to security-onion
Sorry, the log should be in /var/log/nsm/

Have you tried restarting services or rebooting to see if it helps?

Thanks,
Wes

Sergio Bascuñán Olmeda
Sep 13, 2016, 9:04:58 AM
to security-onion
Yes I did it multiple times.

Sergio Bascuñán Olmeda
Sep 13, 2016, 9:09:45 AM
to security-onion
Hey Wes

Another thing is that the ossec_agent.log is empty.

Wes
Sep 13, 2016, 4:54:06 PM
to security-onion
Sergio,

I can't think of any other reason why ossec_agent wouldn't be operating correctly--have you tried re-running setup?

Thanks,
Wes

Doug Burks
Sep 13, 2016, 5:09:32 PM
to securit...@googlegroups.com
Hi Sergio,

Are you trying to pivot from an OSSEC alert to full packet capture? Pivoting to full packet capture only works for Network IDS alerts (not Host IDS alerts from OSSEC).
--
Doug Burks

Wes Lambert
Sep 13, 2016, 5:12:14 PM
to securit...@googlegroups.com

If I'm understanding correctly, this is when you select the sensor/interfaces to monitor when loading Sguil--is this correct, Sergio?

Thanks,
Wes



Sergio Bascuñán Olmeda
Sep 14, 2016, 8:59:37 AM
to security-onion
Yes, that's correct Wes and Doug, see attached printscreen.
ossec sguil.png
Squert.png

Wes
Sep 14, 2016, 9:06:26 AM
to security-onion
Sergio,

Apologies for taking you down the rabbit hole... I see what you mean now. I was originally thinking of you attempting to select a sensor interface for monitoring when Sguil starts up, instead of pivoting to FPC from an alert. As Doug mentioned, you cannot pivot from an OSSEC alert; the information for the alert is provided in the bottom right-hand pane if you click "Display Detail" (in Sguil).

Thanks,
Wes