Re: [security-onion] Virtual Machine Snapshot Reverting Causes pcap_agent Failure


Doug Burks

Nov 13, 2012, 11:14:09 PM11/13/12
to securit...@googlegroups.com
Hi Jason,

The processes probably got confused when you reverted to the snapshot from a previous date and NTP updated the time to today's date.  Most likely, you could have simply restarted the processes:
sudo service nsm restart

Thanks,
Doug

On Tuesday, November 13, 2012, Jason wrote:
A little while back I perfectly configured a Security Onion VMware instance and took a VMware Workstation "snapshot" of the configuration, so I could later revert to the snapshot if needed.

Recently I reverted to the previously perfectly configured Security Onion snapshot and noticed that I was not seeing any new events in Sguil.  I ran "sudo sostat" and found that "pcap_agent" was showing "FAIL", while everything else was showing "OK".

Reading this forum, I saw someone mention that in this scenario we can try to erase everything in the "/nsm/sensor_data/_NAME_OF_SENSOR/dailylogs" directory (it contained other directories with names representing the various dates).

After I deleted the above, I rebooted the virtual machine, reran "sudo sostat" and "pcap_agent" is now showing "OK".  I would think this is related.

Any thoughts are welcome.

--
Doug Burks
http://securityonion.blogspot.com
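
A small post-revert sanity check, added here as an illustration and not code from the Security Onion project or from either poster: it compares the date-named directories under a sensor's dailylogs path (the /nsm/sensor_data/<sensor>/dailylogs layout mentioned in the thread) with the system date, so that the "clock jumped after the snapshot revert" situation Doug describes is visible before anyone starts deleting directories. The function names, the state words and the exit codes are assumptions made for this example; the sample directory tree is constructed inline.

```shell
#!/bin/sh
# Added example (not code from the Security Onion project or the thread above):
# compare the date-named directories under a sensor's dailylogs path with the
# current system date. The directory layout
# /nsm/sensor_data/<sensor>/dailylogs/YYYY-MM-DD comes from the thread; the
# function names, state words and exit codes are assumptions for this example.

# Prints one of: empty | current | stale | future.
#   current = the newest log directory is dated today.
#   stale   = the newest log directory is older than today, which is what you
#             see after a snapshot revert once NTP has moved the clock forward.
#   future  = the newest log directory is dated after today, i.e. the clock
#             now reads earlier than the sensor's last write.
# Usage: dailylogs_state <dailylogs_dir> [today as YYYY-MM-DD]
dailylogs_state() {
    dir=$1
    today=${2:-$(date +%Y-%m-%d)}
    # Collect directory names that look like ISO dates. ISO dates sort
    # correctly as plain strings, so the last line from sort(1) is the newest.
    newest=$(
        for d in "$dir"/*/; do
            d=${d%/}
            name=${d##*/}
            case $name in
                [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) echo "$name" ;;
            esac
        done | sort | tail -n 1
    )
    if [ -z "$newest" ]; then
        echo empty; return 1
    elif [ "$newest" = "$today" ]; then
        echo current; return 0
    fi
    later=$(printf '%s\n%s\n' "$newest" "$today" | sort | tail -n 1)
    if [ "$later" = "$newest" ]; then
        echo future; return 2
    fi
    echo stale; return 3
}

# Builds a throwaway dailylogs tree containing the given date directories and
# prints its path (constructed sample data for this example).
make_sample_dailylogs() {
    base=$(mktemp -d)
    for day in "$@"; do mkdir -p "$base/$day"; done
    echo "$base"
}

# Demo: a sensor snapshotted on 2012-11-01 and reverted on 2012-11-13, after
# NTP has already moved the clock to the real date.
sample=$(make_sample_dailylogs 2012-10-31 2012-11-01)
state=$(dailylogs_state "$sample" 2012-11-13)
echo "dailylogs state: $state"
case $state in
    stale|future) echo "clock and sensor logs disagree; try: sudo service nsm restart" ;;
esac
rm -rf "$sample"
```

Run it against the real path as `dailylogs_state /nsm/sensor_data/<sensor>/dailylogs` (no second argument, so the live system date is used). A "stale" result right after a revert is the expected symptom; restarting the NSM services is the first thing to try, and only if that fails is it worth looking at the dailylogs directories themselves.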
