Re: [security-onion] Elsa No longer logging


Doug Burks

May 20, 2015, 8:34:34 PM
to securit...@googlegroups.com
Hi Mike,

Try starting Sphinx manually from the command line as it is started in
/etc/init/sphinxsearch.conf to see if any errors show up.

On Wed, May 20, 2015 at 12:46 PM, Mike Nonchalant <exa...@gmail.com> wrote:
> Hi Securityonion pros
> I ran out of disk space... After fixing the issue everything seems to be normal...except elsa
>
> Snorby has been running just fine
>
> Elsa ossec gives error "no nodes available"
> everything else queries with 0
>
>
> here are some logs. Please help?
>
> searchd --status
> Sphinx 2.1.9-id64-release (rel21-r4761)
> Copyright (c) 2001-2014, Andrew Aksyonoff
> Copyright (c) 2008-2014, Sphinx Technologies Inc (http://sphinxsearch.com)
>
> using config file '/etc/sphinxsearch/sphinx.conf'...
> WARNING: failed to connect to 0.0.0.0:9312: Connection refused
>
> FATAL: failed to connect to daemon: please specify listen with sphinx protocol in your config file
>
> =========================================================================
> ELSA
> =========================================================================
> Syslog-ng
> Checking for process:
> 2704 supervising syslog-ng
> 2705 /usr/sbin/syslog-ng -p /var/run/syslog-ng.pid
> Checking for connection:
> Connection to localhost 514 port [tcp/shell] succeeded!
>
> MySQL
> Checking for process:
> 2737 /usr/sbin/mysqld
> Checking for connection:
> Connection to localhost 3306 port [tcp/mysql] succeeded!
>
> Sphinx
> Checking for process:
> Checking for connection:
> nc: connect to localhost port 9306 (tcp) failed: Connection refused
>
> ELSA Buffers in Queue:
> 1815
> If this number is consistently higher than 20, please see:
> https://github.com/Security-Onion-Solutions/security-onion/wiki/FAQ#why-does-sostat-show-a-high-number-of-elsa-buffers-in-queue
>
> ELSA Directory Sizes:
> 20G /nsm/elsa/data
> 17M /var/lib/mysql/syslog
> 2.0G /var/lib/mysql/syslog_data
>
>
>
>
> Thanks!
>



--
Doug Burks
Need Security Onion Training or Commercial Support?
http://securityonionsolutions.com