Removing a sensor


Ric Woodard

Nov 4, 2014, 12:11:16 PM11/4/14
to securit...@googlegroups.com
Due to Issue 620, I'm finding that netsniff-ng is being stopped. After looking into the issue itself, I find that it is most likely due to a missing sensor which means there are no pcaps to be found to delete. Netsniff-ng is stopped on 2 out of 3 servers and it happens daily. I'm not real sure why it is not stopped on the 3rd but all the evidence would point to nsm_sensor_clean.

I looked at /var/log/nsm/sensor-clean.log and it is filled with "OOPS: The server "" does not exist!"

It seems the most logical solution would be to remove the old sensor altogether. I had the sensor setup offsite to monitor another office but have since taken it down and am getting ready to rebuild it to help with another sensor that is being overloaded.

What is the best practice method of removing the old sensor? Doing a search of the forum turned up nsm_sensor_del but I'm not quite sure if that's something that is finished and is recommended to be used.

Also, when I finish the new sensor, what is the best method of adding it without deleting all of the previous configuration?

Thanks -- I apologize if this has been answered before but I did not find any recent results and wanted to be sure.

Doug Burks

Nov 4, 2014, 12:41:38 PM11/4/14
to securit...@googlegroups.com
Hi Ric,

Replies inline.

On Tue, Nov 4, 2014 at 12:11 PM, Ric Woodard <ricwo...@gmail.com> wrote:
> Due to Issue 620, I'm finding that netsniff-ng is being stopped. After looking into the issue itself, I find that it is most likely due to a missing sensor which means there are no pcaps to be found to delete. Netsniff-ng is stopped on 2 out of 3 servers and it happens daily. I'm not real sure why it is not stopped on the 3rd but all the evidence would point to nsm_sensor_clean.
>
> I looked at /var/log/nsm/sensor-clean.log and it is filled with "OOPS: The server

server or sensor?

> "" does not exist!"

What is the output of the following?

cat /etc/nsm/servertab

cat /etc/nsm/sensortab

It may also help to provide us with some sostat-redacted output so we
get a better feel for your sensor configuration.

> It seems the most logical solution would be to remove the old sensor altogether. I had the sensor setup offsite to monitor another office but have since taken it down and am getting ready to rebuild it to help with another sensor that is being overloaded.
>
> What is the best practice method of removing the old sensor? Doing a search of the forum turned up nsm_sensor_del but I'm not quite sure if that's something that is finished and is recommended to be used.

You have a few different options, depending on what exactly you're trying to do:

- disable the sensor interface by commenting out the sensor in
/etc/nsm/sensortab

OR

- use nsm_sensor_del to delete the sensor configuration

OR

- re-run Setup to wipe all config/data

> Also, when I finish the new sensor, what is the best method of adding it without deleting all of the previous configuration?

I'm not sure I understand. You were asking about nsm_sensor_del, but
now you're saying you don't want to delete the previous configuration.

Can you tell us more about what exactly you're trying to do?

--
Doug Burks
Need Security Onion Training or Commercial Support?
http://securityonionsolutions.com

Ric Woodard

Nov 4, 2014, 5:54:22 PM11/4/14
to securit...@googlegroups.com
I'm attempting to remove a sensor. The output of /etc/nsm/servertab is:

------
cat /etc/nsm/servertab
# The server table is used as a quick look up for the NSMnow administration
# scripts. Each line represents a unique server on this host (due to the current limitations of sguil, this is restricted to 1). The values defined
# are:
# - name: the name of the server
# - auto: the server is capable of auto assumption
#
# name auto
securityonion 1
-------

There is no output for /etc/nsm/sensortab (I'm running these commands on the server). I had a 4th sensor but I have since removed it and am rebuilding it. I need to remove said sensor but when it is rebuilt I will want to add the new sensor (different hostnames and IPs).

I mentioned nsm_sensor_del as something that I saw in another post when I performed a search on the 'remove sensor' topic. I wasn't sure if it was still recommended to be used.

> I'm not sure I understand. You were asking about nsm_sensor_del, but
> now you're saying you don't want to delete the previous configuration.

I meant I do not want to re-run Setup and have all of the configuration lost. I do not care if this one sensor's configuration is blown away, but when I re-add the sensor with a new hostname/IP, I want to add it to the existing setup.


I have attached sostat-redacted in a txt file. I've noticed there are a lot of mentions of salt in the sostat and I use salt occasionally but not sure why there would be that many running processes.

If nsm_sensor_clean only removes the configuration from that individual sensor then it sounds like that would be the best route to take. Is there an nsm_sensor_add that allows a sensor to be added seamlessly into the setup?

sostat-redacted_server.txt

Doug Burks

Nov 4, 2014, 6:35:12 PM11/4/14
to securit...@googlegroups.com
Replies inline.

On Tue, Nov 4, 2014 at 5:54 PM, Ric Woodard <ricwo...@gmail.com> wrote:
> I'm attempting to remove a sensor. The output of /etc/nsm/servertab is:
>
> ------
> cat /etc/nsm/servertab
> # The server table is used as a quick look up for the NSMnow administration
> # scripts. Each line represents a unique server on this host (due to the current limitations of sguil, this is restricted to 1). The values defined
> # are:
> # - name: the name of the server
> # - auto: the server is capable of auto assumption
> #
> # name auto
> securityonion 1
> -------
>
> There is no output for /etc/nsm/sensortab (I'm running these commands on the server).

I was asking for the output of those commands from the sensor (not the
server), since I was replying to your statement that the SENSOR's
/var/log/nsm/sensor-clean.log is filled with "OOPS: The server "" does
not exist!". Can you provide the output of those commands from the
sensor box?

> I had a 4th sensor but I have since removed it and am rebuilding it. I need to remove said sensor but when it is rebuilt I will want to add the new sensor (different hostnames and IPs).

If you're rebuilding a sensor box with a new hostname and IP address,
you should be able to simply run Setup on it and join it to your
master server.

> I mentioned nsm_sensor_del as something that I saw in another post when I performed a search on the 'remove sensor' topic. I wasn't sure if it was still recommended to be used.

Are you saying you want to run nsm_sensor_del on your master server?
That won't do anything if the master server has no sensor interfaces
of its own.

> I'm not sure I understand. You were asking about nsm_sensor_del, but
> now you're saying you don't want to delete the previous configuration.
> --
> I meant I do not want to re-run setup and have all of the configuration lost.

You don't have to re-run Setup on the master server.

> I do not care if this one sensor's configuration is blown away, but when I re-add the sensor with a new hostname/IP, I want to add it to the existing setup.

If you're rebuilding a sensor box with a new hostname and IP address,
you should be able to simply run Setup and join it to your master
server.

> I have attached sostat-redacted in a txt file.

I'm assuming this is from your master server? Can you provide sostat
from your sensor box?

> I've noticed there are a lot of mentions of salt in the sostat and I use salt occasionally but not sure why there would be that many running processes.

Yes, that's a lot of salt processes. Have you tried rebooting? If
that doesn't help, check your salt configuration in /opt/onionsalt/.

I also noticed the following at the top of your sostat:
Status: securityonion
* sguil server[ FAIL ]
* stale PID file found, process will be restarted at the next 5-minute interval!

You should take a look at the sguild log file:
/var/log/nsm/securityonion/sguild.log

Ric Woodard

Nov 5, 2014, 6:30:52 PM11/5/14
to securit...@googlegroups.com
I know where the confusion is coming from. The sensor I removed has already been wiped (not my decision). What I want to do is remove the sensor from the master server. It seems nsm_sensor_del needs to be run on the sensor you want removed and I thought you could run it on the master server and select a sensor to be removed.

With the sensor no longer able to be accessed, how do you tell the master server to stop looking for the sensor?

Doug Burks

Nov 6, 2014, 8:49:30 AM11/6/14
to securit...@googlegroups.com
On the master server, you'll want to remove the sensor box from the following:

- /etc/elsa_web.conf and restart Apache

- MySQL database securityonion_db, sensor table (you can simply set
active='N') and restart sguild

- if running salt, then remove the sensor box from /opt/onionsalt/salt/top.sls.

On Wed, Nov 5, 2014 at 6:30 PM, Ric Woodard <ricwo...@gmail.com> wrote:
> I know where the confusion is coming from. The sensor I removed has already been wiped (not my decision). What I want to do is remove the sensor from the master server. It seems nsm_sensor_del needs to be run on the sensor you want removed and I thought you could run it on the master server and select a sensor to be removed.
>
> With the sensor no longer able to be accessed, how do you tell the master server to stop looking for the sensor?
>
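The master-side removal Doug lists above, as an added shell example that is not from this thread or from the Security Onion project. It assumes the sguil sensor table has a hostname column next to active, that mysql connects as root without a password, and that nsm_server_ps-restart restarts sguild; deactivate_sql and remaining_refs are hypothetical helper names.

```shell
#!/bin/sh
# Added example, not from the thread or the Security Onion project:
# deactivate a wiped sensor on the master server, following the three
# places Doug lists. Assumptions: the sguil sensor table has a hostname
# column alongside active; mysql connects as root without a password;
# nsm_server_ps-restart restarts sguild. Helper names are hypothetical.
set -eu

# Build the UPDATE that marks every row for the old sensor inactive,
# doubling single quotes so an odd hostname cannot break the statement.
deactivate_sql() {
    esc=$(printf '%s' "$1" | sed "s/'/''/g")
    printf "UPDATE sensor SET active='N' WHERE hostname='%s';" "$esc"
}

# Print each given file that still mentions the sensor hostname
# (elsa_web.conf, salt top.sls); exit status 0 if any reference remains.
remaining_refs() {
    host=$1; shift
    found=1
    for f in "$@"; do
        [ -f "$f" ] && grep -qF -- "$host" "$f" && { echo "$f"; found=0; }
    done
    return $found
}

main() {
    host=$1
    # Sguil: mark the old sensor inactive, then restart sguild.
    deactivate_sql "$host" | mysql -uroot securityonion_db
    nsm_server_ps-restart
    # ELSA and salt: these are hand edits, so only report what is left.
    if remaining_refs "$host" /etc/elsa_web.conf /opt/onionsalt/salt/top.sls; then
        echo "remove '$host' from the files above, then restart Apache"
    else
        echo "no references to '$host' left in elsa_web.conf or top.sls"
    fi
}

# Usage: sh remove_sensor.sh OLD_SENSOR_HOSTNAME (no args: define only)
if [ $# -gt 0 ]; then main "$@"; fi
```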

Ric Woodard

Nov 7, 2014, 11:36:03 AM11/7/14
to securit...@googlegroups.com
Thanks Doug. Keep up the great work.