Unable to connect to localhost on port 7736.


John Naggets

Jul 20, 2017, 11:39:04 AM
to security-onion
Hi,

I just finished installing SO as a production Standalone server on an Ubuntu 14.04 LTS server, and although the "nsm_sensor_ps-status" command shows everything as "OK", I can't connect to the squert web interface, which says "Connection failed".

By checking log files in /var/log/nsm I could find out in the file /var/log/nsm/sos1-p15p1/snort_agent-1.log that a service which should run on port 7736 does not seem to be running. Below I copied an extract of that log file:

Executing: /usr/bin/snort_agent.tcl -c /etc/nsm/sos1-p15p1/snort_agent-1.conf
Unable to connect to localhost on port 7736.
Trying again in 15 seconds
Listening on port 8601 for barnyard connections.
Error: Invalid snort stats line: ################################### Perfmon stop: pid=30881 at=Thu Jul 20 15:32:12 2017 (1500564732) ###################################
Unable to connect to localhost on port 7736.
Trying again in 15 seconds
barnyard connected: sock1b69250 127.0.0.1 59466
Error: Invalid snort stats line: ################################### Perfmon start: pid=5601 at=Thu Jul 20 15:34:57 2017 (1500564897) ###################################
Error: Invalid snort stats line: #time,pkt_drop_percent,wire_mbits_per_sec.realtime,alerts_per_second,kpackets_wire_per_sec.realtime,avg_bytes_per_wire_packet,patmatch_percent,syns_per_second,synacks_per_second,new_sessions_per_second,deleted_sessions_per_second,total_sessions,max_sessions,stream_flushes_per_second,stream_faults,stream_timeouts,frag_creates_per_second,frag_completes_per_second,frag_inserts_per_second,frag_deletes_per_second,frag_autofrees_per_second,frag_flushes_per_second,current_frags,max_frags,frag_timeouts,frag_faults,iCPUs,usr[0],sys[0],idle[0],wire_mbits_per_sec.realtime,ipfrag_mbits_per_sec.realtime,ipreass_mbits_per_sec.realtime,rebuilt_mbits_per_sec.realtime,mbits_per_sec.realtime,avg_bytes_per_wire_packet,avg_bytes_per_ipfrag_packet,avg_bytes_per_ipreass_packet,avg_bytes_per_rebuilt_packet,avg_bytes_per_packet,kpackets_wire_per_sec.realtime,kpackets_ipfrag_per_sec.realtime,kpackets_ipreass_per_sec.realtime,kpackets_rebuilt_per_sec.realtime,kpackets_per_sec.realtime,pkt_stats.pkts_recv,pkt_stats.pkts_drop,total_blocked_verdicts,new_udp_sessions_per_second,deleted_udp_sessions_per_second,total_udp_sessions,max_udp_sessions,max_tcp_sessions_interval,curr_tcp_sessions_initializing,curr_tcp_sessions_established,curr_tcp_sessions_closing,tcp_sessions_midstream_per_second,tcp_sessions_closed_per_second,tcp_sessions_timedout_per_second,tcp_sessions_pruned_per_second,tcp_sessions_dropped_async_per_second,current_attribute_hosts,attribute_table_reloads,mpls_mbits_per_sec.realtime,avg_bytes_per_mpls_packet,kpackets_per_sec_mpls.realtime,total_tcp_filtered_packets,total_udp_filtered_packets,num_normalizations,ip4::trim,ip4::tos,ip4::df,ip4::rf,ip4::ttl,ip4::opts,icmp4::echo,ip6::ttl,ip6::opts,icmp6::echo,tcp::syn_opt,tcp::opt,tcp::pad,tcp::rsv,tcp::ns,tcp::urp,tcp::ecn_pkt,tcp::ecn_ssn,tcp::ts_ecr,tcp::ts_nop,tcp::ips_data,tcp::block,tcp::req_urg,tcp::req_pay,tcp::req_urp,tcp::trim_syn,tcp::trim_rst,tcp::trim_win,tcp::trim_mss,would_ip4::trim,would_ip4::tos,would_ip4::df,would_ip4::rf,would_ip4::ttl,would_ip4::opts,would_icmp4::echo,would_ip6::ttl,would_ip6::opts,would_icmp6::echo,would_tcp::syn_opt,would_tcp::opt,would_tcp::pad,would_tcp::rsv,would_tcp::ns,would_tcp::urp,would_tcp::ecn_pkt,would_tcp::ecn_ssn,would_tcp::ts_ecr,would_tcp::ts_nop,would_tcp::ips_data,would_tcp::block,would_tcp::req_urg,would_tcp::req_pay,would_tcp::req_urp,would_tcp::trim_syn,would_tcp::trim_rst,would_tcp::trim_win,would_tcp::trim_mss,total_injected_packets,frag3_mem_in_use,stream5_mem_in_use,total_alerts_per_second
Unable to connect to localhost on port 7736.
Trying again in 15 seconds

Any ideas what could be wrong here?

Best regards,
John

Wes

Jul 20, 2017, 11:42:25 AM
to security-onion
John,

Have you tried restarting services with:

sudo service nsm restart

or have you tried rebooting?

Thanks,
Wes

John Naggets

Jul 20, 2017, 11:52:11 AM
to security-onion
I tried a reboot before, that did not help. Now, using the restart command restarted everything and it always shows "OK" in green, but still it does not work.

It seems that a process called sguild which should listen on port 7736 is not running.
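As an added example (not from this thread and not Security Onion's own code), a small Python triage script over a snort_agent log like the one John posted: it counts the connection attempts against each unreachable local dependency, maps the port to the component named in this thread (7736 for sguild, 8601 for the barnyard listener, 3306 for mysqld), keeps the "Invalid snort stats line" errors separate so they are not confused with the connectivity fault, and then probes whether anything is listening on that port now. The sample log is constructed from John's excerpt, and the `probe` argument is an assumption made so the logic can run without live services.

```python
import re
import socket
from collections import Counter

# Local dependency ports named in this thread; the sample log is constructed from John's excerpt.
COMPONENTS = {7736: "sguild", 8601: "snort_agent barnyard listener", 3306: "mysqld"}

SAMPLE_LOG = """\
Unable to connect to localhost on port 7736.
Listening on port 8601 for barnyard connections.
Error: Invalid snort stats line: ##### Perfmon stop: pid=30881 #####
Unable to connect to localhost on port 7736.
barnyard connected: sock1b69250 127.0.0.1 59466
Unable to connect to localhost on port 7736.
"""

UNABLE_RE = re.compile(r"Unable to connect to (\S+) on port (\d+)\.")
STATS_RE = re.compile(r"Error: Invalid snort stats line:")

def parse_snort_agent_log(text):
    """Return (failures, stats_errors): failures maps (host, port) to the number of
    logged connection attempts; stats_errors counts perfmon parse errors separately."""
    failures, stats_errors = Counter(), 0
    for line in text.splitlines():
        m = UNABLE_RE.search(line)
        if m:
            failures[(m.group(1), int(m.group(2)))] += 1
        elif STATS_RE.search(line):
            stats_errors += 1
    return failures, stats_errors

def port_is_listening(host, port, timeout=1.0):
    """True if a TCP connect to host:port succeeds; nothing is sent on the socket."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def triage(text, probe=port_is_listening):
    """One finding per unreachable dependency, naming the component to inspect next."""
    failures, _ = parse_snort_agent_log(text)
    findings = []
    for (host, port), n in sorted(failures.items()):
        name = COMPONENTS.get(port, "unknown service")
        state = "now listening" if probe(host, port) else "still not listening"
        findings.append(f"{name} on {host}:{port}: {n} attempts logged, {state}")
    return findings

if __name__ == "__main__":
    print("\n".join(triage(SAMPLE_LOG)))
```

On a real sensor, feed it the contents of /var/log/nsm/<sensor>/snort_agent-1.log; a finding of "sguild ... still not listening" points at the sguild log and MySQL rather than at snort_agent itself.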

Wes Lambert

Jul 20, 2017, 12:17:10 PM
to securit...@googlegroups.com
John,

sguild processes and stores alert data in the securityonion_db database.

You may want to try checking /var/log/nsm/securityonion/sguild.log for clues.

Also, please provide the output of sostat-redacted, attaching as a plain text file, or using a service like Pastebin.com.

Thanks,
Wes



--
Follow Security Onion on Twitter!
https://twitter.com/securityonion
---
You received this message because you are subscribed to the Google Groups "security-onion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to security-onion+unsubscribe@googlegroups.com.
To post to this group, send email to security-onion@googlegroups.com.
Visit this group at https://groups.google.com/group/security-onion.
For more options, visit https://groups.google.com/d/optout.

John Naggets

Jul 20, 2017, 5:23:22 PM
to security-onion
Hi Wes,

I don't have any /var/log/nsm/securityonion/sguild.log file and the /var/log/nsm/securityonion directory doesn't even exist.

Hopefully the output of the sostat-redacted will make more sense of what is going wrong here...

Best,
John
sostat.txt

Wes Lambert

Jul 21, 2017, 6:42:32 AM
to securit...@googlegroups.com
John,

From your sostat, I see a few things:

Also looks like MySQL is having issues:

MySQL
Checking for process:
1663 /usr/sbin/mysqld
Checking for connection:
nc: connect to localhost port 50000 (tcp) failed: Connection refused
nc: connect to localhost port 50000 (tcp) failed: Connection refused

Also, this:

Checking APIKEY:
APIKEY not found on master server.

Are you sure you configured this machine as a standalone and not just a sensor?

The quickest and easiest route to a fix may be to run setup again.

Thanks,
Wes


John Naggets

Jul 21, 2017, 8:11:12 AM
to security-onion
Thanks for checking.

That's weird, why would SO check port 50000 for MySQL? I checked and the MySQL server is running on port 3306 and not 50000.

I had first installed this server as a sensor-only server but then decided to use standalone. So what I did was to uninstall all SO packages, MySQL, etc. and then re-install and re-run sosetup in standalone mode.

Is it possible that SO now thinks it is still in sensor-only mode although I re-ran sosetup as a standalone server? If yes, is there any way I can force SO into standalone mode?

Best,
J.


Wes

Jul 24, 2017, 7:27:29 AM
to security-onion
John,

In most circumstances, you shouldn't have to install/uninstall packages to re-run setup.

It may be easier at this point to perform a fresh install.

Thanks,
Wes

John Naggets

Jul 25, 2017, 2:46:17 AM
to security-onion
IMHO re-installing the OS is not an option, as the software should have a clean uninstall method.

Nevertheless, I managed to re-install this time by first running all possible nsm_*_delete commands, removing all packages one by one and then re-installing SO.

It would be nice if SO had a clean uninstall method that left nothing behind on the OS.

Doug Burks

Jul 25, 2017, 3:02:52 PM
to securit...@googlegroups.com
Hi John,

I've created the following issue:

Full uninstall method #1114
https://github.com/Security-Onion-Solutions/security-onion/issues/1114

Doug Burks

John Naggets

Jul 25, 2017, 3:49:47 PM
to security-onion
Thanks and thanks again Doug for all your effort!