Gerry,
Are you referring to the login page not loading at all, or the fact that when you try to log in using the Squert login prompt, it says "connection failed"?
If the second case holds true, you could try adding a new user in the Sguil database, or changing the password of the existing user:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Passwords#sguil
Thanks,
Wes
The Squert login page loads and asks me to log in to continue. When I attempt to log in, I get the connection failed message.
As you suggested, I tried creating a new user in the Sguil database and still could not log in - I received the connection failed message again. Note, the new user works fine with Sguil.
The Squert login page shows that I am running Version 1.5.0.
Thanks,
Gerry
Gerry,
You could try cutting back on some of the uncategorized events in Sguil to see if that helps.
You could also try the following:
#Stop the NSM service
sudo service nsm stop
#Confirm components managed by NSM service are stopped
sudo service nsm status
#Restart MySQL
sudo service mysql restart
#Start NSM service
sudo service nsm start
#Confirm components managed by NSM service are started
sudo service nsm status
Then try logging in to Squert.
If that doesn't help, try rebooting the machine. You could also try looking for clues in /var/log/mysql.
It looks like this error occurs only if Squert is not able to connect to (the socket for) sguild; otherwise, you would get an "authentication failed" message.
(https://github.com/int13h/squert/blob/master/.scripts/clicat.tcl)
Please try these steps and let me know the results.
Also, Snorby is now considered unmaintained, so it may be wise to begin transitioning to the other interfaces for viewing alerts/data, as it (Snorby) is being removed from Security Onion in the future.
https://github.com/Security-Onion-Solutions/security-onion/wiki/Snorby
Thanks,
Wes
I tried all of your suggestions and still cannot connect - same error. I modified the error message in the clicat.tcl script and my modified message did not appear. Consequently, I searched the entire Squert directory looking for a "Connection Failed" message and found this in the login.php file. I modified the error message in that file and the modified error message was displayed when I attempted to log in. If I am interpreting the error properly, it appears that the database is not being selected properly.
Here is the code snippet with my modified error message ("Connection Failed1") - I removed several lines of code in the first if statement for brevity:
$db = mysql_connect($dbHost,$dbUser,$dbPass);
$link = mysql_select_db($dbName, $db);
if ($link) {
    $user = cleanUp($username);
    $query = "SELECT * FROM user_info WHERE username = '$user'";
    $result = mysql_query($query);
    $numRows = mysql_num_rows($result);
    .....
        } else {
            $err = 'The user name or password is incorrect.';
            $focus = 'username';
        }
    } else {
        $err = 'The user name or password is incorrect.';
        $focus = 'username';
    }
} else {
    $err = 'Connection Failed1';
}
Any thoughts?
Thanks for all of your help.
Gerry
Gerry,
Try taking a look at /var/www/squert/.inc/config.php and see if any of the parameters look strange.
Here is a similar thread that may be of assistance:
https://groups.google.com/forum/#!msg/security-onion/vQvNNg2JSEc/ITGJAsV3M3AJ
You could also try checking securityonion_db for any corruption with the following:
sudo mysqlcheck -c securityonion_db
Thanks,
Wes
Hello Wes,
I ran the mysqlcheck as suggested and did not have any errors.
I also tried the command line suggestions in the link you provided me and received a 1045 Error. It looks like I might have a problem with the mysql user account. Do you have a good reference for troubleshooting mysql?
To confirm, did you attempt to connect using the following command, and then entering the password for the dbUser?
mysql -u readonly -p securityonion_db
Thanks,
Wes
I found a mysql reference and recreated the user/password combination that is in my config.php file. I then granted rights for this user to the securityonion_db and now I can log in!
Awesome! Glad to hear it.
Wes
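The check this thread converged on, as an added example (not from the thread or from Squert's own code): read the database settings out of config.php, try them with the mysql client, and report whether the connect step or the database-selection step in login.php is the one failing behind the single "Connection Failed" message. It assumes config.php assigns $dbHost, $dbName, $dbUser and $dbPass as quoted string literals; the function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample config; values are placeholders, not from the thread.
sample_config() {
cat <<'EOF'
<?php
$dbHost = '127.0.0.1';
$dbName = 'securityonion_db';
$dbUser = 'readonly';
$dbPass = 'EXAMPLE-PASSWORD';
EOF
}

# Print the string assigned to PHP variable $1 in the config read from stdin.
cfg_value() {
    sed -n "s/^[[:space:]]*\\\$$1[[:space:]]*=[[:space:]]*['\"]\\(.*\\)['\"][[:space:]]*;.*/\\1/p" | head -n 1
}

# Map mysql client error text to the login.php call that would fail.
classify_error() {
    case "$1" in
        "") echo "ok" ;;
        *"ERROR 1045"*) echo "connect: account or password rejected" ;;
        *"ERROR 2002"*|*"ERROR 2003"*) echo "connect: server unreachable" ;;
        *"ERROR 1044"*) echo "select_db: account lacks privileges on database" ;;
        *"ERROR 1049"*) echo "select_db: database does not exist" ;;
        *) echo "unknown" ;;
    esac
}

# Try the configured account non-interactively; needs the mysql client.
# MYSQL_PWD keeps the password out of the process argument list.
check_config() {
    host=$(cfg_value dbHost <"$1"); user=$(cfg_value dbUser <"$1")
    pass=$(cfg_value dbPass <"$1"); name=$(cfg_value dbName <"$1")
    err=$(MYSQL_PWD=$pass mysql -h "$host" -u "$user" -e 'SELECT 1' "$name" 2>&1 >/dev/null)
    classify_error "$err"
}

# Usage: sudo sh check.sh /var/www/squert/.inc/config.php
if [ $# -gt 0 ]; then check_config "$1"; fi
```

A 1045 result points at the account or its password, while 1044 or 1049 point at the database name or its grants.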