Re: No logs in Kibana after modifying syslog-ng.conf to send Sguil alerts to Syslog server


Wes

Nov 14, 2017, 9:14:08 AM
to security-onion
On Monday, November 13, 2017 at 7:00:59 PM UTC-5, Stafford Waltho wrote:
> I have successfully in the past, using a previous release of Security Onion managed to send Sguil alerts to an external Syslog server by modifying the syslog-ng.conf file in accordance with the following link https://github.com/Security-Onion-Solutions/security-onion/wiki/ThirdPartyIntegration
>
> However when I do the same whilst using the latest beta release which now includes Kibana I suddenly stop seeing logs in Kibana as soon as I make the change. Everything in Kibana was fine until I modified the syslog-ng.conf file and now I only see old logs and nothing new. I'm seeing Sguil logs just fine in my Syslog server. Any ideas?

Stafford,

Do you see any errors in the log(s)?

tail -100 /var/log/logstash/logstash.log
tail -100 /var/log/elasticsearch/{hostname}.log

If you set DEBUG back to its original value (/etc/sguild/sguild.conf), do logs seem to come back through?

You may need to restart the Elastic Stack after adjusting:

sudo so-elastic-restart

Thanks,
Wes


Doug Burks

Nov 30, 2017, 5:05:18 PM
to securit...@googlegroups.com
Hi Stafford,

Please try purging the logstash queue and then rebooting to ensure we
don't have any stray processes running:
sudo so-elastic-stop
sudo rm /nsm/logstash/queue/main/*
sudo reboot

On Sat, Nov 25, 2017 at 9:34 AM, 'Stafford Waltho' via security-onion
<securit...@googlegroups.com> wrote:
> Hi Wes
>
> I have the following error in /var/log/logstash/logstash.log
>
> [ERROR][logstash.pipeline ] Exception in pipelineworker, the pipeline stopped processing new events, please check your filter configuration and restart Logstash. {"exception"=>"undefined method `>' for nil:NilClass", "backtrace"=>["(eval):984802:in `initialize'", "org/jruby/RubyArray.java:1613:in `each'", "(eval):984800:in `initialize'", "org/jruby/RubyProc.java:281:in `call'", "(eval):984852:in `initialize'", "org/jruby/RubyArray.java:1613:in `each'", "(eval):984842:in `initialize'", "org/jruby/RubyProc.java:281:in `call'", "(eval):60584:in `filter_func'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:398:in `filter_batch'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:379:in `worker_loop'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:342:in `start_workers'"]}
> [2017-11-25T14:18:38,602][FATAL][logstash.runner ] An unexpected error occurred! {:error=>#<NoMethodError: undefined method `>' for nil:NilClass>, :backtrace=>["(eval):984802:in `initialize'", "org/jruby/RubyArray.java:1613:in `each'", "(eval):984800:in `initialize'", "org/jruby/RubyProc.java:281:in `call'", "(eval):984852:in `initialize'", "org/jruby/RubyArray.java:1613:in `each'", "(eval):984842:in `initialize'", "org/jruby/RubyProc.java:281:in `call'", "(eval):60584:in `filter_func'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:398:in `filter_batch'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:379:in `worker_loop'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:342:in `start_workers'"]}
>
> I tried your other suggestions too and they made no difference
--
Doug Burks
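The Logstash error quoted above is the symptom behind "Kibana only shows old logs": once a pipeline worker dies on a filter exception, nothing new is indexed until Logstash is restarted. As an added example (not Security Onion's own code), the following Python snippet parses logstash.log lines in the format quoted in the thread and flags the entries that mean the pipeline has halted, so the condition can be caught by a health check instead of being noticed in Kibana. The sample lines are constructed from the errors quoted in the thread, with made-up timestamps and a made-up INFO line.

```python
import re
from typing import Dict, List, Optional

# Constructed sample log: the ERROR/FATAL text mirrors the lines quoted in the
# thread; the INFO line and the timestamps are invented for this example.
SAMPLE_LOG = """\
[2017-11-25T14:18:30,001][INFO ][logstash.pipeline ] Pipeline main started
[2017-11-25T14:18:38,599][ERROR][logstash.pipeline ] Exception in pipelineworker, the pipeline stopped processing new events, please check your filter configuration and restart Logstash. {"exception"=>"undefined method `>' for nil:NilClass", "backtrace"=>["(eval):984802:in `initialize'"]}
[2017-11-25T14:18:38,602][FATAL][logstash.runner ] An unexpected error occurred! {:error=>#<NoMethodError: undefined method `>' for nil:NilClass>, :backtrace=>["(eval):984802:in `initialize'"]}
"""

# [timestamp][LEVEL ][logger ] message
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\[(?P<level>[A-Z]+)\s*\]\[(?P<logger>[^\]\s]+)\s*\]\s*(?P<msg>.*)$"
)
# Pull the exception text out of either the hash-style ERROR payload or the
# :error=>#<...> FATAL payload (lazy match up to the closing ">,").
EXC_RE = re.compile(r'"exception"=>"(?P<exc>[^"]*)"|:error=>#<(?P<err>.*?)>,')


def parse_line(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Split one logstash.log line into fields; None if it is not a log entry."""
    m = LINE_RE.match(line)
    if not m:
        return None
    entry: Dict[str, Optional[str]] = dict(m.groupdict())
    e = EXC_RE.search(entry["msg"] or "")
    entry["exception"] = (e.group("exc") or e.group("err")) if e else None
    return entry


def pipeline_halts(log_text: str) -> List[Dict[str, Optional[str]]]:
    """Return entries showing Logstash stopped processing events.

    A worker that dies logs "the pipeline stopped processing new events";
    a runner crash logs at FATAL. Either means nothing new reaches Elasticsearch.
    """
    halts = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        if entry["level"] == "FATAL" or "stopped processing new events" in (entry["msg"] or ""):
            halts.append(entry)
    return halts


if __name__ == "__main__":
    for h in pipeline_halts(SAMPLE_LOG):
        print(f'{h["ts"]} {h["level"]} {h["logger"]}: {h["exception"]}')
```

On a live box, feed it `/var/log/logstash/logstash.log` instead of `SAMPLE_LOG`; the exception text it extracts is what to compare against the filter configuration before restarting, as the thread suggests.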