Re: [security-onion] Cannot connect to mysql


Doug Burks

Aug 27, 2012, 9:15:07 AM
to securit...@googlegroups.com
Hi Cody,

Have you tried starting mysql as follows?
sudo service mysql start

Then verify it's running with:
sudo service mysql status

Then try starting sguild:
sudo nsm_server_ps-start

Doug

On Mon, Aug 27, 2012 at 9:08 AM, Cody Sapp <tgq...@mocs.utc.edu> wrote:
> Okay, I've had this problem before, but now after a major update occurred, it is happening again. Basically, I try to log into sguil-client, but it keeps saying "Unable to connect to localhost on port 7734". I tried "sudo netstat -na | grep 7734" but that returns nothing. Then I execute "sudo service nsm status" and this is the output:
>
> Status: securityonion
> * sguil server [ FAIL ]
> Status: winning-eth0
> * pcap_agent (sguil) [ OK ]
> * sancp_agent (sguil) [ OK ]
> * snort_agent (sguil) [ OK ]
> * pads_agent (sguil) [ OK ]
> * snort (alert data) [ OK ]
> * barnyard2 (spooler, unified2 format) [ OK ]
> * sancp (session data) [ OK ]
> * pads (asset info) [ OK ]
> * daemonlogger (full packet data) [ OK ]
> * argus [ OK ]
> * http_agent (sguil) [ OK ]
> Status: winning-eth1
> * pcap_agent (sguil) [ OK ]
> * sancp_agent (sguil) [ OK ]
> * snort_agent (sguil) [ OK ]
> * pads_agent (sguil) [ OK ]
> * snort (alert data) [ OK ]
> * barnyard2 (spooler, unified2 format) [ OK ]
> * sancp (session data) [ OK ]
> * pads (asset info) [ OK ]
> * daemonlogger (full packet data) [ OK ]
> * argus [ OK ]
> * http_agent (sguil) [ OK ]
> Status: HIDS
> * ossec_agent (sguil) [ OK ]
> Status: Bro
> Name Type Host Status Pid Peers Started
> manager manager 172.16.129.14 running 8246 3 27 Aug 12:36:53
> proxy-1 proxy 172.16.129.14 running 8279 3 27 Aug 12:36:55
> winning-eth0 worker 172.16.129.14 running 8328 2 27 Aug 12:36:57
> winning-eth1 worker 172.16.129.14 running 8329 2 27 Aug 12:36:57
>
> So I know the problem is that the sguil server isn't running. I try "sudo service nsm restart", and everything works fine except for this part at the top of the output:
>
> cat: /var/run/nsm/securityonion/sguild.pid: No such file or directory
> * stopping: sguil server (not running) [ WARN ]
> Usage: grep [OPTION]... PATTERN [FILE]...
> Try `grep --help' for more information.
> * starting: sguil server [ FAIL ]
> - check /var/log/nsm/securityonion/sguild.log for error messages
> So I look in /var/log/nsm/securityonion/sguild.log, and I find this error:
>
> 2012-08-27 13:02:37 pid(20833) Connecting to localhost on 3306 as sguil
> 2012-08-27 13:02:37 pid(20833) ERROR: Unable to connect to localhost on 3306: Make sure mysql is running.
> 2012-08-27 13:02:37 mysqlconnect/db server: Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (2)
> SGUILD: Exiting...
>
> So I run sudo service mysql status, and this is the output:
>
> mysql stop/waiting
>
> Someone mentioned to me the following command:
>
> mysql -uroot securityonion_db -e 'SELECT COUNT(*) FROM event WHERE status=0'
>
> However, I have never used this command, and I'm confused by the "'SELECT COUNT(*) FROM event WHERE status=0'" part. Am I supposed to replace the capitalized words with numbers, and if so, what numbers do I use? I have also heard that the problem could be solved by running the command "nsm_sensor_clear". But if I run that, will I lose anything that is really important?

--
Doug Burks
http://securityonion.blogspot.com

Cody Sapp

Aug 27, 2012, 9:16:54 AM
to securit...@googlegroups.com
Yep, and this is what it returns:

start: Job failed to start


Doug Burks

Aug 27, 2012, 9:20:38 AM
to securit...@googlegroups.com
Do the mysql logs say why it's failing to start? I hate to resort to
Windows tactics, but have you tried rebooting?

Thanks,
Doug

Cody Sapp

Aug 27, 2012, 9:30:37 AM
to securit...@googlegroups.com
Rebooting didn't do anything.  Where would the mysql logs usually be?


Doug Burks

Aug 27, 2012, 9:33:01 AM
to securit...@googlegroups.com
/var/log/mysql/

Cody Sapp

Aug 27, 2012, 9:41:23 AM
to securit...@googlegroups.com
Here is everything in the error.log:

120403 11:05:59 [Note] Plugin 'FEDERATED' is disabled.
120403 11:05:59  InnoDB: Started; log sequence number 0 549828
120403 11:05:59 [Note] Event Scheduler: Loaded 0 events
120403 11:05:59 [Note] /usr/sbin/mysqld: ready for connections.
Version: '5.1.41-3ubuntu12.10'  socket: '/var/run/mysqld/mysqld.sock'  port: 3306  (Ubuntu)
120403 11:30:22 [Note] /usr/sbin/mysqld: Normal shutdown

120403 11:30:22 [Note] Event Scheduler: Purging the queue. 0 events
120403 11:30:22  InnoDB: Starting shutdown...
120403 11:30:25  InnoDB: Shutdown completed; log sequence number 0 549828
120403 11:30:25 [Note] /usr/sbin/mysqld: Shutdown complete

120403 11:31:39 [Note] Plugin 'FEDERATED' is disabled.
120403 11:31:39  InnoDB: Started; log sequence number 0 549828
120403 11:31:40 [Note] Event Scheduler: Loaded 0 events
120403 11:31:40 [Note] /usr/sbin/mysqld: ready for connections.
Version: '5.1.41-3ubuntu12.10'  socket: '/var/run/mysqld/mysqld.sock'  port: 3306  (Ubuntu)
120403 11:36:53 [Note] /usr/sbin/mysqld: Normal shutdown

120403 11:36:53 [Note] Event Scheduler: Purging the queue. 0 events
120403 11:36:53  InnoDB: Starting shutdown...
120403 11:36:55  InnoDB: Shutdown completed; log sequence number 0 549828
120403 11:36:55 [Note] /usr/sbin/mysqld: Shutdown complete

120403 11:38:05 [Note] Plugin 'FEDERATED' is disabled.
120403 11:38:06  InnoDB: Started; log sequence number 0 549828
120403 11:38:06 [Note] Event Scheduler: Loaded 0 events
120403 11:38:06 [Note] /usr/sbin/mysqld: ready for connections.
Version: '5.1.41-3ubuntu12.10'  socket: '/var/run/mysqld/mysqld.sock'  port: 3306  (Ubuntu)
120403 11:43:17 [Note] /usr/sbin/mysqld: Normal shutdown

120403 11:43:17 [Note] Event Scheduler: Purging the queue. 0 events
120403 11:43:17  InnoDB: Starting shutdown...
120403 11:43:20  InnoDB: Shutdown completed; log sequence number 0 549828
120403 11:43:20 [Note] /usr/sbin/mysqld: Shutdown complete

120403 11:46:14 [Note] Plugin 'FEDERATED' is disabled.
120403 11:46:14  InnoDB: Initializing buffer pool, size = 8.0M
120403 11:46:14  InnoDB: Completed initialization of buffer pool
120403 11:46:14  InnoDB: Started; log sequence number 0 549828
120403 11:46:14  InnoDB: Starting shutdown...
120403 11:46:19  InnoDB: Shutdown completed; log sequence number 0 549828
120403 11:46:20 [Note] Plugin 'FEDERATED' is disabled.
120403 11:46:20  InnoDB: Initializing buffer pool, size = 8.0M
120403 11:46:20  InnoDB: Completed initialization of buffer pool
120403 11:46:20  InnoDB: Started; log sequence number 0 549828
ERROR: 1064  You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'ALTER TABLE user ADD column Show_view_priv enum('N','Y') CHARACTER SET utf8 NOT ' at line 1
120403 11:46:20 [ERROR] Aborting

120403 11:46:20  InnoDB: Starting shutdown...
120403 11:46:25  InnoDB: Shutdown completed; log sequence number 0 549828
120403 11:46:25 [Note] /usr/sbin/mysqld: Shutdown complete

120403 11:46:25 [Note] Plugin 'FEDERATED' is disabled.
120403 11:46:25  InnoDB: Initializing buffer pool, size = 8.0M
120403 11:46:25  InnoDB: Completed initialization of buffer pool
120403 11:46:25  InnoDB: Started; log sequence number 0 549828
120403 11:46:25  InnoDB: Starting shutdown...
120403 11:46:30  InnoDB: Shutdown completed; log sequence number 0 549828
120403 11:46:30 [Note] Plugin 'FEDERATED' is disabled.
120403 11:46:30  InnoDB: Initializing buffer pool, size = 8.0M
120403 11:46:30  InnoDB: Completed initialization of buffer pool
120403 11:46:31  InnoDB: Started; log sequence number 0 549828
ERROR: 1050  Table 'plugin' already exists
120403 11:46:31 [ERROR] Aborting

120403 11:46:31  InnoDB: Starting shutdown...
120403 11:46:36  InnoDB: Shutdown completed; log sequence number 0 549828
120403 11:46:36 [Note] /usr/sbin/mysqld: Shutdown complete

120403 11:46:36 [Note] Plugin 'FEDERATED' is disabled.
120403 11:46:36  InnoDB: Initializing buffer pool, size = 8.0M
120403 11:46:36  InnoDB: Completed initialization of buffer pool
120403 11:46:36  InnoDB: Started; log sequence number 0 549828
120403 11:46:36 [Note] Event Scheduler: Loaded 0 events
120403 11:46:36 [Note] /usr/sbin/mysqld: ready for connections.
Version: '5.1.61-0ubuntu0.10.04.1'  socket: '/var/run/mysqld/mysqld.sock'  port: 3306  (Ubuntu)
120403 11:50:01 [Note] /usr/sbin/mysqld: Normal shutdown

120403 11:50:01 [Note] Event Scheduler: Purging the queue. 0 events
120403 11:50:01  InnoDB: Starting shutdown...
120403 11:50:03  InnoDB: Shutdown completed; log sequence number 0 549828
120403 11:50:03 [Note] /usr/sbin/mysqld: Shutdown complete

120403 11:51:17 [Note] Plugin 'FEDERATED' is disabled.
120403 11:51:17  InnoDB: Initializing buffer pool, size = 8.0M
120403 11:51:17  InnoDB: Completed initialization of buffer pool
120403 11:51:18  InnoDB: Started; log sequence number 0 549828
120403 11:51:18 [Note] Event Scheduler: Loaded 0 events
120403 11:51:18 [Note] /usr/sbin/mysqld: ready for connections.
Version: '5.1.61-0ubuntu0.10.04.1'  socket: '/var/run/mysqld/mysqld.sock'  port: 3306  (Ubuntu)
120403 14:05:57 [Note] /usr/sbin/mysqld: Normal shutdown

120403 14:05:57 [Note] Event Scheduler: Purging the queue. 0 events
120403 14:05:59  InnoDB: Starting shutdown...
120403 14:06:02  InnoDB: Shutdown completed; log sequence number 0 2289287
120403 14:06:02 [Note] /usr/sbin/mysqld: Shutdown complete

120403 18:06:30 [Note] Plugin 'FEDERATED' is disabled.
120403 18:06:30  InnoDB: Initializing buffer pool, size = 8.0M
120403 18:06:30  InnoDB: Completed initialization of buffer pool
120403 18:06:30  InnoDB: Started; log sequence number 0 2289287
120403 18:06:30 [Note] Event Scheduler: Loaded 0 events
120403 18:06:30 [Note] /usr/sbin/mysqld: ready for connections.
Version: '5.1.61-0ubuntu0.10.04.1'  socket: '/var/run/mysqld/mysqld.sock'  port: 3306  (Ubuntu)
120403 18:08:01 [Note] /usr/sbin/mysqld: Normal shutdown

120403 18:08:01 [Note] Event Scheduler: Purging the queue. 0 events
120403 18:08:01  InnoDB: Starting shutdown...
120403 18:08:05  InnoDB: Shutdown completed; log sequence number 0 2289326
120403 18:08:05 [Note] /usr/sbin/mysqld: Shutdown complete

120403 18:08:06 [Note] Plugin 'FEDERATED' is disabled.
120403 18:08:06  InnoDB: Initializing buffer pool, size = 8.0M
120403 18:08:06  InnoDB: Completed initialization of buffer pool
120403 18:08:06  InnoDB: Started; log sequence number 0 2289326
120403 18:08:06 [Note] Event Scheduler: Loaded 0 events
120403 18:08:06 [Note] /usr/sbin/mysqld: ready for connections.
Version: '5.1.61-0ubuntu0.10.04.1'  socket: '/var/run/mysqld/mysqld.sock'  port: 3306  (Ubuntu)
120405 12:13:58 [Note] /usr/sbin/mysqld: Normal shutdown

120405 12:13:58 [Note] Event Scheduler: Purging the queue. 0 events
120405 12:14:00  InnoDB: Starting shutdown...
120405 12:14:02  InnoDB: Shutdown completed; log sequence number 0 2289622
120405 12:14:02 [Note] /usr/sbin/mysqld: Shutdown complete

120405 12:15:21 [Note] Plugin 'FEDERATED' is disabled.
120405 12:15:21  InnoDB: Initializing buffer pool, size = 8.0M
120405 12:15:22  InnoDB: Completed initialization of buffer pool
120405 12:15:22  InnoDB: Started; log sequence number 0 2289622
120405 12:15:23 [Note] Event Scheduler: Loaded 0 events
120405 12:15:23 [Note] /usr/sbin/mysqld: ready for connections.
Version: '5.1.61-0ubuntu0.10.04.1'  socket: '/var/run/mysqld/mysqld.sock'  port: 3306  (Ubuntu)
120502 12:36:59 [Note] /usr/sbin/mysqld: Normal shutdown

120502 12:36:59 [Note] Event Scheduler: Purging the queue. 0 events
120502 12:37:01  InnoDB: Starting shutdown...
120502 12:37:06  InnoDB: Shutdown completed; log sequence number 0 2289632
120502 12:37:06 [Note] /usr/sbin/mysqld: Shutdown complete

120502 12:40:30 [Note] Plugin 'FEDERATED' is disabled.
120502 12:40:30  InnoDB: Initializing buffer pool, size = 8.0M
120502 12:40:30  InnoDB: Completed initialization of buffer pool
120502 12:40:30  InnoDB: Started; log sequence number 0 2289632
120502 12:40:30  InnoDB: Starting shutdown...
120502 12:40:35  InnoDB: Shutdown completed; log sequence number 0 2289632
120502 12:40:35 [Note] Plugin 'FEDERATED' is disabled.
120502 12:40:35  InnoDB: Initializing buffer pool, size = 8.0M
120502 12:40:35  InnoDB: Completed initialization of buffer pool
120502 12:40:36  InnoDB: Started; log sequence number 0 2289632
ERROR: 1064  You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'ALTER TABLE user ADD column Show_view_priv enum('N','Y') CHARACTER SET utf8 NOT ' at line 1
120502 12:40:36 [ERROR] Aborting

120502 12:40:36  InnoDB: Starting shutdown...
120502 12:40:41  InnoDB: Shutdown completed; log sequence number 0 2289632
120502 12:40:41 [Note] /usr/sbin/mysqld: Shutdown complete

120502 12:40:41 [Note] Plugin 'FEDERATED' is disabled.
120502 12:40:41  InnoDB: Initializing buffer pool, size = 8.0M
120502 12:40:41  InnoDB: Completed initialization of buffer pool
120502 12:40:41  InnoDB: Started; log sequence number 0 2289632
120502 12:40:41  InnoDB: Starting shutdown...
120502 12:40:46  InnoDB: Shutdown completed; log sequence number 0 2289632
120502 12:40:46 [Note] Plugin 'FEDERATED' is disabled.
120502 12:40:46  InnoDB: Initializing buffer pool, size = 8.0M
120502 12:40:46  InnoDB: Completed initialization of buffer pool
120502 12:40:47  InnoDB: Started; log sequence number 0 2289632
ERROR: 1050  Table 'plugin' already exists
120502 12:40:47 [ERROR] Aborting

120502 12:40:47  InnoDB: Starting shutdown...
120502 12:40:52  InnoDB: Shutdown completed; log sequence number 0 2289632
120502 12:40:52 [Note] /usr/sbin/mysqld: Shutdown complete

120502 12:40:52 [Note] Plugin 'FEDERATED' is disabled.
120502 12:40:52  InnoDB: Initializing buffer pool, size = 8.0M
120502 12:40:52  InnoDB: Completed initialization of buffer pool
120502 12:40:52  InnoDB: Started; log sequence number 0 2289632
120502 12:40:52 [Note] Event Scheduler: Loaded 0 events
120502 12:40:52 [Note] /usr/sbin/mysqld: ready for connections.
Version: '5.1.62-0ubuntu0.10.04.1'  socket: '/var/run/mysqld/mysqld.sock'  port: 3306  (Ubuntu)
120502 12:41:44 [Note] /usr/sbin/mysqld: Normal shutdown

120502 12:41:44 [Note] Event Scheduler: Purging the queue. 0 events
120502 12:41:44  InnoDB: Starting shutdown...
120502 12:41:49  InnoDB: Shutdown completed; log sequence number 0 2289632
120502 12:41:49 [Note] /usr/sbin/mysqld: Shutdown complete

120502 12:43:09 [Note] Plugin 'FEDERATED' is disabled.
120502 12:43:09  InnoDB: Initializing buffer pool, size = 8.0M
120502 12:43:09  InnoDB: Completed initialization of buffer pool
120502 12:43:11  InnoDB: Started; log sequence number 0 2289632
120502 12:43:11 [Note] Event Scheduler: Loaded 0 events
120502 12:43:11 [Note] /usr/sbin/mysqld: ready for connections.
Version: '5.1.62-0ubuntu0.10.04.1'  socket: '/var/run/mysqld/mysqld.sock'  port: 3306  (Ubuntu)
120613 12:40:46 [Note] /usr/sbin/mysqld: Normal shutdown

120613 12:40:46 [Note] Event Scheduler: Purging the queue. 0 events
120613 12:40:46  InnoDB: Starting shutdown...
120613 12:40:51  InnoDB: Shutdown completed; log sequence number 0 2289642
120613 12:40:51 [Note] /usr/sbin/mysqld: Shutdown complete

120613 12:44:19 [Note] Plugin 'FEDERATED' is disabled.
120613 12:44:19  InnoDB: Initializing buffer pool, size = 8.0M
120613 12:44:19  InnoDB: Completed initialization of buffer pool
120613 12:44:20  InnoDB: Started; log sequence number 0 2289642
120613 12:44:20  InnoDB: Starting shutdown...
120613 12:44:25  InnoDB: Shutdown completed; log sequence number 0 2289642
120613 12:44:25 [Note] Plugin 'FEDERATED' is disabled.
120613 12:44:25  InnoDB: Initializing buffer pool, size = 8.0M
120613 12:44:25  InnoDB: Completed initialization of buffer pool
120613 12:44:25  InnoDB: Started; log sequence number 0 2289642
ERROR: 1064  You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'ALTER TABLE user ADD column Show_view_priv enum('N','Y') CHARACTER SET utf8 NOT ' at line 1
120613 12:44:25 [ERROR] Aborting

120613 12:44:25  InnoDB: Starting shutdown...
120613 12:44:31  InnoDB: Shutdown completed; log sequence number 0 2289642
120613 12:44:31 [Note] /usr/sbin/mysqld: Shutdown complete

120613 12:44:31 [Note] Plugin 'FEDERATED' is disabled.
120613 12:44:31  InnoDB: Initializing buffer pool, size = 8.0M
120613 12:44:31  InnoDB: Completed initialization of buffer pool
120613 12:44:31  InnoDB: Started; log sequence number 0 2289642
120613 12:44:31  InnoDB: Starting shutdown...
120613 12:44:36  InnoDB: Shutdown completed; log sequence number 0 2289642
120613 12:44:36 [Note] Plugin 'FEDERATED' is disabled.
120613 12:44:36  InnoDB: Initializing buffer pool, size = 8.0M
120613 12:44:36  InnoDB: Completed initialization of buffer pool
120613 12:44:36  InnoDB: Started; log sequence number 0 2289642
ERROR: 1050  Table 'plugin' already exists
120613 12:44:36 [ERROR] Aborting

120613 12:44:36  InnoDB: Starting shutdown...
120613 12:44:41  InnoDB: Shutdown completed; log sequence number 0 2289642
120613 12:44:41 [Note] /usr/sbin/mysqld: Shutdown complete

120613 12:44:42 [Note] Plugin 'FEDERATED' is disabled.
120613 12:44:42  InnoDB: Initializing buffer pool, size = 8.0M
120613 12:44:42  InnoDB: Completed initialization of buffer pool
120613 12:44:42  InnoDB: Started; log sequence number 0 2289642
120613 12:44:42 [Note] Event Scheduler: Loaded 0 events
120613 12:44:42 [Note] /usr/sbin/mysqld: ready for connections.
Version: '5.1.63-0ubuntu0.10.04.1'  socket: '/var/run/mysqld/mysqld.sock'  port: 3306  (Ubuntu)
120802 12:43:05 [Note] /usr/sbin/mysqld: Normal shutdown

120802 12:43:05 [Note] Event Scheduler: Purging the queue. 0 events
120802 12:43:05  InnoDB: Starting shutdown...
120802 12:43:10  InnoDB: Shutdown completed; log sequence number 0 2289652
120802 12:43:10 [Note] /usr/sbin/mysqld: Shutdown complete

120802 12:44:40 [Note] Plugin 'FEDERATED' is disabled.
120802 12:44:40  InnoDB: Initializing buffer pool, size = 8.0M
120802 12:44:40  InnoDB: Completed initialization of buffer pool
120802 12:44:41  InnoDB: Started; log sequence number 0 2289652
120802 12:44:41 [Note] Event Scheduler: Loaded 0 events
120802 12:44:41 [Note] /usr/sbin/mysqld: ready for connections.
Version: '5.1.63-0ubuntu0.10.04.1'  socket: '/var/run/mysqld/mysqld.sock'  port: 3306  (Ubuntu)
120807 12:28:56 [Note] /usr/sbin/mysqld: Normal shutdown

120807 12:28:56 [Note] Event Scheduler: Purging the queue. 0 events
120807 12:28:56  InnoDB: Starting shutdown...
120807 12:29:00  InnoDB: Shutdown completed; log sequence number 0 2289678
120807 12:29:01 [Note] /usr/sbin/mysqld: Shutdown complete

120807 12:30:22 [Note] Plugin 'FEDERATED' is disabled.
120807 12:30:22  InnoDB: Initializing buffer pool, size = 8.0M
120807 12:30:22  InnoDB: Completed initialization of buffer pool
120807 12:30:22  InnoDB: Started; log sequence number 0 2289678
120807 12:30:22 [Note] Event Scheduler: Loaded 0 events
120807 12:30:22 [Note] /usr/sbin/mysqld: ready for connections.
Version: '5.1.63-0ubuntu0.10.04.1'  socket: '/var/run/mysqld/mysqld.sock'  port: 3306  (Ubuntu)
120815  7:20:12 [ERROR] /usr/sbin/mysqld: Can't open file: './securityonion_db/data_winning@002dossec_20120613.frm' (errno: 24)
120816  7:20:03 [ERROR] /usr/sbin/mysqld: Can't open file: './securityonion_db/data_winning@002dossec_20120524.frm' (errno: 24)
120821  7:25:22 [ERROR] /usr/sbin/mysqld: Can't open file: './securityonion_db/sancp_winning@002deth1_20120727.frm' (errno: 24)
120821  7:25:22 [ERROR] /usr/sbin/mysqld: Can't open file: './securityonion_db/event_winning@002dossec_20120524.frm' (errno: 24)
120821 19:42:03 [Note] /usr/sbin/mysqld: Normal shutdown

120821 19:42:03 [Note] Event Scheduler: Purging the queue. 0 events
120821 19:42:06  InnoDB: Starting shutdown...
120821 19:42:10  InnoDB: Shutdown completed; log sequence number 0 2289688
120821 19:42:10 [Note] /usr/sbin/mysqld: Shutdown complete

120821 19:46:43 [Note] Plugin 'FEDERATED' is disabled.
120821 19:46:43  InnoDB: Initializing buffer pool, size = 8.0M
120821 19:46:43  InnoDB: Completed initialization of buffer pool
120821 19:46:43  InnoDB: Started; log sequence number 0 2289688
120821 19:46:43 [Note] Event Scheduler: Loaded 0 events
120821 19:46:43 [Note] /usr/sbin/mysqld: ready for connections.
Version: '5.1.63-0ubuntu0.10.04.1'  socket: '/var/run/mysqld/mysqld.sock'  port: 3306  (Ubuntu)
120821 19:47:11 [ERROR] /usr/sbin/mysqld: Can't open file: './securityonion_db/data_winning@002deth1_20120820.frm' (errno: 24)
120823 20:20:04 [ERROR] /usr/sbin/mysqld: Can't open file: './securityonion_db/data_winning@002deth1_20120814.frm' (errno: 24)
120823 20:59:06 [Note] /usr/sbin/mysqld: Normal shutdown

120823 20:59:06 [Note] Event Scheduler: Purging the queue. 0 events
120823 20:59:08  InnoDB: Starting shutdown...
120823 20:59:09  InnoDB: Shutdown completed; log sequence number 0 2289698
120823 20:59:09 [Note] /usr/sbin/mysqld: Shutdown complete

120823 20:59:09 [Note] Plugin 'FEDERATED' is disabled.
120823 20:59:09  InnoDB: Initializing buffer pool, size = 8.0M
120823 20:59:09  InnoDB: Completed initialization of buffer pool
120823 20:59:10  InnoDB: Started; log sequence number 0 2289698
120823 20:59:10 [Note] Event Scheduler: Loaded 0 events
120823 20:59:10 [Note] /usr/sbin/mysqld: ready for connections.
Version: '5.1.63-0ubuntu0.10.04.1'  socket: '/var/run/mysqld/mysqld.sock'  port: 3306  (Ubuntu)
120823 21:19:43 [Note] /usr/sbin/mysqld: Normal shutdown

120823 21:19:43 [Note] Event Scheduler: Purging the queue. 0 events
120823 21:19:43  InnoDB: Starting shutdown...
120823 21:19:45  InnoDB: Shutdown completed; log sequence number 0 2289698
120823 21:19:45 [Note] /usr/sbin/mysqld: Shutdown complete



Doug Burks

Aug 27, 2012, 9:53:41 AM
to securit...@googlegroups.com
I don't see anything in there with today's date on it.

Please send the output of the following:
sudo sostat
(redacting sensitive info as necessary)

Thanks,
Doug
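Doug's diagnosis rests on what the pasted error.log does and does not contain: the day mysqld last wrote anything, which lines are real errors, and what the "(errno: 24)" in the "Can't open file" lines means. The following triage script for that log format is an added example, not code from the thread or from Security Onion; the sample log embedded in it is constructed in the same format as Cody's, with a made-up sensor name.

```python
"""Triage a MySQL 5.1-style error.log: last day mysqld logged, error entries,
and the OS meaning of any "(errno: N)" it reports."""
import errno
import re
from collections import Counter
from datetime import date

# Timestamped entry: "YYMMDD HH:MM:SS [Level] message" or "YYMMDD HH:MM:SS  InnoDB: ...".
# The hour is space-padded ("120815  7:20:12"). Lines without a timestamp
# ("Version: ...", "ERROR: 1064 ...") are continuations of the previous entry.
_ENTRY_RE = re.compile(r"^(\d{6})\s+(\d{1,2}:\d{2}:\d{2})\s+(?:\[(\w+)\]\s+)?(.*)$")
_ERRNO_RE = re.compile(r"\(errno:\s*(\d+)\)")

# Constructed sample in the format of the thread's error.log (sensor name is invented).
SAMPLE_LOG = """\
120821 19:46:43 [Note] Plugin 'FEDERATED' is disabled.
120821 19:46:43  InnoDB: Started; log sequence number 0 2289688
120821 19:46:43 [Note] /usr/sbin/mysqld: ready for connections.
Version: '5.1.63-0ubuntu0.10.04.1'  socket: '/var/run/mysqld/mysqld.sock'  port: 3306  (Ubuntu)
120821 19:47:11 [ERROR] /usr/sbin/mysqld: Can't open file: './securityonion_db/data_sensor@002deth1_20120820.frm' (errno: 24)
120822  7:20:03 [ERROR] /usr/sbin/mysqld: Can't open file: './securityonion_db/data_sensor@002dossec_20120524.frm' (errno: 24)
120823 20:59:10  InnoDB: Started; log sequence number 0 2289698
ERROR: 1050  Table 'plugin' already exists
120823 20:59:10 [ERROR] Aborting
120823 20:59:11 [Note] /usr/sbin/mysqld: Shutdown complete
"""


def parse_error_log(lines):
    """Return a list of {date, level, msg} dicts, folding continuation lines into the prior entry."""
    entries = []
    for raw in lines:
        line = raw.rstrip("\n")
        if not line.strip():
            continue
        m = _ENTRY_RE.match(line)
        if m:
            yymmdd, _time, level, msg = m.groups()
            when = date(2000 + int(yymmdd[:2]), int(yymmdd[2:4]), int(yymmdd[4:6]))
            # InnoDB lines carry no [Level]; treat them as notes.
            entries.append({"date": when, "level": level or "Note", "msg": msg})
        elif entries:
            entries[-1]["msg"] += "\n" + line
            # An untimestamped "ERROR: NNNN ..." line is the server's startup SQL failing
            # right after InnoDB started; count it as an error even without an [ERROR] tag.
            if line.startswith("ERROR:"):
                entries[-1]["level"] = "ERROR"
    return entries


def triage(lines, today):
    """Summarise the log relative to `today` (a date or a 'YYYY-MM-DD' string)."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    entries = parse_error_log(lines)
    errors = [e for e in entries if e["level"] == "ERROR"]
    # Decode "(errno: N)" with the C library's names: 24 is EMFILE, the per-process
    # open-file limit. Sguil keeps separate event/data/sancp tables per sensor per day
    # (the file names in such errors), so a low open_files_limit runs out over time.
    codes = Counter()
    for e in errors:
        for n in _ERRNO_RE.findall(e["msg"]):
            codes[errno.errorcode.get(int(n), f"errno {n}")] += 1
    todays = [e for e in entries if e["date"] == today]
    return {
        "last_entry": max((e["date"] for e in entries), default=None),
        "entries_today": len(todays),
        # No entry for today means mysqld never got far enough to write its log, so the
        # cause of "start: Job failed to start" lies before mysqld ran (init-system logs).
        "mysqld_logged_today": bool(todays),
        "error_count": len(errors),
        "errno_counts": dict(codes),
        "error_messages": [e["msg"].splitlines()[-1] for e in errors],
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG.splitlines(), "2012-08-27").items():
        print(f"{key}: {value}")
```

Run against the real file with `triage(open("/var/log/mysql/error.log").readlines(), date.today())`; a result with `mysqld_logged_today` false on a day the service refused to start is exactly the situation in this thread.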

Gregory Pendergast

Aug 27, 2012, 9:53:59 AM
to securit...@googlegroups.com
I saw this problem a lot before I got Snort and Sguil autocat.conf
tuned sufficiently. I was getting too many uncategorized events in the
Sguil DB (couldn't tell you what that magic number was) and Sguil
would roll over and die.

To work through it, I set Days_to_keep to zero (SecurityOnion.conf),
then ran the Sguil DB purge script. Once done, I worked on identifying
snort sigs I could disable and events I could have Sguil auto
categorize.

Now that I've made progress on that front Sguil is stable and I've
been able to start turning Days_to_keep back up slowly.

Greg

Sent from my iPhone

Cody Sapp

Aug 27, 2012, 10:04:18 AM
to securit...@googlegroups.com
=========================================================================
Service Status
=========================================================================
manager    manager    172.16.129.14 running       7498   3      27 Aug 13:29:35  
proxy-1    proxy      172.16.129.14 running       7531   3      27 Aug 13:29:37  
winning-eth0 worker     172.16.129.14 running       7581   2      27 Aug 13:29:39  
winning-eth1 worker     172.16.129.14 running       7580   2      27 Aug 13:29:39  

=========================================================================
Interface Status
=========================================================================
eth0      Link encap:Ethernet  HWaddr 00:50:45:5d:0e:2c  
          inet addr:SECRET  Bcast:SECRET  Mask:SECRET
          inet6 addr: SECRET Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:115171 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2769 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:12525893 (12.5 MB)  TX bytes:552138 (552.1 KB)
          Interrupt:27 

eth1      Link encap:Ethernet  HWaddr SECRET  
          inet6 addr: SECRET Scope:Link
          UP BROADCAST RUNNING NOARP PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:1969518 errors:0 dropped:0 overruns:0 frame:0
          TX packets:75 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:1660895927 (1.6 GB)  TX bytes:10127 (10.1 KB)
          Interrupt:27 

lo        Link encap:Local Loopback  
          inet addr:SECRET  Mask:SECRET
          inet6 addr: SECRET Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:14378 errors:0 dropped:0 overruns:0 frame:0
          TX packets:14378 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:30014132 (30.0 MB)  TX bytes:30014132 (30.0 MB)


=========================================================================
Disk Usage
=========================================================================
Filesystem      Size  Used Avail Use% Mounted on
/dev/sda2       951G  811G   93G  90% /
udev            4.0G  4.0K  4.0G   1% /dev
tmpfs           1.6G  808K  1.6G   1% /run
none            5.0M     0  5.0M   0% /run/lock
none            4.0G     0  4.0G   0% /run/shm

=========================================================================
Network Sockets
=========================================================================
LEAVING THIS BLANK

=========================================================================
IDS Rules Update
=========================================================================

=========================================================================
CPU Usage
=========================================================================
top - 14:00:49 up 35 min,  1 user,  load average: 3.40, 3.56, 3.24
Tasks: 168 total,   4 running, 155 sleeping,   0 stopped,   9 zombie
Cpu(s): 17.6%us, 38.0%sy,  3.2%ni, 39.5%id,  1.0%wa,  0.0%hi,  0.6%si,  0.0%st
Mem:   8275404k total,  3432876k used,  4842528k free,   106656k buffers
Swap: 12137184k total,        0k used, 12137184k free,  2442452k cached

  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND                                                         
 7532 root      25   5 27856  11m  484 S   31  0.1   7:47.53 bro                                                             
 7583 root      25   5 29912  15m 4540 S   31  0.2   6:17.77 bro                                                             
 7580 root      20   0 50464  42m  10m R   27  0.5   8:53.51 bro                                                             
 7531 root      20   0 22708  14m 3464 S   26  0.2   7:29.81 bro                                                             
 7498 root      20   0 22632  14m 3472 R   22  0.2   7:40.63 bro                                                             
 7581 root      20   0 27532  19m 7680 S   22  0.2   8:02.93 bro                                                             
 7582 root      25   5 29860  15m 4532 R   22  0.2   7:00.44 bro                                                             
 7499 root      25   5 27876  11m  476 S   20  0.1   7:56.83 bro                                                             
 6390 sguil     20   0  513m 271m 134m S    8  3.4   6:19.71 snort                                                           
 5958 sguil     20   0  509m 256m 134m S    4  3.2   1:47.83 snort                                                           
 6075 sguil     20   0  7776 5884 4828 S    2  0.1   0:01.23 pads                                                            
 6512 sguil     20   0  7776 5884 4828 S    2  0.1   0:12.74 pads                                                            
 6577 sguil     20   0  6636 4912 4776 S    2  0.1   0:41.45 daemonlogger                                                    
14538 root      20   0  2832 1120  840 R    2  0.0   0:00.01 top                                                             
    1 root      20   0  3640 2028 1288 S    0  0.0   0:00.91 init                                                            
    2 root      20   0     0    0    0 S    0  0.0   0:00.00 kthreadd                                                        
    3 root      20   0     0    0    0 S    0  0.0   0:01.00 ksoftirqd/0                                                     
    5 root      20   0     0    0    0 S    0  0.0   0:00.56 kworker/u:0                                                     
    6 root      RT   0     0    0    0 S    0  0.0   0:00.00 migration/0                                                     
    7 root      RT   0     0    0    0 S    0  0.0   0:00.00 watchdog/0                                                      
    8 root      RT   0     0    0    0 S    0  0.0   0:00.00 migration/1                                                     
   10 root      20   0     0    0    0 S    0  0.0   0:01.07 ksoftirqd/1                                                     
   11 root      20   0     0    0    0 S    0  0.0   0:00.45 kworker/0:1                                                     
   12 root      RT   0     0    0    0 S    0  0.0   0:00.00 watchdog/1                                                      
   13 root      RT   0     0    0    0 S    0  0.0   0:00.00 migration/2                                                     
   15 root      20   0     0    0    0 S    0  0.0   0:03.22 ksoftirqd/2                                                     
   16 root      RT   0     0    0    0 S    0  0.0   0:00.00 watchdog/2                                                      
   17 root      RT   0     0    0    0 S    0  0.0   0:00.00 migration/3                                                     
   19 root      20   0     0    0    0 S    0  0.0   0:03.31 ksoftirqd/3                                                     
   20 root      RT   0     0    0    0 S    0  0.0   0:00.00 watchdog/3                                                      
   21 root       0 -20     0    0    0 S    0  0.0   0:00.00 cpuset                                                          
   22 root       0 -20     0    0    0 S    0  0.0   0:00.00 khelper                                                         
   23 root      20   0     0    0    0 S    0  0.0   0:00.00 kdevtmpfs                                                       
   24 root       0 -20     0    0    0 S    0  0.0   0:00.00 netns                                                           
   25 root      20   0     0    0    0 S    0  0.0   0:00.35 kworker/u:1                                                     
   26 root      20   0     0    0    0 S    0  0.0   0:00.00 sync_supers                                                     
   27 root      20   0     0    0    0 S    0  0.0   0:00.00 bdi-default                                                     
   28 root       0 -20     0    0    0 S    0  0.0   0:00.00 kintegrityd                                                     
   29 root       0 -20     0    0    0 S    0  0.0   0:00.00 kblockd                                                         
   30 root       0 -20     0    0    0 S    0  0.0   0:00.00 ata_sff                                                         
   31 root      20   0     0    0    0 S    0  0.0   0:00.00 khubd                                                           
   32 root       0 -20     0    0    0 S    0  0.0   0:00.00 md                                                              
   33 root      20   0     0    0    0 S    0  0.0   0:00.00 khungtaskd                                                      
   34 root      20   0     0    0    0 S    0  0.0   0:00.00 kswapd0                                                         
   35 root      25   5     0    0    0 S    0  0.0   0:00.00 ksmd                                                            
   36 root      39  19     0    0    0 S    0  0.0   0:00.00 khugepaged                                                      
   37 root      20   0     0    0    0 S    0  0.0   0:00.00 fsnotify_mark                                                   
   38 root      20   0     0    0    0 S    0  0.0   0:00.00 ecryptfs-kthrea                                                 
   39 root       0 -20     0    0    0 S    0  0.0   0:00.00 crypto                                                          
   47 root       0 -20     0    0    0 S    0  0.0   0:00.00 kthrotld                                                        
   50 root      20   0     0    0    0 S    0  0.0   0:00.08 kworker/3:1                                                     
   69 root       0 -20     0    0    0 S    0  0.0   0:00.00 devfreq_wq                                                      
   70 root      20   0     0    0    0 S    0  0.0   0:00.77 kworker/2:1                                                     
   71 root      20   0     0    0    0 S    0  0.0   0:00.24 kworker/3:2                                                     
  226 root      20   0     0    0    0 S    0  0.0   0:00.00 scsi_eh_0                                                       
  234 root      20   0     0    0    0 S    0  0.0   0:00.00 scsi_eh_1                                                       
  258 root      20   0     0    0    0 S    0  0.0   0:00.05 kworker/1:1                                                     
  260 root      20   0     0    0    0 S    0  0.0   0:00.00 kworker/1:2                                                     
  262 root      20   0     0    0    0 S    0  0.0   0:00.94 kworker/0:2                                                     
  267 root      20   0     0    0    0 S    0  0.0   0:00.00 scsi_eh_2                                                       
  344 root      20   0     0    0    0 S    0  0.0   0:00.48 jbd2/sda2-8                                                     
  345 root       0 -20     0    0    0 S    0  0.0   0:00.00 ext4-dio-unwrit                                                 
  430 root      20   0  3080  872  508 S    0  0.0   0:00.09 upstart-udev-br                                                 
  434 root      20   0  3180 1400  748 S    0  0.0   0:00.06 udevd                                                           
  666 root       0 -20     0    0    0 S    0  0.0   0:00.00 kmpathd                                                         
  667 root       0 -20     0    0    0 S    0  0.0   0:00.00 kmpath_handlerd                                                 
  748 root      20   0  3176  988  332 S    0  0.0   0:00.00 udevd                                                           
  760 root      20   0  3176  988  332 S    0  0.0   0:00.00 udevd                                                           
  794 root       0 -20     0    0    0 S    0  0.0   0:00.00 kpsmoused                                                       
  982 messageb  20   0  3536 1224  776 S    0  0.0   0:00.11 dbus-daemon                                                     
 1004 root      20   0  4724 1580 1368 S    0  0.0   0:00.00 bluetoothd                                                      
 1030 root      10 -10     0    0    0 S    0  0.0   0:00.00 krfcommd                                                        
 1031 syslog    20   0 31044 1492 1036 S    0  0.0   0:00.49 rsyslogd                                                        
 1033 root      20   0  2828  364  208 S    0  0.0   0:00.01 upstart-socket-                                                 
 1038 avahi     20   0  4092 2220 1416 S    0  0.0   0:05.40 avahi-daemon                                                    
 1039 avahi     20   0  3436  432  216 S    0  0.0   0:00.00 avahi-daemon                                                    
 1194 root      20   0  6664 2272 1844 S    0  0.0   0:00.00 sshd                                                            
 1257 root      20   0 10928 2968 2220 S    0  0.0   0:00.00 cupsd                                                           
 1348 root      20   0  4432  780  660 S    0  0.0   0:00.00 getty                                                           
 1354 root      20   0  4432  788  660 S    0  0.0   0:00.00 getty                                                           
 1371 root      20   0  4432  780  660 S    0  0.0   0:00.00 getty                                                           
 1380 root      20   0  4432  776  660 S    0  0.0   0:00.00 getty                                                           
 1394 root      20   0  4432  772  660 S    0  0.0   0:00.00 getty                                                           
 1427 root      20   0  2156  684  500 S    0  0.0   0:00.00 acpid                                                           
 1438 root      20   0  3584  628  484 S    0  0.0   0:00.38 irqbalance                                                      
 1443 daemon    20   0  2452  348  220 S    0  0.0   0:00.00 atd                                                             
 1445 root      20   0  2600  888  700 S    0  0.0   0:00.00 cron                                                            
 1745 Debian-e  20   0  7672  912  536 S    0  0.0   0:00.00 exim4                                                           
 1871 ossec     20   0  3400 1616  700 S    0  0.0   0:33.33 ossec-analysisd                                                 
 1875 root      20   0  2328  504  388 S    0  0.0   0:00.06 ossec-logcollec                                                 
 1902 root      20   0  3528 2032  604 S    0  0.0   0:32.81 ossec-syscheckd                                                 
 1909 ossec     20   0  2632  488  348 S    0  0.0   0:00.00 ossec-monitord                                                  
 1919 root      20   0 34020 3008 2560 S    0  0.0   0:00.02 lightdm                                                         
 1932 root      20   0 90616  16m 7432 S    0  0.2   0:04.57 Xorg                                                            
 1950 root      20   0 18172 3368 2700 S    0  0.0   0:00.02 lightdm                                                         
 1953 root      20   0 15808 3296 2828 S    0  0.0   0:00.02 accounts-daemon                                                 
 1956 root      20   0 25196 3540 2728 S    0  0.0   0:00.04 polkitd                                                         
 1974 root      20   0 34196 3336 2680 S    0  0.0   0:00.05 console-kit-dae                                                 
 2047 lightdm   20   0  2216  536  468 S    0  0.0   0:00.00 lightdm-greeter                                                 
 2052 lightdm   20   0  3240  640  456 S    0  0.0   0:00.00 dbus-daemon                                                     
 2053 lightdm   20   0 42308  11m 9464 S    0  0.1   0:06.10 lightdm-gtk-gre                                                 
 2055 lightdm   20   0  8388 2132 1820 S    0  0.0   0:00.00 gvfsd                                                           
 2057 lightdm   20   0 33716 2480 2032 S    0  0.0   0:00.00 gvfs-fuse-daemo                                                 
 2065 root      20   0 28372 3592 2924 S    0  0.0   0:00.03 upowerd                                                         
 2222 root      20   0  8820 2364 1788 S    0  0.0   0:00.00 lightdm                                                         
 2239 root      20   0     0    0    0 S    0  0.0   0:01.31 flush-8:0                                                       
 2256 root      20   0  2356  572  468 S    0  0.0   0:00.17 vnstatd                                                         
 2338 root      20   0 41140 9104 5212 S    0  0.1   0:00.19 apache2                                                         
 2343 root      20   0  7812 1620 1432 S    0  0.0   0:00.00 PassengerWatchd                                                 
 2347 root      20   0 17588 1828 1624 S    0  0.0   0:00.02 PassengerHelper                                                 
 2354 root      20   0 11384 6308 2180 S    0  0.1   0:04.85 ruby                                                            
 2359 nobody    20   0 15460 3664 2936 S    0  0.0   0:00.01 PassengerLoggin                                                 
 2394 root      20   0  4432  780  660 S    0  0.0   0:00.00 getty                                                           
 2396 www-data  20   0 41172 4556  652 S    0  0.1   0:00.00 apache2                                                         
 2397 www-data  20   0 41172 4556  652 S    0  0.1   0:00.00 apache2                                                         
 2398 www-data  20   0 41172 4556  652 S    0  0.1   0:00.00 apache2                                                         
 2399 www-data  20   0 41172 4556  652 S    0  0.1   0:00.00 apache2                                                         
 2400 www-data  20   0 41172 4556  652 S    0  0.1   0:00.00 apache2                                                         
 2453 ntp       20   0  5744 1888 1432 S    0  0.0   0:00.15 ntpd                                                            
 2455 root      20   0  5556  924  492 S    0  0.0   0:00.03 ntpd                                                            
 2969 root      20   0 11788 3536 2756 S    0  0.0   0:00.06 sshd                                                            
 3169 winningu  20   0 11788 1688  900 S    0  0.0   0:00.45 sshd                                                            
 3170 winningu  20   0 11340 7736 1592 S    0  0.1   0:00.60 bash                                                            
 5834 root      20   0  8328 3148 2292 S    0  0.0   0:00.29 tclsh                                                           
 5873 root      20   0  8316 3132 2292 S    0  0.0   0:00.32 tclsh                                                           
 5912 root      20   0  8584 3440 2324 S    0  0.0   0:00.38 tclsh                                                           
 5914 root      20   0  4224  544  476 S    0  0.0   0:00.00 tail                                                            
 5997 root      20   0 12536 5984 1384 S    0  0.1   0:03.96 barnyard2                                                       
 6036 sguil     20   0  8272 5580 5172 S    0  0.1   0:02.52 sancp                                                           
 6114 root      20   0  8308 3136 2304 S    0  0.0   0:00.25 tclsh                                                           
 6116 root      20   0  4208  280  228 S    0  0.0   0:00.00 cat                                                             
 6140 sguil     20   0  6636 4884 4748 S    0  0.1   0:05.17 daemonlogger                                                    
 6183 sguil     20   0 31836 6552 1104 S    0  0.1   0:06.98 argus                                                           
 6227 root      20   0  8328 3140 2292 S    0  0.0   0:00.26 tclsh                                                           
 6266 root      20   0  8328 3152 2292 S    0  0.0   0:00.26 tclsh                                                           
 6305 root      20   0  8316 3136 2292 S    0  0.0   0:00.27 tclsh                                                           
 6344 root      20   0  8584 3436 2324 S    0  0.0   0:00.36 tclsh                                                           
 6346 root      20   0  4224  540  472 S    0  0.0   0:00.00 tail                                                            
 6421 root      20   0 12536 5988 1384 S    0  0.1   0:03.35 barnyard2                                                       
 6467 sguil     20   0  8800 6176 5172 S    0  0.1   0:20.03 sancp                                                           
 6551 root      20   0  8440 3240 2304 S    0  0.0   0:00.94 tclsh                                                           
 6553 root      20   0  4208  284  228 S    0  0.0   0:00.01 cat                                                             
 6626 sguil     20   0 34908 9584 1104 S    0  0.1   0:40.39 argus                                                           
 6670 root      20   0  8328 3140 2292 S    0  0.0   0:00.26 tclsh                                                           
 6712 root      20   0  8872 3196 1868 S    0  0.0   0:00.22 tclsh                                                           
 7489 root      20   0  5192 1380 1196 S    0  0.0   0:00.01 bash                                                            
 7522 root      20   0  5192 1384 1196 S    0  0.0   0:00.00 bash                                                            
 7561 root      20   0  5192 1380 1196 S    0  0.0   0:00.01 bash                                                            
 7564 root      20   0  5192 1380 1196 S    0  0.0   0:00.00 bash                                                            
12846 root      20   0     0    0    0 S    0  0.0   0:00.00 kworker/2:2                                                     
13137 root      20   0  5188 1364 1180 S    0  0.0   0:00.01 bash                                                            
13522 root      30  10  5196 1344 1152 S    0  0.0   0:00.00 bash                                                            
13605 root      39  19  1992  284  228 S    0  0.0   0:00.00 time                                                            
13606 root      30  10  4368  804  716 S    0  0.0   0:00.00 grep                                                            
13608 root      39  19 17116 6784 3600 S    0  0.1   0:00.14 python                                                          
13615 root      39  19     0    0    0 Z    0  0.0   0:00.00 python <defunct>                                                
13971 root      39  19     0    0    0 Z    0  0.0   0:00.00 python <defunct>                                                
14207 root      39  19     0    0    0 Z    0  0.0   0:00.00 python <defunct>                                                
14208 root      20   0     0    0    0 S    0  0.0   0:00.00 kworker/2:0                                                     
14210 root      39  19     0    0    0 Z    0  0.0   0:00.00 python <defunct>                                                
14212 root      39  19     0    0    0 Z    0  0.0   0:00.00 python <defunct>                                                
14213 root      39  19     0    0    0 Z    0  0.0   0:00.00 python <defunct>                                                
14214 root      39  19     0    0    0 Z    0  0.0   0:00.00 python <defunct>                                                
14216 root      39  19     0    0    0 Z    0  0.0   0:00.00 python <defunct>                                                
14217 root      20   0  7564 2068 1588 S    0  0.0   0:00.11 sudo                                                            
14219 root      39  19     0    0    0 Z    0  0.0   0:00.00 python <defunct>                                                
14220 root      20   0  5172 1312 1148 S    0  0.0   0:00.00 sostat                                                          
14259 root      39  19 17328 4124  896 S    0  0.0   0:00.00 python                                                          


=========================================================================
Log Archive
=========================================================================
/nsm/sensor_data/winning-eth0/dailylogs/
45G     .
505M    ./2012-07-08
517M    ./2012-07-09
8.8G    ./2012-07-10
2.4G    ./2012-07-11
504M    ./2012-07-12
497M    ./2012-07-13
456M    ./2012-07-14
456M    ./2012-07-15
509M    ./2012-07-16
484M    ./2012-07-17
521M    ./2012-07-18
473M    ./2012-07-19
499M    ./2012-07-20
486M    ./2012-07-21
504M    ./2012-07-22
537M    ./2012-07-23
501M    ./2012-07-24
484M    ./2012-07-25
626M    ./2012-07-26
612M    ./2012-07-27
494M    ./2012-07-28
478M    ./2012-07-29
506M    ./2012-07-30
1.1G    ./2012-07-31
623M    ./2012-08-01
1.9G    ./2012-08-02
842M    ./2012-08-03
517M    ./2012-08-04
518M    ./2012-08-05
1.9G    ./2012-08-06
2.9G    ./2012-08-07
645M    ./2012-08-08
518M    ./2012-08-09
648M    ./2012-08-10
472M    ./2012-08-11
504M    ./2012-08-12
507M    ./2012-08-13
480M    ./2012-08-14
550M    ./2012-08-15
538M    ./2012-08-16
446M    ./2012-08-17
476M    ./2012-08-18
581M    ./2012-08-19
724M    ./2012-08-20
523M    ./2012-08-21
528M    ./2012-08-22
5.1G    ./2012-08-23
36M     ./2012-08-27

/nsm/sensor_data/winning-eth1/dailylogs/
655G    .
1.7G    ./2012-07-08
9.4G    ./2012-07-09
12G     ./2012-07-10
16G     ./2012-07-11
20G     ./2012-07-12
16G     ./2012-07-13
3.8G    ./2012-07-14
1.8G    ./2012-07-15
14G     ./2012-07-16
16G     ./2012-07-17
13G     ./2012-07-18
13G     ./2012-07-19
8.5G    ./2012-07-20
3.6G    ./2012-07-21
3.7G    ./2012-07-22
13G     ./2012-07-23
23G     ./2012-07-24
18G     ./2012-07-25
17G     ./2012-07-26
13G     ./2012-07-27
3.3G    ./2012-07-28
2.3G    ./2012-07-29
18G     ./2012-07-30
18G     ./2012-07-31
15G     ./2012-08-01
21G     ./2012-08-02
18G     ./2012-08-03
6.0G    ./2012-08-04
4.3G    ./2012-08-05
33G     ./2012-08-06
19G     ./2012-08-07
21G     ./2012-08-08
17G     ./2012-08-09
22G     ./2012-08-10
4.9G    ./2012-08-11
994M    ./2012-08-12
17G     ./2012-08-13
15G     ./2012-08-14
17G     ./2012-08-15
19G     ./2012-08-16
16G     ./2012-08-17
4.6G    ./2012-08-18
3.1G    ./2012-08-19
19G     ./2012-08-20
17G     ./2012-08-21
16G     ./2012-08-22
64G     ./2012-08-23
2.9G    ./2012-08-27

/nsm/bro/logs/
4.4G    .
43M     ./2012-07-08
103M    ./2012-07-09
124M    ./2012-07-10
121M    ./2012-07-11
125M    ./2012-07-12
115M    ./2012-07-13
66M     ./2012-07-14
62M     ./2012-07-15
133M    ./2012-07-16
121M    ./2012-07-17
141M    ./2012-07-18
132M    ./2012-07-19
120M    ./2012-07-20
63M     ./2012-07-21
58M     ./2012-07-22
127M    ./2012-07-23
159M    ./2012-07-24
148M    ./2012-07-25
149M    ./2012-07-26
210M    ./2012-07-27
98M     ./2012-07-28
64M     ./2012-07-29
160M    ./2012-07-30
178M    ./2012-07-31
162M    ./2012-08-01
101M    ./2012-08-02
53M     ./2012-08-03
29M     ./2012-08-04
29M     ./2012-08-05
87M     ./2012-08-06
81M     ./2012-08-07
85M     ./2012-08-08
76M     ./2012-08-09
71M     ./2012-08-10
21M     ./2012-08-11
17M     ./2012-08-12
52M     ./2012-08-13
56M     ./2012-08-14
61M     ./2012-08-15
61M     ./2012-08-16
64M     ./2012-08-17
23M     ./2012-08-18
20M     ./2012-08-19
47M     ./2012-08-20
57M     ./2012-08-21
67M     ./2012-08-22
64M     ./2012-08-23
51M     ./2012-08-24
31M     ./2012-08-25
28M     ./2012-08-26
21M     ./2012-08-27
93M     ./stats

=========================================================================
IDS Engine (snort) packet drops
=========================================================================
/nsm/sensor_data/winning-eth0/snort.stats last reported pkt_drop_percent as 0.000
/nsm/sensor_data/winning-eth1/snort.stats last reported pkt_drop_percent as 0.000

=========================================================================
Sguil Uncategorized Events
=========================================================================
ERROR 2002 (HY000): Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (2)

=========================================================================
Snorby Events Summary for yesterday
=========================================================================
ERROR 2002 (HY000): Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (2)
ERROR 2002 (HY000): Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (2)

=========================================================================
Top 50 All Time Snorby Events
=========================================================================
ERROR 2002 (HY000): Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (2)
ERROR 2002 (HY000): Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (2)


Doug Burks
Aug 27, 2012, 10:25:23 AM
to securit...@googlegroups.com
What is the output of the following?
grep -i mysql /var/log/daemon.log

Thanks,
Doug

Cody Sapp
Aug 27, 2012, 10:28:27 AM
to securit...@googlegroups.com
Aug 21 19:46:44 winning /etc/mysql/debian-start[1490]: Upgrading MySQL tables if necessary.
Aug 21 19:46:44 winning /etc/mysql/debian-start[1493]: /usr/bin/mysql_upgrade: the '--basedir' option is always ignored
Aug 21 19:46:44 winning /etc/mysql/debian-start[1493]: Looking for 'mysql' as: /usr/bin/mysql
Aug 21 19:46:44 winning /etc/mysql/debian-start[1493]: Looking for 'mysqlcheck' as: /usr/bin/mysqlcheck
Aug 21 19:46:44 winning /etc/mysql/debian-start[1493]: This installation of MySQL is already upgraded to 5.1.63, use --force if you still need to run mysql_upgrade
Aug 21 19:46:44 winning /etc/mysql/debian-start[1500]: Checking for insecure root accounts.
Aug 21 19:46:44 winning /etc/mysql/debian-start[1504]: WARNING: mysql.user contains 1 root accounts without password!
Aug 21 19:46:44 winning /etc/mysql/debian-start[1505]: Triggering myisam-recover for all MyISAM tables
Aug 23 20:59:10 winning /etc/mysql/debian-start[12507]: Upgrading MySQL tables if necessary.
Aug 23 20:59:10 winning /etc/mysql/debian-start[12512]: /usr/bin/mysql_upgrade: the '--basedir' option is always ignored
Aug 23 20:59:10 winning /etc/mysql/debian-start[12512]: Looking for 'mysql' as: /usr/bin/mysql
Aug 23 20:59:10 winning /etc/mysql/debian-start[12512]: Looking for 'mysqlcheck' as: /usr/bin/mysqlcheck
Aug 23 20:59:10 winning /etc/mysql/debian-start[12512]: This installation of MySQL is already upgraded to 5.1.63, use --force if you still need to run mysql_upgrade
Aug 23 20:59:10 winning /etc/mysql/debian-start[12541]: Checking for insecure root accounts.
Aug 23 20:59:10 winning /etc/mysql/debian-start[12545]: WARNING: mysql.user contains 1 root accounts without password!
Aug 23 20:59:10 winning /etc/mysql/debian-start[12546]: Triggering myisam-recover for all MyISAM tables


Cody Sapp
Aug 27, 2012, 10:38:55 AM
to securit...@googlegroups.com
August 23 was the day I had to start a major update for security onion (took several hours to get everything done), and I had to leave before it finished.  When I came back today, I restarted security onion, and when I logged on to security onion, that is when I noticed that sguil server was not up.

Doug Burks
Aug 27, 2012, 10:43:15 AM
to securit...@googlegroups.com
What major update? Were you prompted to update to Ubuntu 12.04?
http://securityonion.blogspot.com/2012/08/security-onion-and-ubuntu-12041.html

Cody Sapp
Aug 27, 2012, 10:45:48 AM
to securit...@googlegroups.com
It wasn't that update.  I don't recall what it was, though.  Like I said, it was available on August 23, but I don't think it was an ubuntu update.

Doug Burks
Aug 27, 2012, 10:49:45 AM
to securit...@googlegroups.com
Check /var/log/apt/ for more details about the update(s).

Cody Sapp
Aug 27, 2012, 10:52:07 AM
to securit...@googlegroups.com
Nothing in there about the update.  It may not have been a security onion update, but more like a server update or something.  I don't know entirely.  All I do know is it took a few hours to get everything downloaded and updated.

Cody Sapp
Aug 27, 2012, 11:01:42 AM
to securit...@googlegroups.com
Aside from sguil not being up though, everything else is normal.

Doug Burks
Aug 27, 2012, 11:04:50 AM
to securit...@googlegroups.com
I don't understand what you mean.

In your current version of Security Onion, there should only be two
kinds of updates:

1. updates to the core OS packages from Ubuntu - this would come from
the graphical Update Manager application or from a command line
invocation of "apt-get update && apt-get dist-upgrade"

2. updates to SecurityOnion-specific applications - this would come
from the Security Onion update script:
sudo -i "curl -L http://sourceforge.net/projects/security-onion/files/security-onion-upgrade.sh > ~/security-onion-upgrade.sh && bash ~/security-onion-upgrade.sh"

So what prompted you to update? What action did you perform? When
was the last time you had done an update?

Thanks,
Doug

Cody Sapp
Aug 27, 2012, 11:07:35 AM
to securit...@googlegroups.com
I was prompted to take the update when I ssh'd into security onion on August 23.  It said I had to do a certain update right then and there.  This is the first time that kind of thing ever happened.

Doug Burks
Aug 27, 2012, 11:16:06 AM
to securit...@googlegroups.com
What is the output of the following?
uname -a

Cody Sapp
Aug 27, 2012, 11:16:48 AM
to securit...@googlegroups.com
Linux winning 3.2.0-29-generic-pae #46-Ubuntu SMP Fri Jul 27 17:25:43 UTC 2012 i686 athlon i386 GNU/Linux

Doug Burks
Aug 27, 2012, 11:19:39 AM
to securit...@googlegroups.com
You're running Linux kernel 3.2. Sounds like you upgraded to Ubuntu 12.04.
Doug

Cody Sapp
Aug 27, 2012, 11:20:45 AM
to securit...@googlegroups.com
So I guess it might have been an Ubuntu update, but how does that help?

Cody Sapp
Aug 27, 2012, 11:27:47 AM
to securit...@googlegroups.com
Okay, the common error message says "Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (2)".  I logged into root and went to the directory "/var/run/mysqld/", but I noticed there isn't a mysqld.sock listed.  Is that the problem?
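The checks this thread walks through (is the MySQL client socket present, is sostat reporting ERROR 2002, what does daemon.log say about mysqld start-ups) collected into a small POSIX sh script. This is an added example, not code from the thread, from Doug, or from Security Onion; the function names are made up for it, every check takes its input as a path argument so it can be run on constructed data, and the constructed sostat and daemon.log samples are copies of the lines quoted earlier in the thread. The suggestion to compare the socket path in the error with the one configured in /etc/mysql/my.cnf is an added caveat, not something the thread states.

```sh
#!/bin/sh
# Added example, not from the thread or from Security Onion. Triage helpers for the
# "ERROR 2002 (HY000): Can't connect to local MySQL server through socket" failure
# that sostat printed above. On a live sensor the arguments would be /var/run/mysqld,
# a saved copy of the sostat output and /var/log/daemon.log.

# State of the MySQL client socket in a directory: "socket", "not-a-socket" or "missing".
# A missing socket with mysqld supposedly running is the symptom Cody observed.
socket_state() {
  sock="$1/mysqld.sock"
  if [ -S "$sock" ]; then echo socket
  elif [ -e "$sock" ]; then echo not-a-socket
  else echo missing
  fi
}

# Number of "ERROR 2002" lines in a saved sostat report (0 when mysql answered).
sostat_mysql_errors() {
  grep -c "ERROR 2002 (HY000)" "$1" || true
}

# Socket path the report complains about, to compare with the path configured in
# /etc/mysql/my.cnf (added caveat: a mismatch there gives the same client error).
sostat_socket_path() {
  sed -n "s/.*through socket '\([^']*\)'.*/\1/p" "$1" | sort -u
}

# Summary of mysqld start-ups recorded by /etc/mysql/debian-start in daemon.log:
# timestamp of the most recent start, and how many times the post-start check warned
# about a passwordless root account (the thread's log shows that warning on every start,
# which is worth fixing independently of the socket problem).
mysql_log_summary() {
  log="$1"
  last=$(grep 'debian-start\[[0-9]*\]: Upgrading MySQL tables' "$log" | tail -n 1 | awk '{print $1, $2, $3}')
  nopass=$(grep -c 'root accounts without password' "$log" || true)
  echo "last_start=${last:-none} nopass_warnings=$nopass"
}

# Combine the checks into one verdict line, pointing at the commands used in the thread.
mysql_triage() {
  sockdir="$1"; sostat="$2"; log="$3"
  errs=$(sostat_mysql_errors "$sostat")
  state=$(socket_state "$sockdir")
  if [ "$errs" -eq 0 ]; then
    echo "ok: sostat reached mysql"
  elif [ "$state" = "missing" ]; then
    echo "mysqld not running (no socket in $sockdir): try 'sudo service mysql start', then 'sudo service mysql status' and 'grep -i mysql $log'"
  elif [ "$state" = "socket" ]; then
    echo "socket exists but clients fail: compare '$(sostat_socket_path "$sostat")' with the socket path in /etc/mysql/my.cnf"
  else
    echo "$sockdir/mysqld.sock is not a unix socket: inspect the stale file before restarting mysql"
  fi
}

# Stand-alone demo on constructed inputs (the sostat and daemon.log lines quoted in the thread).
demo_triage() {
  d=$(mktemp -d)
  printf '%s\n' "ERROR 2002 (HY000): Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (2)" > "$d/sostat.txt"
  printf '%s\n' 'Aug 23 20:59:10 winning /etc/mysql/debian-start[12507]: Upgrading MySQL tables if necessary.' \
                'Aug 23 20:59:10 winning /etc/mysql/debian-start[12545]: WARNING: mysql.user contains 1 root accounts without password!' > "$d/daemon.log"
  mysql_log_summary "$d/daemon.log"
  mysql_triage "$d" "$d/sostat.txt" "$d/daemon.log"
  rm -rf "$d"
}
demo_triage
```

Run it as root on the sensor with the real paths (`mysql_triage /var/run/mysqld /tmp/sostat.txt /var/log/daemon.log` after saving `sudo sostat` output to /tmp/sostat.txt) and it reports the same "missing socket" condition Cody found, together with the last recorded mysqld start, which in this thread was the Aug 23 upgrade day.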

Doug Burks
Aug 27, 2012, 11:33:07 AM
to securit...@googlegroups.com
http://securityonion.blogspot.com/2012/08/security-onion-and-ubuntu-12041.html

As I mentioned in the blog post, "This is untested, unsupported, and
is likely to break your system." Upgrading to 12.04 broke your MySQL
and most likely your tcl/tk configuration. There are likely other
issues as well.

Unfortunately, I won't have time to help you fix this as I have to
focus on getting our new Security Onion version (based on Ubuntu
12.04) finished up. Perhaps somebody else on the list can help you
troubleshoot and work through the issues, but the quickest fix may be
to simply reinstall Security Onion from scratch (and avoid the Ubuntu
12.04 upgrade when prompted).

Doug

Doug Burks
Feb 22, 2013, 7:24:53 AM
to securit...@googlegroups.com
Hi raduion1981,

Were you running the old Security Onion 10.04? Please perform a fresh
installation using the new Security Onion 12.04:
http://code.google.com/p/security-onion/wiki/Installation

Thanks,
Doug

On Fri, Feb 22, 2013 at 7:09 AM, <radui...@gmail.com> wrote:
> Hi, I'm posting here as I have the same problem. After the weekend I started having problems with Security Onion: on snorby and sguil I can see no events, and when I try with the sguil-client, also locally, I receive the error "Unable to connect to localhost on port 7734". Since Monday I tried most of the possible fixes I found here (including restarts:) but with no success, so I kindly ask for your support, guys. Theoretically mysql runs: "Job is already running: mysql start/running, process 1144". The strange thing is that when I try sudo sostat it displays sudo: sostat: command not found

radu ion
Feb 22, 2013, 10:26:14 AM
to securit...@googlegroups.com
Hi Doug, and thanks for your very quick reply!
Yes, I'm running 10.04. I would have preferred to stick with this version and make it work, as I already made a lot of settings on it, but if there is no fix for my problem I will update. Is there any chance that it will work if I make an upgrade, or does it need a fresh install of 12.04 from scratch?

Thanks again and all the best!
Radu

Doug Burks
Feb 22, 2013, 10:36:25 AM
to securit...@googlegroups.com
There is no in-place upgrade path from Security Onion 10.04 to 12.04
as you'll be moving from 32-bit to 64-bit (assuming your hardware
supports 64-bit). Please install Security Onion 12.04 from scratch:
https://code.google.com/p/security-onion/wiki/Installation

Thanks,
Doug