Snort IDS 2 TB of disk space completely filled... needs to perform disk clean up of some type.


adrian fernandez
May 4, 2015, 5:24:25 PM
to securit...@googlegroups.com
Hey everyone,

So I was taking a look at one of our SO servers and why it wasn't sending syslogs, or if it was even collecting data, and I found out my 2 TB drive is completely full. What could I run to clean up the space, or is there any set of log files I could delete manually?

Heine Lysemose
May 5, 2015, 4:23:21 AM
to securit...@googlegroups.com

Hi

You could change the DaysToKeep in your SecurityOnion.conf file...

Or you could manually delete the oldest files under /nsm

Could you share the output of sudo sostat-redacted so we can see how much data you have retained?

Regards,
Lysemose

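Heine's two options above (lower DaysToKeep, or remove the oldest files under /nsm by hand) as a small retention script. This is an added example, not code from the thread or from Security Onion itself; it assumes, as the sostat output later in the thread suggests, that per-sensor packet logs live in `/nsm/sensor_data/<sensor>/dailylogs/<YYYY-MM-DD>/`, and it treats the day-directory name as the only thing that decides age. The mount point and the `keep` count are parameters; nothing is deleted unless `apply` is passed explicitly.

```shell
#!/bin/sh
# Added example (not from the thread or from Security Onion): list and,
# on request, prune the oldest dailylogs day directories under a sensor.
# Assumption: day directories are named YYYY-MM-DD, so a lexical sort is
# chronological and no date arithmetic is needed.

# usage_percent PATH
#   Print the Use% figure (integer, no '%') for the filesystem holding PATH.
usage_percent() {
    df -P "$1" | awk 'NR == 2 { sub("%", "", $5); print $5 }'
}

# expired_dailylogs DAILYLOGS_DIR KEEP_DAYS
#   Print the day directories that fall outside the newest KEEP_DAYS,
#   oldest first. Anything not shaped like YYYY-MM-DD is ignored.
expired_dailylogs() {
    find "$1" -mindepth 1 -maxdepth 1 -type d \
         -name '[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]' 2>/dev/null \
    | sed 's#.*/##' | sort \
    | awk -v keep="$2" '{ d[NR] = $0 }
                        END { for (i = 1; i <= NR - keep; i++) print d[i] }'
}

# prune_dailylogs DAILYLOGS_DIR KEEP_DAYS [apply]
#   Dry run by default: report what would go. With "apply" as the third
#   argument, remove exactly the directories expired_dailylogs returned,
#   always as DAILYLOGS_DIR/<day>, never anything outside that tree.
prune_dailylogs() {
    root="$1"; keep="$2"; mode="${3:-dry-run}"
    expired_dailylogs "$root" "$keep" | while IFS= read -r day; do
        if [ "$mode" = "apply" ]; then
            rm -rf -- "$root/$day" && echo "removed $root/$day"
        else
            echo "would remove $root/$day"
        fi
    done
}

# Stand-alone use (hypothetical sensor path from the thread's sostat output):
#   sh prune.sh /nsm/sensor_data/SO-server-eth1/dailylogs 7        # dry run
#   sh prune.sh /nsm/sensor_data/SO-server-eth1/dailylogs 7 apply  # delete
if [ $# -ge 2 ]; then
    echo "usage before: $(usage_percent "$1")%"
    prune_dailylogs "$1" "$2" "${3:-dry-run}"
    echo "usage after:  $(usage_percent "$1")%"
fi
```

Run it in dry-run mode first and compare the list against the Log Archive section of `sostat`. In the output Adrian posts below, every sensor's dailylogs directory is empty (4.0K, 0 days) while `/nsm/bro/logs/stats` holds 345G, so on that box this script would find nothing to remove and the space has to be looked for under Bro's log tree instead.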

adrian fernandez
May 5, 2015, 10:07:01 AM
to securit...@googlegroups.com
Hey Lysemose,

Here you go:


=========================================================================
Service Status
=========================================================================
Status: HIDS
* ossec_agent (sguil)[ FAIL ]
Status: Bro
sed: couldn't open temporary file /opt/bro/etc/sedP8appt: No space left on device
error: cannot acquire lock: [Errno 28] No space left on device
Status: SO-server-eth1
* snort_agent-1 (sguil)[ FAIL ]
* snort-1 (alert data)[ FAIL ]
* stale PID file found, process will be restarted at the next 5-minute interval!
* barnyard2-1 (spooler, unified2 format)[ OK ]
Status: SO-server-eth2
* snort_agent-1 (sguil)[ OK ]
* snort-1 (alert data)[ OK ]
* barnyard2-1 (spooler, unified2 format)[ OK ]
Status: SO-server-eth3
* snort_agent-1 (sguil)[ FAIL ]
* snort-1 (alert data)[ OK ]
* barnyard2-1 (spooler, unified2 format)[ OK ]

=========================================================================
Interface Status
=========================================================================
eth0 Link encap:Ethernet HWaddr MM:MM:MM:MM:MM:MM
inet addr:X.X.X.X Bcast:X.X.X.X Mask:X.X.X.X
inet6 addr: X.X.X.X/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:245764 errors:0 dropped:0 overruns:0 frame:0
TX packets:27545 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:134447427 (134.4 MB) TX bytes:2995760 (2.9 MB)
Interrupt:16 Memory:dfc00000-dfc20000

eth1 Link encap:Ethernet HWaddr MM:MM:MM:MM:MM:MM
UP BROADCAST RUNNING NOARP PROMISC MULTICAST MTU:1500 Metric:1
RX packets:1743297676 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1975422375745 (1.9 TB) TX bytes:0 (0.0 B)
Interrupt:17 Memory:dfb00000-dfb20000

eth2 Link encap:Ethernet HWaddr MM:MM:MM:MM:MM:MM
UP BROADCAST NOARP PROMISC MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
Interrupt:18 Memory:dfa00000-dfa20000

eth3 Link encap:Ethernet HWaddr MM:MM:MM:MM:MM:MM
UP BROADCAST NOARP PROMISC MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
Interrupt:19 Memory:df900000-df920000

lo Link encap:Local Loopback
inet addr:X.X.X.X Mask:X.X.X.X
inet6 addr: X.X.X.X/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:29989 errors:0 dropped:0 overruns:0 frame:0
TX packets:29989 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:2280495 (2.2 MB) TX bytes:2280495 (2.2 MB)


=========================================================================
Link Statistics
=========================================================================
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
link/loopback MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
RX: bytes packets errors dropped overrun mcast
2280495 29989 0 0 0 0
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
2280495 29989 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
RX: bytes packets errors dropped overrun mcast
134447427 245764 0 0 0 100470
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
2995760 27545 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0
3: eth1: <BROADCAST,MULTICAST,NOARP,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
RX: bytes packets errors dropped overrun mcast
1975422393933 1743297703 0 0 0 1744853
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
0 0 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0
4: eth2: <NO-CARRIER,BROADCAST,MULTICAST,NOARP,PROMISC,UP> mtu 1500 qdisc pfifo_fast state DOWN qlen 1000
link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
RX: bytes packets errors dropped overrun mcast
0 0 0 0 0 0
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
0 0 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0
5: eth3: <NO-CARRIER,BROADCAST,MULTICAST,NOARP,PROMISC,UP> mtu 1500 qdisc pfifo_fast state DOWN qlen 1000
link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
RX: bytes packets errors dropped overrun mcast
0 0 0 0 0 0
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
0 0 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0

=========================================================================
Disk Usage
=========================================================================
Filesystem Size Used Avail Use% Mounted on
/dev/sda1 1.8T 1.8T 0 100% /
udev 3.9G 4.0K 3.9G 1% /dev
tmpfs 796M 760K 796M 1% /run
none 5.0M 0 5.0M 0% /run/lock
none 3.9G 0 3.9G 0% /run/shm
overflow 1.0M 68K 956K 7% /tmp

=========================================================================
Network Sockets
=========================================================================
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
cupsd 1061 root 8u IPv6 11488 0t0 TCP [X.X.X.X]:631 (LISTEN)
cupsd 1061 root 9u IPv4 11489 0t0 TCP X.X.X.X:631 (LISTEN)
avahi-dae 1065 avahi 12u IPv4 13420 0t0 UDP *:5353
avahi-dae 1065 avahi 13u IPv6 13421 0t0 UDP *:5353
avahi-dae 1065 avahi 14u IPv4 13422 0t0 UDP *:54565
avahi-dae 1065 avahi 15u IPv6 13423 0t0 UDP *:41734
sshd 1598 root 3r IPv4 1618 0t0 TCP *:ssh_port (LISTEN)
sshd 1598 root 4u IPv6 1620 0t0 TCP *:ssh_port (LISTEN)
salt-mini 1895 root 14u IPv4 25617 0t0 TCP X.X.X.X:47119->X.X.X.X:4505 (ESTABLISHED)
snmpd 1940 snmp 8u IPv4 28669 0t0 UDP *:161
snmpd 1940 snmp 10u IPv4 28668 0t0 UDP *:38673
starman 2022 www-data 5u IPv6 9926 0t0 TCP *:3154 (LISTEN)
xrdp 2071 xrdp 6u IPv4 10080 0t0 TCP *:3389 (LISTEN)
xrdp-sesm 2073 root 6u IPv4 16538 0t0 TCP X.X.X.X:3350 (LISTEN)
/usr/sbin 2233 root 4u IPv4 11730 0t0 TCP *:443 (LISTEN)
/usr/sbin 2233 root 5u IPv4 11733 0t0 TCP *:9876 (LISTEN)
/usr/sbin 2233 root 6u IPv4 11735 0t0 TCP *:444 (LISTEN)
/usr/sbin 2270 www-data 4u IPv4 11730 0t0 TCP *:443 (LISTEN)
/usr/sbin 2270 www-data 5u IPv4 11733 0t0 TCP *:9876 (LISTEN)
/usr/sbin 2270 www-data 6u IPv4 11735 0t0 TCP *:444 (LISTEN)
/usr/sbin 2271 www-data 4u IPv4 11730 0t0 TCP *:443 (LISTEN)
/usr/sbin 2271 www-data 5u IPv4 11733 0t0 TCP *:9876 (LISTEN)
/usr/sbin 2271 www-data 6u IPv4 11735 0t0 TCP *:444 (LISTEN)
/usr/sbin 2272 www-data 4u IPv4 11730 0t0 TCP *:443 (LISTEN)
/usr/sbin 2272 www-data 5u IPv4 11733 0t0 TCP *:9876 (LISTEN)
/usr/sbin 2272 www-data 6u IPv4 11735 0t0 TCP *:444 (LISTEN)
/usr/sbin 2273 www-data 4u IPv4 11730 0t0 TCP *:443 (LISTEN)
/usr/sbin 2273 www-data 5u IPv4 11733 0t0 TCP *:9876 (LISTEN)
/usr/sbin 2273 www-data 6u IPv4 11735 0t0 TCP *:444 (LISTEN)
/usr/sbin 2274 www-data 4u IPv4 11730 0t0 TCP *:443 (LISTEN)
/usr/sbin 2274 www-data 5u IPv4 11733 0t0 TCP *:9876 (LISTEN)
/usr/sbin 2274 www-data 6u IPv4 11735 0t0 TCP *:444 (LISTEN)
ntpd 2820 ntp 16u IPv4 25687 0t0 UDP *:123
ntpd 2820 ntp 17u IPv6 25688 0t0 UDP *:123
ntpd 2820 ntp 18u IPv4 25694 0t0 UDP X.X.X.X:123
ntpd 2820 ntp 19u IPv4 25695 0t0 UDP X.X.X.X:123
ntpd 2820 ntp 20u IPv6 25696 0t0 UDP [X.X.X.X]:123
ntpd 2820 ntp 21u IPv6 25697 0t0 UDP [X.X.X.X]:123
ssh 3828 root 3r IPv4 22105 0t0 TCP X.X.X.X:33685->X.X.X.X:ssh_port (ESTABLISHED)
ssh 3828 root 4u IPv6 21037 0t0 TCP [X.X.X.X]:3306 (LISTEN)
ssh 3828 root 5u IPv4 21038 0t0 TCP X.X.X.X:3306 (LISTEN)
ssh 3828 root 6u IPv4 26383 0t0 TCP X.X.X.X:58365->X.X.X.X:3154 (FIN_WAIT2)
ssh 3828 root 7u IPv4 46408 0t0 TCP X.X.X.X:58438->X.X.X.X:3154 (FIN_WAIT2)
ssh 3828 root 8u IPv4 57190 0t0 TCP X.X.X.X:58499->X.X.X.X:3154 (FIN_WAIT2)
ssh 3828 root 9u IPv4 76787 0t0 TCP X.X.X.X:58535->X.X.X.X:3154 (FIN_WAIT2)
ssh 3828 root 10u IPv4 88031 0t0 TCP X.X.X.X:58559->X.X.X.X:3154 (FIN_WAIT2)
ssh 3828 root 11u IPv4 108184 0t0 TCP X.X.X.X:58580->X.X.X.X:3154 (FIN_WAIT2)
ssh 3828 root 12u IPv4 119628 0t0 TCP X.X.X.X:58605->X.X.X.X:3154 (FIN_WAIT2)
ssh 3828 root 13u IPv4 140612 0t0 TCP X.X.X.X:58626->X.X.X.X:3154 (FIN_WAIT2)
ssh 3828 root 14u IPv4 159951 0t0 TCP X.X.X.X:58665->X.X.X.X:3154 (FIN_WAIT2)
ssh 3828 root 15u IPv4 172951 0t0 TCP X.X.X.X:58714->X.X.X.X:3154 (FIN_WAIT2)
ssh 3828 root 16u IPv4 189654 0t0 TCP X.X.X.X:58755->X.X.X.X:3154 (FIN_WAIT2)
ssh 3828 root 17u IPv4 202459 0t0 TCP X.X.X.X:58804->X.X.X.X:3154 (FIN_WAIT2)
ssh 3828 root 18u IPv4 224542 0t0 TCP X.X.X.X:58853->X.X.X.X:3154 (FIN_WAIT2)
ssh 3828 root 19u IPv4 244797 0t0 TCP X.X.X.X:58905->X.X.X.X:3154 (FIN_WAIT2)
ssh 3828 root 20u IPv4 254724 0t0 TCP X.X.X.X:58947->X.X.X.X:3154 (FIN_WAIT2)
ssh 3828 root 21u IPv4 272860 0t0 TCP X.X.X.X:58996->X.X.X.X:3154 (FIN_WAIT2)
ssh 3828 root 22u IPv4 290096 0t0 TCP X.X.X.X:59045->X.X.X.X:3154 (FIN_WAIT2)
ssh 3828 root 23u IPv4 303871 0t0 TCP X.X.X.X:59094->X.X.X.X:3154 (FIN_WAIT2)
ssh 3828 root 24u IPv4 321320 0t0 TCP X.X.X.X:59154->X.X.X.X:3154 (FIN_WAIT2)
ssh 3828 root 25u IPv4 340168 0t0 TCP X.X.X.X:59207->X.X.X.X:3154 (FIN_WAIT2)
ssh 3828 root 26u IPv4 354964 0t0 TCP X.X.X.X:59277->X.X.X.X:3154 (FIN_WAIT2)
ssh 3828 root 27u IPv4 371174 0t0 TCP X.X.X.X:59350->X.X.X.X:3154 (FIN_WAIT2)
error: cannot acquire lock: [Errno 28] No space left on device
/usr/bin/sostat: line 201: /bin/ls: Argument list too long
ERROR 2002 (HY000): Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (2)
ssh 3828 root 28u IPv4 387267 0t0 TCP X.X.X.X:59415->X.X.X.X:3154 (FIN_WAIT2)
ssh 3828 root 29u IPv4 403723 0t0 TCP X.X.X.X:59500->X.X.X.X:3154 (FIN_WAIT2)
ssh 3828 root 30u IPv4 415663 0t0 TCP X.X.X.X:59559->X.X.X.X:3154 (FIN_WAIT2)
ssh 3828 root 31u IPv4 425925 0t0 TCP X.X.X.X:59596->X.X.X.X:3154 (FIN_WAIT2)
ssh 3828 root 32u IPv4 443460 0t0 TCP X.X.X.X:59627->X.X.X.X:3154 (FIN_WAIT2)
ssh 3828 root 33u IPv4 453857 0t0 TCP X.X.X.X:59664->X.X.X.X:3154 (FIN_WAIT2)
ssh 3828 root 34u IPv4 462351 0t0 TCP X.X.X.X:59699->X.X.X.X:3154 (FIN_WAIT2)
ssh 3828 root 35u IPv4 478443 0t0 TCP X.X.X.X:59755->X.X.X.X:3154 (FIN_WAIT2)
ssh 3828 root 36u IPv4 490704 0t0 TCP X.X.X.X:59816->X.X.X.X:3154 (FIN_WAIT2)
ssh 3828 root 37u IPv4 498298 0t0 TCP X.X.X.X:59877->X.X.X.X:3154 (FIN_WAIT2)
ssh 3828 root 38u IPv4 513428 0t0 TCP X.X.X.X:59938->X.X.X.X:3154 (FIN_WAIT2)
ssh 3828 root 39u IPv4 521839 0t0 TCP X.X.X.X:59999->X.X.X.X:3154 (FIN_WAIT2)
ssh 3828 root 40u IPv4 535387 0t0 TCP X.X.X.X:60066->X.X.X.X:3154 (FIN_WAIT2)
ssh 3828 root 41u IPv4 546573 0t0 TCP X.X.X.X:60127->X.X.X.X:3154 (FIN_WAIT2)
ssh 3828 root 42u IPv4 554984 0t0 TCP X.X.X.X:60189->X.X.X.X:3154 (FIN_WAIT2)
ssh 3828 root 43u IPv4 570827 0t0 TCP X.X.X.X:60250->X.X.X.X:3154 (FIN_WAIT2)
ssh 3828 root 44u IPv4 581329 0t0 TCP X.X.X.X:60309->X.X.X.X:3154 (FIN_WAIT2)
ssh 3828 root 45u IPv4 598341 0t0 TCP X.X.X.X:60382->X.X.X.X:3154 (FIN_WAIT2)
ssh 3828 root 46u IPv4 609561 0t0 TCP X.X.X.X:60467->X.X.X.X:3154 (FIN_WAIT2)
ssh 3828 root 47u IPv4 615215 0t0 TCP X.X.X.X:60552->X.X.X.X:3154 (FIN_WAIT2)
ssh 3828 root 48u IPv4 630832 0t0 TCP X.X.X.X:60623->X.X.X.X:3154 (FIN_WAIT2)
ssh 3828 root 49u IPv4 639570 0t0 TCP X.X.X.X:60708->X.X.X.X:3154 (FIN_WAIT2)
ssh 3828 root 50u IPv4 651189 0t0 TCP X.X.X.X:60781->X.X.X.X:3154 (FIN_WAIT2)
ssh 3828 root 51u IPv4 660462 0t0 TCP X.X.X.X:60815->X.X.X.X:3154 (FIN_WAIT2)
ssh 3828 root 52u IPv4 677010 0t0 TCP X.X.X.X:60851->X.X.X.X:3154 (FIN_WAIT2)
ssh 3828 root 53u IPv4 686733 0t0 TCP X.X.X.X:60888->X.X.X.X:3154 (FIN_WAIT2)
ssh 3828 root 54u IPv4 694206 0t0 TCP X.X.X.X:60923->X.X.X.X:3154 (FIN_WAIT2)
ssh 3828 root 55u IPv4 711244 0t0 TCP X.X.X.X:60966->X.X.X.X:3154 (FIN_WAIT2)
ssh 3828 root 56u IPv4 718667 0t0 TCP X.X.X.X:32770->X.X.X.X:3154 (FIN_WAIT2)
ssh 3828 root 57u IPv4 730814 0t0 TCP X.X.X.X:32807->X.X.X.X:3154 (FIN_WAIT2)
ssh 3828 root 58u IPv4 744764 0t0 TCP X.X.X.X:32844->X.X.X.X:3154 (FIN_WAIT2)
ssh 3828 root 59u IPv4 754090 0t0 TCP X.X.X.X:32881->X.X.X.X:3154 (FIN_WAIT2)
ssh 3828 root 60u IPv4 765790 0t0 TCP X.X.X.X:32930->X.X.X.X:3154 (FIN_WAIT2)
ssh 3828 root 61u IPv4 778057 0t0 TCP X.X.X.X:32985->X.X.X.X:3154 (FIN_WAIT2)
ssh 3828 root 62u IPv4 793116 0t0 TCP X.X.X.X:33046->X.X.X.X:3154 (FIN_WAIT2)
ssh 3828 root 63u IPv4 801744 0t0 TCP X.X.X.X:33107->X.X.X.X:3154 (FIN_WAIT2)
ssh 3828 root 64u IPv4 813530 0t0 TCP X.X.X.X:33168->X.X.X.X:3154 (FIN_WAIT2)
ssh 3828 root 65u IPv4 829670 0t0 TCP X.X.X.X:33240->X.X.X.X:3154 (FIN_WAIT2)
ssh 3828 root 66u IPv4 838085 0t0 TCP X.X.X.X:33293->X.X.X.X:3154 (FIN_WAIT2)
ssh 3828 root 67u IPv4 849603 0t0 TCP X.X.X.X:33354->X.X.X.X:3154 (FIN_WAIT2)
ssh 3828 root 68u IPv4 865318 0t0 TCP X.X.X.X:33415->X.X.X.X:3154 (FIN_WAIT2)
ssh 3828 root 69u IPv4 871338 0t0 TCP X.X.X.X:33466->X.X.X.X:3154 (FIN_WAIT2)
ssh 3828 root 70u IPv4 883970 0t0 TCP X.X.X.X:33527->X.X.X.X:3154 (FIN_WAIT2)
ssh 3828 root 71u IPv4 897302 0t0 TCP X.X.X.X:33577->X.X.X.X:3154 (FIN_WAIT2)
ssh 3828 root 72u IPv4 906764 0t0 TCP X.X.X.X:33614->X.X.X.X:3154 (FIN_WAIT2)
ssh 3828 root 73u IPv4 919366 0t0 TCP X.X.X.X:33651->X.X.X.X:3154 (FIN_WAIT2)
ssh 3828 root 74u IPv4 926693 0t0 TCP X.X.X.X:33682->X.X.X.X:3154 (FIN_WAIT2)
ssh 3828 root 75u IPv4 939593 0t0 TCP X.X.X.X:33717->X.X.X.X:3154 (FIN_WAIT2)
ssh 3828 root 76u IPv4 958515 0t0 TCP X.X.X.X:33765->X.X.X.X:3154 (FIN_WAIT2)
ssh 3828 root 77u IPv4 966998 0t0 TCP X.X.X.X:33802->X.X.X.X:3154 (FIN_WAIT2)
ssh 3828 root 78u IPv4 977283 0t0 TCP X.X.X.X:33833->X.X.X.X:3154 (FIN_WAIT2)
ssh 3828 root 79u IPv4 983903 0t0 TCP X.X.X.X:33871->X.X.X.X:3154 (FIN_WAIT2)
ssh 3828 root 80u IPv4 997761 0t0 TCP X.X.X.X:33907->X.X.X.X:3154 (FIN_WAIT2)
ssh 3828 root 81u IPv4 1006250 0t0 TCP X.X.X.X:33954->X.X.X.X:3154 (FIN_WAIT2)
ssh 3828 root 82u IPv4 1026108 0t0 TCP X.X.X.X:33991->X.X.X.X:3154 (FIN_WAIT2)
ssh 3828 root 83u IPv4 1033731 0t0 TCP X.X.X.X:34029->X.X.X.X:3154 (FIN_WAIT2)
ssh 3828 root 84u IPv4 1048738 0t0 TCP X.X.X.X:34065->X.X.X.X:3154 (FIN_WAIT2)
ssh 3828 root 85u IPv4 1056370 0t0 TCP X.X.X.X:34096->X.X.X.X:3154 (FIN_WAIT2)
ssh 3828 root 86u IPv4 1069495 0t0 TCP X.X.X.X:34146->X.X.X.X:3154 (FIN_WAIT2)
ssh 3828 root 87u IPv4 1076060 0t0 TCP X.X.X.X:34207->X.X.X.X:3154 (FIN_WAIT2)
ssh 3828 root 88u IPv4 1085407 0t0 TCP X.X.X.X:34268->X.X.X.X:3154 (FIN_WAIT2)
ssh 3828 root 89u IPv4 1106179 0t0 TCP X.X.X.X:34330->X.X.X.X:3154 (FIN_WAIT2)
ssh 3828 root 90u IPv4 1113929 0t0 TCP X.X.X.X:34390->X.X.X.X:3154 (FIN_WAIT2)
ssh 3828 root 91u IPv4 1124815 0t0 TCP X.X.X.X:34449->X.X.X.X:3154 (FIN_WAIT2)
ssh 3828 root 92u IPv4 1132422 0t0 TCP X.X.X.X:34480->X.X.X.X:3154 (FIN_WAIT2)
ssh 3828 root 93u IPv4 1150005 0t0 TCP X.X.X.X:34518->X.X.X.X:3154 (FIN_WAIT2)
ssh 3828 root 94u IPv4 1159499 0t0 TCP X.X.X.X:34553->X.X.X.X:3154 (FIN_WAIT2)
ssh 3828 root 95u IPv4 1169083 0t0 TCP X.X.X.X:34590->X.X.X.X:3154 (FIN_WAIT2)
ssh 3828 root 96u IPv4 1187891 0t0 TCP X.X.X.X:34633->X.X.X.X:3154 (FIN_WAIT2)
ssh 3828 root 97u IPv4 1198462 0t0 TCP X.X.X.X:34674->X.X.X.X:3154 (FIN_WAIT2)
ssh 3828 root 98u IPv4 1207861 0t0 TCP X.X.X.X:34711->X.X.X.X:3154 (FIN_WAIT2)
ssh 3828 root 99u IPv4 1215289 0t0 TCP X.X.X.X:34742->X.X.X.X:3154 (FIN_WAIT2)
ssh 3828 root 100u IPv4 1232019 0t0 TCP X.X.X.X:34779->X.X.X.X:3154 (FIN_WAIT2)
ssh 3828 root 101u IPv4 1240679 0t0 TCP X.X.X.X:34816->X.X.X.X:3154 (FIN_WAIT2)
ssh 3828 root 102u IPv4 1257620 0t0 TCP X.X.X.X:34877->X.X.X.X:3154 (FIN_WAIT2)
ssh 3828 root 103u IPv4 1265983 0t0 TCP X.X.X.X:34927->X.X.X.X:3154 (FIN_WAIT2)
ssh 3828 root 104u IPv4 1275331 0t0 TCP X.X.X.X:34988->X.X.X.X:3154 (FIN_WAIT2)
ssh 3828 root 105u IPv4 1286795 0t0 TCP X.X.X.X:35049->X.X.X.X:3154 (FIN_WAIT2)
ssh 3828 root 106u IPv4 1303589 0t0 TCP X.X.X.X:35110->X.X.X.X:3154 (FIN_WAIT2)
ssh 3828 root 107u IPv4 1310343 0t0 TCP X.X.X.X:35158->X.X.X.X:3154 (FIN_WAIT2)
ssh 3828 root 108u IPv4 1321739 0t0 TCP X.X.X.X:35193->X.X.X.X:3154 (FIN_WAIT2)
ssh 3828 root 109u IPv4 1333857 0t0 TCP X.X.X.X:35230->X.X.X.X:3154 (FIN_WAIT2)
ssh 3828 root 110u IPv4 1344222 0t0 TCP X.X.X.X:35267->X.X.X.X:3154 (FIN_WAIT2)
ssh 3828 root 111u IPv4 1355542 0t0 TCP X.X.X.X:35304->X.X.X.X:3154 (FIN_WAIT2)
ssh 3828 root 112u IPv4 1372135 0t0 TCP X.X.X.X:35352->X.X.X.X:3154 (FIN_WAIT2)
ssh 3828 root 113u IPv4 1384797 0t0 TCP X.X.X.X:35389->X.X.X.X:3154 (FIN_WAIT2)
ssh 3828 root 114u IPv4 1392451 0t0 TCP X.X.X.X:35426->X.X.X.X:3154 (FIN_WAIT2)
ssh 3828 root 115u IPv4 1403764 0t0 TCP X.X.X.X:35463->X.X.X.X:3154 (FIN_WAIT2)
ssh 3828 root 116u IPv4 1419510 0t0 TCP X.X.X.X:35500->X.X.X.X:3154 (FIN_WAIT2)
ssh 3828 root 117u IPv4 1428191 0t0 TCP X.X.X.X:35540->X.X.X.X:3154 (FIN_WAIT2)
ssh 3828 root 118u IPv4 1444884 0t0 TCP X.X.X.X:35577->X.X.X.X:3154 (FIN_WAIT2)
ssh 3828 root 119u IPv4 1454518 0t0 TCP X.X.X.X:35614->X.X.X.X:3154 (FIN_WAIT2)
ssh 3828 root 120u IPv4 1463026 0t0 TCP X.X.X.X:35651->X.X.X.X:3154 (FIN_WAIT2)
ssh 3828 root 121u IPv4 1478724 0t0 TCP X.X.X.X:35687->X.X.X.X:3154 (FIN_WAIT2)
ssh 3828 root 122u IPv4 1485546 0t0 TCP X.X.X.X:35738->X.X.X.X:3154 (FIN_WAIT2)
ssh 3828 root 123u IPv4 1502543 0t0 TCP X.X.X.X:35799->X.X.X.X:3154 (FIN_WAIT2)
ssh 3828 root 124u IPv4 1512820 0t0 TCP X.X.X.X:35862->X.X.X.X:3154 (FIN_WAIT2)
ssh 3828 root 125u IPv4 1522346 0t0 TCP X.X.X.X:35921->X.X.X.X:3154 (FIN_WAIT2)
ssh 3828 root 126u IPv4 1539123 0t0 TCP X.X.X.X:35982->X.X.X.X:3154 (FIN_WAIT2)
ssh 3828 root 127u IPv4 1546952 0t0 TCP X.X.X.X:36039->X.X.X.X:3154 (FIN_WAIT2)
ssh 3828 root 128u IPv4 1560698 0t0 TCP X.X.X.X:36097->X.X.X.X:3154 (FIN_WAIT2)
ssh 3828 root 129u IPv4 1572391 0t0 TCP X.X.X.X:36158->X.X.X.X:3154 (FIN_WAIT2)
ssh 3828 root 130u IPv4 1584259 0t0 TCP X.X.X.X:36219->X.X.X.X:3154 (FIN_WAIT2)
ssh 3828 root 131u IPv4 1592705 0t0 TCP X.X.X.X:36281->X.X.X.X:3154 (FIN_WAIT2)
ssh 3828 root 132u IPv4 1609759 0t0 TCP X.X.X.X:36342->X.X.X.X:3154 (FIN_WAIT2)
ssh 3828 root 133u IPv4 1616546 0t0 TCP X.X.X.X:36394->X.X.X.X:3154 (FIN_WAIT2)
ssh 3828 root 134u IPv4 1626032 0t0 TCP X.X.X.X:36455->X.X.X.X:3154 (FIN_WAIT2)
tclsh 17888 root 3u IPv4 2092079 0t0 TCP X.X.X.X:8201 (LISTEN)
barnyard2 18008 root 3u IPv4 2094173 0t0 TCP X.X.X.X:50884->X.X.X.X:8201 (ESTABLISHED)
sshd 19176 root 3r IPv4 2086594 0t0 TCP X.X.X.X:ssh_port->X.X.X.X:64937 (ESTABLISHED)
sshd 19382 SO-user 3u IPv4 2086594 0t0 TCP X.X.X.X:ssh_port->X.X.X.X:64937 (ESTABLISHED)
/opt/elsa 23154 www-data 5u IPv6 9926 0t0 TCP *:3154 (LISTEN)
/opt/elsa 23156 www-data 5u IPv6 9926 0t0 TCP *:3154 (LISTEN)
/opt/elsa 23164 www-data 5u IPv6 9926 0t0 TCP *:3154 (LISTEN)
/opt/elsa 23234 www-data 5u IPv6 9926 0t0 TCP *:3154 (LISTEN)
/opt/elsa 23275 www-data 5u IPv6 9926 0t0 TCP *:3154 (LISTEN)
bro 25499 root 4u IPv4 383420 0t0 UDP X.X.X.X:60182->X.X.X.X:53
bro 25538 root 0u IPv4 382379 0t0 TCP *:47764 (LISTEN)
bro 25538 root 1u IPv6 382380 0t0 TCP *:47764 (LISTEN)
bro 25538 root 4u IPv4 383420 0t0 UDP X.X.X.X:60182->X.X.X.X:53

=========================================================================
IDS Rules Update
=========================================================================

=========================================================================
CPU Usage
=========================================================================
top - 14:04:28 up 16:20, 1 user, load average: 5.21, 6.36, 5.94
Tasks: 214 total, 7 running, 207 sleeping, 0 stopped, 0 zombie
Cpu(s): 65.4%us, 3.8%sy, 0.2%ni, 30.1%id, 0.2%wa, 0.0%hi, 0.4%si, 0.0%st
Mem: 8149776k total, 3053360k used, 5096416k free, 403784k buffers
Swap: 12433792k total, 0k used, 12433792k free, 704380k cached

%CPU %MEM COMMAND
107 0.8 /opt/elsa/web/lib/Web.psgi
27.8 0.1 barnyard2 -c /etc/nsm/SO-server-eth1/barnyard2-1.conf -d /nsm/sensor_data/SO-server-eth1/snort-1 -f snort.unified2 -w /etc/nsm/SO-server-eth1/barnyard2.waldo-1 -i 1 -U
27.3 0.1 barnyard2 -c /etc/nsm/SO-server-eth3/barnyard2-1.conf -d /nsm/sensor_data/SO-server-eth3/snort-1 -f snort.unified2 -w /etc/nsm/SO-server-eth3/barnyard2.waldo-1 -i 1 -U
25.6 0.1 barnyard2 -c /etc/nsm/SO-server-eth2/barnyard2-1.conf -d /nsm/sensor_data/SO-server-eth2/snort-1 -f snort.unified2 -w /etc/nsm/SO-server-eth2/barnyard2.waldo-1 -i 1 -U
16.2 6.6 snort -c /etc/nsm/SO-server-eth3/snort.conf -u sguil -g sguil -i eth3 -F /etc/nsm/SO-server-eth3/bpf-ids.conf -l /nsm/sensor_data/SO-server-eth3/snort-1 --perfmon-file /nsm/sensor_data/SO-server-eth3/snort-1.stats -U -m 112
15.5 6.6 snort -c /etc/nsm/SO-server-eth2/snort.conf -u sguil -g sguil -i eth2 -F /etc/nsm/SO-server-eth2/bpf-ids.conf -l /nsm/sensor_data/SO-server-eth2/snort-1 --perfmon-file /nsm/sensor_data/SO-server-eth2/snort-1.stats -U -m 112
12.3 1.0 /opt/bro/bin/bro -i eth2 -U .status -p broctl -p broctl-live -p local -p SO-server-eth2-1 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
8.8 0.9 /opt/bro/bin/bro -i eth2 -U .status -p broctl -p broctl-live -p local -p SO-server-eth2-1 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
0.2 0.1 starman master -I/opt/elsa/web/lib --user=www-data --listen :3154 --daemonize --pid /var/run/starman.pid --error-log /var/log/starman.log /opt/elsa/web/lib/Web.psgi
0.1 0.1 -bash
0.1 0.0 [kworker/7:0]
0.0 0.0 [kworker/5:1]
0.0 0.0 [kworker/4:1]
0.0 0.0 [kworker/6:1]
0.0 0.0 [kworker/0:1]
0.0 0.0 [kworker/3:1]
0.0 0.0 [kworker/1:1]
0.0 0.0 [kworker/2:1]
0.0 0.0 [kworker/0:2]
0.0 0.4 /usr/bin/python /usr/bin/salt-minion
0.0 0.0 bash /opt/bro/share/broctl/scripts/helpers/start /nsm/bro/spool/SO-server-eth2-1 -1 -i eth2 -U .status -p broctl -p broctl-live -p local -p SO-server-eth2-1 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
0.0 0.0 /usr/sbin/irqbalance
0.0 0.0 /usr/sbin/snmpd -Lsd -Lf /dev/null -u snmp -g snmp -I -smux -p /var/run/snmpd.pid
0.0 0.0 tclsh /usr/bin/snort_agent.tcl -c /etc/nsm/SO-server-eth2/snort_agent-1.conf
0.0 0.0 [jbd2/sda1-8]
0.0 0.0 sshd: SO-user [priv]
0.0 0.0 /sbin/init
0.0 0.0 /usr/sbin/ntpd -p /var/run/ntpd.pid -g -u 118:126
0.0 0.1 /usr/sbin/apache2 -k start
0.0 0.0 /usr/lib/accountsservice/accounts-daemon
0.0 0.0 /usr/bin/ssh -q -N -o ServerAliveInterval 60 -o ServerAliveCountMax 3 -i /root/.ssh/securityonion -L 3306:X.X.X.X:3306 -R 50015:localhost:3154 bba...@X.X.X.X
0.0 0.0 cron
0.0 0.0 [migration/0]
0.0 0.0 [migration/2]
0.0 0.0 [migration/1]
0.0 0.0 [migration/3]
0.0 0.0 [ksoftirqd/2]
0.0 0.0 [ksoftirqd/1]
0.0 0.0 [ksoftirqd/3]
0.0 0.0 [flush-8:0]
0.0 0.0 [ksoftirqd/0]
0.0 0.0 [migration/4]
0.0 0.0 [migration/5]
0.0 0.0 [migration/6]
0.0 0.0 [migration/7]
0.0 0.0 [ksoftirqd/4]
0.0 0.0 [ksoftirqd/5]
0.0 0.0 [ksoftirqd/6]
0.0 0.0 [ksoftirqd/7]
0.0 0.0 PassengerHelperAgent
0.0 0.0 [watchdog/0]
0.0 0.1 /usr/bin/python /opt/bro/bin/broctl cron
0.0 0.0 [watchdog/1]
0.0 0.0 [watchdog/4]
0.0 0.0 [watchdog/5]
0.0 0.0 [watchdog/7]
0.0 0.0 [sync_supers]
0.0 0.0 [watchdog/2]
0.0 0.0 [watchdog/3]
0.0 0.0 [watchdog/6]
0.0 0.0 /usr/sbin/console-kit-daemon --no-daemon
0.0 0.0 /usr/sbin/apache2 -k start
0.0 0.0 dbus-daemon --system --fork --activation=upstart
0.0 0.1 Passenger spawn server
0.0 0.0 PassengerLoggingAgent
0.0 0.0 upstart-udev-bridge --daemon
0.0 0.0 /sbin/udevd --daemon
0.0 0.0 [khungtaskd]
0.0 0.0 avahi-daemon: running [SO-server.local]
0.0 0.0 /usr/lib/policykit-1/polkitd --no-debug
0.0 0.0 [kthreadd]
0.0 0.0 [kworker/1:0]
0.0 0.0 [kworker/2:0]
0.0 0.0 [kworker/3:0]
0.0 0.0 [kworker/4:0]
0.0 0.0 [cpuset]
0.0 0.0 [khelper]
0.0 0.0 [kdevtmpfs]
0.0 0.0 [netns]
0.0 0.0 [bdi-default]
0.0 0.0 [kintegrityd]
0.0 0.0 [kblockd]
0.0 0.0 [ata_sff]
0.0 0.0 [khubd]
0.0 0.0 [md]
0.0 0.0 [kswapd0]
0.0 0.0 [ksmd]
0.0 0.0 [khugepaged]
0.0 0.0 [fsnotify_mark]
0.0 0.0 [ecryptfs-kthrea]
0.0 0.0 [crypto]
0.0 0.0 [kthrotld]
0.0 0.0 [scsi_eh_0]
0.0 0.0 [scsi_eh_1]
0.0 0.0 [scsi_eh_2]
0.0 0.0 [scsi_eh_3]
0.0 0.0 [scsi_eh_4]
0.0 0.0 [scsi_eh_5]
0.0 0.0 [kworker/u:5]
0.0 0.0 [kworker/u:6]
0.0 0.0 [devfreq_wq]
0.0 0.0 [kworker/7:1]
0.0 0.0 [ext4-dio-unwrit]
0.0 0.0 [kworker/5:2]
0.0 0.0 /sbin/udevd --daemon
0.0 0.0 /sbin/udevd --daemon
0.0 0.0 [kmpathd]
0.0 0.0 [kmpath_handlerd]
0.0 0.0 [kpsmoused]
0.0 0.0 [kworker/6:2]
0.0 0.0 upstart-socket-bridge --daemon
0.0 0.0 /usr/sbin/bluetoothd
0.0 0.0 [krfcommd]
0.0 0.0 /usr/sbin/cupsd -F
0.0 0.0 avahi-daemon: chroot helper
0.0 0.0 /usr/sbin/sshd -D
0.0 0.0 /sbin/getty -8 38400 tty4
0.0 0.0 /sbin/getty -8 38400 tty5
0.0 0.0 su -c salt-minion
0.0 0.0 /sbin/getty -8 38400 tty2
0.0 0.0 /sbin/getty -8 38400 tty3
0.0 0.0 /sbin/getty -8 38400 tty6
0.0 0.0 acpid -c /etc/acpi/events -s /var/run/acpid.socket
0.0 0.0 atd
0.0 0.0 tail -n 1 -f /nsm/sensor_data/SO-server-eth2/snort-1.stats
0.0 0.0 /usr/sbin/xrdp
0.0 0.0 /usr/sbin/xrdp-sesman
0.0 0.0 PassengerWatchdog
0.0 0.0 /usr/sbin/apache2 -k start
0.0 0.0 /usr/sbin/apache2 -k start
0.0 0.0 /usr/sbin/apache2 -k start
0.0 0.0 /usr/sbin/apache2 -k start
0.0 0.0 /sbin/getty -8 38400 tty1
0.0 0.0 tail -n 1 -f /nsm/sensor_data/SO-server-eth2/snort-1.stats
0.0 0.0 /usr/lib/autossh/autossh -M 0 -q -N -o ServerAliveInterval 60 -o ServerAliveCountMax 3 -i /root/.ssh/securityonion -L 3306:X.X.X.X:3306 -R 50015:localhost:3154 bba...@X.X.X.X
0.0 0.0 tail -n 1 -f /nsm/sensor_data/SO-server-eth2/snort-1.stats
0.0 0.0 tail -n 1 -f /nsm/sensor_data/SO-server-eth2/snort-1.stats
0.0 0.0 tail -n 1 -f /nsm/sensor_data/SO-server-eth3/snort-1.stats
0.0 0.0 tail -n 1 -f /nsm/sensor_data/SO-server-eth3/snort-1.stats
0.0 0.0 tail -n 1 -f /nsm/sensor_data/SO-server-eth2/snort-1.stats
0.0 0.0 tail -n 1 -f /nsm/sensor_data/SO-server-eth2/snort-1.stats
0.0 0.0 tail -n 1 -f /nsm/sensor_data/SO-server-eth3/snort-1.stats
0.0 0.0 tail -n 1 -f /nsm/sensor_data/SO-server-eth2/snort-1.stats
0.0 0.0 tail -n 1 -f /nsm/sensor_data/SO-server-eth2/snort-1.stats
0.0 0.0 tail -n 1 -f /nsm/sensor_data/SO-server-eth3/snort-1.stats
0.0 0.0 tail -n 1 -f /nsm/sensor_data/SO-server-eth2/snort-1.stats
0.0 0.0 tail -n 1 -f /nsm/sensor_data/SO-server-eth2/snort-1.stats
0.0 0.0 tail -n 1 -f /nsm/sensor_data/SO-server-eth2/snort-1.stats
0.0 0.0 tail -n 1 -f /nsm/sensor_data/SO-server-eth3/snort-1.stats
0.0 0.0 tail -n 1 -f /nsm/sensor_data/SO-server-eth2/snort-1.stats
0.0 0.0 tail -n 1 -f /nsm/sensor_data/SO-server-eth2/snort-1.stats
0.0 0.0 tail -n 1 -f /nsm/sensor_data/SO-server-eth3/snort-1.stats
0.0 0.0 tail -n 1 -f /nsm/sensor_data/SO-server-eth3/snort-1.stats
0.0 0.0 tail -n 1 -f /nsm/sensor_data/SO-server-eth2/snort-1.stats
0.0 0.0 tail -n 1 -f /nsm/sensor_data/SO-server-eth2/snort-1.stats
0.0 0.0 tail -n 1 -f /nsm/sensor_data/SO-server-eth2/snort-1.stats
0.0 0.0 tail -n 1 -f /nsm/sensor_data/SO-server-eth2/snort-1.stats
0.0 0.0 tail -n 1 -f /nsm/sensor_data/SO-server-eth2/snort-1.stats
0.0 0.0 tail -n 1 -f /nsm/sensor_data/SO-server-eth2/snort-1.stats
0.0 0.0 tail -n 1 -f /nsm/sensor_data/SO-server-eth3/snort-1.stats
0.0 0.0 tail -n 1 -f /nsm/sensor_data/SO-server-eth2/snort-1.stats
0.0 0.0 tail -n 1 -f /nsm/sensor_data/SO-server-eth2/snort-1.stats
0.0 0.0 tail -n 1 -f /nsm/sensor_data/SO-server-eth2/snort-1.stats
0.0 0.0 tail -n 1 -f /nsm/sensor_data/SO-server-eth3/snort-1.stats
0.0 0.0 sshd: SO-user@pts/0
0.0 0.0 tail -n 1 -f /nsm/sensor_data/SO-server-eth2/snort-1.stats
0.0 0.0 tail -n 1 -f /nsm/sensor_data/SO-server-eth3/snort-1.stats
0.0 0.0 tail -n 1 -f /nsm/sensor_data/SO-server-eth2/snort-1.stats
0.0 0.0 tail -n 1 -f /nsm/sensor_data/SO-server-eth3/snort-1.stats
0.0 0.0 tail -n 1 -f /nsm/sensor_data/SO-server-eth3/snort-1.stats
0.0 0.0 tail -n 1 -f /nsm/sensor_data/SO-server-eth2/snort-1.stats
0.0 0.0 sudo sostat-redacted
0.0 0.0 /bin/bash /usr/bin/sostat-redacted
0.0 0.7 /opt/elsa/web/lib/Web.psgi
0.0 0.0 /bin/bash /usr/bin/sostat
0.0 0.0 sed -r s/(\b[0-9]{1,3}\.){3}[0-9]{1,3}\b/X.X.X.X/g
0.0 0.0 sed -r s/([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}/MM:MM:MM:MM:MM:MM/g
0.0 0.0 sed -r s/(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]).){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]).){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))\b/X.X.X.X/g
0.0 0.0 sed -r s/X:ssh_port/X:ssh_port/g
0.0 0.0 sed -r s/\*:ssh_port/*:ssh_port/g
0.0 0.0 sed -r s/SO-server/SO-server/g
0.0 0.0 sed -r s/SO-node/SO-node/g
0.0 0.0 sed -r s/SO-user|SO-user|SO-user|SO-user|SO-user/SO-user/g
0.0 0.0 sleep 1
0.0 0.7 /opt/elsa/web/lib/Web.psgi
0.0 0.5 /opt/elsa/web/lib/Web.psgi
0.0 0.4 /opt/elsa/web/lib/Web.psgi
0.0 0.0 ps -eo pcpu,pmem,args --sort -pcpu
0.0 0.0 tail -n 1 -f /nsm/sensor_data/SO-server-eth2/snort-1.stats
0.0 0.0 CRON
0.0 0.0 /bin/sh -c grep "BRO_ENABLED=yes" /etc/nsm/securityonion.conf >/dev/null 2>&1 && /opt/bro/bin/broctl cron
0.0 0.0 tail -n 1 -f /nsm/sensor_data/SO-server-eth2/snort-1.stats
0.0 0.0 /bin/sh -c sh
0.0 0.0 sh
0.0 0.0 /bin/sh -c sh
0.0 0.0 sh
0.0 0.0 /bin/sh -c sh
0.0 0.0 sh
0.0 0.0 bash /opt/bro/share/broctl/scripts/run-bro -1 -i eth2 -U .status -p broctl -p broctl-live -p local -p SO-server-eth2-1 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
0.0 0.0 tail -n 1 -f /nsm/sensor_data/SO-server-eth2/snort-1.stats
0.0 0.0 tail -n 1 -f /nsm/sensor_data/SO-server-eth3/snort-1.stats
0.0 0.0 tail -n 1 -f /nsm/sensor_data/SO-server-eth2/snort-1.stats
0.0 0.0 tail -n 1 -f /nsm/sensor_data/SO-server-eth2/snort-1.stats
0.0 0.0 tail -n 1 -f /nsm/sensor_data/SO-server-eth2/snort-1.stats
0.0 0.0 tail -n 1 -f /nsm/sensor_data/SO-server-eth3/snort-1.stats
0.0 0.0 tail -n 1 -f /nsm/sensor_data/SO-server-eth2/snort-1.stats
0.0 0.0 tail -n 1 -f /nsm/sensor_data/SO-server-eth3/snort-1.stats
0.0 0.0 tail -n 1 -f /nsm/sensor_data/SO-server-eth2/snort-1.stats
0.0 0.0 tail -n 1 -f /nsm/sensor_data/SO-server-eth3/snort-1.stats
0.0 0.0 tail -n 1 -f /nsm/sensor_data/SO-server-eth2/snort-1.stats
0.0 0.0 tail -n 1 -f /nsm/sensor_data/SO-server-eth2/snort-1.stats
0.0 0.0 tail -n 1 -f /nsm/sensor_data/SO-server-eth3/snort-1.stats
0.0 0.0 tail -n 1 -f /nsm/sensor_data/SO-server-eth3/snort-1.stats

=========================================================================
Log Archive
=========================================================================
/nsm/sensor_data/SO-server-eth0/dailylogs/ - 0 days
4.0K .

/nsm/sensor_data/SO-server-eth1/dailylogs/ - 0 days
4.0K .

/nsm/sensor_data/SO-server-eth2/dailylogs/ - 0 days
4.0K .

/nsm/sensor_data/SO-server-eth3/dailylogs/ - 0 days
4.0K .

/nsm/bro/logs/ - 0 days
345G .
345G ./stats

=========================================================================
IDS Engine (snort) packet drops
=========================================================================
/nsm/sensor_data/SO-server-eth1/snort-1.stats last reported pkt_drop_percent as 24.083
ERROR: No stats found in /nsm/sensor_data/SO-server-eth2/snort-1.stats
ERROR: No stats found in /nsm/sensor_data/SO-server-eth3/snort-1.stats

=========================================================================
pf_ring stats
=========================================================================
PF_RING Version : 6.0.2 ($Revision: $)
Total rings : 3

Standard (non DNA) Options
Ring slots : 4096
Slot version : 16
Capture TX : Yes [RX+TX]
IP Defragment : No
Socket Mode : Standard
Transparent mode : Yes [mode 0]
Total plugins : 0
Cluster Fragment Queue : 0
Cluster Fragment Discard : 0

/proc/net/pf_ring/17964-eth2.266
Appl. Name : snort-cluster-53-socket-0
Tot Packets : 0
Tot Pkt Lost : 0
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 4098
Num Free Slots : 4098

/proc/net/pf_ring/18130-eth3.267
Appl. Name : snort-cluster-54-socket-0
Tot Packets : 0
Tot Pkt Lost : 0
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 4098
Num Free Slots : 4098

/proc/net/pf_ring/25499-eth2.36
Appl. Name : bro-eth2
Tot Packets : 0
Tot Pkt Lost : 0
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 4096
Num Free Slots : 4096

=========================================================================
ELSA
=========================================================================
Syslog-ng
Checking for process:
Checking for connection:
nc: connect to localhost port 514 (tcp) failed: Connection refused

MySQL
Checking for process:
Checking for connection:
nc: connect to localhost port 50000 (tcp) failed: Connection refused

Sphinx
Checking for process:
Checking for connection:
nc: connect to localhost port 9306 (tcp) failed: Connection refused

ELSA Buffers in Queue:

ELSA Directory Sizes:
255G /nsm/elsa/data
1.1M /var/lib/mysql/syslog
1.2T /var/lib/mysql/syslog_data

ELSA Index Date Range:

autossh
Checking for process:
3826 /usr/lib/autossh/autossh -M 0 -q -N -o ServerAliveInterval 60 -o ServerAliveCountMax 3 -i /root/.ssh/securityonion -L 3306:X.X.X.X:3306 -R 50015:localhost:3154 bba...@X.X.X.X

Checking APIKEY:
APIKEY matches server.

starman
Checking for processes:
2022 starman master -I/opt/elsa/web/lib --user=www-data --listen :3154 --daemonize --pid /var/run/starman.pid --error-log /var/log/starman.log /opt/elsa/web/lib/Web.psgi

Doug Burks
May 5, 2015, 10:15:41 AM
to securit...@googlegroups.com
Looks like the majority of your disk is being used by ELSA:
1.2T /var/lib/mysql/syslog_data

When you ran Setup, what did you specify for ELSA log_size_limit?
grep log_size_limit /etc/elsa_node.conf

I'd recommend the following:

# stop all services
sudo service nsm stop

# lower the log_size_limit setting in /etc/elsa_node.conf

# restart syslog-ng
sudo service syslog-ng restart



--
Doug Burks
Need Security Onion Training or Commercial Support?
http://securityonionsolutions.com
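The three steps Doug gives above (stop the NSM services, lower log_size_limit in /etc/elsa_node.conf, restart syslog-ng), wrapped with a sanity check of the new limit against the filesystem it has to fit in, as an added example. This is not code from the thread or from Security Onion / ELSA. It assumes /etc/elsa_node.conf is JSON containing a line of the form "log_size_limit": <bytes> (the key is the one Doug's grep reads; the JSON layout is an assumption), that the ELSA store is the /var/lib/mysql/syslog_data path from the sostat output, and that a 40% share of the disk is a reasonable ceiling given that Bro logs and the Sphinx index under /nsm/elsa/data share it. The service commands are Doug's; everything else is illustrative.

```sh
#!/bin/sh
# Added example; not code from the thread or from Security Onion / ELSA.
# Assumptions (not stated on the page):
#   - /etc/elsa_node.conf is JSON containing a line like
#         "log_size_limit": 957000000000,
#   - the ELSA data lives under /var/lib/mysql/syslog_data (path from the
#     sostat output), so that is the filesystem the limit must fit in.
#   - 40% of the filesystem is an illustrative ceiling, not an ELSA rule.

ELSA_CONF="${ELSA_CONF:-/etc/elsa_node.conf}"
ELSA_DATA="${ELSA_DATA:-/var/lib/mysql/syslog_data}"

# Print the configured log_size_limit (bytes) from a conf file.
get_log_size_limit() {
    sed -n 's/^[[:space:]]*"log_size_limit"[[:space:]]*:[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$1" | head -n 1
}

# Rewrite log_size_limit in place (GNU sed -i), keeping a backup copy.
# Refuses anything that is not a plain integer (no "300GB" style values).
set_log_size_limit() {
    conf="$1"; new="$2"
    case "$new" in
        ''|*[!0-9]*) echo "limit must be an integer number of bytes" >&2; return 1 ;;
    esac
    cp "$conf" "$conf.bak.$(date +%Y%m%d%H%M%S)"
    sed -i "s/^\([[:space:]]*\"log_size_limit\"[[:space:]]*:[[:space:]]*\)[0-9][0-9]*/\1$new/" "$conf"
}

# Size in bytes of the filesystem that holds a path (df -P prints 1K blocks).
fs_size_bytes() {
    df -P "$1" | awk 'NR == 2 { printf "%.0f\n", $2 * 1024 }'
}

# ELSA shares the disk with Bro logs, pcaps and the Sphinx index, so cap the
# limit at a percentage of the filesystem (default 40%, an assumption).
# Returns 0 if the limit fits, 1 if it does not.
check_limit() {
    limit="$1"; fs_bytes="$2"; pct="${3:-40}"
    budget=$((fs_bytes * pct / 100))
    if [ "$limit" -gt "$budget" ]; then
        echo "log_size_limit $limit exceeds ${pct}% of the filesystem ($budget bytes)"
        return 1
    fi
    echo "log_size_limit $limit fits within ${pct}% of the filesystem ($budget bytes)"
}

# Doug's three steps, run only after the new value passes the check.
apply_new_limit() {
    new="$1"
    check_limit "$new" "$(fs_size_bytes "$ELSA_DATA")" || return 1
    sudo service nsm stop                   # stop all services
    set_log_size_limit "$ELSA_CONF" "$new"  # lower the log_size_limit setting
    sudo service syslog-ng restart          # restart syslog-ng
}

# Nothing runs unless asked, so the functions can be sourced safely.
case "${1:-}" in
    --check) check_limit "$(get_log_size_limit "$ELSA_CONF")" "$(fs_size_bytes "$ELSA_DATA")" ;;
    --apply) apply_new_limit "$2" ;;
esac
```

Run it with --check to compare the current setting against the disk, or --apply 300000000000 to perform the three steps with the 300 GB value chosen later in the thread. The percentage is a rule of thumb: pick it from what else the disk has to hold (the sostat output above shows 345G of Bro logs and 255G under /nsm/elsa/data on the same 2 TB drive).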

adrian fernandez
May 5, 2015, 10:34:29 AM
to securit...@googlegroups.com
Wow, it looks like it's set to 957000000000 = 957 GB = pretty much a TB lol. I went ahead and lowered it to 300 GB for now. Is there any sort of best practice/recommended size limit for ELSA logs, or any logs for that matter? Or is it just based on personal preference?

Doug Burks
May 5, 2015, 10:38:34 AM
to securit...@googlegroups.com
You should size your logs (and your hardware) according to how long you need to be able to refer back to your logs (1 week, 1 month, etc.)


adrian fernandez
May 5, 2015, 2:53:47 PM
to securit...@googlegroups.com
Hey Doug,

I was able to manually delete one of my log files that was taking up almost 350 GB of space, and then finally changed the log size limit in ELSA (before, I wasn't able to do it since the hard drive was completely full). Afterwards, I noticed that I still wasn't receiving/collecting data on that server, so I performed the following:

- re-ran the sensor setup from scratch, and specified the ELSA log size again.
- rebooted the server.
- re-ran the sudo apt-get update and sudo apt-get upgrade commands. Downloaded a boatload of updates. Rebooted afterwards.
- reconfigured my /etc/syslog-ng/syslog-ng.conf file to send syslogs to my two servers.

Once all of this was done, I was able to successfully collect data and send syslogs to my two servers.

You have helped me tons today!!!! Thanks for your help!!!!

I do have another question though... I still see that a large amount of space is being used up on the drives. Is there an easy way to look at what log files are taking up the most space? I want to see if I can alleviate space on the drive, and possibly reconfigure the length I would keep data and/or the size of files.

Doug Burks
May 7, 2015, 8:46:06 AM
to securit...@googlegroups.com

Run "sudo sostat" and look at the "Log Archive" and "ELSA" sections.
You could also investigate using standard Linux tools.
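One way to do the "standard Linux tools" investigation Doug mentions, as an added example that is not part of the thread or of Security Onion's sostat: list the largest entries under the data roots sostat reported (/nsm/sensor_data, /nsm/bro/logs, /nsm/elsa/data, /var/lib/mysql/syslog_data), measure how much an age-based prune would reclaim, and only delete when explicitly told to. The default paths and the 30-day figure are assumptions for illustration; du -d, find -printf and find -delete are GNU extensions. Note that deleting under the MySQL data directory by hand is not something this example does: that store is managed by ELSA through log_size_limit, so the prune helper is meant for plain log trees such as the Bro stats directory.

```sh
#!/bin/sh
# Added example; not part of the thread or of Security Onion's sostat.
# Assumed defaults (illustrative): the data roots sostat reported and a
# 30-day retention. du -d, find -printf and find -delete are GNU extensions.

# Largest entries directly under a directory, biggest first: "KB<TAB>path".
# -x stays on one filesystem so a separately mounted /nsm is not double counted.
top_consumers() {
    dir="$1"; n="${2:-10}"
    du -xk -d 1 "$dir" 2>/dev/null | sort -rn | awk -v self="$dir" '$2 != self' | head -n "$n"
}

# Kilobytes held by regular files older than DAYS under a tree: what an
# age-based prune would reclaim. Deletes nothing.
reclaimable_kb() {
    dir="$1"; days="$2"
    find "$dir" -xdev -type f -mtime +"$days" -printf '%k\n' 2>/dev/null | awk '{ s += $1 } END { print s + 0 }'
}

# Prune files older than DAYS. Without the literal third argument "delete" it
# only lists what would go, so the default is a dry run.
prune_older_than() {
    dir="$1"; days="$2"; confirm="${3:-}"
    if [ "$confirm" = "delete" ]; then
        find "$dir" -xdev -type f -mtime +"$days" -print -delete
    else
        find "$dir" -xdev -type f -mtime +"$days" -print
    fi
}

# Report for the paths in the sostat output. Only runs when asked, so the
# functions can be sourced without side effects.
report() {
    for d in /nsm/sensor_data /nsm/bro/logs /nsm/elsa/data /var/lib/mysql/syslog_data; do
        [ -d "$d" ] || continue
        echo "== $d (top 5 by size) =="
        top_consumers "$d" 5
        echo "   older than 30 days: $(reclaimable_kb "$d" 30) KB reclaimable"
    done
}

if [ "${1:-}" = "--report" ]; then
    report
fi
```

Run it as root with --report (the sensor directories are not world-readable), then call prune_older_than on a specific tree with the "delete" argument once the dry-run listing looks right. The 345G under /nsm/bro/logs/stats in the output above is the kind of thing this surfaces immediately, and the reclaimable figure tells you whether a shorter retention would actually free the space before you change any setting.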