Re-ran sosetup on Sensor, now it can NOT connect to master server
697 views
Skip to first unread message
Grant Sims
Jan 29, 2015, 9:05:41 AM1/29/15
to securit...@googlegroups.com
i reran sosetup on a sensor and now it wont connect to the master server. when i run sostat on the sensor it hangs at "Checking APIKEY:" if i run it from the master it says disconnected. i do have another sensor that is working correctly. i tried rebooting the master server and the sensor with issues with no luck. i can manually ssh from the sensor to the server.
also upon reboot if i do an sudo service nsm status, all services show "FAIL" i can manually start them but this isnt what i expect. if i do start the services manually the sensor is still not able to connect to the master.also if i run sostat-radacted on the sensor it hangs after it shows my LINK Statistics. any ideas?
attached is the master server sostat
also upon reboot if i do an sudo service nsm status, all services show "FAIL" i can manually start them but this isnt what i expect. if i do start the services manually the sensor is still not able to connect to the master.also if i run sostat-radacted on the sensor it hangs after it shows my LINK Statistics. any ideas?
attached is the master server sostat
Doug Burks
Jan 29, 2015, 10:59:07 AM1/29/15
to securit...@googlegroups.com
Hi Grant,
Replies inline.
On Thu, Jan 29, 2015 at 9:05 AM, Grant Sims <sims....@gmail.com> wrote:
> i reran sosetup on a sensor and now it wont connect to the master server. when i run sostat on the sensor it hangs at "Checking APIKEY:" if i run it from the master it says disconnected. i do have another sensor that is working correctly. i tried rebooting the master server and the sensor with issues with no luck. i can manually ssh from the sensor to the server.
Sounds like the sensor is not connecting to the master server via
autossh properly. Check /var/log/nsm/sosetup.log on your sensor for
additional clues.
> also upon reboot if i do an sudo service nsm status, all services show "FAIL" i can manually start them but this isnt what i expect.
What you're most likely seeing here is the fact that services wait 60
seconds after booting to ensure that all network links are up. Have
you tried waiting more than a minute and then checking "sudo service
nsm status"?
--
Doug Burks
Need Security Onion Training or Commercial Support?
http://securityonionsolutions.com
Replies inline.
On Thu, Jan 29, 2015 at 9:05 AM, Grant Sims <sims....@gmail.com> wrote:
> i reran sosetup on a sensor and now it wont connect to the master server. when i run sostat on the sensor it hangs at "Checking APIKEY:" if i run it from the master it says disconnected. i do have another sensor that is working correctly. i tried rebooting the master server and the sensor with issues with no luck. i can manually ssh from the sensor to the server.
autossh properly. Check /var/log/nsm/sosetup.log on your sensor for
additional clues.
> also upon reboot if i do an sudo service nsm status, all services show "FAIL" i can manually start them but this isnt what i expect.
seconds after booting to ensure that all network links are up. Have
you tried waiting more than a minute and then checking "sudo service
nsm status"?
--
Doug Burks
Need Security Onion Training or Commercial Support?
http://securityonionsolutions.com
Grant
Jan 29, 2015, 11:34:38 AM1/29/15
to securit...@googlegroups.com
looking at the sosetup.log of a working sensor and comparing with the one thats having issues is almost the same. the only difference is at the end of the file on the sensor that is NOT working has this...
[INFO ] Loading fresh modules for state activity
[INFO ] Fetching file from saltenv 'base', ** done ** 'top.sls'
Passed invalid arguments: object of type 'ConstructorError' has no len()
otherwise they are the same. i get errors about database already exist but that makes sense because im rerunning the sosetup.
not sure if it helps but when the sosetup gets to "Configuring elsa" it takes almost 5 hours to complete. has lots of "indexing index 'perm' and 'temps'
also i waited 10 min after a reboot and still shows all services as fail...
user@sensor:/var/log/nsm$ sudo service nsm status
Status: HIDS
* ossec_agent (sguil) [ FAIL ]
Status: Bro
Name Type Host Status Pid Peers Started
manager manager x.x.x.x running 4499 3 29 Jan 16:25:02
proxy proxy x.x.x.x running 4655 3 29 Jan 16:25:05
sensor-eth1-1 worker x.x.x.x running 4808 2 29 Jan 16:25:07
sensor-eth2-1 worker 1x.x.x.x running 4969 2 29 Jan 16:25:09
Status: sensor-eth1
* netsniff-ng (full packet data) [ FAIL ]
* pcap_agent (sguil) [ FAIL ]
* snort_agent-1 (sguil) [ FAIL ]
* snort-1 (alert data) [ FAIL ]
* barnyard2-1 (spooler, unified2 format) [ FAIL ]
Status: sensor-eth2
* netsniff-ng (full packet data) [ FAIL ]
* pcap_agent (sguil) [ FAIL ]
* snort_agent-1 (sguil) [ FAIL ]
* snort-1 (alert data) [ FAIL ]
* barnyard2-1 (spooler, unified2 format) [ FAIL ]
Thanks for the help!
On Thursday, 29 January 2015 10:59:07 UTC-5, Doug Burks wrote:
> Hi Grant,
>
> Replies inline.
[INFO ] Loading fresh modules for state activity
[INFO ] Fetching file from saltenv 'base', ** done ** 'top.sls'
Passed invalid arguments: object of type 'ConstructorError' has no len()
otherwise they are the same. i get errors about database already exist but that makes sense because im rerunning the sosetup.
not sure if it helps but when the sosetup gets to "Configuring elsa" it takes almost 5 hours to complete. has lots of "indexing index 'perm' and 'temps'
also i waited 10 min after a reboot and still shows all services as fail...
user@sensor:/var/log/nsm$ sudo service nsm status
Status: HIDS
* ossec_agent (sguil) [ FAIL ]
Status: Bro
Name Type Host Status Pid Peers Started
manager manager x.x.x.x running 4499 3 29 Jan 16:25:02
proxy proxy x.x.x.x running 4655 3 29 Jan 16:25:05
sensor-eth1-1 worker x.x.x.x running 4808 2 29 Jan 16:25:07
sensor-eth2-1 worker 1x.x.x.x running 4969 2 29 Jan 16:25:09
Status: sensor-eth1
* netsniff-ng (full packet data) [ FAIL ]
* pcap_agent (sguil) [ FAIL ]
* snort_agent-1 (sguil) [ FAIL ]
* snort-1 (alert data) [ FAIL ]
* barnyard2-1 (spooler, unified2 format) [ FAIL ]
Status: sensor-eth2
* netsniff-ng (full packet data) [ FAIL ]
* pcap_agent (sguil) [ FAIL ]
* snort_agent-1 (sguil) [ FAIL ]
* snort-1 (alert data) [ FAIL ]
* barnyard2-1 (spooler, unified2 format) [ FAIL ]
Thanks for the help!
On Thursday, 29 January 2015 10:59:07 UTC-5, Doug Burks wrote:
> Hi Grant,
>
> Replies inline.
Doug Burks
Jan 29, 2015, 11:40:09 AM1/29/15
to securit...@googlegroups.com
Very strange. Your quickest and easiest fix may be to wipe the box
and install from scratch.
> --
> You received this message because you are subscribed to the Google Groups "security-onion" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to security-onio...@googlegroups.com.
> To post to this group, send email to securit...@googlegroups.com.
> Visit this group at http://groups.google.com/group/security-onion.
> For more options, visit https://groups.google.com/d/optout.
and install from scratch.
> You received this message because you are subscribed to the Google Groups "security-onion" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to security-onio...@googlegroups.com.
> To post to this group, send email to securit...@googlegroups.com.
> Visit this group at http://groups.google.com/group/security-onion.
> For more options, visit https://groups.google.com/d/optout.
Grant Sims
Jan 29, 2015, 11:42:11 AM1/29/15
to securit...@googlegroups.com
it is a remote location without console access. is there a way to "wipe" the sensor but keep ip connectivity? i am just hoping there is a way to remove what i need to and then rerun setup? thanks
You received this message because you are subscribed to a topic in the Google Groups "security-onion" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/security-onion/hvZ4oYyM73M/unsubscribe.
To unsubscribe from this group and all its topics, send an email to security-onio...@googlegroups.com.
Doug Burks
Jan 29, 2015, 12:33:50 PM1/29/15
to securit...@googlegroups.com
Setup should be wiping data, but it seems that your system is in an
inconsistent state which is preventing that. You can take a look at
/usr/bin/sosetup and try manually wiping the data, but it may get
complicated.
If you'd be interested in commercial support to resolve this issue,
please send me an email off-list.
inconsistent state which is preventing that. You can take a look at
/usr/bin/sosetup and try manually wiping the data, but it may get
complicated.
If you'd be interested in commercial support to resolve this issue,
please send me an email off-list.
Grant
Jan 30, 2015, 1:16:47 PM1/30/15
to securit...@googlegroups.com
Thanks, for now i will just rebuild the server. Thanks for all of your help as always!
n Thursday, 29 January 2015 12:33:50 UTC-5, Doug Burks wrote:
> Setup should be wiping data, but it seems that your system is in an
> inconsistent state which is preventing that. You can take a look at
> /usr/bin/sosetup and try manually wiping the data, but it may get
> complicated.
>
> If you'd be interested in commercial support to resolve this issue,
> please send me an email off-list.
>
n Thursday, 29 January 2015 12:33:50 UTC-5, Doug Burks wrote:
> Setup should be wiping data, but it seems that your system is in an
> inconsistent state which is preventing that. You can take a look at
> /usr/bin/sosetup and try manually wiping the data, but it may get
> complicated.
>
> If you'd be interested in commercial support to resolve this issue,
> please send me an email off-list.
>
Reply all
Reply to author
Forward
0 new messages