GUI interface no longer working


epson...@verizon.net

Jun 11, 2015, 12:08:09 PM
to securit...@googlegroups.com
I have a standalone instance of Security Onion which has been operational for several months. I have not changed anything on the SO server between yesterday, when it worked, and today. I ran "sudo soup" this morning before I tried to access the GUI. Now the GUI isn't working. I don't see ports 80 or 443 even listed in "netstat -a." I have attached the output from "sudo sostat-redacted." Thank you in advance for any help.
sostat-redacted.txt

Doug Burks

Jun 11, 2015, 12:12:27 PM
to securit...@googlegroups.com
Hi epsonrocks,

Have you tried restarting the Apache web server?
sudo service apache2 restart

Have you tried rebooting the box?
sudo reboot

On Thu, Jun 11, 2015 at 11:35 AM, <epson...@verizon.net> wrote:
> I have a standalone instance of Security Onion which has been operational for several months. I have not changed anything on the SO server between yesterday, when it worked, and today. I ran "sudo soup" this morning before I tried to access the GUI. Now the GUI isn't working. I don't see ports 80 or 443 even listed in "netstat -a." I have attached the output from "sudo sostat-redacted." Thank you in advance for any help.



--
Doug Burks
Need Security Onion Training or Commercial Support?
http://securityonionsolutions.com

epson...@verizon.net

Jun 11, 2015, 1:25:41 PM
to securit...@googlegroups.com
Doug, yes I tried both. No change.

Doug Burks

Jun 11, 2015, 1:28:01 PM
to securit...@googlegroups.com
Please provide the full output of the following:
sudo service apache2 restart

On Thu, Jun 11, 2015 at 1:12 PM, <epson...@verizon.net> wrote:
> Doug, yes I tried both. No change.
>

Al

Jun 11, 2015, 1:48:59 PM
to securit...@googlegroups.com
al@securityonion:~$ sudo service apache2 restart
[sudo] password for al:
* Restarting web server apache2 [ OK ]
al@securityonion:~$

On 6/11/2015 1:28 PM, Doug Burks wrote:
> sudo service apache2 restart

Doug Burks

Jun 11, 2015, 2:05:55 PM
to securit...@googlegroups.com
Have you checked the Apache log files in /var/log/apache2/ for additional clues?

Al

Jun 11, 2015, 2:24:30 PM
to securit...@googlegroups.com
Within directory

/var/log/apache2/

I see file error.log which contains:


[Thu Jun 11 13:02:32 2015] [notice] SIGHUP received. Attempting to restart
[Thu Jun 11 13:02:34 2015] [notice] Apache/2.2.22 (Ubuntu) Phusion_Passenger/3.0.14 PHP/5.3.10-1ubuntu3.18 with Suhosin-Patch mod_ssl/2.2.22 OpenSSL/1.0.1 mod_perl/2.0.5 Perl/v5.14.2 configured -- resuming normal operations
[Thu Jun 11 13:11:11 2015] [notice] caught SIGTERM, shutting down
[Thu Jun 11 13:14:46 2015] [error] Error while loading /opt/elsa/web/lib/Web.psgi: Cannot read config file: /etc/elsa_web.conf at /usr/share/perl5/Config/JSON.pm line 49\n\tConfig::JSON::__ANON__('Config::JSON=HASH(0x7fa516f3ec38)', '/etc/elsa_web.conf') called at constructor Config::JSON::new (defined at /usr/share/perl5/Config/JSON.pm line 668) line 41\n\tConfig::JSON::new('Config::JSON', '/etc/elsa_web.conf') called at /opt/elsa/web/lib/Utils.pm line 49\n\tClass::MOP::Class:::around('CODE(0x7fa5136b7c18)', 'Controller', 'config_file', '/etc/elsa_web.conf') called at /usr/lib/perl5/Class/MOP/Method/Wrapped.pm line 162\n\tClass::MOP::Method::Wrapped::__ANON__('Controller', 'config_file', '/etc/elsa_web.conf') called at /usr/lib/perl5/Class/MOP/Method/Wrapped.pm line 91\n\tController::BUILDARGS('Controller', 'config_file', '/etc/elsa_web.conf') called at constructor Controller::new (defined at /opt/elsa/web/lib/Controller.pm line 2520) line 6\n\tController::new('Controller', 'config_file', '/etc/elsa_web.conf') called at /opt/elsa/web/lib/Web.psgi line 25\n\trequire /opt/elsa/web/lib/Web.psgi called at (eval 6) line 3\n\teval 'package Plack::Sandbox::_2fopt_2felsa_2fweb_2flib_2fWeb_2epsgi;\n{\n my $app = do $_file;\n if ( !$app && ( my $error = $@ || $! )) { die $error; }\n $app;\n}\n\n;' called at /usr/share/perl5/Plack/Util.pm line 118\n\tPlack::Util::_load_sandbox('/opt/elsa/web/lib/Web.psgi') called at /usr/share/perl5/Plack/Util.pm line 155\n\tPlack::Util::load_psgi('/opt/elsa/web/lib/Web.psgi') called at /usr/share/perl5/Plack/Handler/Apache2.pm line 32\n\tPlack::Handler::Apache2::load_app('Plack::Handler::Apache2', '/opt/elsa/web/lib/Web.psgi') called at /usr/share/perl5/Plack/Handler/Apache2.pm line 24\n\tPlack::Handler::Apache2::preload('Plack::Handler::Apache2', '/opt/elsa/web/lib/Web.psgi') called at /etc/apache2/elsa_startup.pl line 17\n\tmain::BEGIN() called at /opt/elsa/web/lib/Web.psgi line 0\n\teval {...} called at /opt/elsa/web/lib/Web.psgi line 0\n\trequire /etc/apache2/elsa_startup.pl called at (eval 2) line 1\n\teval 'require qCompilation failed in require at (eval 2) line 1.\n
[Thu Jun 11 13:14:46 2015] [error] Can't load Perl file: /etc/apache2/elsa_startup.pl for server securityonion.co.goochland.va.us:0, exiting...

But I have no idea what to do with this.

Doug Burks

Jun 11, 2015, 2:30:13 PM
to securit...@googlegroups.com
What is the output of the following?

ls -alh /etc/elsa_*

ls -alh /etc/apache2/

Al

Jun 11, 2015, 3:03:33 PM
to securit...@googlegroups.com
al@securityonion:/$ ls -alh /etc/elsa_*
ls: cannot access /etc/elsa_*: No such file or directory

al@securityonion:/$ ls -alh /etc/apache2/
total 112K
drwxr-xr-x 7 root root 4.0K Jun 11 13:02 .
drwxr-xr-x 122 root root 12K Jun 11 15:02 ..
-rw-r--r-- 1 root root 8.2K Jun 11 13:02 apache2.conf
-rw-r--r-- 1 root root 8.2K Jun 11 13:02 apache2.conf.20150611
drwxr-xr-x 2 root root 4.0K Jun 3 15:35 conf.d
-rw-r--r-- 1 root root 383 Jun 11 13:02 elsa_startup.pl
-rw-r--r-- 1 root root 1.3K Feb 7 2012 envvars
-rw-r--r-- 1 root root 0 Dec 8 2014 httpd.conf
-rw-r--r-- 1 root root 31K Feb 7 2012 magic
drwxr-xr-x 2 root root 12K Jun 11 13:02 mods-available
drwxr-xr-x 2 root root 4.0K Jun 11 13:02 mods-enabled
-rw-r--r-- 1 root root 730 Dec 8 2014 ports.conf
drwxr-xr-x 2 root root 4.0K Jun 3 15:35 sites-available
drwxr-xr-x 2 root root 4.0K Dec 8 2014 sites-enabled


Doug Burks

Jun 11, 2015, 3:07:07 PM
to securit...@googlegroups.com
Were you using ELSA previously?

Dave

Jun 11, 2015, 4:12:59 PM
to securit...@googlegroups.com
On Thursday, June 11, 2015 at 11:08:09 AM UTC-5, epson...@verizon.net wrote:
> I have a standalone instance of Security Onion which has been operational for several months. I have not changed anything on the SO server between yesterday, when it worked, and today. I ran "sudo soup" this morning before I tried to access the GUI. Now the GUI isn't working. I don't see ports 80 or 443 even listed in "netstat -a." I have attached the output from "sudo sostat-redacted." Thank you in advance for any help.

I just experienced the same issue. I have only been running an SO version from last week and when I ran sudo soup today, everything is now broken. No access to Snorby, Squert and my Barnyard syslog alerts to my SIEM are no longer getting out.

Doug Burks

Jun 11, 2015, 4:15:10 PM
to securit...@googlegroups.com
Hi Dave,

Please try the following:

sudo a2dismod perl

sudo service apache2 restart

Dave

Jun 11, 2015, 4:20:41 PM
to securit...@googlegroups.com
That worked to get Snorby and Squert running again, but no new Snort alerts are showing up.

Doug Burks

Jun 11, 2015, 4:22:59 PM
to securit...@googlegroups.com
I'd recommend comparing /etc/syslog-ng/syslog-ng.conf to the backup
file /etc/syslog-ng/syslog-ng.conf.YYYYMMDD (replacing YYYYMMDD with
the actual date).

On Thu, Jun 11, 2015 at 4:19 PM, Dave <dlgard...@gmail.com> wrote:
> That worked to get Snorby and Squert running again, but no new Snort alerts are showing up.
>

Dave

Jun 11, 2015, 4:32:44 PM
to securit...@googlegroups.com
The syslog-ng.conf has been appended with duplicate config data.

Doug Burks

Jun 11, 2015, 4:35:18 PM
to securit...@googlegroups.com
Remove any unnecessary config and restart syslog-ng:
sudo service syslog-ng restart

On Thu, Jun 11, 2015 at 4:32 PM, Dave <dlgard...@gmail.com> wrote:
> The syslog-ng.conf has been appended with duplicate config data.
>

Dave

Jun 11, 2015, 4:40:44 PM
to securit...@googlegroups.com
I restored the main file and restarted, but no change in Snorby or via syslog to my log server. However, I should re-state that I was using a Barnyard2.conf output for syslogging my alerts.

Dave

Jun 11, 2015, 4:56:31 PM
to securit...@googlegroups.com
I'm not sure if this is normal, but I did notice the following errors in my /var/log/nsm/barnyard2-snorby.log file...

== Initialization Complete ==--

______ -*> Barnyard2 <*-
/ ,,_ \ Version 2.1.13 (Build 333) TCL
|o" )~| By Ian Firns (SecurixLive): http://www.securixlive.com/
+ '''' + (C) Copyright 2008-2013 Ian Firns <fir...@securixlive.com>

ERROR: Unable to open directory '' (No such file or directory)
ERROR: Unable to find the next spool file!

Doug Burks

Jun 11, 2015, 6:35:39 PM
to securit...@googlegroups.com
Those two barnyard error messages are normal. Please see:
https://github.com/Security-Onion-Solutions/security-onion/wiki/FAQ#why-does-rule-update-show-barnyard2-errors

Your update probably included Ubuntu's new OpenSSL packages, which are
preventing snort_agent from starting and therefore preventing
barnyard2 from sending Snort alerts.

Doug Burks

Jun 12, 2015, 2:55:31 PM
to securit...@googlegroups.com
Created two issues based on the symptoms in this thread:

Issue 746: ELSA 1205 package enabled perl module on non-ELSA systems
https://github.com/Security-Onion-Solutions/security-onion/issues/746

Issue 747: ELSA 1205 package duplicated syslog-ng.conf entries on
non-ELSA systems
https://github.com/Security-Onion-Solutions/security-onion/issues/747

An updated package that should resolve these issues has been submitted
for testing:
https://groups.google.com/d/topic/security-onion-testing/zY6CxwPrUGU/discussion
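
A read-only check for the two symptoms tracked above as issues 746 and 747, as an added example that is not part of the original thread or the Security Onion project. It assumes an enabled Apache module appears as mods-enabled/perl.load; the demo tree and the d_elsa name are constructed.

```shell
#!/bin/sh
# Added example, not Security Onion code. Both checks are read-only.

# Issue 746 symptom: mod_perl enabled while the ELSA config it loads is absent.
# Assumption: an enabled module shows up as mods-enabled/perl.load.
# $1 is an optional root prefix so a copied or constructed tree can be checked.
check_perl_without_elsa() {
    root="${1:-}"
    if [ -e "$root/etc/apache2/mods-enabled/perl.load" ] &&
       [ ! -e "$root/etc/elsa_web.conf" ]; then
        echo "perl module enabled but etc/elsa_web.conf is missing"
        return 1
    fi
    return 0
}

# Issue 747 symptom: the same named syslog-ng object declared more than once.
# Prints each duplicated "type name" once; returns 1 if any were found.
check_syslog_ng_duplicates() {
    dups=$(awk '
        /^[ \t]*(source|destination|filter|parser|rewrite|template)[ \t]+[A-Za-z0-9_.-]+/ {
            key = $1 " " $2
            sub(/[{].*/, "", key)   # drop a brace glued to the name
            if (++seen[key] == 2) print key
        }' "$1")
    [ -z "$dups" ] && return 0
    echo "$dups"
    return 1
}

# Constructed demo tree reproducing both symptoms; run as: sh check.sh demo
demo() {
    t=$(mktemp -d)
    mkdir -p "$t/etc/apache2/mods-enabled" "$t/etc/syslog-ng"
    : > "$t/etc/apache2/mods-enabled/perl.load"
    printf '%s\n' 'source s_syslog { unix-stream("/dev/log"); };' \
        'destination d_elsa { program("/bin/cat"); };' \
        'destination d_elsa { program("/bin/cat"); };' \
        > "$t/etc/syslog-ng/syslog-ng.conf"
    check_perl_without_elsa "$t"
    check_syslog_ng_duplicates "$t/etc/syslog-ng/syslog-ng.conf"
    rm -rf "$t"
}

if [ "${1:-}" = demo ]; then demo; fi
```

On a live sensor, call `check_perl_without_elsa` with no argument and `check_syslog_ng_duplicates /etc/syslog-ng/syslog-ng.conf`; a non-zero return from either matches the corresponding symptom in this thread.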

Al

Jun 12, 2015, 3:14:06 PM
to securit...@googlegroups.com
Actually, no I was not using ELSA.

Doug Burks

Jun 12, 2015, 3:16:18 PM
to securit...@googlegroups.com
Right, these are issues that only occur if you're NOT using ELSA.
(Which probably explains why they didn't get caught in testing, since
folks testing the ELSA packages would have tested with ELSA enabled.)

epson...@verizon.net

Jun 12, 2015, 3:24:25 PM
to securit...@googlegroups.com
Doug, running these two commands has solved my problem. Thank you!

Doug Burks

Jun 17, 2015, 9:04:07 AM
to securit...@googlegroups.com
This fix happens automatically in the latest ELSA packages which are
now available in the stable PPA:
http://blog.securityonion.net/2015/06/new-elsa-packages-resolve-three-issues.html