lakebum,
Keep in mind that Squert, by default, only shows alerts for the current day.
Please provide the output of sostat-redacted for the master server, a suspect sensor, and a working sensor, attaching as a plain text file, or using a service like Pastebin.com.
Thanks,
Wes
I did not know Squert only showed the current day, but we have been in the office for nearly 8 hours; some traffic would have tripped a sensor. Squert has no data being presented, and no filters are set up that would be preventing or narrowing the scope.
When I click on sensors, the only items that show up are server-ossec | localsite_sensor-eth1 | localsite_sensor-eth0 | localsite_sensor-ossec. None of the sensors at our other 6 remote sites show up in the list of sensors.
The server is at the same site as "localsite-sensor".
Have you tried using Sguil or looking in ELSA to see if you get the same result?
From the master output:
=========================================================================
Sguil Uncategorized Events
=========================================================================
COUNT(*)
100002
=========================================================================
Sguil events summary for yesterday
=========================================================================
Total
0
=========================================================================
Top 50 All time Sguil Events
=========================================================================
Totals GenID:SigID Signature
3703235 1:2101411 GPL SNMP public access udp
271340 1:2100366 GPL ICMP_INFO PING *NIX
244266 1:2009702 ET POLICY DNS Update From External net
62590 1:2019003 ET TROJAN Windows netstat Microsoft Windows DOS prompt command exit OUTBOUND
12516 1:2014380 ET POLICY HTTP POST invalid method case outbound
9528 1:2016149 ET INFO Session Traversal Utilities for NAT (STUN Binding Request)
9469 1:2016150 ET INFO Session Traversal Utilities for NAT (STUN Binding Response)
9410 1:2024379 ET POLICY Outdated Flash Version M2
6361 1:2017919 ET DOS Possible NTP DDoS Inbound Frequent Un-Authed MON_LIST Requests IMPL 0x03
6160 1:2101603 GPL WEB_SERVER DELETE attempt
5042 1:2009475 ET POLICY TeamViewer Dyngate User-Agent
2319 1:2014726 ET POLICY Outdated Flash Version M1
2140 1:2009700 ET VOIP Multiple Unauthorized SIP Responses UDP
2119 1:2003068 ET SCAN Potential SSH Scan OUTBOUND
2019 1:2008578 ET SCAN Sipvicious Scan
1999 1:2011716 ET SCAN Sipvicious User-Agent Detected (friendly-scanner)
1427 1:2020565 ET POLICY Dropbox DNS Lookup - Possible Offsite File Backup in Use
1138 1:2101960 GPL RPC portmap NFS request TCP
768 1:2008117 ET TFTP Outbound TFTP Data Transfer
731 1:2402000 ET DROP Dshield Block Listed Source group 1
644 1:2101390 GPL SHELLCODE x86 inc ebx NOOP
630 1:2001219 ET SCAN Potential SSH Scan
578 1:2013504 ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management
433 1:2012726 ET SCAN OpenVAS User-Agent Inbound
418 1:2002910 ET SCAN Potential VNC Scan 5800-5820
383 1:2016016 ET DOS DNS Amplification Attack Inbound
308 1:2018455 ET TROJAN DNS Reply Sinkhole - Anubis - X.X.X.X/26
239 1:2101616 GPL DNS named version attempt
214 1:2014297 ET POLICY Vulnerable Java Version 1.7.x Detected
206 1:2017778 ET CURRENT_EVENTS Possible Android InMobi SDK SideDoor Access getGalleryImage
206 1:2017781 ET CURRENT_EVENTS Possible Android InMobi SDK SideDoor Access sendMail
206 1:2017780 ET CURRENT_EVENTS Possible Android InMobi SDK SideDoor Access postToSocial
From the remote sensor output:
----
Status: SO-server-eth1
* netsniff-ng (full packet data)[ FAIL ]
* pcap_agent (SO-user)[ OK ]
* snort_agent-1 (SO-user)[ OK ]
* snort-1 (alert data)[ FAIL ]
* stale PID file found, process will be restarted at the next 5-minute interval!
* barnyard2-1 (spooler, unified2 format)[ OK ]
You may want to try restarting netsniff-ng:
sudo nsm_sensor_ps-restart --only pcap
----
From the local sensor output:
* netsniff-ng (full packet data)[ FAIL ]
* pcap_agent (SO-user)[ OK ]
* snort_agent-1 (SO-user)[ OK ]
* snort_agent-2 (SO-user)[ OK ]
* snort-1 (alert data)[ FAIL ]
* stale PID file found, process will be restarted at the next 5-minute interval!
* snort-2 (alert data)[ FAIL ]
* stale PID file found, process will be restarted at the next 5-minute interval!
Are you using BPF to filter out any traffic?
Also, try having a look at /var/log/nsm/hostname-interface/netsniff-ng.log and /var/log/nsm/hostname-interface/snortu-x.log for clues.
Thanks,
Wes
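As an added example, not part of this thread and not Security Onion's own tooling: a small POSIX shell script that triages sostat-style "Status:" sections from several sensors in one pass, listing each process marked [ FAIL ], counting the stale-PID warnings, and pointing out sensors where both full packet capture (netsniff-ng) and alert generation (snort) are down, which is the combination that leaves Squert with nothing to show. The sample status text is constructed to mirror the excerpts above, and the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the thread, not Security Onion code): triage
# sostat-style "Status:" sections from several sensors in one pass.
# The sample text below is constructed to mirror the excerpts in the thread.

SOSTAT_SAMPLE='Status: SO-server-eth1
  * netsniff-ng (full packet data)[ FAIL ]
  * pcap_agent (SO-user)[ OK ]
  * snort_agent-1 (SO-user)[ OK ]
  * snort-1 (alert data)[ FAIL ]
     * stale PID file found, process will be restarted at the next 5-minute interval!
  * barnyard2-1 (spooler, unified2 format)[ OK ]
Status: localsite_sensor-eth0
  * netsniff-ng (full packet data)[ FAIL ]
  * snort-1 (alert data)[ FAIL ]
     * stale PID file found, process will be restarted at the next 5-minute interval!
  * snort-2 (alert data)[ FAIL ]
     * stale PID file found, process will be restarted at the next 5-minute interval!'

HEALTHY_SAMPLE='Status: localsite_sensor-eth1
  * netsniff-ng (full packet data)[ OK ]
  * snort-1 (alert data)[ OK ]'

# One "<sensor><TAB><process>" line per process marked [ FAIL ].
# The current "Status:" header names the sensor the following lines belong to.
failed_processes() {
    printf '%s\n' "$1" | awk '
        /^Status: / { sensor = $2 }
        /\[ *FAIL *\]/ {
            line = $0
            sub(/^[ \t]*\* /, "", line)   # strip the bullet
            sub(/ *\(.*$/, "", line)      # strip "(description)[ FAIL ]"
            print sensor "\t" line
        }'
}

# Number of stale-PID warnings; sostat prints one under each affected process.
stale_pid_count() {
    printf '%s\n' "$1" | grep -c 'stale PID file found' || true
}

# Exit 0 only when no process is marked [ FAIL ].
all_ok() {
    [ -z "$(failed_processes "$1")" ]
}

# Sensors with netsniff-ng and at least one snort instance both failed:
# no pcap and no alerts, so nothing from that sensor reaches Squert/Sguil.
sensors_missing_all_data() {
    failed_processes "$1" | awk '
        BEGIN { FS = "\t" }
        $2 == "netsniff-ng"   { pcap[$1] = 1 }
        $2 ~ /^snort-[0-9]+$/ { ids[$1] = 1 }
        END { for (s in pcap) if (s in ids) print s }' | LC_ALL=C sort
}

if ! all_ok "$SOSTAT_SAMPLE"; then
    echo "failed processes (sensor<TAB>process):"
    failed_processes "$SOSTAT_SAMPLE"
    echo "stale PID warnings: $(stale_pid_count "$SOSTAT_SAMPLE")"
    echo "sensors with neither pcap nor alerts:"
    sensors_missing_all_data "$SOSTAT_SAMPLE"
fi
```

To use it on real systems, replace the constructed sample with the captured sostat output (for example `failed_processes "$(cat sostat-remote.txt)"`), and treat any sensor listed by sensors_missing_all_data as the first place to read /var/log/nsm/hostname-interface/netsniff-ng.log and the snortu-x.log files.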