Alerts show in squert but not on sguil


Matt .

Aug 18, 2015, 5:02:13 PM
to security-onion
I think I've noticed this before, on a different system I think. But this time I decided to try to figure out what's happening.

I usually do a run through of alerts using Squert via web browser to bulk close what I can. Then when I need to do one or a few alerts at a time I use the Sguil UI.

Well, on one server I'm currently seeing a few alerts in squert, but nothing in sguil. From past experience I know I can close them out in sguil, but I'd like to know why this is happening.

The alerts in question are 1 group of 4 RDP connections, and 1 instance of a DOS policy (false positive). And as I typed this, new alerts have appeared (showing in both Sguil and Squert as normal), and the "ghost" alerts remain. I've tried multiple browsers on 2 systems in case there was a caching issue.

Attached is sostat-redacted.

Yes I know there is a small issue with the NIC dropping less than 1% of packets, getting Intel is an outstanding ask I have.

Thanks,
Matt

sostat 081815.log

Doug Burks

Aug 18, 2015, 5:10:28 PM
to securit...@googlegroups.com
Hi Matt,

I'm not sure I understand exactly what you're saying, but here is a
difference between Sguil and Squert which may help explain what you're
seeing.

Sguil's RealTime Events tab should show you all uncategorized events
in the database.

Squert by default shows you uncategorized events with today's date on
them. This can be adjusted using the Interval setting at the top of
the Squert page.

Does that help?



--
Doug Burks
Need Security Onion Training or Commercial Support?
http://securityonionsolutions.com
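To make the difference Doug describes concrete, here is an added example (not from this thread and not Security Onion's own code) of the two views expressed as queries against the Sguil database. It assumes the Security Onion `securityonion_db` schema, where the `event` table carries a `status` column (0 = uncategorized, i.e. what Sguil shows as RealTime) and a `timestamp` column; verify both with `DESCRIBE event;` on your own sensor before relying on them, and note that the day boundary used for the Squert-style query is an assumption about the interval, not Squert's exact SQL.

```sql
-- Added example, not from the thread. Assumes securityonion_db.event has
-- `status` (0 = uncategorized) and `timestamp` columns; check with DESCRIBE event.

-- View 1: roughly what Sguil's RealTime Events tab is built on:
-- every uncategorized event, regardless of age.
SELECT e.sid, e.cid, e.timestamp, e.signature, e.status
FROM event e
WHERE e.status = 0
ORDER BY e.timestamp;

-- View 2: roughly what Squert shows with its default Interval:
-- uncategorized events whose timestamp falls on the current day only.
-- (Day boundary is an assumption; Squert's own interval handling and
-- time zone may differ from CURDATE() on your server.)
SELECT e.sid, e.cid, e.timestamp, e.signature, e.status
FROM event e
WHERE e.status = 0
  AND e.timestamp >= CURDATE()
  AND e.timestamp <  CURDATE() + INTERVAL 1 DAY
ORDER BY e.timestamp;

-- Reconciliation check: count uncategorized events per day. Anything dated
-- before today appears in View 1 but not View 2, which is the usual reason
-- the two consoles disagree on how many open alerts exist.
SELECT DATE(e.timestamp) AS day, COUNT(*) AS uncategorized
FROM event e
WHERE e.status = 0
GROUP BY DATE(e.timestamp)
ORDER BY day;
```

When the two consoles disagree, running View 1 against the database tells you which one is out of step with what is actually stored: if the rows are there but Sguil does not list them, the problem is on the sguild side (its log under /var/log/nsm/securityonion/ is the place to look, as suggested later in the thread); if the rows are absent, Squert is displaying something stale.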

Matt .

Aug 18, 2015, 5:29:17 PM
to security-onion
Yes I'm aware thanks, I've used Security Onion 24x7 for over 1.5yr now.

This is all for uncategorized alerts, from today. I keep current on categorizing alerts, and usually don't have anything uncategorized unless it's a large quantity of alerts I need to sift through.

The Squert interface is showing a few uncategorized alerts from today. One alert is 3 hours old, the other 4 are about 2 hours old. These alerts don't show in sguil.

4 recent alerts have come in, and show properly in both sguil and squert.

Doug Burks

Aug 18, 2015, 7:10:23 PM
to securit...@googlegroups.com
Replies inline.

On Tue, Aug 18, 2015 at 5:29 PM, Matt . <sttw...@gmail.com> wrote:
> Yes I'm aware thanks, I've used Security Onion 24x7 for over 1.5yr now.

24x7 for over 1.5 years? Get some sleep, man! :)

> This is all for uncategorized alerts, from today. I keep current on categorizing alerts, and usually don't have anything uncategorized unless it's a large quantity of alerts I need to sift through.
>
> The Squert interface is showing a few uncategorized alerts from today. One alert is 3 hours old, the other 4 are about 2 hours old. These alerts don't show in sguil.

Can you provide screenshots of both (redacted as necessary)?

> 4 recent alerts have come in, and show properly in both sguil and squert.

Have you checked /var/log/nsm/securityonion/sguild.log and
/var/log/apache2/ for any additional clues?

Matt .

Aug 19, 2015, 12:34:45 PM
to security-onion
Well, it's "ok" now because I rebooted...

I had categorized today's events via Squert, and left the "ghost" uncategorized events from yesterday. Then in Sguil it showed over 40 uncategorized events. I did see errors in sguild.log regarding mismatched events, no errors for apache. I then rebooted and the "ghost" uncategorized events are gone. Maybe I should put a patent on that phrase!

I'll start up a new thread if I see this again.
