Unable to connect to localhost on port 7734

Jeffery

Sep 14, 2011, 8:43:43 PM
to security-onion
I am absolutely pulling my hair out over this. I did a fresh
installation of Security Onion 20110913 to disk. All good. I Double-
click the Sguil desktop shortcut, enter the Username/Password I set up
during both Advanced and Quick setups. I have done both setups
multiple times. Nevertheless, each and every time I get the error
message "Unable to connect to localhost on port 7734"

jeffery@gunjin:~$ sudo netstat -anp | grep 773
unix 3 [ ] STREAM CONNECTED 8790 1773/xfce4-volumed
unix 3 [ ] STREAM CONNECTED 8782 1773/xfce4-volumed
unix 3 [ ] STREAM CONNECTED 8774 1773/xfce4-volumed
unix 3 [ ] STREAM CONNECTED 8699 1773/xfce4-volumed
unix 3 [ ] STREAM CONNECTED 8692 1773/xfce4-volumed
unix 3 [ ] STREAM CONNECTED 7739 1669/xfce4-session @/tmp/.ICE-unix/1669
unix 3 [ ] STREAM CONNECTED 7738 1687/xfce4-panel
unix 3 [ ] STREAM CONNECTED 7734 1080/X @/tmp/.X11-unix/X0
unix 3 [ ] STREAM CONNECTED 7733 1689/xfce4-settings
unix 3 [ ] STREAM CONNECTED 7730 1080/X @/tmp/.X11-unix/X0

No issues with the firewall;
jeffery@gunjin:~$ sudo ufw status
[sudo] password for kan0:
Status: active

To Action From
-- ------ ----
22/tcp ALLOW Anywhere
80/tcp ALLOW Anywhere
7734/tcp ALLOW Anywhere
7736/tcp ALLOW Anywhere

Please help. I feel like I am overlooking something very simple.
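
Added example, not part of the original thread: every row returned by the `grep 773` above is a unix-domain socket whose inode number or PID happens to contain those digits, so that output says nothing about a TCP listener on 7734. The filter below accepts only TCP rows in LISTEN state bound to the port; the sample rows and the `2211/tclsh` and `2305/wish` process names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): decide from `netstat -anp` text whether
# anything is actually listening on a TCP port.

# tcp_listener PORT: reads `netstat -anp` output on stdin and prints the
# PID/program of every TCP socket in LISTEN state bound to PORT.
# Returns 1 when there is no such listener.
tcp_listener() {
    awk -v port="$1" '
        # Only tcp/tcp6 rows count; unix rows carry inode numbers and PIDs
        # that a plain grep for the port digits also matches.
        $1 ~ /^tcp6?$/ && $6 == "LISTEN" {
            n = split($4, a, ":")      # local address; the port is the last part
            if (a[n] == port) { print $7; found = 1 }
        }
        END { exit !found }
    '
}

# Constructed sample: unix-socket rows as in the post plus an unrelated
# listener, i.e. a box where sguild is not running.
sample_broken() {
    cat <<'EOF'
unix 3 [ ] STREAM CONNECTED 8790 1773/xfce4-volumed
unix 3 [ ] STREAM CONNECTED 7734 1080/X @/tmp/.X11-unix/X0
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 812/sshd
EOF
}

# Constructed sample: the same box with a server listening on 7734 and one
# client connected to it (the client row must not be reported).
sample_healthy() {
    sample_broken
    echo "tcp 0 0 0.0.0.0:7734 0.0.0.0:* LISTEN 2211/tclsh"
    echo "tcp 0 0 127.0.0.1:51514 127.0.0.1:7734 ESTABLISHED 2305/wish"
}

sample_broken | tcp_listener 7734 || echo "no TCP listener on 7734"
```

On a live sensor the same function reads real data: `sudo netstat -anp | tcp_listener 7734`.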

Scott

Sep 14, 2011, 11:39:41 PM
to securit...@googlegroups.com
So this might be a stupid question to ask but did you confirm all the
necessary services are running for Sguil? I did a fresh install at
Defcon and it took me a few minutes to get all the services running
properly. You've been through the setup processes enough times that
the config is probably correct. What about logs for sguil or the
messages file? Do they offer any indication of whether or not sguil is
having a problem? I'm all questions, no answers. Hopefully it helps
kick over a rock you may have missed.

Scott

Karolis karolis

Sep 15, 2011, 3:57:42 AM
to securit...@googlegroups.com
Hi Jeffery,
I had a similar problem; I don't know if you have the same problem. If you have a very busy network with lots of events, then every time the sguil server starts it loads those events into memory and this could take a while, just wait.

sa_zh

Sep 15, 2011, 6:36:31 AM
to security-onion
Hi Jeffery


Is Sguil running at all?

You can check the status of the server like this:
sudo nsm --server --status
or
sudo nsm --all --status

Maybe try restarting the server:
sudo nsm --server --restart



Cheers
Oli

Jeffery Myers

Sep 15, 2011, 11:32:18 AM
to securit...@googlegroups.com
Forgive the delay.  I should mention that I used the latest Security Onion 20110914 .iso to create an appliance in VirtualBox running on a Mac OS X (Lion) host.  Done this numerous times with numerous distros.  Routine stuff.  I allocated 768MB RAM.  Yes, I know that the recommended amount is 1GB.

Checking to see if services are running:
jeffery@soserver:~$ sudo nsm --server --status
[sudo] password for jeffery:
Status: securityonion
  * sguil server                                                       [ FAIL ]
  * stale PID file found, deleting!

Checking Log
jeffery@soserver:~$ nano /var/log/nsm/securityonion/sguild.log

Executing: sguild -c /etc/nsm/securityonion/sguild.conf -a /etc/nsm/securityonion/autocat.conf -g /etc/nsm/securityonion/sguild.queries -A /etc/nsm/securityonion/sguild.access
ERROR: This version of tcl was compile with threading enabled. Sguil is NOT compatible with threading.
SGUILD: Exiting...

Attempting to restart service
jeffery@soserver:/var/log/nsm/securityonion$ sudo nsm --server --restart
Restarting: securityonion
  * stopping: sguil server (not running)                               [ WARN ]
  * starting: sguil server                                             [ FAIL ]
    - check /var/log/nsm/securityonion/sguild.log for error messages

After the attempt to restart
jeffery@soserver:~$ nano /var/log/nsm/securityonion/sguild.log

Executing: sguild -c /etc/nsm/securityonion/sguild.conf -a /etc/nsm/securityonion/autocat.conf -g /etc/nsm/securityonion/sguild.queries -A /etc/nsm/securityonion/sguild.access
ERROR: This version of tcl was compile with threading enabled. Sguil is NOT compatible with threading.
SGUILD: Exiting...

Thanks all for the assistance.  SecurityOnion is a solid package.  I need to get it running. I need to get my head totally around it.  I currently use a collection of other network security, monitoring, scanners, IDSs.  Many open source and some licensed.  I really love the approach that you guys have taken with SecurityOnion and I feel like the future is bold and bright for this appliance.  Thanks again.  I hope the additional info will be helpful in your effort to help me. :)

Doug Burks

Sep 15, 2011, 12:03:13 PM
to securit...@googlegroups.com
Hi Jeffery,

Thanks for trying Security Onion! Sorry you're having issues.

I'm confused when you say you're using "the latest Security Onion
20110914 .iso". There is no 20110914 ISO image. The most recent ISO
image is 20110607. Do you mean you installed the 20110607 ISO image
and then did an in-place upgrade to version 20110914? Based on your
logs below, it seems like there is a problem with the tcl packages.
Not sure why that would be if you started with 20110607 and did an
in-place upgrade to 20110914.

Please reply and include the log file
/var/log/securityonionupgrade.log so we can see what happened during
the upgrade.

Thanks,
--
Doug Burks, GSE, CISSP | http://securityonion.blogspot.com
President, Greater Augusta ISSA | http://augusta.issa.org

Jeffery Myers

Sep 16, 2011, 12:55:34 PM
to securit...@googlegroups.com
Doug,
This is an honor.  Thank you.

I used security-onion-live-20110607.iso to create the VirtualBox appliance.  I just ran the 201109015 inplace upgrade script:

sudo -i "curl -L http://sourceforge.net/projects/security-onion/files/security-onion-upgrade.sh > ~/security-onion-upgrade.sh && bash ~/security-onion-upgrade.sh"

Upgrade ran without errors:
* Upgrade to 20110915 complete.
Your Security Onion installation is up to date.

I attempted to start Sguil using the desktop shortcut and once again no joy.  "Unable to connect .... port 7734" A screenshot is attached.

Logfile attached:
/var/log/securityonionupgrade.log

Sguild log says:
"ERROR: This version of tcl was compile with threading enabled. Sguil is NOT compatible with threading."  sguild.log file is attached.

Thanks again for the assistance. 
screenshot_unable_to_connect_7734.png
securityonionupgrade.log
sguild.log

Jeffery Myers

Sep 16, 2011, 1:03:48 PM
to securit...@googlegroups.com
Screenshot
"Unable to connect on port 7734"
securityonion_error.png

Doug Burks

Sep 16, 2011, 1:19:30 PM
to securit...@googlegroups.com
Hi Jeffery,

I don't see any problems in your securityonionupgrade.log file.

Somehow your tcl installation is incorrect. Did you install any
additional packages or any tcl updates manually?

Could you try starting over from scratch in a fresh VM (should only
take a few minutes) and follow the Installation instructions on the
wiki (making sure not to install any additional packages or any tcl
updates manually)?
http://code.google.com/p/security-onion/wiki/Installation

If that doesn't work, another thing you can try is just installing
from the ISO and then immediately running Setup (without installing
any Ubuntu or Security Onion updates). Once you've got that working,
then try installing all updates and verify that everything still
works.

Thanks,
Doug Burks

Jeffery Myers

Sep 16, 2011, 1:43:31 PM
to securit...@googlegroups.com
Doug,

No, sir.  I have not applied any manual updates or made any other changes.  I immediately archive a "clean" .ova-formatted backup of each appliance I create-- no updates, no added software with the possible exception of the Virtualbox Guest additions.  I have already built the VM a couple of times using a fresh backup.  SecurityOnion runs as advertised on the fresh install.  Sguil seems to break after the first and rather large batch of updates from Ubuntu are applied.  One of the updates that  is applied is tcl8.3.  I am guessing that this is the culprit.  I will follow your suggestions and then advise.

thanks,

Jeffery

Jeffery Myers

Sep 17, 2011, 6:05:26 PM
to securit...@googlegroups.com, doug....@gmail.com
Deleted and restored fresh VM from my Virtualbox archive and everything works just fine.  I am about to apply

sudo apt-get update
sudo apt-get upgrade

Doug Burks

Sep 19, 2011, 7:07:27 AM
to securit...@googlegroups.com
Jeffery,

The suspense is killing me! Please let us know what happened after
your apt-get upgrade! :)

Thanks,
--
Doug Burks, GSE, CISSP | http://securityonion.blogspot.com
President, Greater Augusta ISSA | http://augusta.issa.org

Jeffery Myers

Sep 20, 2011, 11:49:40 AM
to securit...@googlegroups.com
Doug,

Sorry for the delay. Swamped for a little bit.  

I applied the updates to a fresh Virtualbox VM running Security Onion.  I used Synaptic.  It was interesting to note that the Tcl8.5 update was available but not required this time.  Previous updates automatically applied Tcl8.3.  All updates were applied correctly.  I restarted the Virtualbox VM, then started Sguil and it ran correctly.  Happiness!!!  All good.  Once again it appears that the Tcl8.5 update was the issue before.  Again, sorry for the delay.   Pretty busy.

Jeffery

Doug Burks

Sep 20, 2011, 11:58:51 AM
to securit...@googlegroups.com
Hi Jeffery,

No problem. I'm glad everything's working correctly now!

Thanks,
--
Doug Burks, GSE, CISSP | http://securityonion.blogspot.com
President, Greater Augusta ISSA | http://augusta.issa.org

Jeffery Myers

Sep 20, 2011, 11:34:56 PM
to securit...@googlegroups.com
Doug,

Yes, everything was working great until I applied the Tcl8.5 update and then Sguil gave me the "Unable to connect to localhost on port 7734" error again.  Once again, I have done nothing whatsoever to the VM other than apply the normal updates to the OS, apply the updates to SecurityOnion using the upgrade script, and upgrade Firefox.  SecurityOnion runs just fine after the Firefox 6 upgrade of course.  There is something going on with Tcl8.3 and Tcl8.5 that Sguil does not like.

Jeffery

Doug Burks

Sep 21, 2011, 6:37:08 AM
to securit...@googlegroups.com
Hi Jeffery,

I should have clarified in my previous reply. The reason that the
tcl8.5 update was "available but not required" (as you put it) is
because it has been put on hold by the 20110607 upgrade:
http://securityonion.blogspot.com/2011/06/security-onion-20110607-featuring-sguil.html

Sguil is not compatible with tcl threading (as you've experienced).
In 20110607, I compiled and deployed tcl8.5 WITHOUT threading and put
the normal tcl8.5 (WITH threading) on hold to prevent it from being
installed. I did this using the command:
wajig hold tcl8.5 tk8.5 tcl8.4 itcl3 itk3 iwidgets4

I know that:
- apt-get upgrade will not install the threaded tcl8.5
- the graphical Updates Manager has the threaded tcl8.5 greyed out and
unavailable

What exactly did you do to force the threaded tcl8.5 to install?

Thanks,
--
Doug Burks, GSE, CISSP | http://securityonion.blogspot.com
President, Greater Augusta ISSA | http://augusta.issa.org
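
Added example, not part of the original thread or of Security Onion's own scripts: a check that the six packages named in the `wajig hold` command above are still on hold, fed with `dpkg --get-selections` output, plus a probe for a threaded Tcl build. The function names and the sample selections are constructed for illustration; `tcl_is_threaded` assumes `tclsh` is on the PATH and is defined but not called here.

```shell
#!/bin/sh
# Added example (not from the thread): verify the Tcl package holds.

# Package set taken from the `wajig hold` command quoted in the thread.
HELD_SET="tcl8.5 tk8.5 tcl8.4 itcl3 itk3 iwidgets4"

# not_on_hold: reads `dpkg --get-selections` output on stdin and prints every
# package in HELD_SET whose selection state is not "hold" (or that is absent).
# Returns 1 if any package was printed, 0 if all holds are in place.
not_on_hold() {
    awk -v want="$HELD_SET" '
        {
            name = $1
            sub(/:.*/, "", name)       # drop an architecture suffix if present
            state[name] = $2
        }
        END {
            n = split(want, pkg, " ")
            for (i = 1; i <= n; i++)
                if (state[pkg[i]] != "hold") { print pkg[i]; bad = 1 }
            exit bad + 0
        }
    '
}

# tcl_is_threaded [TCLSH]: succeeds when the interpreter was built with
# threads; Tcl defines tcl_platform(threaded) only in threaded builds.
tcl_is_threaded() {
    [ "$(echo 'puts [info exists tcl_platform(threaded)]' | "${1:-tclsh}")" = "1" ]
}

# Constructed sample: a box where the hold on tcl8.5 is no longer in place.
sample_selections() {
    cat <<'EOF'
itcl3           hold
itk3            hold
iwidgets4       hold
openssh-server  install
tcl8.4          hold
tcl8.5          install
tk8.5           hold
EOF
}

sample_selections | not_on_hold || echo "^ hold missing on the package(s) above"
```

On a live system: `dpkg --get-selections | not_on_hold`, run after any package maintenance and before restarting sguild.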

Jeffery Myers

Sep 21, 2011, 12:45:41 PM
to securit...@googlegroups.com
Doug,

As I mentioned, I applied a host of updates. I restarted the VM.  Started Sguil.  All good.  Then,

sudo apt-get update 
sudo apt-get upgrade (this showed that Tcl8.5 was available for upgrade but was held back.)
sudo apt-get install tcl8.5

Your explanation is clear. My issue began when tcl8.3 was available for upgrade and would install automatically along with a ton of other initial upgrades.  Sguil would then break due to the threading issue. Since then, I noticed that tcl8.5 was held back but I installed it anyway just to see if tcl8.5 threading was now compatible with Sguil.

Doug Burks

Sep 21, 2011, 1:02:09 PM
to securit...@googlegroups.com
Thanks for your reply. I've added this to the FAQ:
http://code.google.com/p/security-onion/wiki/FAQ
http://code.google.com/p/security-onion/wiki/tcl

Regards,
Doug
