SGUIL the events reappear the next day

[4evernoob]

In SGUIL the events reappear the next day after I F8 them from the log. Also 90 percent of the time when I F8 enties I get an error message:
ERROR: Some events may not have been updated. Events may be missing from the DB....

This started around 7/27 which is around the time that my log retention fell to 1 day. I found the problem and corrected that and the retention time is now rising daily.

The events that return go back to 7/27.

[Wes]

Please provide the output of sostat-redacted, attaching as a plain text file, or using a service like Pastebin.com

Thanks,
Wes

[4evernoob]

Yesterday after clearing events in Squil they were still in Squert so I cleared them there and today they seem to be gone but after clearing events again today there were still a small percentage of today's events still showing in Squert.

Thanks Wes.

[4evernoob]

On Thursday, August 10, 2017 at 1:28:11 PM UTC-5, 4evernoob wrote:
> Yesterday after clearing events in Squil they were still in Squert so I cleared them there and today they seem to be gone but after clearing events again today there were still a small percentage of today's events still showing in Squert.
>
> Thanks Wes.

Were you able to find anything?

[4evernoob]

I have gotten a couple of these today when attempting to get a transcript on the event out of SGUIL. The events are only one or two days old so they should be there.

1502605353 1502604526 1502603693 1502602864 1502602055 1502601216 1502600406
ERROR: Unable to find the matching pcap file based on the time.
The requested event time is: 1502582646

[Wes]

Would you be able to provide an updated copy of output for sostat-redacted?

Thanks,
Wes

[4evernoob]

Ok here you go.

[Wes]

On Monday, August 14, 2017 at 5:19:53 PM UTC-4, 4evernoob wrote:
> Ok here you go.

Are you receiving these errors for specific types of events/traffic only?

Thanks,
Wes

[4evernoob]

No it seems to be that I can F8 them from SGUIL and I can close SGUIL and reopen it and they wont be there but they come back the next day and the only way to get rid of them is F8 in SQUERT so the last time I deleted with SQUERT was the 11th so have everything since the 11th in SQUERT even though I have F8'd them repeatedly in SQUIL.
Another part of this is there are some entries that I can not pull up a transcript on, they error with something like or similiar to...

ERROR: Unable to find the matching pcap file based on the time.

You know I just remembered something. I got sick and tired of doing the UTC translation that I set the system time to CTD or /American/Chicago with no effect but I didn't set it back to UTC until just now. Do you think that had anything to do with it?

[Wes Lambert]

You''ll definitely want to ensure your system time is set to UTC, as otherwise, it could lead to unpredictable results.

https://github.com/Security-Onion-Solutions/security-onion/wiki/TimeZones#why-does-security-onion-use-utc

Thanks,

Wes

--
Follow Security Onion on Twitter!
https://twitter.com/securityonion
---
You received this message because you are subscribed to the Google Groups "security-onion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to security-onion+unsubscribe@googlegroups.com.
To post to this group, send email to security-onion@googlegroups.com.
Visit this group at https://groups.google.com/group/security-onion.
For more options, visit https://groups.google.com/d/optout.

[4evernoob]

Yes that fixed it. Everything seems normal so far today.
Thanks for your help Wes.