Unable to log in to Sguil


Cody Sapp

Mar 12, 2012, 10:44:09 AM
to security-onion
I've been trying to log in to Sguil today, but every time I try, it
keeps giving me an error message saying "Unable to connect to
localhost on port 7734" and then takes me back to the log in screen.
Could someone help shed some light on this predicament?

Scott Runnels

Mar 12, 2012, 10:51:21 AM
to securit...@googlegroups.com
Hi Cody, 

From the sguil server please run this command:  

sudo netstat -na | grep 7734

If it returns something then the server is up and listening.  If it returns nothing, then nothing is listening on 7734/tcp (the port sguild uses).  If it returns nothing, try "sudo service nsm status" and paste the output into an email for us, please.

v/r
Scott
--
Scott Runnels


Cody Sapp

Mar 12, 2012, 10:59:21 AM
to securit...@googlegroups.com
winninguser@winning:~$ sudo service nsm status
Status: securityonion
  * sguil server                                                       [ FAIL ]
  * stale PID file found, process will be restarted at the next 5-minute interval!
Status: winning-eth0
  * pcap_agent (sguil)                                                 [  OK  ]
  * sancp_agent (sguil)                                                [  OK  ]
  * snort_agent (sguil)                                                [  OK  ]
  * pads_agent (sguil)                                                 [  OK  ]
  * snort (alert data)                                                 [  OK  ]
  * barnyard2 (spooler, unified2 format)                               [  OK  ]
  * sancp (session data)                                               [  OK  ]
  * pads (asset info)                                                  [  OK  ]
  * daemonlogger (full packet data)                                    [  OK  ]
  * argus                                                              [  OK  ]
  * httpry                                                             [  OK  ]
  * httpry_agent (sguil)                                               [  OK  ]
Status: winning-eth1
  * pcap_agent (sguil)                                                 [  OK  ]
  * sancp_agent (sguil)                                                [  OK  ]
  * snort_agent (sguil)                                                [  OK  ]
  * pads_agent (sguil)                                                 [  OK  ]
  * snort (alert data)                                                 [  OK  ]
  * barnyard2 (spooler, unified2 format)                               [  OK  ]
  * sancp (session data)                                               [  OK  ]
  * pads (asset info)                                                  [  OK  ]
  * daemonlogger (full packet data)                                    [  OK  ]
  * argus                                                              [  OK  ]
  * httpry                                                             [  OK  ]
  * httpry_agent (sguil)                                               [  OK  ]
Status: HIDS
  * ossec_agent (sguil)                                                [  OK  ]
Status: Bro
Name       Type       Host       Status        Pid    Peers  Started              
manager    manager    172.16.129.28 running       4474   3      12 Mar 10:50:32  
proxy-1    proxy      172.16.129.28 running       5081   3      12 Mar 10:50:52  
worker-1   worker     172.16.129.28 running       5320   2      12 Mar 10:50:59  
worker-2   worker     172.16.129.28 running       5549   2      12 Mar 10:51:11  

Scott Runnels

Mar 12, 2012, 11:15:01 AM
to securit...@googlegroups.com
Looks like the sguil server isn't running.  Try:

sudo service nsm restart

then check again with 
sudo service nsm status


v/r
Scott
--
Scott Runnels


Cody Sapp

Mar 12, 2012, 11:18:23 AM
to securit...@googlegroups.com
Tried that already and Sguil still won't work.

Scott Runnels

Mar 12, 2012, 11:21:16 AM
to securit...@googlegroups.com
Is there anything in /var/log/nsm/securityonion/sguild.log indicative of why sguil isn't starting?

v/r
Scott
--
Scott Runnels


Cody Sapp

Mar 12, 2012, 11:20:37 AM
to securit...@googlegroups.com
By the way, that "sudo service nsm status" command was run after I had tried the "sudo service nsm restart" command

Cody Sapp

Mar 12, 2012, 11:24:03 AM
to securit...@googlegroups.com
Here is what the file says:

Executing: sguild -c /etc/nsm/securityonion/sguild.conf -a /etc/nsm/securityonion/autocat.conf -g /etc/nsm/securityonion/sguild.queries -A /etc/nsm/securityonion/sguild.access -C /etc/nsm/securityonion/certs
2012-03-12 14:49:24 pid(1622)  Loading access list: /etc/nsm/securityonion/sguild.access
2012-03-12 14:49:24 pid(1622)  Sensor access list set to ALLOW ANY.
2012-03-12 14:49:24 pid(1622)  Client access list set to ALLOW ANY.
2012-03-12 14:49:24 pid(1622)  Adding AutoCat Rule: ||ANY||ANY||ANY||ANY||ANY||ANY||%%REGEXP%%^URL||1
2012-03-12 14:49:24 pid(1622)  Email Configuration:
2012-03-12 14:49:24 pid(1622)    Config file: /etc/sguild/sguild.email
2012-03-12 14:49:24 pid(1622)    Enabled: No
2012-03-12 14:49:24 pid(1622)  Connecting to localhost on 3306 as sguil
2012-03-12 14:49:24 pid(1622)  ERROR: Unable to connect to localhost on 3306: Make sure mysql is running.
2012-03-12 14:49:24 mysqlconnect/db server: Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (2)
SGUILD: Exiting...

Does the "3306" need to be changed to 7734?

Scott Runnels

Mar 12, 2012, 11:30:29 AM
to securit...@googlegroups.com
Nope, 3306/tcp is the port mysqld runs on.  Check the status of mysqld.  

sudo service mysql status 

v/r
Scott
--
Scott Runnels
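The checks Scott walks through above (is anything listening on 7734/tcp, what does the last ERROR in sguild.log say, is MySQL actually reachable) chained into one script. This is an added example for this thread, not Security Onion's or Sguil's own tooling. It assumes the paths and ports shown in the thread: sguild on 7734/tcp, its log at /var/log/nsm/securityonion/sguild.log, and mysqld's socket at /var/run/mysqld/mysqld.sock. Each check takes the command output on stdin, so the functions can be exercised on the constructed samples at the bottom (the log sample is the tail Cody pasted) without a live sensor; pass --live to run them against the real box.

```shell
#!/bin/sh
# Added example (not Security Onion's or Sguil's code): reproduce the thread's
# diagnostic chain as functions that read command output on stdin.
# Assumptions, as seen in the thread: sguild listens on 7734/tcp, its log is
# SGUILD_LOG, and mysqld talks on the MYSQL_SOCK unix socket.
SGUILD_PORT=7734
SGUILD_LOG=/var/log/nsm/securityonion/sguild.log
MYSQL_SOCK=/var/run/mysqld/mysqld.sock

# Reads `netstat -na` output on stdin; succeeds only if a socket is in LISTEN
# on the sguild port (":7734 " so that e.g. :17734 does not match).
sguild_listening() {
    grep -E ":${SGUILD_PORT}[[:space:]].*LISTEN" >/dev/null
}

# Reads sguild.log on stdin; prints the last "ERROR:" line, or nothing.
sguild_last_error() {
    grep 'ERROR:' | tail -n 1
}

# Reads sguild.log on stdin; prints host:port sguild was trying to reach when
# it gave up (empty if the last error was not a connect failure).
sguild_db_target() {
    sguild_last_error | sed -n 's/.*Unable to connect to \([^ ]*\) on \([0-9]*\):.*/\1:\2/p'
}

# Reads sguild.log on stdin; prints a one-line verdict for the analyst.
# 3306 is MySQL, so a connect failure there is a database problem, not a sguild one.
diagnose_log() {
    target=$(sguild_db_target)
    case "$target" in
        *:3306) echo "sguild exited because it could not reach MySQL at $target; check 'service mysql status' and that $MYSQL_SOCK exists" ;;
        '')     echo "no connect ERROR in sguild.log; check whether sguild was started at all" ;;
        *)      echo "sguild failed connecting to $target; see the last ERROR line in sguild.log" ;;
    esac
}

# The live sequence from the thread, to be run on the sguil server itself.
run_live() {
    if sudo netstat -na | sguild_listening; then
        echo "sguild is listening on ${SGUILD_PORT}/tcp; the client error is not a server-side failure"
    else
        echo "nothing listening on ${SGUILD_PORT}/tcp"
        sudo cat "$SGUILD_LOG" | diagnose_log
        [ -S "$MYSQL_SOCK" ] || echo "MySQL socket $MYSQL_SOCK is missing: mysqld is not up"
    fi
}

# Constructed samples: netstat output with and without the sguild listener,
# and the tail of the sguild.log pasted earlier in this thread.
sample_netstat_up() {
    printf '%s\n' \
        'tcp        0      0 0.0.0.0:7734            0.0.0.0:*               LISTEN' \
        'tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN'
}
sample_netstat_down() {
    printf '%s\n' \
        'Proto Recv-Q Send-Q Local Address           Foreign Address         State' \
        'tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN'
}
sample_log() {
    printf '%s\n' \
        '2012-03-12 14:49:24 pid(1622)  Connecting to localhost on 3306 as sguil' \
        '2012-03-12 14:49:24 pid(1622)  ERROR: Unable to connect to localhost on 3306: Make sure mysql is running.' \
        "2012-03-12 14:49:24 mysqlconnect/db server: Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (2)" \
        'SGUILD: Exiting...'
}

if [ "${1:-}" = "--live" ]; then
    run_live
else
    sample_netstat_down | sguild_listening && echo "sample: listening" || echo "sample: nothing on ${SGUILD_PORT}/tcp"
    sample_log | diagnose_log
fi
```

Note that the client-side message ("Unable to connect to localhost on port 7734") and the server-side one in sguild.log name different ports on purpose: the first is the GUI failing to reach sguild, the second is sguild failing to reach MySQL, and the second is the cause of the first.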


Cody Sapp

Mar 12, 2012, 11:32:15 AM
to securit...@googlegroups.com
winninguser@winning:~$ sudo service mysql status
[sudo] password for winninguser: 
mysql start/running, process 2251

Scott Runnels

Mar 12, 2012, 11:47:56 AM
to securit...@googlegroups.com
Try manually connecting to the mysql service, something like this:

mysql -uroot securityonion_db -e 'SELECT COUNT(*) FROM event WHERE status=0'

v/r
Scott
--
Scott Runnels


Cody Sapp

Mar 12, 2012, 11:56:48 AM
to securit...@googlegroups.com
Before I do, I found something that might be the problem.  Here is a quote:

"Sguild takes a long time to start up. What's wrong? The most common reason for this is that you have a lot of uncategorized events in the database. Remember, sguil is not an alert browser. It assumes that an analyst will review every event and categorize it appropriately. When sguil starts up, it has to load in all the uncategorized events so that it can send them to the clients when they connect. If you haven't been categorizing things on a regular basis, the events will pile up and sguild will take a long time to start. If you keep up with the events every day, the startup time will be much more reasonable."

I basically have more than 2 million unclassified events, because my manager and I are unsure how to classify the events (we know the process, just not what each event should be classified as).  I have told Snorby to ignore certain events, so should I label those as "False Positives"?  I also remember someone telling me that there isn't a way to just delete old events from Snorby, but I just want to be sure that there is absolutely no way to get rid of old events in Snorby.

Scott Runnels

Mar 12, 2012, 12:02:40 PM
to securit...@googlegroups.com
If you have a ton of events you definitely want to do some tuning!  It will definitely spin sguil out of control if you have a massive number of uncategorized events.

I've got a document I'm working on for tuning that I'll get posted to the wiki.  

v/r
Scott
--
Scott Runnels
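A first cut at the tuning Scott is talking about, as an added example for this thread (not Security Onion's or Sguil's own tuning code, and not the wiki page he mentions). It runs Scott's kind of query against the event table to see which signatures make up the backlog of uncategorized events, then drafts autocat.conf lines for the noisiest ones so sguild marks them on arrival instead of queuing them for a human. Assumptions: the event table has `signature` and `status` columns with status 0 meaning uncategorized (the thread's own query filters on status=0); the database and login are the ones in Scott's command (`mysql -uroot securityonion_db`); and autocat.conf takes the nine ||-separated fields visible in the sguild.log line above (erase time, sensor, src ip, dst ip, proto, src port, dst port, signature, status), with status 1 being "No Action Required" as in the stock ^URL rule. The signature names in the sample output are made up.

```shell
#!/bin/sh
# Added example (not Security Onion's or Sguil's code): find the signatures
# behind a pile of uncategorized sguil events and draft autocat rules for them.
# Assumptions: event.signature / event.status exist, status 0 = uncategorized,
# status 1 = No Action Required, and autocat.conf lines are
#   <erase time>||<sensor>||<src ip>||<dst ip>||<proto>||<src port>||<dst port>||<signature>||<status>
# as inferred from the "Adding AutoCat Rule" line in sguild.log. Check the
# comments in your own /etc/nsm/securityonion/autocat.conf before using the output.

# SQL listing the N signatures with the most uncategorized events.
top_uncategorized_sql() {
    printf 'SELECT signature, COUNT(*) AS cnt FROM event WHERE status = 0 GROUP BY signature ORDER BY cnt DESC LIMIT %d;' "$1"
}

# Runs it on the sguil server; `mysql -e` prints tab-separated rows with a header.
top_uncategorized() {
    mysql -uroot securityonion_db -e "$(top_uncategorized_sql "${1:-20}")"
}

# Reads that output on stdin; emits one autocat.conf line per signature that has
# at least THRESHOLD uncategorized events. The signature field is the exact
# message string, so only that one rule is auto-categorized, nothing broader.
autocat_candidates() {
    awk -F '\t' -v min="$1" 'NR > 1 && $2 + 0 >= min { printf "||ANY||ANY||ANY||ANY||ANY||ANY||%s||1\n", $1 }'
}

# Constructed sample of what top_uncategorized prints (signature names are invented).
sample_counts() {
    printf 'signature\tcnt\n'
    printf 'ET POLICY Example noisy rule A\t1400321\n'
    printf 'GPL ICMP_INFO PING *NIX\t612008\n'
    printf 'ET SCAN Example port sweep\t33100\n'
    printf 'ET MALWARE Example beacon\t4\n'
}

if [ "${1:-}" = "--live" ]; then
    # e.g. ./tune.sh --live 100000 > autocat.candidates ; review ; append to autocat.conf
    top_uncategorized 20 | autocat_candidates "${2:-100000}"
else
    sample_counts | autocat_candidates 100000
fi
```

Two caveats a practitioner would want. First, an autocat rule only acts on events as sguild receives them; it does nothing to the two million rows already sitting at status 0, which still have to be categorized (or the startup cost stays). Second, the threshold is a triage aid, not a policy: a signature is a candidate for auto-NA because it is noisy and reviewed, not merely because it is noisy, so read the list before it goes into autocat.conf, and keep the thresholding in the Snort/Suricata config rather than the autocat file wherever the rule itself is the problem.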


Cody Sapp

Mar 12, 2012, 12:04:26 PM
to securit...@googlegroups.com
Do you have an idea of when it will be up?

Scott Runnels

Mar 12, 2012, 12:09:11 PM
to securit...@googlegroups.com
Working on it now
--
Scott Runnels


Scott Runnels

Mar 12, 2012, 2:30:46 PM
to securit...@googlegroups.com
Hi Cody, 

Here is the wiki page I put together for tuning and managing alerts.  

Scott
--
Scott Runnels


Heine Lysemose

Mar 12, 2012, 3:05:23 PM
to securit...@googlegroups.com

Great documentation!

/Lysemose

NKWASIBWE REAGAN

Feb 9, 2016, 6:10:11 AM
to security-onion, tgq...@mocs.utc.edu, reagan1155
security@security-onion-pc:~$ sudo netstat -na | grep 7734
security@security-onion-pc:~$ sudo service nsm status
Status: securityonion
* sguil server [ OK ]
Status: HIDS
* ossec_agent (sguil) [ OK ]
Status: Bro
Getting process status ...
Getting peer status ...
Name Type Host Status Pid Peers Started
bro standalone localhost running 11732 0 09 Feb 06:15:06
Status: security-onion-pc-eth0
* netsniff-ng (full packet data) [ FAIL ]
* pcap_agent (sguil) [ OK ]
* snort_agent-1 (sguil) [ OK ]
* snort-1 (alert data) [ OK ]
* barnyard2-1 (spooler, unified2 format) [ OK ]
* prads (sessions/assets) [ OK ]
* sancp_agent (sguil) [ OK ]
* pads_agent (sguil) [ OK ]
* argus [ OK ]
* http_agent (sguil) [ OK ]
security@security-onion-pc:~$

Doug Burks

Feb 9, 2016, 6:21:42 AM
to securit...@googlegroups.com
Hi NKWASIBWE,

Have you checked the sguild log file
(/var/log/nsm/securityonion/sguild.log) for additional clues?



--
Doug Burks
Need Security Onion Training or Commercial Support?
http://securityonionsolutions.com