Since I updated my SO installation, OSSEC won't start properly. I've looked at permissions for the directory (even though I have not changed them recently), and they seem to be fine. I've tried rebooting and restarting ossec-hids-server, but get the following:
ossec_agent(sguil) [FAIL]
and
Deleting PID file '/var/ossec/var/run/ossec-logcollector-1289.pid' not used...
ossec-monitord not running ..
ossec-logcollector not running ..
ossec-remoted not running ..
ossec-syscheckd not running ..
ossec-analysisd not running ..
ossec-maild not running ..
Killing ossec-execd ..
ossec-csyslogd not running ..
OSSEC HIDS v2.8 Stopped
Starting OSSEC HIDS v2.8 (by Trend Micro Inc.)...
Started ossec-csyslogd...
Started ossec-maild...
Started ossec-execd...
Started ossec-analysisd...
Started ossec-logcollector...
Started ossec-remoted...
2015/08/11 13:06:30 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2015/08/11 13:06:30 ossec-rootcheck(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2015/08/11 13:06:38 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2015/08/11 13:06:38 ossec-rootcheck(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2015/08/11 13:06:51 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2015/08/11 13:06:51 ossec-rootcheck(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
ossec-syscheckd did not start correctly.
/var/log/nsm/ossec_agent.log.log shows:
--------------------------------------
Executing: /usr/bin/ossec_agent.tcl -o -f /var/ossec/logs/alerts/alerts.log -i 127.0.0.1 -p 5 -c /etc/nsm/ossec/ossec_agent.conf
Error: Unable to read /var/ossec/logs/alerts/alerts.log
alerts.log shows:
-----------------
-rw-r----- 2 ossec ossec 244K Jul 29 23:55 /var/ossec/logs/alerts/alerts.log
sostat-redacted below:
----------------------------------------------------------------------------
=========================================================================
Service Status
=========================================================================
Status: securityonion
* SO-user server[ OK ]
Status: HIDS
* ossec_agent (SO-user)[ FAIL ]
=========================================================================
Interface Status
=========================================================================
eth0 Link encap:Ethernet HWaddr MM:MM:MM:MM:MM:MM
inet addr:X.X.X.X Bcast:X.X.X.X Mask:X.X.X.X
inet6 addr: X.X.X.X/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:37610 errors:0 dropped:0 overruns:0 frame:0
TX packets:26964 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:25733153 (25.7 MB) TX bytes:6291813 (6.2 MB)
lo Link encap:Local Loopback
inet addr:X.X.X.X Mask:X.X.X.X
inet6 addr: X.X.X.X/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:36211 errors:0 dropped:0 overruns:0 frame:0
TX packets:36211 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:29800055 (29.8 MB) TX bytes:29800055 (29.8 MB)
=========================================================================
Link Statistics
=========================================================================
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
link/loopback MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
RX: bytes packets errors dropped overrun mcast
29800055 36211 0 0 0 0
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
29800055 36211 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
RX: bytes packets errors dropped overrun mcast
25733153 37610 0 0 0 0
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
6291813 26964 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0
=========================================================================
Disk Usage
=========================================================================
Filesystem Size Used Avail Use% Mounted on
/dev/mapper/it--hq--onion--01--vg-root 95G 13G 77G 15% /
udev 2.0G 4.0K 2.0G 1% /dev
tmpfs 395M 288K 395M 1% /run
none 5.0M 0 5.0M 0% /run/lock
none 2.0G 0 2.0G 0% /run/shm
/dev/sda1 236M 181M 44M 81% /boot
=========================================================================
Network Sockets
=========================================================================
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
sshd 947 root 3u IPv4 9365 0t0 TCP *:ssh_port (LISTEN)
sshd 947 root 4u IPv6 9367 0t0 TCP *:ssh_port (LISTEN)
salt-mini 1117 root 10u IPv4 15065 0t0 TCP X.X.X.X:39789->X.X.X.X:4506 (ESTABLISHED)
salt-mini 1117 root 27u IPv4 15121 0t0 TCP X.X.X.X:34557->X.X.X.X:4505 (ESTABLISHED)
syslog-ng 1183 root 9u IPv4 9582 0t0 TCP *:514 (LISTEN)
syslog-ng 1183 root 10u IPv4 9583 0t0 UDP *:514
searchd 1185 sphinxsearch 7u IPv4 9641 0t0 TCP *:9306 (LISTEN)
searchd 1185 sphinxsearch 8u IPv4 9642 0t0 TCP *:9312 (LISTEN)
mysqld 1253 mysql 10u IPv4 10100 0t0 TCP X.X.X.X:3306 (LISTEN)
mysqld 1253 mysql 21u IPv4 26648 0t0 TCP X.X.X.X:3306->X.X.X.X:49812 (ESTABLISHED)
mysqld 1253 mysql 24u IPv4 26742 0t0 TCP X.X.X.X:3306->X.X.X.X:49821 (ESTABLISHED)
mysqld 1253 mysql 439u IPv4 25563 0t0 TCP X.X.X.X:3306->X.X.X.X:49802 (ESTABLISHED)
salt-mast 1450 root 12u IPv4 11681 0t0 TCP *:4505 (LISTEN)
salt-mast 1450 root 14u IPv4 13725 0t0 TCP X.X.X.X:4505->X.X.X.X:47907 (ESTABLISHED)
salt-mast 1450 root 15u IPv4 14507 0t0 TCP X.X.X.X:4505->X.X.X.X:40059 (ESTABLISHED)
salt-mast 1450 root 16u IPv4 14518 0t0 TCP X.X.X.X:4505->X.X.X.X:50901 (ESTABLISHED)
salt-mast 1450 root 17u IPv4 15055 0t0 TCP X.X.X.X:4505->X.X.X.X:55275 (ESTABLISHED)
salt-mast 1450 root 18u IPv4 15122 0t0 TCP X.X.X.X:4505->X.X.X.X:34557 (ESTABLISHED)
salt-mast 1466 root 20u IPv4 11690 0t0 TCP *:4506 (LISTEN)
salt-mast 1466 root 22u IPv4 15664 0t0 TCP X.X.X.X:4506->X.X.X.X:39789 (ESTABLISHED)
sshd 2052 root 3u IPv4 14045 0t0 TCP X.X.X.X:ssh_port->X.X.X.X:32960 (ESTABLISHED)
sshd 2090 root 3u IPv4 14055 0t0 TCP X.X.X.X:ssh_port->X.X.X.X:50954 (ESTABLISHED)
sshd 2094 root 3u IPv4 14064 0t0 TCP X.X.X.X:ssh_port->X.X.X.X:53685 (ESTABLISHED)
sshd 2096 root 3u IPv4 14074 0t0 TCP X.X.X.X:ssh_port->X.X.X.X:41762 (ESTABLISHED)
sshd 2097 root 3u IPv4 14078 0t0 TCP X.X.X.X:ssh_port->X.X.X.X:58950 (ESTABLISHED)
sshd 2098 root 3u IPv4 14085 0t0 TCP X.X.X.X:ssh_port->X.X.X.X:56841 (ESTABLISHED)
ntpd 2233 ntp 16u IPv4 14152 0t0 UDP *:123
ntpd 2233 ntp 17u IPv6 14153 0t0 UDP *:123
ntpd 2233 ntp 18u IPv4 14159 0t0 UDP X.X.X.X:123
ntpd 2233 ntp 19u IPv4 14160 0t0 UDP X.X.X.X:123
ntpd 2233 ntp 20u IPv6 14161 0t0 UDP [X.X.X.X]:123
ntpd 2233 ntp 21u IPv6 14162 0t0 UDP [X.X.X.X]:123
sshd 2995 SO-user 3u IPv4 14078 0t0 TCP X.X.X.X:ssh_port->X.X.X.X:58950 (ESTABLISHED)
sshd 2995 SO-user 8u IPv6 14824 0t0 TCP [X.X.X.X]:50003 (LISTEN)
sshd 2995 SO-user 9u IPv4 14825 0t0 TCP X.X.X.X:50003 (LISTEN)
sshd 2995 SO-user 10u IPv4 26647 0t0 TCP X.X.X.X:49812->X.X.X.X:3306 (ESTABLISHED)
sshd 3011 SO-user 3u IPv4 14074 0t0 TCP X.X.X.X:ssh_port->X.X.X.X:41762 (ESTABLISHED)
sshd 3011 SO-user 8u IPv6 15527 0t0 TCP [X.X.X.X]:50001 (LISTEN)
sshd 3011 SO-user 9u IPv4 15528 0t0 TCP X.X.X.X:50001 (LISTEN)
sshd 3019 SO-user 3u IPv4 14064 0t0 TCP X.X.X.X:ssh_port->X.X.X.X:53685 (ESTABLISHED)
sshd 3019 SO-user 8u IPv6 15534 0t0 TCP [X.X.X.X]:50002 (LISTEN)
sshd 3019 SO-user 9u IPv4 15535 0t0 TCP X.X.X.X:50002 (LISTEN)
sshd 3025 SO-user 3u IPv4 14055 0t0 TCP X.X.X.X:ssh_port->X.X.X.X:50954 (ESTABLISHED)
sshd 3025 SO-user 8u IPv6 15542 0t0 TCP [X.X.X.X]:50005 (LISTEN)
sshd 3025 SO-user 9u IPv4 15543 0t0 TCP X.X.X.X:50005 (LISTEN)
sshd 3025 SO-user 10u IPv4 26741 0t0 TCP X.X.X.X:49821->X.X.X.X:3306 (ESTABLISHED)
sshd 3031 SO-user 3u IPv4 14085 0t0 TCP X.X.X.X:ssh_port->X.X.X.X:56841 (ESTABLISHED)
sshd 3031 SO-user 8u IPv6 14842 0t0 TCP [X.X.X.X]:50000 (LISTEN)
sshd 3031 SO-user 9u IPv4 14843 0t0 TCP X.X.X.X:50000 (LISTEN)
sshd 3191 SO-user 3u IPv4 14045 0t0 TCP X.X.X.X:ssh_port->X.X.X.X:32960 (ESTABLISHED)
sshd 3191 SO-user 8u IPv6 14995 0t0 TCP [X.X.X.X]:50004 (LISTEN)
sshd 3191 SO-user 9u IPv4 14996 0t0 TCP X.X.X.X:50004 (LISTEN)
sshd 3191 SO-user 10u IPv4 25562 0t0 TCP X.X.X.X:49802->X.X.X.X:3306 (ESTABLISHED)
/usr/sbin 3804 root 4u IPv4 17268 0t0 TCP *:443 (LISTEN)
/usr/sbin 3804 root 5u IPv4 17271 0t0 TCP *:9876 (LISTEN)
/usr/sbin 3804 root 6u IPv4 17273 0t0 TCP *:3154 (LISTEN)
/usr/sbin 3804 root 7u IPv4 17277 0t0 TCP *:444 (LISTEN)
sshd 7613 root 3u IPv4 26743 0t0 TCP X.X.X.X:ssh_port->X.X.X.X:56754 (ESTABLISHED)
sshd 7776 SO-user 3u IPv4 26743 0t0 TCP X.X.X.X:ssh_port->X.X.X.X:56754 (ESTABLISHED)
sshd 7776 SO-user 8u IPv6 26966 0t0 TCP [X.X.X.X]:6010 (LISTEN)
sshd 7776 SO-user 9u IPv4 26967 0t0 TCP X.X.X.X:6010 (LISTEN)
tclsh 8285 SO-user 13u IPv4 28040 0t0 TCP *:7734 (LISTEN)
tclsh 8285 SO-user 14u IPv4 28041 0t0 TCP *:7736 (LISTEN)
tclsh 8285 SO-user 15u IPv4 28753 0t0 TCP X.X.X.X:7736->X.X.X.X:45313 (ESTABLISHED)
tclsh 8285 SO-user 16u IPv4 28754 0t0 TCP X.X.X.X:7736->X.X.X.X:45312 (ESTABLISHED)
tclsh 8285 SO-user 17u IPv4 28755 0t0 TCP X.X.X.X:7736->X.X.X.X:60214 (ESTABLISHED)
tclsh 8285 SO-user 18u IPv4 28756 0t0 TCP X.X.X.X:7736->X.X.X.X:40467 (ESTABLISHED)
tclsh 8285 SO-user 19u IPv4 28757 0t0 TCP X.X.X.X:7736->X.X.X.X:40468 (ESTABLISHED)
tclsh 8285 SO-user 20u IPv4 28758 0t0 TCP X.X.X.X:7736->X.X.X.X:40469 (ESTABLISHED)
tclsh 8285 SO-user 21u IPv4 28759 0t0 TCP X.X.X.X:7736->X.X.X.X:40470 (ESTABLISHED)
tclsh 8285 SO-user 22u IPv4 28760 0t0 TCP X.X.X.X:7736->X.X.X.X:40471 (ESTABLISHED)
tclsh 8285 SO-user 23u IPv4 28761 0t0 TCP X.X.X.X:7736->X.X.X.X:40472 (ESTABLISHED)
tclsh 8285 SO-user 24u IPv4 28762 0t0 TCP X.X.X.X:7736->X.X.X.X:60215 (ESTABLISHED)
tclsh 8285 SO-user 25u IPv4 28763 0t0 TCP X.X.X.X:7736->X.X.X.X:60216 (ESTABLISHED)
tclsh 8285 SO-user 26u IPv4 28134 0t0 TCP X.X.X.X:7736->X.X.X.X:60217 (ESTABLISHED)
tclsh 8285 SO-user 27u IPv4 28764 0t0 TCP X.X.X.X:7736->X.X.X.X:45315 (ESTABLISHED)
tclsh 8285 SO-user 28u IPv4 28765 0t0 TCP X.X.X.X:7736->X.X.X.X:37427 (ESTABLISHED)
tclsh 8285 SO-user 29u IPv4 28766 0t0 TCP X.X.X.X:7736->X.X.X.X:37428 (ESTABLISHED)
tclsh 8285 SO-user 30u IPv4 28135 0t0 TCP X.X.X.X:7736->X.X.X.X:37429 (ESTABLISHED)
tclsh 8285 SO-user 31u IPv4 28767 0t0 TCP X.X.X.X:7736->X.X.X.X:37430 (ESTABLISHED)
tclsh 8285 SO-user 32u IPv4 28768 0t0 TCP X.X.X.X:7736->X.X.X.X:42654 (ESTABLISHED)
tclsh 8285 SO-user 33u IPv4 28769 0t0 TCP X.X.X.X:7736->X.X.X.X:42653 (ESTABLISHED)
tclsh 8285 SO-user 34u IPv4 28770 0t0 TCP X.X.X.X:7736->X.X.X.X:40474 (ESTABLISHED)
tclsh 8285 SO-user 35u IPv4 28771 0t0 TCP X.X.X.X:7736->X.X.X.X:40473 (ESTABLISHED)
tclsh 8285 SO-user 36u IPv4 28772 0t0 TCP X.X.X.X:7736->X.X.X.X:40475 (ESTABLISHED)
tclsh 8285 SO-user 37u IPv4 28773 0t0 TCP X.X.X.X:7736->X.X.X.X:40476 (ESTABLISHED)
tclsh 8285 SO-user 38u IPv4 28774 0t0 TCP X.X.X.X:7736->X.X.X.X:48980 (ESTABLISHED)
tclsh 8285 SO-user 39u IPv4 28775 0t0 TCP X.X.X.X:7736->X.X.X.X:48981 (ESTABLISHED)
tclsh 8285 SO-user 40u IPv4 28136 0t0 TCP X.X.X.X:7736->X.X.X.X:48982 (ESTABLISHED)
/usr/sbin 9124 www-data 4u IPv4 17268 0t0 TCP *:443 (LISTEN)
/usr/sbin 9124 www-data 5u IPv4 17271 0t0 TCP *:9876 (LISTEN)
/usr/sbin 9124 www-data 6u IPv4 17273 0t0 TCP *:3154 (LISTEN)
/usr/sbin 9124 www-data 7u IPv4 17277 0t0 TCP *:444 (LISTEN)
/usr/sbin 10391 www-data 4u IPv4 17268 0t0 TCP *:443 (LISTEN)
/usr/sbin 10391 www-data 5u IPv4 17271 0t0 TCP *:9876 (LISTEN)
/usr/sbin 10391 www-data 6u IPv4 17273 0t0 TCP *:3154 (LISTEN)
/usr/sbin 10391 www-data 7u IPv4 17277 0t0 TCP *:444 (LISTEN)
/usr/sbin 10521 www-data 4u IPv4 17268 0t0 TCP *:443 (LISTEN)
/usr/sbin 10521 www-data 5u IPv4 17271 0t0 TCP *:9876 (LISTEN)
/usr/sbin 10521 www-data 6u IPv4 17273 0t0 TCP *:3154 (LISTEN)
/usr/sbin 10521 www-data 7u IPv4 17277 0t0 TCP *:444 (LISTEN)
/usr/sbin 10690 www-data 4u IPv4 17268 0t0 TCP *:443 (LISTEN)
/usr/sbin 10690 www-data 5u IPv4 17271 0t0 TCP *:9876 (LISTEN)
/usr/sbin 10690 www-data 6u IPv4 17273 0t0 TCP *:3154 (LISTEN)
/usr/sbin 10690 www-data 7u IPv4 17277 0t0 TCP *:444 (LISTEN)
/usr/sbin 10837 www-data 4u IPv4 17268 0t0 TCP *:443 (LISTEN)
/usr/sbin 10837 www-data 5u IPv4 17271 0t0 TCP *:9876 (LISTEN)
/usr/sbin 10837 www-data 6u IPv4 17273 0t0 TCP *:3154 (LISTEN)
/usr/sbin 10837 www-data 7u IPv4 17277 0t0 TCP *:444 (LISTEN)
/usr/sbin 11010 www-data 4u IPv4 17268 0t0 TCP *:443 (LISTEN)
/usr/sbin 11010 www-data 5u IPv4 17271 0t0 TCP *:9876 (LISTEN)
/usr/sbin 11010 www-data 6u IPv4 17273 0t0 TCP *:3154 (LISTEN)
/usr/sbin 11010 www-data 7u IPv4 17277 0t0 TCP *:444 (LISTEN)
=========================================================================
IDS Rules Update
=========================================================================
=========================================================================
CPU Usage
=========================================================================
Load average for the last 1, 5, and 15 minutes:
0.34 0.67 0.55
Processing units: 2
If load average is higher than processing units,
then tune until load average is lower than processing units.
top - 12:35:42 up 14 min, 1 user, load average: 0.34, 0.67, 0.55
Tasks: 279 total, 1 running, 278 sleeping, 0 stopped, 0 zombie
Cpu(s): 19.5%us, 4.3%sy, 0.0%ni, 64.5%id, 11.5%wa, 0.0%hi, 0.1%si, 0.0%st
Mem: 4041212k total, 3323632k used, 717580k free, 74076k buffers
Swap: 4190204k total, 0k used, 4190204k free, 2001824k cached
%CPU %MEM COMMAND
19.5 5.6 /usr/sbin/mysqld
1.7 2.5 delayed_job
0.7 9.8 /usr/bin/searchd --nodetach
0.6 1.4 /usr/bin/python /usr/bin/salt-master
0.4 1.1 perl /opt/elsa/node/elsa.pl -c /etc/elsa_node.conf
0.3 1.2 /usr/bin/python /usr/bin/salt-master
0.3 1.2 /usr/bin/python /usr/bin/salt-master
0.3 1.3 /usr/bin/python /usr/bin/salt-master
0.3 0.2 tclsh /usr/bin/SO-userd -c /etc/nsm/securityonion/SO-userd.conf -a /etc/nsm/securityonion/autocat.conf -g /etc/nsm/securityonion/SO-userd.queries -A /etc/nsm/securityonion/SO-userd.access -C /etc/nsm/securityonion/certs
0.2 2.7 /usr/sbin/apache2 -k start
0.2 1.2 /usr/bin/python /usr/bin/salt-master
0.2 1.1 /usr/bin/python /usr/bin/salt-master
0.2 1.0 /usr/bin/python /usr/bin/salt-minion
0.1 0.0 sshd: SO-user
0.1 0.0 /sbin/init
0.0 0.0 sshd: SO-user
0.0 0.2 -bash
0.0 0.0 [jbd2/dm-0-8]
0.0 0.6 /usr/bin/python /usr/bin/salt-master
0.0 0.0 [rcu_sched]
0.0 0.0 [rcuos/0]
0.0 0.0 [rcuos/1]
0.0 0.0 [kworker/u128:1]
0.0 0.0 [kworker/u128:2]
0.0 0.0 [kworker/0:2]
0.0 0.0 sshd: SO-user@pts/0
0.0 0.1 /usr/sbin/syslog-ng -p /var/run/syslog-ng.pid
0.0 2.7 /usr/sbin/apache2 -k start
0.0 0.0 [khugepaged]
0.0 2.7 /usr/sbin/apache2 -k start
0.0 0.0 [kworker/1:2]
0.0 2.7 /usr/sbin/apache2 -k start
0.0 0.0 sshd: SO-user
0.0 0.0 sshd: SO-user
0.0 0.0 sshd: SO-user
0.0 0.0 sshd: SO-user
0.0 0.0 upstart-udev-bridge --daemon
0.0 0.0 /usr/sbin/irqbalance
0.0 0.0 ./dema -d /opt/xplico -b sqlite
0.0 0.2 Passenger spawn server
0.0 0.0 [kworker/u129:1]
0.0 0.0 /usr/sbin/ntpd -p /var/run/ntpd.pid -g -u 107:114
0.0 0.0 /sbin/udevd --daemon
0.0 0.0 [ksoftirqd/0]
0.0 0.0 [kworker/0:1]
0.0 0.0 sshd: SO-user [priv]
0.0 0.5 /usr/bin/python /usr/bin/salt-master
0.0 0.0 dbus-daemon --system --fork --activation=upstart
0.0 0.0 [migration/0]
0.0 0.0 [migration/1]
0.0 0.0 tclsh /usr/bin/SO-userd -c /etc/nsm/securityonion/SO-userd.conf -a /etc/nsm/securityonion/autocat.conf -g /etc/nsm/securityonion/SO-userd.queries -A /etc/nsm/securityonion/SO-userd.access -C /etc/nsm/securityonion/certs
0.0 0.0 PassengerHelperAgent
0.0 0.1 PassengerLoggingAgent
0.0 0.0 sshd: SO-user [priv]
0.0 0.0 cron
0.0 0.1 whoopsie
0.0 0.5 /usr/bin/python /usr/bin/salt-master
0.0 0.0 [ksoftirqd/1]
0.0 0.0 [kthreadd]
0.0 0.0 [kworker/0:0H]
0.0 0.0 [rcuos/2]
0.0 0.0 [rcuos/3]
0.0 0.0 [rcuos/4]
0.0 0.0 [rcuos/5]
0.0 0.0 [rcuos/6]
0.0 0.0 [rcuos/7]
0.0 0.0 [rcuos/8]
0.0 0.0 [rcuos/9]
0.0 0.0 [rcuos/10]
0.0 0.0 [rcuos/11]
0.0 0.0 [rcuos/12]
0.0 0.0 [rcuos/13]
0.0 0.0 [rcuos/14]
0.0 0.0 [rcuos/15]
0.0 0.0 [rcuos/16]
0.0 0.0 [rcuos/17]
0.0 0.0 [rcuos/18]
0.0 0.0 [rcuos/19]
0.0 0.0 [rcuos/20]
0.0 0.0 [rcuos/21]
0.0 0.0 [rcuos/22]
0.0 0.0 [rcuos/23]
0.0 0.0 [rcuos/24]
0.0 0.0 [rcuos/25]
0.0 0.0 [rcuos/26]
0.0 0.0 [rcuos/27]
0.0 0.0 [rcuos/28]
0.0 0.0 [rcuos/29]
0.0 0.0 [rcuos/30]
0.0 0.0 [rcuos/31]
0.0 0.0 [rcuos/32]
0.0 0.0 [rcuos/33]
0.0 0.0 [rcuos/34]
0.0 0.0 [rcuos/35]
0.0 0.0 [rcuos/36]
0.0 0.0 [rcuos/37]
0.0 0.0 [rcuos/38]
0.0 0.0 [rcuos/39]
0.0 0.0 [rcuos/40]
0.0 0.0 [rcuos/41]
0.0 0.0 [rcuos/42]
0.0 0.0 [rcuos/43]
0.0 0.0 [rcuos/44]
0.0 0.0 [rcuos/45]
0.0 0.0 [rcuos/46]
0.0 0.0 [rcuos/47]
0.0 0.0 [rcuos/48]
0.0 0.0 [rcuos/49]
0.0 0.0 [rcuos/50]
0.0 0.0 [rcuos/51]
0.0 0.0 [rcuos/52]
0.0 0.0 [rcuos/53]
0.0 0.0 [rcuos/54]
0.0 0.0 [rcuos/55]
0.0 0.0 [rcuos/56]
0.0 0.0 [rcuos/57]
0.0 0.0 [rcuos/58]
0.0 0.0 [rcuos/59]
0.0 0.0 [rcuos/60]
0.0 0.0 [rcuos/61]
0.0 0.0 [rcuos/62]
0.0 0.0 [rcuos/63]
0.0 0.0 [rcu_bh]
0.0 0.0 [rcuob/0]
0.0 0.0 [rcuob/1]
0.0 0.0 [rcuob/2]
0.0 0.0 [rcuob/3]
0.0 0.0 [rcuob/4]
0.0 0.0 [rcuob/5]
0.0 0.0 [rcuob/6]
0.0 0.0 [rcuob/7]
0.0 0.0 [rcuob/8]
0.0 0.0 [rcuob/9]
0.0 0.0 [rcuob/10]
0.0 0.0 [rcuob/11]
0.0 0.0 [rcuob/12]
0.0 0.0 [rcuob/13]
0.0 0.0 [rcuob/14]
0.0 0.0 [rcuob/15]
0.0 0.0 [rcuob/16]
0.0 0.0 [rcuob/17]
0.0 0.0 [rcuob/18]
0.0 0.0 [rcuob/19]
0.0 0.0 [rcuob/20]
0.0 0.0 [rcuob/21]
0.0 0.0 [rcuob/22]
0.0 0.0 [rcuob/23]
0.0 0.0 [rcuob/24]
0.0 0.0 [rcuob/25]
0.0 0.0 [rcuob/26]
0.0 0.0 [rcuob/27]
0.0 0.0 [rcuob/28]
0.0 0.0 [rcuob/29]
0.0 0.0 [rcuob/30]
0.0 0.0 [rcuob/31]
0.0 0.0 [rcuob/32]
0.0 0.0 [rcuob/33]
0.0 0.0 [rcuob/34]
0.0 0.0 [rcuob/35]
0.0 0.0 [rcuob/36]
0.0 0.0 [rcuob/37]
0.0 0.0 [rcuob/38]
0.0 0.0 [rcuob/39]
0.0 0.0 [rcuob/40]
0.0 0.0 [rcuob/41]
0.0 0.0 [rcuob/42]
0.0 0.0 [rcuob/43]
0.0 0.0 [rcuob/44]
0.0 0.0 [rcuob/45]
0.0 0.0 [rcuob/46]
0.0 0.0 [rcuob/47]
0.0 0.0 [rcuob/48]
0.0 0.0 [rcuob/49]
0.0 0.0 [rcuob/50]
0.0 0.0 [rcuob/51]
0.0 0.0 [rcuob/52]
0.0 0.0 [rcuob/53]
0.0 0.0 [rcuob/54]
0.0 0.0 [rcuob/55]
0.0 0.0 [rcuob/56]
0.0 0.0 [rcuob/57]
0.0 0.0 [rcuob/58]
0.0 0.0 [rcuob/59]
0.0 0.0 [rcuob/60]
0.0 0.0 [rcuob/61]
0.0 0.0 [rcuob/62]
0.0 0.0 [rcuob/63]
0.0 0.0 [watchdog/0]
0.0 0.0 [watchdog/1]
0.0 0.0 [kworker/1:0]
0.0 0.0 [kworker/1:0H]
0.0 0.0 [khelper]
0.0 0.0 [kdevtmpfs]
0.0 0.0 [netns]
0.0 0.0 [writeback]
0.0 0.0 [kintegrityd]
0.0 0.0 [bioset]
0.0 0.0 [kworker/u129:0]
0.0 0.0 [kblockd]
0.0 0.0 [ata_sff]
0.0 0.0 [khubd]
0.0 0.0 [md]
0.0 0.0 [devfreq_wq]
0.0 0.0 [khungtaskd]
0.0 0.0 [kswapd0]
0.0 0.0 [ksmd]
0.0 0.0 [fsnotify_mark]
0.0 0.0 [ecryptfs-kthrea]
0.0 0.0 [crypto]
0.0 0.0 [kthrotld]
0.0 0.0 [scsi_eh_0]
0.0 0.0 [scsi_eh_1]
0.0 0.0 [deferwq]
0.0 0.0 [charger_manager]
0.0 0.0 [hv_vmbus_con]
0.0 0.0 [hv_vmbus_ctl]
0.0 0.0 [hv_vmbus_ctl]
0.0 0.0 [hv_vmbus_ctl]
0.0 0.0 [hv_vmbus_ctl]
0.0 0.0 [hv_vmbus_ctl]
0.0 0.0 [hv_vmbus_ctl]
0.0 0.0 [hv_vmbus_ctl]
0.0 0.0 [hv_vmbus_ctl]
0.0 0.0 [hv_vmbus_ctl]
0.0 0.0 [hv_vmbus_ctl]
0.0 0.0 [hv_vmbus_ctl]
0.0 0.0 [scsi_eh_2]
0.0 0.0 [scsi_eh_3]
0.0 0.0 [hv_vmbus_ctl]
0.0 0.0 [kdmflush]
0.0 0.0 [bioset]
0.0 0.0 [kdmflush]
0.0 0.0 [bioset]
0.0 0.0 [ext4-rsv-conver]
0.0 0.0 [ext4-rsv-conver]
0.0 0.0 /sbin/udevd --daemon
0.0 0.0 /sbin/udevd --daemon
0.0 0.0 [kpsmoused]
0.0 0.0 /usr/sbin/sshd -D
0.0 0.0 upstart-socket-bridge --daemon
0.0 0.0 /sbin/getty -8 38400 tty4
0.0 0.0 /sbin/getty -8 38400 tty5
0.0 0.0 /sbin/getty -8 38400 tty2
0.0 0.0 /sbin/getty -8 38400 tty3
0.0 0.0 /sbin/getty -8 38400 tty6
0.0 0.0 atd
0.0 0.0 acpid -c /etc/acpi/events -s /var/run/acpid.socket
0.0 0.0 su -s /bin/sh -c exec "$0" "$@" sphinxsearch -- /usr/bin/searchd --nodetach
0.0 0.0 supervising syslog-ng
0.0 0.0 /bin/sh -c perl /opt/elsa/node/elsa.pl -c /etc/elsa_node.conf
0.0 0.0 /var/ossec/bin/ossec-execd
0.0 0.5 /usr/bin/python /usr/bin/salt-master
0.0 0.5 /usr/bin/python /usr/bin/salt-master
0.0 0.0 sshd: SO-user [priv]
0.0 0.0 sshd: SO-user [priv]
0.0 0.0 sshd: SO-user [priv]
0.0 0.0 sshd: SO-user [priv]
0.0 0.0 sshd: SO-user [priv]
0.0 0.0 PassengerWatchdog
0.0 0.0 /sbin/getty -8 38400 tty1
0.0 0.0 su - SO-user -- /usr/bin/SO-userd -c /etc/nsm/securityonion/SO-userd.conf -a /etc/nsm/securityonion/autocat.conf -g /etc/nsm/securityonion/SO-userd.queries -A /etc/nsm/securityonion/SO-userd.access -C /etc/nsm/securityonion/certs
0.0 0.0 tclsh /usr/bin/SO-userd -c /etc/nsm/securityonion/SO-userd.conf -a /etc/nsm/securityonion/autocat.conf -g /etc/nsm/securityonion/SO-userd.queries -A /etc/nsm/securityonion/SO-userd.access -C /etc/nsm/securityonion/certs
0.0 2.6 /usr/sbin/apache2 -k start
0.0 2.6 /usr/sbin/apache2 -k start
0.0 2.6 /usr/sbin/apache2 -k start
0.0 0.0 [kworker/u128:0]
0.0 0.0 sudo sostat-redacted
0.0 0.0 /bin/bash /usr/bin/sostat-redacted
0.0 0.0 /bin/bash /usr/bin/sostat
0.0 0.0 sed -r s/(\b[0-9]{1,3}\.){3}[0-9]{1,3}\b/X.X.X.X/g
0.0 0.0 sed -r s/([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}/MM:MM:MM:MM:MM:MM/g
0.0 0.0 sed -r s/(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]).){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]).){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))\b/X.X.X.X/g
0.0 0.0 sed -r s/X:ssh_port/X:ssh_port/g
0.0 0.0 sed -r s/\*:ssh_port/*:ssh_port/g
0.0 0.0 sed -r s/SO-server/SO-server/g
0.0 0.0 sed -r s/SO-node|SO-node|SO-node|SO-node|SO-node|SO-node|SO-node/SO-node/g
0.0 0.0 sed -r s/SO-user|SO-user|SO-user|SO-user|SO-user|SO-user|SO-user|SO-user/SO-user/g
0.0 0.0 ps -eo pcpu,pmem,args --sort -pcpu
=========================================================================
Sguil Uncategorized Events
=========================================================================
COUNT(*)
108
=========================================================================
Sguil events summary for yesterday
=========================================================================
Total
0
=========================================================================
Top 50 All time Sguil Events
=========================================================================
Totals GenID:SigID Signature
2913240 1:2101411 GPL SNMP public access udp
248401 1:2008118 ET TFTP Outbound TFTP ACK
25844 1:2003195 ET POLICY Unusual number of DNS No Such Name Responses
11990 1:2000328 ET POLICY Outbound Multiple Non-SMTP Server Emails
10371 1:2008120 ET TFTP Outbound TFTP Read Request
10278 1:2016149 ET INFO Session Traversal Utilities for NAT (STUN Binding Request)
6343 1:2010935 ET POLICY Suspicious inbound to MSSQL port 1433
2406 1:2100366 GPL ICMP_INFO PING *NIX
2403 1:2100368 GPL ICMP_INFO PING BSDtype
2054 1:2001583 ET SCAN Behavioral Unusual Port 1433 traffic, Potential Scan or Infection
1293 1:2100651 GPL SHELLCODE x86 stealth NOOP
1093 1:2012843 ET POLICY Cleartext WordPress Login
946 1:2101390 GPL SHELLCODE x86 inc ebx NOOP
695 1:2009702 ET POLICY DNS Update From External net
398 1:2013504 ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management
249 1:2000419 ET POLICY PE EXE or DLL Windows file download
65 1:2102314 GPL SHELLCODE x86 0x90 NOOP unicode
65 1:2001330 ET POLICY RDP connection confirm
55 1:2001329 ET POLICY RDP connection request
25 1:2001581 ET SCAN Behavioral Unusual Port 135 traffic, Potential Scan or Infection
21 1:2019490 ET EXPLOIT Possible Malicious NAT-PMP Response to External Network
16 1:2001569 ET SCAN Behavioral Unusual Port 445 traffic, Potential Scan or Infection
12 1:2002911 ET SCAN Potential VNC Scan 5900-5920
10 1:2017919 ET DOS Possible NTP DDoS Inbound Frequent Un-Authed MON_LIST Requests IMPL 0x03
8 1:2101892 GPL SNMP null community string attempt
8 1:2010937 ET POLICY Suspicious inbound to mySQL port 3306
8 1:2010939 ET POLICY Suspicious inbound to PostgreSQL port 5432
8 1:2010936 ET POLICY Suspicious inbound to Oracle SQL port 1521
4 1:2014169 ET POLICY DNS Query for .su TLD (Soviet Union) Often Malware Related
4 1:2013479 ET SCAN Behavioral Unusually fast Terminal Server Traffic, Potential Scan or Infection (Outbound)
4 1:2001972 ET SCAN Behavioral Unusually fast Terminal Server Traffic, Potential Scan or Infection (Inbound)
4 1:2012811 ET DNS DNS Query to a .tk domain - Likely Hostile
4 1:2001582 ET SCAN Behavioral Unusual Port 1434 traffic, Potential Scan or Infection
3 1:2003310 ET P2P Edonkey Publicize File
3 1:2002910 ET SCAN Potential VNC Scan 5800-5820
3 1:2009970 ET P2P eMule Kademlia Hello Request
3 1:2101424 GPL SHELLCODE x86 0xEB0C NOOP
3 1:2016778 ET INFO DNS Query to a *.pw domain - Likely Hostile
3 1:2011540 ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)
2 1:2404180 ET CNC Zeus Tracker Reported CnC Server TCP group 16
1 1:2013028 ET POLICY curl User-Agent Outbound
1 1:2404045 ET CNC Shadowserver Reported CnC Server UDP group 23
1 1:2006380 ET POLICY Outgoing Basic Auth Base64 HTTP Password detected unencrypted
1 1:2404030 ET CNC Shadowserver Reported CnC Server TCP group 16
1 1:2003068 ET SCAN Potential SSH Scan OUTBOUND
1 1:2006402 ET POLICY Incoming Basic Auth Base64 HTTP Password detected unencrypted
1 1:2003479 ET POLICY Radmin Remote Control Session Setup Initiate
1 1:2001219 ET SCAN Potential SSH Scan
Total
3238354
=========================================================================
Snorby Events Summary for yesterday
=========================================================================
Total
0
=========================================================================
Top 50 All Time Snorby Events
=========================================================================
Totals GenID:SigID SignatureName
4277032 1:2101411 GPL SNMP public access udp
352519 1:2000328 ET POLICY Outbound Multiple Non-SMTP Server Emails
331739 1:2008118 ET TFTP Outbound TFTP ACK
49153 1:2003195 ET POLICY Unusual number of DNS No Such Name Responses
26451 1:2016149 ET INFO Session Traversal Utilities for NAT (STUN Binding Request)
14586 1:2008120 ET TFTP Outbound TFTP Read Request
10038 1:2010935 ET POLICY Suspicious inbound to MSSQL port 1433
3128 1:2001583 ET SCAN Behavioral Unusual Port 1433 traffic, Potential Scan or Infection
2703 1:2100651 GPL SHELLCODE x86 stealth NOOP
2491 1:2100366 GPL ICMP_INFO PING *NIX
2486 1:2100368 GPL ICMP_INFO PING BSDtype
2174 1:2012086 ET SHELLCODE Possible Call with No Offset TCP Shellcode
1864 1:2009702 ET POLICY DNS Update From External net
1613 1:2101390 GPL SHELLCODE x86 inc ebx NOOP
1102 1:2012843 ET POLICY Cleartext WordPress Login
578 1:2000419 ET POLICY PE EXE or DLL Windows file download
398 1:2013504 ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management
122 1:2001330 ET POLICY RDP connection confirm
108 1:2102314 GPL SHELLCODE x86 0x90 NOOP unicode
102 1:2001329 ET POLICY RDP connection request
54 1:2021243 ET TROJAN Possible Duqu 2.0 Accessing SMB/SMB2 backdoor
50 1:2101759 GPL EXPLOIT xp_cmdshell program execution 445
40 1:2000032 ET NETBIOS LSA exploit
30 1:2001569 ET SCAN Behavioral Unusual Port 445 traffic, Potential Scan or Infection
28 1:2019490 ET EXPLOIT Possible Malicious NAT-PMP Response to External Network
26 1:2101424 GPL SHELLCODE x86 0xEB0C NOOP
25 1:2001581 ET SCAN Behavioral Unusual Port 135 traffic, Potential Scan or Infection
21 1:2017919 ET DOS Possible NTP DDoS Inbound Frequent Un-Authed MON_LIST Requests IMPL 0x03
17 1:2016778 ET INFO DNS Query to a *.pw domain - Likely Hostile
12 1:2002911 ET SCAN Potential VNC Scan 5900-5920
10 1:2012811 ET DNS DNS Query to a .tk domain - Likely Hostile
8 1:2101892 GPL SNMP null community string attempt
8 1:2010936 ET POLICY Suspicious inbound to Oracle SQL port 1521
8 1:2010937 ET POLICY Suspicious inbound to mySQL port 3306
8 1:2010939 ET POLICY Suspicious inbound to PostgreSQL port 5432
7 1:2014939 ET POLICY DNS Query for TOR Hidden Domain .onion Accessible Via TOR
5 1:2013479 ET SCAN Behavioral Unusually fast Terminal Server Traffic, Potential Scan or Infection (Outbound)
5 1:2001972 ET SCAN Behavioral Unusually fast Terminal Server Traffic, Potential Scan or Infection (Inbound)
4 1:2011540 ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)
4 1:2014169 ET POLICY DNS Query for .su TLD (Soviet Union) Often Malware Related
4 1:2001582 ET SCAN Behavioral Unusual Port 1434 traffic, Potential Scan or Infection
3 1:2003310 ET P2P Edonkey Publicize File
3 1:2009970 ET P2P eMule Kademlia Hello Request
3 1:2002910 ET SCAN Potential VNC Scan 5800-5820
2 1:2003068 ET SCAN Potential SSH Scan OUTBOUND
2 1:2020417 ET POLICY Middle Earth Illegal Marketplace Tor Hidden Service DNS Query
1 1:2000418 ET POLICY Executable and linking format (ELF) file download
1 1:2012088 ET SHELLCODE Possible Call with No Offset TCP Shellcode
1 1:2001219 ET SCAN Potential SSH Scan
1 1:2013028 ET POLICY curl User-Agent Outbound
Total
5080792
=========================================================================
Last update
=========================================================================
Start-Date: 2015-08-11 12:16:40
Commandline: apt-get -y dist-upgrade
Install: linux-headers-3.13.0-61:amd64 (3.13.0-61.100~precise1, automatic), linux-image-3.13.0-61-generic:amd64 (3.13.0-61.100~precise1, automatic), linux-headers-3.13.0-61-generic:amd64 (3.13.0-61.100~precise1, automatic)
Upgrade: apt-transport-https:amd64 (0.8.16~exp12ubuntu10.24, 0.8.16~exp12ubuntu10.25), securityonion-setup:amd64 (20120912-0ubuntu0securityonion155, 20120912-0ubuntu0securityonion156), bind9-host:amd64 (9.8.1.dfsg.P1-4ubuntu0.11, 9.8.1.dfsg.P1-4ubuntu0.12), dnsutils:amd64 (9.8.1.dfsg.P1-4ubuntu0.11, 9.8.1.dfsg.P1-4ubuntu0.12), libdns81:amd64 (9.8.1.dfsg.P1-4ubuntu0.11, 9.8.1.dfsg.P1-4ubuntu0.12), libpcre3:amd64 (8.12-4, 8.12-4ubuntu0.1), libgs9-common:amd64 (9.05~dfsg-0ubuntu4.2, 9.05~dfsg-0ubuntu4.3), libapt-inst1.4:amd64 (0.8.16~exp12ubuntu10.24, 0.8.16~exp12ubuntu10.25), apache2-mpm-prefork:amd64 (2.2.22-1ubuntu1.9, 2.2.22-1ubuntu1.10), securityonion-libcapture-tiny-perl:amd64 (0.22-0ubuntu0securityonion0, 0.22-0ubuntu0securityonion1), linux-generic-lts-trusty:amd64 (X.X.X.X.50, X.X.X.X.52), libisccc80:amd64 (9.8.1.dfsg.P1-4ubuntu0.11, 9.8.1.dfsg.P1-4ubuntu0.12), apache2-utils:amd64 (2.2.22-1ubuntu1.9, 2.2.22-1ubuntu1.10), apt-utils:amd64 (0.8.16~exp12ubuntu10.24, 0.8.16~exp12ubuntu10.25), apache2:amd64 (2.2.22-1ubuntu1.9, 2.2.22-1ubuntu1.10), securityonion-rule-update:amd64 (20120726-0ubuntu0securityonion28, 20120726-0ubuntu0securityonion29), apache2.2-common:amd64 (2.2.22-1ubuntu1.9, 2.2.22-1ubuntu1.10), apt:amd64 (0.8.16~exp12ubuntu10.24, 0.8.16~exp12ubuntu10.25), liblwres80:amd64 (9.8.1.dfsg.P1-4ubuntu0.11, 9.8.1.dfsg.P1-4ubuntu0.12), securityonion-snort:amd64 (X.X.X.X-0ubuntu0securityonion3, X.X.X.X-0ubuntu0securityonion1), apache2.2-bin:amd64 (2.2.22-1ubuntu1.9, 2.2.22-1ubuntu1.10), libbind9-80:amd64 (9.8.1.dfsg.P1-4ubuntu0.11, 9.8.1.dfsg.P1-4ubuntu0.12), securityonion-snorby:amd64 (20150704-0ubuntu0securityonion1, 20150704-0ubuntu0securityonion5), libapt-pkg4.12:amd64 (0.8.16~exp12ubuntu10.24, 0.8.16~exp12ubuntu10.25), linux-image-generic-lts-trusty:amd64 (X.X.X.X.50, X.X.X.X.52), libgs9:amd64 (9.05~dfsg-0ubuntu4.2, 9.05~dfsg-0ubuntu4.3), libisccfg82:amd64 (9.8.1.dfsg.P1-4ubuntu0.11, 9.8.1.dfsg.P1-4ubuntu0.12), ghostscript:amd64 (9.05~dfsg-0ubuntu4.2, 9.05~dfsg-0ubuntu4.3), linux-headers-generic-lts-trusty:amd64 (X.X.X.X.50, X.X.X.X.52), sqlite3:amd64 (3.7.9-2ubuntu1.1, 3.7.9-2ubuntu1.2), securityonion-daq:amd64 (2.0.5-0ubuntu0securityonion1, 2.0.6-0ubuntu0securityonion1), libisc83:amd64 (9.8.1.dfsg.P1-4ubuntu0.11, 9.8.1.dfsg.P1-4ubuntu0.12), securityonion-bro:amd64 (2.4-0ubuntu0securityonion1, 2.4-0ubuntu0securityonion2), libsqlite3-0:amd64 (3.7.9-2ubuntu1.1, 3.7.9-2ubuntu1.2), securityonion-capme:amd64 (20121213-0ubuntu0securityonion21, 20121213-0ubuntu0securityonion23)
End-Date: 2015-08-11 12:19:51
=========================================================================
ELSA
=========================================================================
Syslog-ng
Checking for process:
1182 supervising syslog-ng
1183 /usr/sbin/syslog-ng -p /var/run/syslog-ng.pid
Checking for connection:
Connection to localhost 514 port [tcp/shell] succeeded!
MySQL
Checking for process:
1253 /usr/sbin/mysqld
Checking for connection:
Connection to localhost 3306 port [tcp/mysql] succeeded!
Sphinx
Checking for process:
1173 su -s /bin/sh -c exec "$0" "$@" sphinxsearch -- /usr/bin/searchd --nodetach
Checking for connection:
Connection to localhost 9306 port [tcp/*] succeeded!
ELSA Buffers in Queue:
3
If this number is consistently higher than 20, please see:
https://github.com/Security-Onion-Solutions/security-onion/wiki/FAQ#why-does-sostat-show-a-high-number-of-elsa-buffers-in-queue
ELSA Directory Sizes:
831M /nsm/elsa/data
27M /var/lib/mysql/syslog
32K /var/lib/mysql/syslog_data
ELSA Index Date Range:
MIN(start) MAX(end)
2015-06-12 15:32:28 2015-08-11 12:35:11
ELSA Log Node SSH Tunnels:
PORT NODE IP/STATUS
50000 SO-node X.X.X.X
50001 SO-node X.X.X.X
50002 SO-node X.X.X.X
50003 SO-node X.X.X.X
50004 SO-node X.X.X.X
50005 SO-node X.X.X.X
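The post shows two separate symptoms that are easy to conflate: syscheckd and rootcheck report "Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'", which is what OSSEC components log when the unix socket that ossec-analysisd creates is not there (analysisd is listed as started, but the later errors indicate it did not stay up), and ossec_agent.tcl reports "Unable to read /var/ossec/logs/alerts/alerts.log" for a file that is mode 640 ossec:ossec, which means the user the agent runs as (sguil on Security Onion; shown redacted as SO-user above) is not reading it through the ossec group. The script below is an added diagnostic written for this page; it is not part of the original post, of Security Onion, or of OSSEC. It assumes the default OSSEC paths and that the agent user is sguil (both overridable via environment variables), and `user_can_read` models owner/group/other mode bits only, ignoring root, ACLs and MAC policy.

```shell
#!/bin/sh
# Added diagnostic for the two failures in the post above (example code, not
# part of Security Onion or OSSEC). Assumptions: OSSEC default paths, and that
# ossec_agent.tcl runs as the analyst user (sguil on Security Onion).
OSSEC_QUEUE="${OSSEC_QUEUE:-/var/ossec/queue/ossec/queue}"
OSSEC_ALERTS="${OSSEC_ALERTS:-/var/ossec/logs/alerts/alerts.log}"
OSSEC_AGENT_USER="${OSSEC_AGENT_USER:-sguil}"

# queue_ok PATH: 0 if PATH exists and is a unix socket. ossec-analysisd creates
# it; when it is missing, syscheckd and rootcheck log "Queue ... not
# accessible: Connection refused" exactly as in the post.
queue_ok() {
    [ -S "$1" ]
}

# analysisd_running: 0 if an ossec-analysisd process exists.
analysisd_running() {
    pgrep -x ossec-analysisd >/dev/null 2>&1
}

# user_can_read FILE USER: 0 if USER can read FILE by owner/group/other mode
# bits, 1 if not, 2 if FILE is missing. Models permission bits only; it does
# not account for root, ACLs or MAC policy. Tries GNU stat, then BSD stat.
user_can_read() {
    file="$1"; user="$2"
    [ -e "$file" ] || return 2
    owner=$(stat -c %U "$file" 2>/dev/null || stat -f %Su "$file")
    group=$(stat -c %G "$file" 2>/dev/null || stat -f %Sg "$file")
    mode=$(stat -c %a "$file" 2>/dev/null || stat -f %OLp "$file")
    p_other=$(printf '%s' "$mode" | tail -c 1)
    p_group=$(printf '%s' "$mode" | tail -c 2 | head -c 1)
    p_owner=$(printf '%s' "$mode" | tail -c 3 | head -c 1)
    [ $((p_other & 4)) -ne 0 ] && return 0
    [ "$owner" = "$user" ] && [ $((p_owner & 4)) -ne 0 ] && return 0
    if [ $((p_group & 4)) -ne 0 ]; then
        # group-readable: USER needs membership in the file's group
        for g in $(id -Gn "$user" 2>/dev/null); do
            [ "$g" = "$group" ] && return 0
        done
    fi
    return 1
}

# ossec_diagnose QUEUE ALERTS USER: print one line per check and return the
# number of failed checks (0 when everything the agent needs is in place).
ossec_diagnose() {
    q="$1"; log="$2"; user="$3"; fails=0
    if queue_ok "$q"; then
        echo "ok:   $q is a unix socket"
    else
        echo "FAIL: $q missing or not a socket; ossec-analysisd creates it, so read /var/ossec/logs/ossec.log for why analysisd exited"
        fails=$((fails + 1))
    fi
    if analysisd_running; then
        echo "ok:   ossec-analysisd is running"
    else
        echo "FAIL: ossec-analysisd is not running"
        fails=$((fails + 1))
    fi
    rc=0; user_can_read "$log" "$user" || rc=$?
    case "$rc" in
        0) echo "ok:   $user can read $log" ;;
        2) echo "FAIL: $log does not exist"; fails=$((fails + 1)) ;;
        *) echo "FAIL: $user cannot read $log (mode $mode, $owner:$group); add $user to group $group rather than making the alert log world-readable"
           fails=$((fails + 1)) ;;
    esac
    return "$fails"
}

ossec_diagnose "$OSSEC_QUEUE" "$OSSEC_ALERTS" "$OSSEC_AGENT_USER" \
    || echo "$? check(s) failed" >&2
```

Run it as root on the affected box (`OSSEC_AGENT_USER=sguil sh ossec_diag.sh`). If the socket check fails, the restart output in the post is misleading: the "Started ossec-analysisd..." line only means the process was launched, so the next thing to read is /var/ossec/logs/ossec.log for the analysisd error that followed. If only the alerts.log check fails, the fix that preserves least privilege is group membership for the agent user, not chmod 644 on a file that carries every HIDS alert on the sensor.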