Zero events in Squert when accessed remotely


Daniel Raddcliff

Feb 23, 2016, 6:33:59 AM
to security-onion
Hey all,

I just deployed a new Security Onion in my test environment (checking out the 14.04 changes) and ran into a strange issue. If I'm physically at the server and access Squert, I can see all of my events. However, if I connect remotely to Squert (e.g. https://mysecurityonion.local/Squert), there are zero events.

I'm using the same username\password, and I am getting access, it's just a blank page.

I found a similar issue here: https://groups.google.com/forum/#!searchin/security-onion/squert$20no$20data$20remote/security-onion/3Fu2y7VxG5I/MtexFJHhUYAJ
But there's no resolution.

I'm assuming there's a configuration change that I need to make, but I'm not sure where. Any help would be appreciated. Attached sostats output

Thanks,
-Daniel
20160222-sostat.txt

Wes

Feb 23, 2016, 7:47:59 AM
to security-onion

Daniel,

Could you please attach the full output of sostat? The attached output seems to be truncated.

Thanks,
Wes

Daniel Raddcliff

Feb 23, 2016, 11:52:42 AM
to security-onion
Hi Wes,

As soon as I get back to my lab tonight, I can grab a new output.

By any chance, does this have to do with where the rules are? We were looking at another sensor where we have one rule in local.rules that shows up in Sguil, but not Squert. All of my rules are in downloaded.rules. (The second box is production. I can't share its output.)

Thanks,
-Daniel

Daniel Raddcliff

Feb 23, 2016, 3:01:57 PM
to security-onion
Hi Wes,

I just looked at the output and it doesn't appear to be truncated (though it is redacted). Please let me know what information is missing and I can run those commands myself.

Thanks,
-Daniel

Wes

Feb 23, 2016, 3:12:37 PM
to security-onion

Daniel,

After the "Last Update" section, there should be several more sections in the sostat output, such as ELSA, MySQL, Sphinx, ELSA Buffers in Queue, ELSA Directory Sizes, ELSA Log Node SSH Tunnels, etc.

Are you able to use the Sguil client on a separate machine, connecting to your master server to view events?

Thanks,
Wes

Daniel Raddcliff

Feb 23, 2016, 3:57:27 PM
to security-onion

Hi Wes,

I'm not using ELSA on this system (though I'm probably going to change that).

I'll try that next and report back.

Thanks,
-Daniel

Wes

Feb 23, 2016, 4:11:10 PM
to security-onion

I apologize, I'm so used to seeing it in the output for myself, and others :).

Thanks,
Wes

livethedarkness913

Feb 23, 2016, 4:23:36 PM
to security-onion
Hi Wes,

I can connect with the Windows Sguil client remotely and I do see all of the events.

That will work as a temporary workaround, but do you have any ideas about Squert failing remotely?

Thanks,
-Daniel


Wes

Feb 23, 2016, 4:29:10 PM
to security-onion
Daniel,

I was asking to see if you could connect with the Sguil client to see if it was an issue with database connectivity. What kind of browser are you using when accessing Squert remotely? Is it Chromium-based?

Thanks,
Wes

livethedarkness913

Feb 23, 2016, 4:54:10 PM
to security-onion
Installed Chrome and everything started working.

Thanks for your help!
-Daniel

Omar Armenteros

Mar 7, 2016, 6:03:51 AM
to security-onion
Has anyone figured this out? Same thing here.

Wes Lambert

Mar 7, 2016, 7:45:53 AM
to securit...@googlegroups.com

Omar,

Have you tried using Chrome or a Chromium-based browser?

Thanks,
Wes
