For starters, please excuse me if I am not posting the correct details or in the correct format. If there is anything I need to post, please let me know.
History:
I was running Security Onion and upgraded to their Alpha using ELK. Everything was running fine after I had to delete the queue. Then new data came through and it was great.
I then upgraded to their recently released beta, and well... Here I am.
Issues:
For starters, the docker containers so-kibana, logstash and elasticsearch wouldn't run because they didn't have permission to access their own logs (weird). But that's now changed, and they run fine.
Now in Kibana, there is no data (unless I backdate the filter to pre-update). However, there is recent data on the "Squert" page.
I've run:
curl -XGET http://localhost:9200/_cat/indices
@security-sbc-ihsw:/var/log/nsm⟫ curl -XGET http://localhost:9200/_cat/indices
green open logstash-ids-2017.10.30 lT0QX-__QVmGXpyUdjqdHw 1 0 32609 0 10.7mb 10.7mb
green open logstash-syslog-2017.10.30 fXUlBC_hSOm9K7rw0P_1dA 1 0 81955 0 32.3mb 32.3mb
green open logstash-ids-2017.11.04 NySacsHZTuKVcDYo6tMXiA 1 0 557 0 466.6kb 466.6kb
green open logstash-ids-2017.10.25 KId7M7kPQ-6663-FsMqTTg 1 0 24 0 62.2kb 62.2kb
green open logstash-ids-2017.11.02 EH-fKMbPQHaxeVD8ej03Vw 1 0 28021 0 9.1mb 9.1mb
green open logstash-ids-2017.11.03 Bl4VVIFTQmCgFEvJlqxlqw 1 0 10416 0 3.5mb 3.5mb
green open logstash-syslog-2017.11.02 xNrVCywKQrCQc2dTIQhACw 1 0 74159 0 26.7mb 26.7mb
green open logstash-bro-2017.10.29 JanqpgL9QbiU3vskgMQX9Q 1 0 525036 0 448.2mb 448.2mb
[plus heaps more]
so-status - gave me all [ OK ]'s.
so-elastic-status
The following file paths are populated:
/nsm/sensor_data/security-sbc-ihsw-eth1/dailylogs/2017-11-13 -
Filled with snort logs
/nsm/sensor_data/security-sbc-ihsw-eth1/ -
Argus
dailylogs
portscans
sancp
snort-1
snort-1.stats
/nsm/bro/logs -
Filled with logs
/nsm/logstash/queue/main -
checkpoint.head
.lock
page.0
If anyone could help me troubleshoot this, it would be appreciated.
Update:
The issue was that for some reason, logstash wasn't processing the data. Turns out the security onion config script was adding duplicate lines to the syslog-ng config and crashing the service.
All good now. Thanks for the help.
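Added example, not part of the original post or of Security Onion's own tooling: a small Python check that parses the plain `_cat/indices` output shown above and flags index families (logstash-ids, logstash-syslog, logstash-bro, ...) whose newest daily index is older than a threshold. This is the quickest way to confirm from the Elasticsearch side that Logstash has stopped writing, rather than a Kibana time-filter problem. The sample lines are copied from the post's output; the reference date and the one-day threshold are assumptions.

```python
"""Spot Logstash index families that have stopped receiving daily indices."""
import re
from datetime import date

# Constructed sample: lines in the exact format of the post's
# `curl -XGET http://localhost:9200/_cat/indices` output (no ?v header).
SAMPLE_CAT_INDICES = """\
green open logstash-ids-2017.10.30 lT0QX-__QVmGXpyUdjqdHw 1 0 32609 0 10.7mb 10.7mb
green open logstash-syslog-2017.10.30 fXUlBC_hSOm9K7rw0P_1dA 1 0 81955 0 32.3mb 32.3mb
green open logstash-ids-2017.11.04 NySacsHZTuKVcDYo6tMXiA 1 0 557 0 466.6kb 466.6kb
green open logstash-syslog-2017.11.02 xNrVCywKQrCQc2dTIQhACw 1 0 74159 0 26.7mb 26.7mb
green open logstash-bro-2017.10.29 JanqpgL9QbiU3vskgMQX9Q 1 0 525036 0 448.2mb 448.2mb
"""

# Daily indices look like <family>-YYYY.MM.DD; the family itself may contain dashes.
INDEX_RE = re.compile(r"^(?P<family>[a-z0-9_.-]+?)-(?P<y>\d{4})\.(?P<m>\d{2})\.(?P<d>\d{2})$")


def parse_cat_indices(text):
    """Map each daily index family to {'YYYY-MM-DD': docs.count}."""
    families = {}
    for line in text.splitlines():
        fields = line.split()
        # columns: health status index uuid pri rep docs.count docs.deleted store.size pri.store.size
        if len(fields) < 7:
            continue  # blank line
        m = INDEX_RE.match(fields[2])
        if not m:
            continue  # not a dated index (e.g. .kibana, or a ?v header row)
        day = f"{m['y']}-{m['m']}-{m['d']}"
        families.setdefault(m["family"], {})[day] = int(fields[6])
    return families


def stale_families(families, today, max_age_days=1):
    """Return {family: newest_day} for families whose newest daily index is
    more than max_age_days behind `today` (an ISO date string, assumed here)."""
    now = date.fromisoformat(today)
    stale = {}
    for family, days in families.items():
        newest = max(days)  # ISO strings sort chronologically
        if (now - date.fromisoformat(newest)).days > max_age_days:
            stale[family] = newest
    return stale


if __name__ == "__main__":
    # 2017-11-13 is the date of the newest dailylogs directory in the post.
    for fam, newest in stale_families(parse_cat_indices(SAMPLE_CAT_INDICES), "2017-11-13").items():
        print(f"{fam}: newest index {newest}; Logstash is not writing to this family")
```

With the post's data every family is stale, which points at the ingest pipeline (Logstash) rather than at Kibana, exactly what the duplicate syslog-ng lines turned out to be.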