Security-Onion-Solutions / security-onion

Security Onion 16.04 - Linux distro for threat hunting, enterprise security monitoring, and log management
https://securityonion.net

Elasticsearch crashes shortly after fresh installation and won't start. #1501

Closed workandresearchgithub closed 5 years ago

workandresearchgithub commented 5 years ago

This issue tracker is primarily used to track issues that need to be fixed and are added to our Roadmap: https://github.com/Security-Onion-Solutions/security-onion/wiki/Roadmap

If you are creating an issue just to ask a question, you will likely get faster and better responses by posting to our mailing list instead: https://github.com/Security-Onion-Solutions/security-onion/wiki/MailingLists

If you have found a bug in Security Onion, you can continue with creating an issue here, but please make sure you have done the following:

Elasticsearch crashes shortly after fresh installation and won't start. Installed on a bare-metal Dell M4800 with 8 GB of RAM.

This shows up in Kibana:

(screenshot of the Kibana error; image not included in this copy)

```
root@secOnion-Precision-M4800:/opt/splunk/bin# sostat-redacted
/usr/sbin/sostat: line 493: / : syntax error: operand expected (error token is "/ ")

=========================================================================
Service Status
=========================================================================

Status: securityonion
```

```
=========================================================================
Interface Status
=========================================================================

br-8332f27ade74 Link encap:Ethernet  HWaddr MM:MM:MM:MM:MM:MM
          inet addr:X.X.X.X  Bcast:X.X.X.X  Mask:X.X.X.X
          inet6 addr: X.X.X.X/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:3712794 errors:0 dropped:0 overruns:0 frame:0
          TX packets:30 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:997849935 (997.8 MB)  TX bytes:2396 (2.3 KB)

docker0   Link encap:Ethernet  HWaddr MM:MM:MM:MM:MM:MM
          inet addr:X.X.X.X  Bcast:X.X.X.X  Mask:X.X.X.X
          inet6 addr: X.X.X.X/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:245662 errors:0 dropped:0 overruns:0 frame:0
          TX packets:269171 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:91839302 (91.8 MB)  TX bytes:325283868 (325.2 MB)

eno1      Link encap:Ethernet  HWaddr MM:MM:MM:MM:MM:MM
          inet addr:X.X.X.X  Bcast:X.X.X.X  Mask:X.X.X.X
          inet6 addr: X.X.X.X/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:266309 errors:0 dropped:0 overruns:0 frame:0
          TX packets:136798 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:171183582 (171.1 MB)  TX bytes:89626330 (89.6 MB)
          Interrupt:20 Memory:f7800000-f7820000

enx8cae4cf457aa Link encap:Ethernet  HWaddr MM:MM:MM:MM:MM:MM
          UP BROADCAST RUNNING NOARP PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:41730373 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:44549538403 (44.5 GB)  TX bytes:0 (0.0 B)

lo        Link encap:Local Loopback
          inet addr:X.X.X.X  Mask:X.X.X.X
          inet6 addr: X.X.X.X/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:1505682 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1505682 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1229352203 (1.2 GB)  TX bytes:1229352203 (1.2 GB)

wlp3s0    Link encap:Ethernet  HWaddr MM:MM:MM:MM:MM:MM
          UP BROADCAST NOARP PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

so-curator

(eth0) veth1ce3814 Link encap:Ethernet  HWaddr MM:MM:MM:MM:MM:MM
          inet6 addr: X.X.X.X/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:265 errors:0 dropped:0 overruns:0 frame:0
          TX packets:281 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:19154 (19.1 KB)  TX bytes:20346 (20.3 KB)

(eth1) veth8369603 Link encap:Ethernet  HWaddr MM:MM:MM:MM:MM:MM
          inet6 addr: X.X.X.X/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:382 errors:0 dropped:0 overruns:0 frame:0
          TX packets:610 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:51312 (51.3 KB)  TX bytes:2183058 (2.1 MB)

so-elastalert

(eth0) veth53d0bfd Link encap:Ethernet  HWaddr MM:MM:MM:MM:MM:MM
          inet6 addr: X.X.X.X/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:652 errors:0 dropped:0 overruns:0 frame:0
          TX packets:669 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:47988 (47.9 KB)  TX bytes:49297 (49.2 KB)

(eth1) vethcded935 Link encap:Ethernet  HWaddr MM:MM:MM:MM:MM:MM
          inet6 addr: X.X.X.X/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:914 errors:0 dropped:0 overruns:0 frame:0
          TX packets:605 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:181074 (181.0 KB)  TX bytes:130513 (130.5 KB)

so-logstash

(eth0) veth9f08f70 Link encap:Ethernet  HWaddr MM:MM:MM:MM:MM:MM
          inet6 addr: X.X.X.X/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:7454 errors:0 dropped:0 overruns:0 frame:0
          TX packets:9235 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1075503 (1.0 MB)  TX bytes:12820831 (12.8 MB)

(eth1) vethae6a240 Link encap:Ethernet  HWaddr MM:MM:MM:MM:MM:MM
          inet6 addr: X.X.X.X/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:9443 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8249 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:20622819 (20.6 MB)  TX bytes:1871919 (1.8 MB)

so-kibana

(eth0) veth9f14d3e Link encap:Ethernet  HWaddr MM:MM:MM:MM:MM:MM
          inet6 addr: X.X.X.X/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:3534 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3663 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:17014034 (17.0 MB)  TX bytes:9956202 (9.9 MB)

(eth1) vethbc636a9 Link encap:Ethernet  HWaddr MM:MM:MM:MM:MM:MM
          inet6 addr: X.X.X.X/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:4355 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3557 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:10074780 (10.0 MB)  TX bytes:2187636 (2.1 MB)
```

```
=========================================================================
Link Statistics
=========================================================================

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
    RX: bytes packets errors dropped overrun mcast
        1229464636 1505912 0 0 0 0
    RX errors: length crc frame fifo missed
        0 0 0 0 0
    TX: bytes packets errors dropped carrier collsns
        1229464636 1505912 0 0 0 0
    TX errors: aborted fifo window heartbeat transns
        0 0 0 0 0
2: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
    link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
    RX: bytes packets errors dropped overrun mcast
        171184190 266317 0 0 0 2563
    RX errors: length crc frame fifo missed
        0 0 0 0 0
    TX: bytes packets errors dropped carrier collsns
        89626874 136805 0 0 0 0
    TX errors: aborted fifo window heartbeat transns
        0 0 0 0 2
3: wlp3s0: <NO-CARRIER,BROADCAST,MULTICAST,NOARP,PROMISC,UP> mtu 1500 qdisc mq state DOWN mode DEFAULT group default qlen 1000
    link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
    RX: bytes packets errors dropped overrun mcast
        0 0 0 0 0 0
    RX errors: length crc frame fifo missed
        0 0 0 0 0
    TX: bytes packets errors dropped carrier collsns
        0 0 0 0 0 0
    TX errors: aborted fifo window heartbeat transns
        0 0 0 0 1
4: enx8cae4cf457aa: <BROADCAST,MULTICAST,NOARP,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
    link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
    RX: bytes packets errors dropped overrun mcast
        44563853242 41743106 0 0 0 0
    RX errors: length crc frame fifo missed
        0 0 0 0 0
    TX: bytes packets errors dropped carrier collsns
        0 0 0 0 0 0
    TX errors: aborted fifo window heartbeat transns
        0 0 0 0 1
5: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default
    link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
    RX: bytes packets errors dropped overrun mcast
        91839702 245669 0 0 0 0
    RX errors: length crc frame fifo missed
        0 0 0 0 0
    TX: bytes packets errors dropped carrier collsns
        325284366 269178 0 0 0 0
    TX errors: aborted fifo window heartbeat transns
        0 0 0 0 16
6: br-8332f27ade74: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default
    link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
    RX: bytes packets errors dropped overrun mcast
        997849935 3712794 0 0 0 0
    RX errors: length crc frame fifo missed
        0 0 0 0 0
    TX: bytes packets errors dropped carrier collsns
        2396 30 0 0 0 0
    TX errors: aborted fifo window heartbeat transns
        0 0 0 0 24
136: veth9f14d3e@if135: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP mode DEFAULT group default
    link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM link-netnsid 1
    RX: bytes packets errors dropped overrun mcast
        17014034 3534 0 0 0 0
    RX errors: length crc frame fifo missed
        0 0 0 0 0
    TX: bytes packets errors dropped carrier collsns
        9956202 3663 0 0 0 0
    TX errors: aborted fifo window heartbeat transns
        0 0 0 0 2
138: vethbc636a9@if137: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-8332f27ade74 state UP mode DEFAULT group default
    link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM link-netnsid 1
    RX: bytes packets errors dropped overrun mcast
        10074780 4355 0 0 0 0
    RX errors: length crc frame fifo missed
        0 0 0 0 0
    TX: bytes packets errors dropped carrier collsns
        2187636 3557 0 0 0 0
    TX errors: aborted fifo window heartbeat transns
        0 0 0 0 2
140: veth9f08f70@if139: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP mode DEFAULT group default
    link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM link-netnsid 2
    RX: bytes packets errors dropped overrun mcast
        1075503 7454 0 0 0 0
    RX errors: length crc frame fifo missed
        0 0 0 0 0
    TX: bytes packets errors dropped carrier collsns
        12820831 9235 0 0 0 0
    TX errors: aborted fifo window heartbeat transns
        0 0 0 0 2
142: vethae6a240@if141: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-8332f27ade74 state UP mode DEFAULT group default
    link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM link-netnsid 2
    RX: bytes packets errors dropped overrun mcast
        20622819 9443 0 0 0 0
    RX errors: length crc frame fifo missed
        0 0 0 0 0
    TX: bytes packets errors dropped carrier collsns
        1871919 8249 0 0 0 0
    TX errors: aborted fifo window heartbeat transns
        0 0 0 0 2
144: veth53d0bfd@if143: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP mode DEFAULT group default
    link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM link-netnsid 3
    RX: bytes packets errors dropped overrun mcast
        48292 656 0 0 0 0
    RX errors: length crc frame fifo missed
        0 0 0 0 0
    TX: bytes packets errors dropped carrier collsns
        49601 673 0 0 0 0
    TX errors: aborted fifo window heartbeat transns
        0 0 0 0 2
146: vethcded935@if145: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-8332f27ade74 state UP mode DEFAULT group default
    link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM link-netnsid 3
    RX: bytes packets errors dropped overrun mcast
        181074 914 0 0 0 0
    RX errors: length crc frame fifo missed
        0 0 0 0 0
    TX: bytes packets errors dropped carrier collsns
        130513 605 0 0 0 0
    TX errors: aborted fifo window heartbeat transns
        0 0 0 0 2
148: veth1ce3814@if147: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP mode DEFAULT group default
    link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM link-netnsid 4
    RX: bytes packets errors dropped overrun mcast
        19154 265 0 0 0 0
    RX errors: length crc frame fifo missed
        0 0 0 0 0
    TX: bytes packets errors dropped carrier collsns
        20346 281 0 0 0 0
    TX errors: aborted fifo window heartbeat transns
        0 0 0 0 2
150: veth8369603@if149: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-8332f27ade74 state UP mode DEFAULT group default
    link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM link-netnsid 4
    RX: bytes packets errors dropped overrun mcast
        51312 382 0 0 0 0
    RX errors: length crc frame fifo missed
        0 0 0 0 0
    TX: bytes packets errors dropped carrier collsns
        2183058 610 0 0 0 0
    TX errors: aborted fifo window heartbeat transns
        0 0 0 0 2
```

```
=========================================================================
Disk Usage
=========================================================================

Filesystem  Size  Used  Avail  Use%  Mounted on
udev        3.9G     0   3.9G    0%  /dev
tmpfs       789M   18M   771M    3%  /run
/dev/sda2   228G   20G   197G   10%  /
tmpfs       3.9G  120K   3.9G    1%  /dev/shm
tmpfs       5.0M  4.0K   5.0M    1%  /run/lock
tmpfs       3.9G     0   3.9G    0%  /sys/fs/cgroup
/dev/sda1   511M  3.6M   508M    1%  /boot/efi
tmpfs       789M  4.0K   789M    1%  /run/user/114
tmpfs       789M   16K   789M    1%  /run/user/1000
overlay     228G   20G   197G   10%  /var/lib/docker/overlay2/571b357e8bbd2adee6e5f805a32a223508f559f9d93331daee7180362aa9af9b/merged
shm          64M     0    64M    0%  /var/lib/docker/containers/4e6a1f1f5128826cfa1a769b64d0e4c8837688d52ff4113d2c880194731a738b/mounts/shm
overlay     228G   20G   197G   10%  /var/lib/docker/overlay2/3f96b72d6cd9bfe22ceb7480f46028618d066ee7a47bdfb4bbe68d78fc2d50b2/merged
shm          64M     0    64M    0%  /var/lib/docker/containers/abb9ace1096c6c5eb17e9f23c45bb3c167c13c315908a67618ca4efd189cddd1/mounts/shm
overlay     228G   20G   197G   10%  /var/lib/docker/overlay2/1234c313b502c98644899233eac74753ce5b4f239c793324d90171d649ce85a9/merged
shm          64M     0    64M    0%  /var/lib/docker/containers/7c9f2a702147f19018816a22111fc8232c75651346c49453a4a9daceaf7028c7/mounts/shm
overlay     228G   20G   197G   10%  /var/lib/docker/overlay2/07d4ad9062460751e11c08182f84bcb46a29ed9f43e94d589786c79fd8059c8e/merged
shm          64M     0    64M    0%  /var/lib/docker/containers/a108d9c17b88d38d0c933d2ca99f6f0f95b669b72db25fd9d440816a1625caee/mounts/shm
tmpfs       789M     0   789M    0%  /run/user/1001
```

```
=========================================================================
Network Sockets
=========================================================================

COMMAND     PID    USER     FD   TYPE  DEVICE   SIZE/OFF  NODE  NAME
splunkd     1657   root     4u   IPv4  30115    0t0       TCP   *:8089 (LISTEN)
splunkd     1657   root     52u  IPv4  36091    0t0       UDP   *:514
splunkd     1657   root     86u  IPv4  44163    0t0       TCP   *:8000 (LISTEN)
splunkd     1657   root     91u  IPv4  2637096  0t0       TCP   X.X.X.X:45262->X.X.X.X:8191 (ESTABLISHED)
splunkd     1657   root     96u  IPv4  2637097  0t0       TCP   X.X.X.X:45264->X.X.X.X:8191 (ESTABLISHED)
splunkd     1657   root     108u IPv4  1905922  0t0       TCP   X.X.X.X:8000->X.X.X.X:55939 (ESTABLISHED)
splunkd     1657   root     110u IPv4  2621883  0t0       TCP   X.X.X.X:45272->X.X.X.X:8191 (ESTABLISHED)
splunkd     1657   root     112u IPv4  35609    0t0       TCP   X.X.X.X:37050->X.X.X.X:8191 (ESTABLISHED)
splunkd     1657   root     118u IPv4  2693676  0t0       TCP   X.X.X.X:8089->X.X.X.X:63496 (ESTABLISHED)
splunkd     1657   root     132u IPv4  2637100  0t0       TCP   X.X.X.X:45274->X.X.X.X:8191 (ESTABLISHED)
splunkd     1657   root     143u IPv4  1904962  0t0       TCP   X.X.X.X:8000->X.X.X.X:55942 (ESTABLISHED)
splunkd     1657   root     158u IPv4  1913154  0t0       TCP   X.X.X.X:58954->X.X.X.X:8065 (ESTABLISHED)
sshd        1742   root     3u   IPv4  35133    0t0       TCP   *:ssh_port (LISTEN)
sshd        1742   root     4u   IPv6  35135    0t0       TCP   *:ssh_port (LISTEN)
xrdp        2122   xrdp     6u   IPv4  31790    0t0       TCP   *:3389 (LISTEN)
xrdp        2122   xrdp     25u  IPv4  727683   0t0       TCP   X.X.X.X:3389->X.X.X.X:53538 (ESTABLISHED)
xrdp        2122   xrdp     31u  IPv4  722712   0t0       TCP   X.X.X.X:58260->X.X.X.X:5910 (ESTABLISHED)
xrdp-sesm   2177   root     6u   IPv4  29527    0t0       TCP   X.X.X.X:3350 (LISTEN)
mongod      3135   root     10u  IPv4  34130    0t0       TCP   *:8191 (LISTEN)
mongod      3135   root     48u  IPv4  2622904  0t0       TCP   X.X.X.X:8191->X.X.X.X:45260 (ESTABLISHED)
mongod      3135   root     49u  IPv4  2638134  0t0       TCP   X.X.X.X:8191->X.X.X.X:45272 (ESTABLISHED)
mongod      3135   root     50u  IPv4  2637034  0t0       TCP   X.X.X.X:8191->X.X.X.X:45250 (ESTABLISHED)
mongod      3135   root     51u  IPv4  37453    0t0       TCP   X.X.X.X:8191->X.X.X.X:37050 (ESTABLISHED)
mongod      3135   root     52u  IPv4  2637037  0t0       TCP   X.X.X.X:8191->X.X.X.X:45252 (ESTABLISHED)
mongod      3135   root     53u  IPv4  2638105  0t0       TCP   X.X.X.X:8191->X.X.X.X:45262 (ESTABLISHED)
mongod      3135   root     54u  IPv4  2638107  0t0       TCP   X.X.X.X:8191->X.X.X.X:45264 (ESTABLISHED)
mongod      3135   root     55u  IPv4  614739   0t0       TCP   X.X.X.X:8191->X.X.X.X:44718 (ESTABLISHED)
mongod      3135   root     56u  IPv4  2622912  0t0       TCP   X.X.X.X:8191->X.X.X.X:45274 (ESTABLISHED)
mongod      3135   root     57u  IPv4  2622918  0t0       TCP   X.X.X.X:8191->X.X.X.X:45276 (ESTABLISHED)
python      3535   root     9u   IPv4  43305    0t0       TCP   X.X.X.X:8065 (LISTEN)
python      3535   root     14u  IPv4  1918008  0t0       TCP   X.X.X.X:8065->X.X.X.X:58954 (ESTABLISHED)
streamfwd   4212   root     13u  IPv4  38106    0t0       TCP   X.X.X.X:8889 (LISTEN)
splunkd     4379   root     7u   IPv4  2637033  0t0       TCP   X.X.X.X:45250->X.X.X.X:8191 (ESTABLISHED)
splunkd     4379   root     8u   IPv4  2636211  0t0       TCP   X.X.X.X:45276->X.X.X.X:8191 (ESTABLISHED)
splunkd     4379   root     9u   IPv4  595742   0t0       TCP   X.X.X.X:44718->X.X.X.X:8191 (ESTABLISHED)
splunkd     4379   root     10u  IPv4  2634130  0t0       TCP   X.X.X.X:45260->X.X.X.X:8191 (ESTABLISHED)
splunkd     4379   root     11u  IPv4  2637036  0t0       TCP   X.X.X.X:45252->X.X.X.X:8191 (ESTABLISHED)
ntpd        4533   ntp      16u  IPv6  34521    0t0       UDP   *:123
ntpd        4533   ntp      17u  IPv4  34524    0t0       UDP   *:123
ntpd        4533   ntp      18u  IPv4  34529    0t0       UDP   X.X.X.X:123
ntpd        4533   ntp      19u  IPv4  34531    0t0       UDP   X.X.X.X:123
ntpd        4533   ntp      20u  IPv6  34533    0t0       UDP   [X.X.X.X]:123
ntpd        4533   ntp      21u  IPv6  34535    0t0       UDP   [X.X.X.X]:123
ntpd        4533   ntp      23u  IPv4  2101643  0t0       UDP   X.X.X.X:123
ntpd        4533   ntp      24u  IPv4  2101646  0t0       UDP   X.X.X.X:123
ntpd        4533   ntp      25u  IPv6  2101650  0t0       UDP   [X.X.X.X]:123
ntpd        4533   ntp      26u  IPv6  2101652  0t0       UDP   [X.X.X.X]:123
ntpd        4533   ntp      29u  IPv6  2229493  0t0       UDP   [X.X.X.X]:123
ntpd        4533   ntp      30u  IPv6  2229553  0t0       UDP   [X.X.X.X]:123
ntpd        4533   ntp      31u  IPv6  2228204  0t0       UDP   [X.X.X.X]:123
ntpd        4533   ntp      32u  IPv6  2228207  0t0       UDP   [X.X.X.X]:123
ntpd        4533   ntp      33u  IPv6  2228209  0t0       UDP   [X.X.X.X]:123
ntpd        4533   ntp      34u  IPv6  2228211  0t0       UDP   [X.X.X.X]:123
ntpd        4533   ntp      35u  IPv6  2228213  0t0       UDP   [X.X.X.X]:123
ntpd        4533   ntp      36u  IPv6  2228215  0t0       UDP   [X.X.X.X]:123
bro         7879   SO-user  4u   IPv4  1108285  0t0       UDP   X.X.X.X:56064->X.X.X.X:53
bro         7879   SO-user  20u  IPv6  1109203  0t0       TCP   *:47760 (LISTEN)
tclsh       10168  SO-user  13u  IPv4  2683143  0t0       TCP   *:7734 (LISTEN)
tclsh       10168  SO-user  14u  IPv6  2683144  0t0       TCP   *:7734 (LISTEN)
tclsh       10168  SO-user  15u  IPv4  2683147  0t0       TCP   *:7736 (LISTEN)
tclsh       10168  SO-user  16u  IPv6  2683148  0t0       TCP   *:7736 (LISTEN)
tclsh       10168  SO-user  17u  IPv4  2683153  0t0       TCP   X.X.X.X:7736->X.X.X.X:33319 (ESTABLISHED)
tclsh       10168  SO-user  18u  IPv4  2683154  0t0       TCP   X.X.X.X:7736->X.X.X.X:40359 (ESTABLISHED)
tclsh       10168  SO-user  19u  IPv4  2687269  0t0       TCP   X.X.X.X:7736->X.X.X.X:40363 (ESTABLISHED)
ossec-aut   13606  root     3u   IPv4  2003605  0t0       TCP   *:1515 (LISTEN)
ossec-rem   13646  ossecr   4u   IPv4  2004284  0t0       UDP   *:1514
sshd        18161  root     3u   IPv4  280537   0t0       TCP   X.X.X.X:ssh_port->X.X.X.X:52949 (ESTABLISHED)
sshd        18228  SO-user  3u   IPv4  280537   0t0       TCP   X.X.X.X:ssh_port->X.X.X.X:52949 (ESTABLISHED)
mysqld      19671  mysql    22u  IPv4  2069809  0t0       TCP   X.X.X.X:3306 (LISTEN)
xrdp-sess   21888  root     6u   IPv4  29527    0t0       TCP   X.X.X.X:3350 (LISTEN)
startwm.s   21889  SO-user  6u   IPv4  29527    0t0       TCP   X.X.X.X:3350 (LISTEN)
Xvnc        21890  SO-user  1u   IPv4  303815   0t0       TCP   X.X.X.X:5910 (LISTEN)
Xvnc        21890  SO-user  6u   IPv4  29527    0t0       TCP   X.X.X.X:3350 (LISTEN)
Xvnc        21890  SO-user  32u  IPv4  730346   0t0       TCP   X.X.X.X:5910->X.X.X.X:58260 (ESTABLISHED)
mate-sess   21891  SO-user  6u   IPv4  29527    0t0       TCP   X.X.X.X:3350 (LISTEN)
xrdp-chan   21892  root     6u   IPv4  29527    0t0       TCP   X.X.X.X:3350 (LISTEN)
dbus-laun   21896  SO-user  6u   IPv4  29527    0t0       TCP   X.X.X.X:3350 (LISTEN)
dbus-daem   21897  SO-user  6u   IPv4  29527    0t0       TCP   X.X.X.X:3350 (LISTEN)
salt-mast   22521  root     14u  IPv4  2080873  0t0       TCP   *:4505 (LISTEN)
salt-mast   22521  root     16u  IPv4  2085943  0t0       TCP   X.X.X.X:4505->X.X.X.X:32956 (ESTABLISHED)
salt-mast   22530  root     22u  IPv4  2077325  0t0       TCP   *:4506 (LISTEN)
salt-mini   22830  root     26u  IPv4  2087041  0t0       TCP   X.X.X.X:32956->X.X.X.X:4505 (ESTABLISHED)
tclsh       23474  SO-user  3u   IPv4  2692668  0t0       TCP   X.X.X.X:40363->X.X.X.X:7736 (ESTABLISHED)
bro         23633  SO-user  4u   IPv4  2083582  0t0       UDP   X.X.X.X:43586->X.X.X.X:53
bro         23633  SO-user  19u  IPv6  2084382  0t0       TCP   *:47761 (LISTEN)
bro         23633  SO-user  22u  IPv6  2088114  0t0       TCP   X.X.X.X:47761->X.X.X.X:35802 (ESTABLISHED)
bro         23633  SO-user  24u  IPv6  2088169  0t0       TCP   X.X.X.X:47761->X.X.X.X:35816 (ESTABLISHED)
bro         23633  SO-user  25u  IPv6  2082773  0t0       TCP   X.X.X.X:47761->X.X.X.X:35820 (ESTABLISHED)
bro         23736  SO-user  4u   IPv4  2085065  0t0       UDP   X.X.X.X:50134->X.X.X.X:53
bro         23736  SO-user  18u  IPv6  2077695  0t0       TCP   *:47762 (LISTEN)
bro         23736  SO-user  19u  IPv4  2077696  0t0       TCP   X.X.X.X:35802->X.X.X.X:47761 (ESTABLISHED)
bro         23736  SO-user  20u  IPv6  2084498  0t0       TCP   X.X.X.X:47762->X.X.X.X:39210 (ESTABLISHED)
bro         23736  SO-user  21u  IPv6  2085122  0t0       TCP   X.X.X.X:47762->X.X.X.X:39216 (ESTABLISHED)
bro         23826  SO-user  4u   IPv4  2085088  0t0       UDP   X.X.X.X:36519->X.X.X.X:53
bro         23826  SO-user  18u  IPv6  2082348  0t0       TCP   *:47763 (LISTEN)
bro         23826  SO-user  19u  IPv4  2082349  0t0       TCP   X.X.X.X:35816->X.X.X.X:47761 (ESTABLISHED)
bro         23826  SO-user  20u  IPv4  2082350  0t0       TCP   X.X.X.X:39210->X.X.X.X:47762 (ESTABLISHED)
bro         23826  SO-user  21u  IPv6  2087361  0t0       TCP   X.X.X.X:47763->X.X.X.X:47128 (ESTABLISHED)
bro         23919  SO-user  4u   IPv4  2087348  0t0       UDP   X.X.X.X:33868->X.X.X.X:53
bro         23919  SO-user  18u  IPv6  2085118  0t0       TCP   *:47764 (LISTEN)
bro         23919  SO-user  19u  IPv4  2085119  0t0       TCP   X.X.X.X:35820->X.X.X.X:47761 (ESTABLISHED)
bro         23919  SO-user  20u  IPv4  2085120  0t0       TCP   X.X.X.X:47128->X.X.X.X:47763 (ESTABLISHED)
bro         23919  SO-user  21u  IPv4  2085121  0t0       TCP   X.X.X.X:39216->X.X.X.X:47762 (ESTABLISHED)
tclsh       24226  SO-user  3u   IPv4  2680653  0t0       TCP   X.X.X.X:40359->X.X.X.X:7736 (ESTABLISHED)
tclsh       24273  SO-user  3u   IPv4  2659178  0t0       TCP   X.X.X.X:33319->X.X.X.X:7736 (ESTABLISHED)
tclsh       24273  SO-user  4u   IPv4  2090319  0t0       TCP   X.X.X.X:8100 (LISTEN)
tclsh       24273  SO-user  6u   IPv4  2090973  0t0       TCP   X.X.X.X:8100->X.X.X.X:51970 (ESTABLISHED)
barnyard2   24383  SO-user  3u   IPv4  2084771  0t0       TCP   X.X.X.X:51970->X.X.X.X:8100 (ESTABLISHED)
docker-pr   26635  root     4u   IPv4  2139630  0t0       TCP   X.X.X.X:5601 (LISTEN)
docker-pr   27552  root     4u   IPv6  2139883  0t0       TCP   *:9600 (LISTEN)
docker-pr   27565  root     4u   IPv6  2091952  0t0       TCP   *:6053 (LISTEN)
docker-pr   27579  root     4u   IPv6  2228736  0t0       TCP   *:6052 (LISTEN)
docker-pr   27593  root     4u   IPv6  2091967  0t0       TCP   *:6051 (LISTEN)
docker-pr   27607  root     3u   IPv6  2271945  0t0       TCP   X.X.X.X:6050->X.X.X.X:44017 (ESTABLISHED)
docker-pr   27607  root     4u   IPv6  2162661  0t0       TCP   *:6050 (LISTEN)
docker-pr   27607  root     6u   IPv4  2256726  0t0       TCP   X.X.X.X:49664->X.X.X.X:6050 (ESTABLISHED)
docker-pr   27621  root     4u   IPv6  2234947  0t0       TCP   *:5044 (LISTEN)
apache2     28707  root     4u   IPv6  2227092  0t0       TCP   *:443 (LISTEN)
apache2     28712  www-data 4u   IPv6  2227092  0t0       TCP   *:443 (LISTEN)
apache2     28713  www-data 4u   IPv6  2227092  0t0       TCP   *:443 (LISTEN)
apache2     28716  www-data 4u   IPv6  2227092  0t0       TCP   *:443 (LISTEN)
syslog-ng   28755  root     19u  IPv4  2227104  0t0       TCP   *:514 (LISTEN)
syslog-ng   28755  root     20u  IPv4  2227105  0t0       UDP   *:514
syslog-ng   28755  root     35u  IPv4  2273437  0t0       TCP   X.X.X.X:44017->X.X.X.X:6050 (ESTABLISHED)
apache2     31496  www-data 4u   IPv6  2227092  0t0       TCP   *:443 (LISTEN)
apache2     31503  www-data 4u   IPv6  2227092  0t0       TCP   *:443 (LISTEN)
apache2     31504  www-data 4u   IPv6  2227092  0t0       TCP   *:443 (LISTEN)
apache2     31505  www-data 4u   IPv6  2227092  0t0       TCP   *:443 (LISTEN)
apache2     31506  www-data 4u   IPv6  2227092  0t0       TCP   *:443 (LISTEN)
apache2     31507  www-data 4u   IPv6  2227092  0t0       TCP   *:443 (LISTEN)
apache2     32408  www-data 4u   IPv6  2227092  0t0       TCP   *:443 (LISTEN)
```

```
=========================================================================
IDS Rules Update
=========================================================================

Sat Apr 6 04:36:18 UTC 2019
Backing up current local_rules.xml file.
Cleaning up local_rules.xml backup files older than 30 days.
Backing up current downloaded.rules file before it gets overwritten.
Cleaning up downloaded.rules backup files older than 30 days.
Backing up current local.rules file before it gets overwritten.
Cleaning up local.rules backup files older than 30 days.
ENGINE=suricata, so we'll execute PulledPork with -T -S suricata-4.1.3.
Running PulledPork.

    https://github.com/shirkdog/pulledpork
      _____ ____
     `----,\    )
      `--==\\  /    PulledPork v0.7.3 - Making signature updates great again!
       `--==\\/
     .-~~~~-.Y|\\_  Copyright (C) 2009-2016 JJ Cummings
  @_/        /  66\_  cummingsj@gmail.com
    |    \   \   _(")
     \   /-| ||'--'  Rules give me wings!
      \_\  \_\\

Checking latest MD5 for emerging.rules.tar.gz....
        No Match
        Done
Rules tarball download of emerging.rules.tar.gz....
        They Match
        Done!
Prepping rules from emerging.rules.tar.gz for work....
        Done!
Reading rules...
Reading rules...
Modifying Sids....
        Done!
Processing /etc/nsm/pulledpork/enablesid.conf....
        Modified 0 rules
        Skipped 0 rules (already disabled)
        Done
Processing /etc/nsm/pulledpork/dropsid.conf....
        Modified 0 rules
        Skipped 0 rules (already disabled)
        Done
Processing /etc/nsm/pulledpork/disablesid.conf....
        Modified 63 rules
        Skipped 63 rules (already disabled)
        Done
Setting Flowbit State....
        Enabled 187 flowbits
        Enabled 1 flowbits
        Done
Writing /etc/nsm/rules/downloaded.rules....
        Done
Generating sid-msg.map....
        Done
Writing v1 /etc/nsm/rules/sid-msg.map....
        Done
Writing /var/log/nsm/sid_changes.log....
        Done
Rule Stats...
        New:-------42
        Deleted:---388
        Enabled Rules:----19778
        Dropped Rules:----0
        Disabled Rules:---7418
        Total Rules:------27196
No IP Blacklist Changes
Done
Please review /var/log/nsm/sid_changes.log for additional details
Fly Piggy Fly!
```

```
=========================================================================
CPU Usage
=========================================================================

Load average for the last 1, 5, and 15 minutes:
2.85 3.42 4.36
Processing units: 8
If load average is higher than processing units, then tune until load average is lower than processing units.

top - 05:04:56 up  5:44,  1 user,  load average: 2.85, 3.42, 4.36
Tasks: 310 total,   1 running, 229 sleeping,   0 stopped,   1 zombie
%Cpu(s): 19.6 us,  3.3 sy,  0.0 ni, 75.9 id,  0.8 wa,  0.0 hi,  0.3 si,  0.0 st
KiB Mem :  8070412 total,  1567916 free,  4993992 used,  1508504 buff/cache
KiB Swap:  1000444 total,     3832 free,   996612 used.  2557964 avail Mem

%CPU %MEM COMMAND
107  30.7 /bin/java -Xms2000m -Xmx2000m -XX:+UseParNewGC -XX:+UseConcMarkSweepGC -XX:CMSInitiatingOccupancyFraction=75 -XX:+UseCMSInitiatingOccupancyOnly -Djava.awt.headless=true -Dfile.encoding=UTF-8 -Djruby.compile.invokedynamic=true -Djruby.jit.threshold=0 -XX:+HeapDumpOnOutOfMemoryError -Djava.security.egd=file:/dev/urandom -cp /usr/share/logstash/logstash-core/lib/jars/animal-sniffer-annotations-1.14.jar:/usr/share/logstash/logstash-core/lib/jars/commons-codec-1.11.jar:/usr/share/logstash/logstash-core/lib/jars/commons-compiler-3.0.8.jar:/usr/share/logstash/logstash-core/lib/jars/error_prone_annotations-2.0.18.jar:/usr/share/logstash/logstash-core/lib/jars/google-java-format-1.1.jar:/usr/share/logstash/logstash-core/lib/jars/gradle-license-report-0.7.1.jar:/usr/share/logstash/logstash-core/lib/jars/guava-22.0.jar:/usr/share/logstash/logstash-core/lib/jars/j2objc-annotations-1.1.jar:/usr/share/logstash/logstash-core/lib/jars/jackson-annotations-2.9.5.jar:/usr/share/logstash/logstash-core/lib/jars/jackson-core-2.9.5.jar:/usr/share/logstash/logstash-core/lib/jars/jackson-databind-2.9.5.jar:/usr/share/logstash/logstash-core/lib/jars/jackson-dataformat-cbor-2.9.5.jar:/usr/share/logstash/logstash-core/lib/jars/janino-3.0.8.jar:/usr/share/logstash/logstash-core/lib/jars/jruby-complete-X.X.X.X.jar:/usr/share/logstash/logstash-core/lib/jars/jsr305-1.3.9.jar:/usr/share/logstash/logstash-core/lib/jars/log4j-api-2.9.1.jar:/usr/share/logstash/logstash-core/lib/jars/log4j-core-2.9.1.jar:/usr/share/logstash/logstash-core/lib/jars/log4j-slf4j-impl-2.9.1.jar:/usr/share/logstash/logstash-core/lib/jars/logstash-core.jar:/usr/share/logstash/logstash-core/lib/jars/org.eclipse.core.commands-3.6.0.jar:/usr/share/logstash/logstash-core/lib/jars/org.eclipse.core.contenttype-3.4.100.jar:/usr/share/logstash/logstash-core/lib/jars/org.eclipse.core.expressions-3.4.300.jar:/usr/share/logstash/logstash-core/lib/jars/org.eclipse.core.filesystem-1.3.100.jar:/usr/share/logstash/logstash-core/lib/jars/org.eclipse.core.jobs-3.5.100.jar:/usr/share/logstash/logstash-core/lib/jars/org.eclipse.core.resources-3.7.100.jar:/usr/share/logstash/logstash-core/lib/jars/org.eclipse.core.runtime-3.7.0.jar:/usr/share/logstash/logstash-core/lib/jars/org.eclipse.equinox.app-1.3.100.jar:/usr/share/logstash/logstash-core/lib/jars/org.eclipse.equinox.common-3.6.0.jar:/usr/share/logstash/logstash-core/lib/jars/org.eclipse.equinox.preferences-3.4.1.jar:/usr/share/logstash/logstash-core/lib/jars/org.eclipse.equinox.registry-3.5.101.jar:/usr/share/logstash/logstash-core/lib/jars/org.eclipse.jdt.core-3.10.0.jar:/usr/share/logstash/logstash-core/lib/jars/org.eclipse.osgi-3.7.1.jar:/usr/share/logstash/logstash-core/lib/jars/org.eclipse.text-3.5.101.jar:/usr/share/logstash/logstash-core/lib/jars/slf4j-api-1.7.25.jar org.logstash.Logstash
27.2  3.6 /opt/bro/bin/bro -i enx8cae4cf457aa -U .status -p broctl -p broctl-live -p standalone -p local -p bro local.bro broctl broctl/standalone broctl/auto
18.2  4.0 /opt/bro/bin/bro -i af_packetX.X.X.Xenx8cae4cf457aa -U .status -p broctl -p broctl-live -p local -p seconion-precision-m4800-enx8cae4cf457aa-1 local.bro broctl base/frameworks/cluster broctl/auto
12.4  5.4 suricata --user SO-user --group SO-user -c /etc/nsm/seconion-precision-m4800-enx8cae4cf457aa/suricata.yaml --af-packet=enx8cae4cf457aa -l /nsm/sensor_data/seconion-precision-m4800-enx8cae4cf457aa
 5.9  4.8 /opt/splunk/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwd
 4.0  0.7 splunkd --under-systemd --systemd-delegate=yes -p 8089 _internal_launch_under_systemd
 2.4  1.0 /opt/bro/bin/bro -U .status -p broctl -p broctl-live -p local -p logger local.bro broctl base/frameworks/cluster broctl/auto
 2.3  0.4 /opt/bro/bin/bro -U .status -p broctl -p broctl-live -p local -p proxy local.bro broctl base/frameworks/cluster broctl/auto
 2.0  0.9 /opt/bro/bin/bro -U .status -p broctl -p broctl-live -p local -p manager local.bro broctl base/frameworks/cluster broctl/auto
 1.4  0.0 /var/ossec/bin/ossec-syscheckd
 0.9  1.6 /usr/share/kibana/bin/../node/bin/node --no-warnings /usr/share/kibana/bin/../src/cli --cpu.cgroup.path.override=/ --cpuacct.cgroup.path.override=/ --kibana.defaultAppId=dashboard/94b52620-342a-11e7-9d52-4f090484f59e
 0.8  1.6 /usr/sbin/mysqld
 0.7  0.0 [kswapd0]
 0.7  1.6 netsniff-ng -i enx8cae4cf457aa -o /nsm/sensor_data/seconion-precision-m4800-enx8cae4cf457aa/dailylogs/2019-04-06/ --user 1001 --group 1001 -s --prefix snort.log. --verbose --ring-size 64MiB --interval 150MiB --mmap
 0.7  0.1 barnyard2 -c /etc/nsm/seconion-precision-m4800-enx8cae4cf457aa/barnyard2.conf -u SO-user -g SO-user -d /nsm/sensor_data/seconion-precision-m4800-enx8cae4cf457aa -f snort.unified2 -w /etc/nsm/seconion-precision-m4800-enx8cae4cf457aa/barnyard2.waldo -i seconion-precision-m4800-enx8cae4cf457aa -U
 0.4  0.3 /opt/splunk/bin/python -O /opt/splunk/lib/python2.7/site-packages/splunk/appserver/mrsparkle/root.py --proxied=X.X.X.X,8065,8000
 0.4  0.1 tclsh /usr/bin/SO-userd -c /etc/nsm/securityonion/SO-userd.conf -a /etc/nsm/securityonion/autocat.conf -g /etc/nsm/securityonion/SO-userd.queries -A /etc/nsm/securityonion/SO-userd.access -C /etc/nsm/securityonion/certs
 0.3  0.1 mongod --dbpath=/opt/splunk/var/lib/splunk/kvstore/mongo --storageEngine=mmapv1 --port=8191 --timeStampFormat=iso8601-utc --smallfiles --oplogSize=200 --keyFile=/opt/splunk/var/lib/splunk/kvstore/mongo/splunk.key --setParameter=enableLocalhostAuthBypass=0 --setParameter=oplogFetcherSteadyStateMaxFetcherRestarts=0 --replSet=21537AFD-2476-44AF-956C-6A4E4875A9F1 --bind_ip=X.X.X.X --sslMode=requireSSL --sslAllowInvalidHostnames --sslPEMKeyFile=/opt/splunk/etc/auth/server.pem --sslPEMKeyPassword=xxxxxxxx --sslDisabledProtocols=noTLS1_0,noTLS1_1 --sslCipherConfig=ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-SHA256:AES256-GCM-SHA384:AES128-GCM-SHA256:AES128-SHA256 --nounixsocket --noscripting
 0.2  0.2 /usr/bin/python /usr/bin/salt-master
 0.2  0.1 /usr/bin/python /usr/bin/salt-minion
 0.2  0.0 /usr/bin/python /usr/bin/supervisord -c /etc/elastalert/conf/elastalert_supervisord.conf -n
 0.2  0.2 /usr/sbin/syslog-ng -F
 0.1  0.4 /usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock
 0.1  0.0 /opt/splunk/bin/splunkd instrument-resource-usage -p 8089 --with-kvstore
 0.1  0.0 /var/ossec/bin/wazuh-db
 0.1  0.0 /var/ossec/bin/ossec-analysisd
 0.1  0.0 /var/ossec/bin/ossec-remoted
 0.1  0.0 /var/ossec/bin/ossec-logcollector
 0.1  0.0 /usr/bin/docker-proxy -proto tcp -host-ip X.X.X.X -host-port 5601 -container-ip X.X.X.X -container-port 5601
 0.1  0.1 python -m elastalert.elastalert --config /etc/elastalert/conf/elastalert_config.yaml --verbose
 0.0  0.0 /sbin/init splash
 0.0  0.0 [kthreadd]
 0.0  0.0 [kworker/0:0H]
 0.0  0.0 [mm_percpu_wq]
 0.0  0.0 [ksoftirqd/0]
 0.0  0.0 [rcu_sched]
 0.0  0.0 [rcu_bh]
 0.0  0.0 [migration/0]
 0.0  0.0 [watchdog/0]
 0.0  0.0 [cpuhp/0]
 0.0  0.0 [cpuhp/1]
 0.0  0.0 [watchdog/1]
 0.0  0.0 [migration/1]
 0.0  0.0 [ksoftirqd/1]
 0.0  0.0 [kworker/1:0H]
 0.0  0.0 [cpuhp/2]
 0.0  0.0 [watchdog/2]
 0.0  0.0 [migration/2]
 0.0  0.0 [ksoftirqd/2]
 0.0  0.0 [kworker/2:0H]
 0.0  0.0 [cpuhp/3]
 0.0  0.0 [watchdog/3]
 0.0  0.0 [migration/3]
 0.0  0.0 [ksoftirqd/3]
 0.0  0.0 [kworker/3:0H]
 0.0  0.0 [cpuhp/4]
 0.0  0.0 [watchdog/4]
 0.0  0.0 [migration/4]
 0.0  0.0 [ksoftirqd/4]
 0.0  0.0 [kworker/4:0H]
 0.0  0.0 [cpuhp/5]
 0.0  0.0 [watchdog/5]
 0.0  0.0 [migration/5]
 0.0  0.0 [ksoftirqd/5]
 0.0  0.0 [kworker/5:0H]
 0.0  0.0 [cpuhp/6]
 0.0  0.0 [watchdog/6]
 0.0  0.0 [migration/6]
 0.0  0.0 [ksoftirqd/6]
 0.0  0.0 [kworker/6:0H]
 0.0  0.0 [cpuhp/7]
 0.0  0.0 [watchdog/7]
 0.0  0.0 [migration/7]
 0.0  0.0 [ksoftirqd/7]
 0.0  0.0 [kworker/7:0H]
 0.0  0.0 [kdevtmpfs]
 0.0  0.0 [netns]
 0.0  0.0 [rcu_tasks_kthre]
 0.0  0.0 [kauditd]
 0.0  0.0 [khungtaskd]
 0.0  0.0 [oom_reaper]
 0.0  0.0 [writeback]
 0.0  0.0 [kcompactd0]
 0.0  0.0 [ksmd]
 0.0  0.0 [khugepaged]
 0.0  0.0 [crypto]
 0.0  0.0 [kintegrityd]
 0.0  0.0 [kblockd]
 0.0  0.0 [ata_sff]
 0.0  0.0 [md]
 0.0  0.0 [edac-poller]
 0.0  0.0 [devfreq_wq]
 0.0  0.0 [watchdogd]
 0.0  0.0 [kworker/u17:0]
 0.0  0.0 [ecryptfs-kthrea]
 0.0  0.0 [kthrotld]
 0.0  0.0 [acpi_thermal_pm]
 0.0  0.0 [ipv6_addrconf]
 0.0  0.0 [kstrp]
 0.0  0.0 [charger_manager]
 0.0  0.0 [irq/19-mmc0]
 0.0  0.0 [nvkm-disp]
 0.0  0.0 [scsi_eh_0]
 0.0  0.0 [scsi_tmf_0]
 0.0  0.0 [scsi_eh_1]
 0.0  0.0 [scsi_tmf_1]
 0.0  0.0 [scsi_eh_2]
 0.0  0.0 [scsi_tmf_2]
 0.0  0.0 [scsi_eh_3]
 0.0  0.0 [scsi_tmf_3]
 0.0  0.0 [scsi_eh_4]
 0.0  0.0 [scsi_tmf_4]
 0.0  0.0 [i915/signal:0]
 0.0  0.0 [i915/signal:1]
 0.0  0.0 [i915/signal:2]
 0.0  0.0 [i915/signal:4]
 0.0  0.0 [ttm_swap]
 0.0  0.0 [kworker/4:1H]
 0.0  0.0 [raid5wq]
 0.0  0.0 [jbd2/sda2-8]
 0.0  0.0 [ext4-rsv-conver]
 0.0  0.0 /lib/systemd/systemd-journald
 0.0  0.0 [kworker/0:1H]
 0.0  0.0 [kworker/6:1H]
 0.0  0.0 [kworker/3:1H]
 0.0  0.0 /sbin/lvmetad -f
 0.0  0.0 /lib/systemd/systemd-udevd
 0.0  0.0 [iscsi_eh]
 0.0  0.0 [ib-comp-wq]
 0.0  0.0 [ib_mcast]
 0.0  0.0 [ib_nl_sa_wq]
 0.0  0.0 [rdma_cm]
 0.0  0.0 [irq/23-smo8800]
 0.0  0.0 [cfg80211]
 0.0  0.0 [kworker/1:1H]
 0.0  0.0 [irq/31-mei_me]
 0.0  0.0 [kworker/2:1H]
 0.0  0.0 [irq/32-iwlwifi]
 0.0  0.0 [kworker/2:0]
 0.0  0.0 [kworker/7:1H]
 0.0  0.0 [kworker/u17:1]
 0.0  0.0 [kworker/5:1H]
 0.0  0.0 [kworker/3:0]
 0.0  0.0 [kworker/6:0]
 0.0  0.0 /usr/lib/bluetooth/bluetoothd
 0.0  0.0 /usr/lib/accountsservice/accounts-daemon
 0.0  0.0 /usr/sbin/cron -f
 0.0  0.0 /usr/sbin/acpid
 0.0  0.0 /lib/systemd/systemd-logind
 0.0  0.0 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation
 0.0  0.0 /usr/sbin/NetworkManager --no-daemon
 0.0  0.0 /usr/sbin/atd -f
 0.0  0.0 /sbin/mdadm --monitor --pid-file
```
/run/mdadm/monitor.pid --daemonise --scan --syslog 0.0 0.0 /usr/lib/policykit-1/polkitd --no-debug 0.0 0.0 /sbin/wpa_supplicant -u -s -O /run/wpa_supplicant 0.0 0.1 /usr/bin/containerd 0.0 0.0 /usr/sbin/sshd -D 0.0 0.0 /sbin/iscsid 0.0 0.0 /sbin/iscsid 0.0 0.0 /usr/sbin/lightdm 0.0 0.0 /usr/sbin/irqbalance --pid=/var/run/irqbalance.pid 0.0 0.0 php-fpm: master process (/etc/php/7.0/fpm/php-fpm.conf) 0.0 0.0 php-fpm: pool www 0.0 0.0 php-fpm: pool www 0.0 0.0 /usr/sbin/xrdp 0.0 0.4 /usr/lib/xorg/Xorg -core :0 -seat seat0 -auth /var/run/lightdm/root/:0 -nolisten tcp vt7 -novtswitch 0.0 0.0 /usr/sbin/xrdp-sesman 0.0 0.0 /sbin/agetty --noclear tty1 linux 0.0 0.0 lightdm --session-child 16 19 0.0 0.0 /lib/systemd/systemd --user 0.0 0.0 (sd-pam) 0.0 0.0 /bin/sh /usr/lib/lightdm/lightdm-greeter-session /usr/sbin/lightdm-gtk-greeter 0.0 0.0 [kworker/3:1] 0.0 0.0 [kworker/6:2] 0.0 0.0 [kworker/0:2] 0.0 0.0 /usr/bin/dbus-daemon --fork --print-pid 5 --print-address 7 --session 0.0 0.0 [kworker/0:0] 0.0 0.3 /usr/sbin/lightdm-gtk-greeter 0.0 0.0 /usr/lib/gvfs/gvfsd 0.0 0.0 /usr/lib/at-spi2-core/at-spi-bus-launcher 0.0 0.0 /usr/bin/dbus-daemon --config-file=/etc/at-spi2/accessibility.conf --nofork --print-address 3 0.0 0.0 /usr/lib/at-spi2-core/at-spi2-registryd --use-gnome-session 0.0 0.0 [kworker/1:0] 0.0 0.0 [systemctl] 0.0 0.0 [splunkd pid=1657] splunkd --under-systemd --systemd-delegate=yes -p 8089 _internal_launch_under_systemd [process-runner] 0.0 0.0 lightdm --session-child 12 19 0.0 0.0 [kworker/7:2] 0.0 0.0 [kworker/u16:0] 0.0 0.0 [kworker/2:2] 0.0 0.0 /bin/sh -c /opt/splunk/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwd 0.0 0.0 /usr/sbin/ntpd -p /var/run/ntpd.pid -g -u 111:118 0.0 0.0 [kworker/u16:1] 0.0 0.0 [kworker/5:0] 0.0 0.0 bash /opt/bro/share/broctl/scripts/run-bro -1 -i enx8cae4cf457aa -U .status -p broctl -p broctl-live -p standalone -p local -p bro local.bro broctl broctl/standalone broctl/auto 0.0 0.0 [kworker/4:1] 0.0 0.0 [kworker/7:1] 0.0 0.0 
[kworker/4:0] 0.0 0.0 [kworker/3:2] 0.0 0.0 [kworker/1:1] 0.0 0.0 [kworker/0:1] 0.0 0.0 [kworker/u16:2] 0.0 0.0 su - SO-user -- /usr/bin/SO-userd -c /etc/nsm/securityonion/SO-userd.conf -a /etc/nsm/securityonion/autocat.conf -g /etc/nsm/securityonion/SO-userd.queries -A /etc/nsm/securityonion/SO-userd.access -C /etc/nsm/securityonion/certs 0.0 0.0 /lib/systemd/systemd --user 0.0 0.0 (sd-pam) 0.0 0.0 tclsh /usr/bin/SO-userd -c /etc/nsm/securityonion/SO-userd.conf -a /etc/nsm/securityonion/autocat.conf -g /etc/nsm/securityonion/SO-userd.queries -A /etc/nsm/securityonion/SO-userd.access -C /etc/nsm/securityonion/certs 0.0 0.0 tclsh /usr/bin/SO-userd -c /etc/nsm/securityonion/SO-userd.conf -a /etc/nsm/securityonion/autocat.conf -g /etc/nsm/securityonion/SO-userd.queries -A /etc/nsm/securityonion/SO-userd.access -C /etc/nsm/securityonion/certs 0.0 0.0 [kworker/0:3] 0.0 0.0 [kworker/6:1] 0.0 0.0 /bin/bash /usr/sbin/sostat-redacted 0.0 0.0 /bin/bash /usr/sbin/sostat 0.0 0.0 ps -eo pcpu,pmem,args --sort -pcpu 0.0 0.0 /var/ossec/bin/ossec-authd 0.0 0.0 /var/ossec/bin/ossec-execd 0.0 0.0 /var/ossec/bin/ossec-monitord 0.0 0.0 /var/ossec/bin/wazuh-modulesd 0.0 0.0 [kworker/7:0] 0.0 0.0 [kworker/5:1] 0.0 0.0 [kworker/u16:4] 0.0 0.0 sshd: SO-user [priv] 0.0 0.0 /lib/systemd/systemd --user 0.0 0.0 (sd-pam) 0.0 0.0 sshd: SO-user@pts/0 0.0 0.0 -bash 0.0 0.0 sudo bash 0.0 0.0 bash 0.0 0.0 /usr/sbin/xrdp-sessvc 21890 21889 0.0 0.0 /bin/sh /etc/xrdp/startwm.sh 0.0 0.2 Xvnc :10 -geometry 1400x1050 -depth 24 -rfbauth /home/SO-user/.vnc/sesman_SO-user_passwd -bs -ac -nolisten tcp -localhost -dpi 96 0.0 0.0 mate-session 0.0 0.0 xrdp-chansrv 0.0 0.0 dbus-launch --exit-with-session mate-session 0.0 0.0 /usr/bin/dbus-daemon --fork --print-pid 10 --print-address 12 --session 0.0 0.0 /usr/lib/gvfs/gvfsd 0.0 0.0 /usr/lib/dconf/dconf-service 0.0 0.0 gnome-keyring-daemon --start 0.0 0.0 /usr/bin/mate-settings-daemon 0.0 0.0 marco 0.0 0.0 mate-panel 0.0 0.0 caja 0.0 0.0 /usr/bin/pulseaudio --start 
--log-target=syslog 0.0 0.0 /usr/lib/rtkit/rtkit-daemon 0.0 0.0 mate-volume-control-applet 0.0 0.0 /usr/lib/at-spi2-core/at-spi-bus-launcher --launch-immediately 0.0 0.0 /usr/lib/mate-panel/wnck-applet 0.0 0.0 /usr/lib/mate-applets/trashapplet 0.0 0.0 /usr/lib/gvfs/gvfs-udisks2-volume-monitor 0.0 0.0 nm-applet 0.0 0.0 /usr/lib/x86_64-linux-gnu/polkit-mate/polkit-mate-authentication-agent-1 0.0 0.0 mate-screensaver 0.0 0.0 /usr/bin/dbus-daemon --config-file=/etc/at-spi2/accessibility.conf --nofork --print-address 3 0.0 0.0 /usr/lib/udisks2/udisksd --no-debug 0.0 0.0 /usr/lib/gvfs/gvfsd-trash --spawner :1.1 /org/gtk/gvfs/exec_spaw/0 0.0 0.0 /usr/lib/at-spi2-core/at-spi2-registryd --use-gnome-session 0.0 0.0 /usr/lib/gvfs/gvfs-goa-volume-monitor 0.0 0.0 /usr/lib/gvfs/gvfs-mtp-volume-monitor 0.0 0.0 /usr/lib/gvfs/gvfs-gphoto2-volume-monitor 0.0 0.0 /usr/lib/gvfs/gvfs-afc-volume-monitor 0.0 0.0 /usr/lib/mate-panel/notification-area-applet 0.0 0.0 /usr/lib/mate-panel/clock-applet 0.0 0.0 /usr/lib/gvfs/gvfsd-metadata 0.0 0.0 /usr/lib/x86_64-linux-gnu/gconf/gconfd-2 0.0 0.0 /usr/bin/python /usr/bin/salt-master 0.0 0.0 /usr/bin/python /usr/bin/salt-master 0.0 0.0 /usr/bin/python /usr/bin/salt-master 0.0 0.0 /usr/bin/python /usr/bin/salt-master 0.0 0.0 /usr/bin/python /usr/bin/salt-master 0.0 0.2 /usr/bin/python /usr/bin/salt-master 0.0 0.1 /usr/bin/python /usr/bin/salt-master 0.0 0.1 /usr/bin/python /usr/bin/salt-master 0.0 0.1 /usr/bin/python /usr/bin/salt-master 0.0 0.1 /usr/bin/python /usr/bin/salt-master 0.0 0.0 /usr/bin/python /usr/bin/salt-minion 0.0 0.0 su - SO-user -- /usr/bin/ossec_agent.tcl -o -f /var/ossec/logs/alerts/alerts.log -i X.X.X.X -p 5 -c /etc/nsm/ossec/ossec_agent.conf 0.0 0.0 tclsh /usr/bin/ossec_agent.tcl -o -f /var/ossec/logs/alerts/alerts.log -i X.X.X.X -p 5 -c /etc/nsm/ossec/ossec_agent.conf 0.0 0.0 tail -n 0 -F /var/ossec/logs/alerts/alerts.log 0.0 0.0 bash /opt/bro/share/broctl/scripts/run-bro -1 -U .status -p broctl -p broctl-live -p local -p 
logger local.bro broctl base/frameworks/cluster broctl/auto 0.0 0.0 bash /opt/bro/share/broctl/scripts/run-bro -1 -U .status -p broctl -p broctl-live -p local -p manager local.bro broctl base/frameworks/cluster broctl/auto 0.0 0.0 bash /opt/bro/share/broctl/scripts/run-bro -1 -U .status -p broctl -p broctl-live -p local -p proxy local.bro broctl base/frameworks/cluster broctl/auto 0.0 0.0 [kworker/4:2] 0.0 0.0 bash /opt/bro/share/broctl/scripts/run-bro -1 -i af_packetX.X.X.Xenx8cae4cf457aa -U .status -p broctl -p broctl-live -p local -p seconion-precision-m4800-enx8cae4cf457aa-1 local.bro broctl base/frameworks/cluster broctl/auto 0.0 0.0 [kworker/u16:3] 0.0 0.0 su - SO-user -- /usr/bin/pcap_agent.tcl -c /etc/nsm/seconion-precision-m4800-enx8cae4cf457aa/pcap_agent.conf 0.0 0.0 tclsh /usr/bin/pcap_agent.tcl -c /etc/nsm/seconion-precision-m4800-enx8cae4cf457aa/pcap_agent.conf 0.0 0.0 su - SO-user -- /usr/bin/snort_agent.tcl -c /etc/nsm/seconion-precision-m4800-enx8cae4cf457aa/snort_agent.conf 0.0 0.0 tclsh /usr/bin/snort_agent.tcl -c /etc/nsm/seconion-precision-m4800-enx8cae4cf457aa/snort_agent.conf 0.0 0.0 tail -n 1 -f /nsm/sensor_data/seconion-precision-m4800-enx8cae4cf457aa/snort.stats 0.0 0.0 containerd-shim -namespace moby -workdir /var/lib/containerd/io.containerd.runtime.v1.linux/moby/4e6a1f1f5128826cfa1a769b64d0e4c8837688d52ff4113d2c880194731a738b -address /run/containerd/containerd.sock -containerd-binary /usr/bin/containerd -runtime-root /var/run/docker/runtime-runc 0.0 0.0 /usr/bin/docker-proxy -proto tcp -host-ip X.X.X.X -host-port 9600 -container-ip X.X.X.X -container-port 9600 0.0 0.0 /usr/bin/docker-proxy -proto tcp -host-ip X.X.X.X -host-port 6053 -container-ip X.X.X.X -container-port 6053 0.0 0.0 /usr/bin/docker-proxy -proto tcp -host-ip X.X.X.X -host-port 6052 -container-ip X.X.X.X -container-port 6052 0.0 0.0 /usr/bin/docker-proxy -proto tcp -host-ip X.X.X.X -host-port 6051 -container-ip X.X.X.X -container-port 6051 0.0 0.0 /usr/bin/docker-proxy 
-proto tcp -host-ip X.X.X.X -host-port 6050 -container-ip X.X.X.X -container-port 6050 0.0 0.0 /usr/bin/docker-proxy -proto tcp -host-ip X.X.X.X -host-port 5044 -container-ip X.X.X.X -container-port 5044 0.0 0.0 containerd-shim -namespace moby -workdir /var/lib/containerd/io.containerd.runtime.v1.linux/moby/abb9ace1096c6c5eb17e9f23c45bb3c167c13c315908a67618ca4efd189cddd1 -address /run/containerd/containerd.sock -containerd-binary /usr/bin/containerd -runtime-root /var/run/docker/runtime-runc 0.0 0.0 containerd-shim -namespace moby -workdir /var/lib/containerd/io.containerd.runtime.v1.linux/moby/7c9f2a702147f19018816a22111fc8232c75651346c49453a4a9daceaf7028c7 -address /run/containerd/containerd.sock -containerd-binary /usr/bin/containerd -runtime-root /var/run/docker/runtime-runc 0.0 0.0 containerd-shim -namespace moby -workdir /var/lib/containerd/io.containerd.runtime.v1.linux/moby/a108d9c17b88d38d0c933d2ca99f6f0f95b669b72db25fd9d440816a1625caee -address /run/containerd/containerd.sock -containerd-binary /usr/bin/containerd -runtime-root /var/run/docker/runtime-runc 0.0 0.0 /bin/bash 0.0 0.0 /usr/sbin/apache2 -k start 0.0 0.0 /usr/sbin/apache2 -k start 0.0 0.0 /usr/sbin/apache2 -k start 0.0 0.0 /usr/sbin/apache2 -k start 0.0 0.0 [kworker/1:2] 0.0 0.0 /usr/sbin/apache2 -k start 0.0 0.0 /usr/sbin/apache2 -k start 0.0 0.0 /usr/sbin/apache2 -k start 0.0 0.0 /usr/sbin/apache2 -k start 0.0 0.0 /usr/sbin/apache2 -k start 0.0 0.0 /usr/sbin/apache2 -k start 0.0 0.0 /usr/sbin/apache2 -k start

========================================================================= Packets received during last monitoring interval (600 seconds)

enx8cae4cf457aa: 1688945

========================================================================= Packet Loss Stats

NIC:

enx8cae4cf457aa:

RX packets:41744580 dropped:0 TX packets:0 dropped:0


pf_ring:

IDS Engine (suricata) packet drops:

/nsm/sensor_data/seconion-precision-m4800-enx8cae4cf457aa/stats.log

No packet drops reported.


Bro:

Average packet loss as percent across all Bro workers: 0.000000

seconion-precision-m4800-enx8cae4cf457aa-1: 1554527096.871692 recvd=5675931 dropped=0 link=5675953

No capture loss reported.


Netsniff-NG:

0 Loss

========================================================================= PF_RING

PF_RING Version : 6.6.0 (unknown)
Total rings : 0

Standard (non ZC) Options
Ring slots : 4096
Slot version : 16
Capture TX : Yes [RX+TX]
IP Defragment : No
Socket Mode : Standard
Cluster Fragment Queue : 0
Cluster Fragment Discard : 0

========================================================================= Log Archive

/nsm/sensor_data/seconion-precision-m4800-eno1/dailylogs/ - 0 days
4.0K .

/nsm/sensor_data/seconion-precision-m4800-enx8cae4cf457aa/dailylogs/ - 1 days
5.9G .
5.9G ./2019-04-06

/nsm/sensor_data/seconion-precision-m4800-wlp3s0/dailylogs/ - 0 days
4.0K .

/nsm/bro/logs/ - 1 days
6.2M .
6.2M ./2019-04-06
36K ./stats

========================================================================= Sguil Uncategorized Events

COUNT(*)
4235

========================================================================= Sguil events summary for yesterday

Total 0

========================================================================= Top 50 All time Sguil Events

Totals  GenID:SigID  Signature
1976    1:2016141    ET INFO Executable Download from dotted-quad Host
1627    1:2221010    SURICATA HTTP unable to match response to request
392     1:2025275    ET INFO Windows OS Submitting USB Metadata to Microsoft
108     1:2001330    ET POLICY RDP connection confirm
40      1:2001219    ET SCAN Potential SSH Scan
19      1:2021076    ET INFO SUSPICIOUS Dotted Quad Host MZ Response
19      1:2018959    ET POLICY PE EXE or DLL Windows file download HTTP
15      1:2101411    GPL SNMP public access udp
15      1:2012647    ET POLICY Dropbox.com Offsite File Backup in Use
5       1:2012711    ET POLICY MS Remote Desktop POS User Login Request
5       1:2200076    SURICATA ICMPv4 invalid checksum
5       1:2012709    ET POLICY MS Remote Desktop Administrator Login Request
3       1:2402000    ET DROP Dshield Block Listed Source group 1
2       1:2017162    ET SCAN SipCLI VOIP Scan
1       1:2403380    ET CINS Active Threat Intelligence Poor Reputation IP group 81
1       1:2001972    ET SCAN Behavioral Unusually fast Terminal Server Traffic Potential Scan or Infection (Inbound)
1       1:2014384    ET DOS Microsoft Remote Desktop (RDP) Syn then Reset 30 Second DoS Attempt
1       1:2500034    ET COMPROMISED Known Compromised or Hostile Host Traffic group 18
1       1:2500048    ET COMPROMISED Known Compromised or Hostile Host Traffic group 25
1       1:2008578    ET SCAN Sipvicious Scan
Total   4241

========================================================================= Last update

Commandline: apt install lynx
Requested-By: SO-user (1000)
Install: lynx-common:amd64 (2.8.9dev8-4ubuntu1, automatic), lynx:amd64 (2.8.9dev8-4ubuntu1)
End-Date: 2019-04-05 23:57:23

Start-Date: 2019-04-06 00:03:15
Commandline: apt install iotop
Requested-By: SO-user (1000)
Install: iotop:amd64 (0.6-1)
End-Date: 2019-04-06 00:03:16

========================================================================= Elasticsearch

Elasticsearch is not running.

Try starting it with:

'sudo so-elastic-start' OR 'sudo docker start so-elasticsearch'

If that does not work, try checking /var/log/elasticsearch/seconion-precision-m4800.log for clues.

========================================================================= Logstash

Logstash is running.

CONTAINER ID   NAME          CPU %     MEM USAGE / LIMIT     MEM %     NET I/O           BLOCK I/O         PIDS
abb9ace1096c   so-logstash   115.52%   2.382GiB / 7.697GiB   30.95%    14.7MB / 22.5MB   2.61GB / 30.7MB   158

Logstash Queue Stats:

Queue Type: memory
Queue settings can be modified in /etc/logstash/logstash.yml.

Event Summary (since restart):

Events In: 11085
Events Out: 10007

========================================================================= Kibana

Kibana is running.

CONTAINER ID   NAME        CPU %   MEM USAGE / LIMIT     MEM %   NET I/O           BLOCK I/O         PIDS
4e6a1f1f5128   so-kibana   0.38%   124.7MiB / 7.697GiB   1.58%   12.1MB / 27.1MB   1.52GB / 4.06MB   10

========================================================================= ElastAlert

ElastAlert is running.

CONTAINER ID   NAME            CPU %   MEM USAGE / LIMIT     MEM %   NET I/O         BLOCK I/O        PIDS
7c9f2a702147   so-elastalert   0.01%   18.89MiB / 7.697GiB   0.24%   180kB / 230kB   340MB / 2.69MB   2

========================================================================= Curator

Curator is running.

CONTAINER ID   NAME         CPU %   MEM USAGE / LIMIT     MEM %   NET I/O          BLOCK I/O        PIDS
a108d9c17b88   so-curator   0.12%   43.21MiB / 7.697GiB   0.55%   2.2MB / 71.4kB   604MB / 9.58MB   3

========================================================================= Version Information

Ubuntu 16.04.6 LTS
securityonion-sostat 20120722-0ubuntu0securityonion123

dougburks commented 5 years ago

Hi @workandresearchgithub,

It looks like you only have 8GB RAM and that you've installed Splunk. Please note that 8GB is the minimum amount of RAM for Security Onion and adding Splunk will increase those memory requirements.

Please perform a fresh installation without installing Splunk. If you have further questions or problems, please use the mailing list (http://securityonion.net/docs/mailing-lists) instead of this Issue Tracker.

Thanks!