I tried to post this in the mailing group, but for some reason my questions never showed up there, so I will try my luck here.
I have some issues with Sguil: every time I try to run it I get the following error:
"Unable to connect to localhost on port 7734"
I tried to run the sguil-db-purge command and got the following output:
Sun Aug 18 13:14:41 UTC 2019
Retention policy set to 1 days (deleting data prior to 20190817).
Repair policy set to 7 days (repairing tables back to 20190811).
Uncat policy set to 100000000 uncategorized events (categorizing events until we get down to 100000000).
Stopping: securityonion
stopping: sguil server [ OK ]
ERROR 130 (HY000) at line 1: Incorrect file format 'event_onion-virtualbox-enp0s3-1_20190818'
/usr/bin/sguil-db-purge: line 129: [: : integer expression expected
There are uncategorized events, which exceeds the max of 100000000.
Categorizing the oldest -100000000 events.
ERROR 1064 (42000) at line 1: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '-100000000' at line 1
data table exists, dropping old tables and repairing recent tables.
securityonion_db.data_onion-virtualbox-enp0s3-1_20190818 repair Error Incorrect file format 'data_onion-virtualbox-enp0s3-1_20190818'
securityonion_db.data_onion-virtualbox-enp0s3-1_20190818 repair error Corrupt
securityonion_db.data_onion-virtualbox-ossec_20190818 repair status OK
event table exists, dropping old tables and repairing recent tables.
securityonion_db.event_onion-virtualbox-enp0s3-1_20190818 repair Error Incorrect file format 'event_onion-virtualbox-enp0s3-1_20190818'
securityonion_db.event_onion-virtualbox-enp0s3-1_20190818 repair error Corrupt
securityonion_db.event_onion-virtualbox-ossec_20190818 repair status OK
icmphdr table exists, dropping old tables and repairing recent tables.
securityonion_db.icmphdr_onion-virtualbox-enp0s3-1_20190818 repair Error Incorrect file format 'icmphdr_onion-virtualbox-enp0s3-1_20190818'
securityonion_db.icmphdr_onion-virtualbox-enp0s3-1_20190818 repair error Corrupt
securityonion_db.icmphdr_onion-virtualbox-ossec_20190818 repair status OK
tcphdr table exists, dropping old tables and repairing recent tables.
securityonion_db.tcphdr_onion-virtualbox-enp0s3-1_20190818 repair Error Incorrect file format 'tcphdr_onion-virtualbox-enp0s3-1_20190818'
securityonion_db.tcphdr_onion-virtualbox-enp0s3-1_20190818 repair error Corrupt
securityonion_db.tcphdr_onion-virtualbox-ossec_20190818 repair status OK
udphdr table exists, dropping old tables and repairing recent tables.
securityonion_db.udphdr_onion-virtualbox-enp0s3-1_20190818 repair Error Incorrect file format 'udphdr_onion-virtualbox-enp0s3-1_20190818'
securityonion_db.udphdr_onion-virtualbox-enp0s3-1_20190818 repair error Corrupt
securityonion_db.udphdr_onion-virtualbox-ossec_20190818 repair status OK
Starting: securityonion
starting: sguil server [ OK ]
Sun Aug 18 13:14:53 UTC 2019
I also tried to run the sguil server with the following command:
sudo sguild -c /etc/nsm/securityonion/sguild.conf -a /etc/nsm/securityonion/autocat.conf -g /etc/nsm/securityonion/sguild.queries -A /etc/nsm/securityonion/sguild.access -C /etc/nsm/securityonion/certs
and got the following error:
2019-08-18 13:07:02 pid(8761) Loading access list: /etc/nsm/securityonion/sguild.access
2019-08-18 13:07:02 pid(8761) Sensor access list set to ALLOW ANY.
2019-08-18 13:07:02 pid(8761) Client access list set to ALLOW ANY.
2019-08-18 13:07:02 pid(8761) Email Configuration:
2019-08-18 13:07:02 pid(8761) Config file: /etc/sguild/sguild.email
2019-08-18 13:07:02 pid(8761) Enabled: No
2019-08-18 13:07:02 pid(8761) Connecting to localhost on 3306 as sguil
2019-08-18 13:07:02 pid(8761) MySQL Version: version 5.7.27-0ubuntu0.16.04.1
2019-08-18 13:07:02 pid(8761) SguilDB Version: 0.14
2019-08-18 13:07:02
ERROR: You appear to be using an old version of the
sguil database schema that does not support the MERGE tables
Please use the migrate_event.tcl script and see the CHANGES
document for more information
. Table event returned status => event {} {} {} {} {} {} {} {} {} {} {} {} {} {} {} {} {Incorrect file format 'event_onion-virtualbox-enp0s3-1_20190818'}
SGUILD: Exiting...
Please let me know if you need any further information or logs.
Alex.
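As an added example (not code from the post above or from Security Onion's own sguil-db-purge), here is a POSIX shell guard for the failure mode visible in the purge output: the COUNT query fails on the corrupt MyISAM table, mysql prints nothing, the empty string reaches an integer test ("[: : integer expression expected") and the script goes on to compute a negative LIMIT. Function names are my own; UNCAT_MAX mirrors the policy value in the log.

```shell
#!/bin/sh
# Added example: validate a count read from a database client before using it
# in shell arithmetic, so a failed query cannot turn into a negative LIMIT.

UNCAT_MAX=100000000   # same uncategorized-events policy as in the log above

# is_uint: succeed only if $1 is a non-empty string of decimal digits.
is_uint() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# events_to_categorize: take the raw output of the COUNT query and print how
# many events exceed UNCAT_MAX. If the value is not a plain integer (empty
# output after a query error, or an error message), refuse instead of
# computing with it, and point the operator at table health.
events_to_categorize() {
    raw="$1"
    if ! is_uint "$raw"; then
        echo "uncategorized count unavailable ('$raw'); skipping categorization, run a table check/repair first" >&2
        return 1
    fi
    if [ "$raw" -le "$UNCAT_MAX" ]; then
        echo 0
        return 0
    fi
    echo $((raw - UNCAT_MAX))
}

# Constructed sample inputs (not real query results): a healthy count that is
# 500 over the limit, and the empty string a failed query leaves behind.
events_to_categorize 100000500
events_to_categorize "" || echo "refused as expected" >&2
```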