Open jinverar opened 7 years ago
When I load the security onion dashboard I get these two errors
Unable to find tag noise on eventtype The specified search will not match any events
and the bro notice dashboard loads a blue circle with some info.
The Sguild dashboard and the OSSEC dashboard display this
No results found. Inspect ...
In the bottom part of the overview webpage inside the Events of Interest the following dashboards work, and look really useful!
Connection Byte Counts, SSL Certificates, Software, Top Level Domains, Anomalous Domains
and the following dashboards do not work and display the error "No results found. Inspect..."
Sguil Events (Snort/Suricata/PADS), HTTP Files, CIF Correlation
Thank you for the work you have done on the security onion app itself. I need a nudge in the correct direction to get this fixed.
J
Moving on from all that,
I have classified a few rules with sguil and I'm working with the autocat.conf file.
I feel like I could be missing some mysql inputs.
J
Hello Brad
I've been having an issue with the security onion 2.0 for splunk. Everything is working great except the dashboards with Sguild or OSSEC. I've been working at it for over 48 hours and gotta ask some questions.
Are there any logs specific to the app? I'm tailing the regular security onion logs but I don't see an output specific to security onion app.
logs to monitor for splunk https://answers.splunk.com/answers/114273/lists-of-error-logs-to-monitor.html
When I do a regular search for sguild then events come into splunk, however when I do a search for the information in the sguild dashboard nothing displays. An example is below.
search (sourcetype="sguild" classification!="{}")
With that search query nothing is displayed.
My Sguil is not auto classifying alerts in mysql, would that be an issue?
I have looked through the data inputs on splunk and there are no data inputs specific to sguild from what I can tell, however I'm positive that I set up the security onion app correctly and everything is working perfectly with bro logs. I had to turn on the data inputs to get the snort rules added to the dashboard.
The GEO IP is working AMAZING and this looks like a great APP, however I want to get the correct Sguild information to display. Can we work together to figure this out?
Thank you
J