Help
Having problems? Try the suggestions below.
Are you running the latest version of Security Onion?
Check the FAQ.
Search the Security Onion Mailing List.
Search the documentation and mailing lists of the tools contained within Security Onion: Tools
Run
sostatfor some diagnostics:sudo sostat | less
If any of the NSM processes show up as failed, try restarting them:
sudo service nsm restart
Check log files in
/var/log/nsm/or other locations for any errors or possible clues:Setup
/var/log/nsm/sosetup.logDaily Log / PCAPs
/nsm/sensor_data/{ HOSTNAME-INTERFACE }/dailylogssguil
/var/log/nsm/securityonion/sguild.logSuricata
/var/log/nsm/{ HOSTNAME-INTERFACE }/suricata.logbarnyard2
/var/log/nsm/ { HOSTNAME-INTERFACE }/barnyard2.lognetsniff-ng
/var/log/nsm/{ HOSTNAME-INTERFACE }/netsniff-ng.logBro
/nsm/bro/logs/currentsnort_agent
/var/log/nsm/{ HOSTNAME-INTERFACE }/snort_agent.logargus
/var/log/nsm/{ HOSTNAME-INTERFACE }/argus.loghttp_agent
/var/log/nsm/{ HOSTNAME-INTERFACE }/http_agent.logpads_agent
/var/log/nsm/{ HOSTNAME-INTERFACE }/pads_agent.logprads_agent
/var/log/nsm/{ HOSTNAME-INTERFACE }/prads.logsancp_agent
/var/log/nsm/{ HOSTNAME-INTERFACE }/sancp_agent.logElasticsearch
/var/log/elasticsearch/<hostname>.logKibana
/var/log/kibana/kibana.logLogstash
/var/log/logstash/logstash.logElastalert
/var/log/elastalert/elastalert_stderr.log
If this is a sensor sending alerts to master server, is autossh running?
pgrep -lf autossh
Having trouble with MySQL? Check all databases to see if any tables are are marked as crashed or corrupt.
sudo mysqlcheck -A
Check specific MySQL databases by running something similar to the following:
sudo mysqlcheck -c securityonion_db
Are you able to duplicate the problem on a fresh Security Onion installation?
Check the Known Issues to see if this is a known issue that we are working on.
If all else fails, please send an email to our security-onion mailing list.
Need training or commercial support? https://www.securityonionsolutions.com