This repository was archived by the owner on Apr 16, 2021. It is now read-only.
weslambert edited this page Feb 15, 2016 · 14 revisions

Having problems? Try the suggestions below.

  • Run sostat (paged through less) and look for anything out of the ordinary, such as processes that are not running, full disks, or interfaces that are not seeing traffic:
sudo sostat | less
  • If any of the NSM processes show up as failed, try restarting them:
sudo service nsm restart
  • Check log files in /var/log/nsm/ or other locations for any errors or possible clues:

    • Setup /var/log/nsm/sosetup.log
    • Daily Log / PCAPs /nsm/sensor_data/{ HOSTNAME-INTERFACE }/dailylogs
    • sguil /var/log/nsm/securityonion/sguild.log
    • Suricata /var/log/nsm/{ HOSTNAME-INTERFACE }/suricata.log
    • barnyard2 /var/log/nsm/{ HOSTNAME-INTERFACE }/barnyard2.log
    • netsniff-ng /var/log/nsm/{ HOSTNAME-INTERFACE }/netsniff-ng.log
    • ELSA /nsm/elsa/data/elsa/log/node.log
    • Bro /nsm/bro/logs/current
    • snort_agent /var/log/nsm/{ HOSTNAME-INTERFACE }/snort_agent.log
    • argus /var/log/nsm/{ HOSTNAME-INTERFACE }/argus.log
    • http_agent /var/log/nsm/{ HOSTNAME-INTERFACE }/http_agent.log
    • pads_agent /var/log/nsm/{ HOSTNAME-INTERFACE }/pads_agent.log
    • prads_agent /var/log/nsm/{ HOSTNAME-INTERFACE }/prads.log
    • sancp_agent /var/log/nsm/{ HOSTNAME-INTERFACE }/sancp_agent.log
  • If this is a sensor sending alerts to the master server, is autossh (which maintains the reverse SSH tunnel to the master) running?

pgrep -lf autossh
  • Please note: Snorby has been removed in Security Onion 14.04, but this note is left here for legacy documentation purposes.

    If you're having problems with Snorby, check the log files in /opt/snorby/log/ and /var/log/apache2/ and see if its processes are running:
pgrep -lf delayed_job
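The checks above (read sostat output for failed processes, grep the per-sensor logs for errors, confirm autossh is up) can be scripted so they run the same way on every sensor. The following is an added example written for this page; it is not part of Security Onion and not the sostat script itself. It parses status lines in the "  * name [  OK  ]" / "[FAIL]" layout that "service nsm status" prints, and it uses constructed sample status output and a constructed barnyard2.log so it runs offline; on a real sensor you would point it at the output of sudo sostat and at /var/log/nsm/{ HOSTNAME-INTERFACE }/ instead. The process names, paths and log text in the sample are made up for illustration.

```shell
#!/bin/sh
# Added example (not Security Onion code): scripted version of the manual
# troubleshooting steps on this page. Works on constructed sample data so it
# can be run anywhere; swap in real sostat output and /var/log/nsm/ paths on a sensor.

# Print, one per line, the NSM process names whose status line is marked [FAIL].
# Expected line shape (as printed by "service nsm status"):
#   "  * pcap_agent (sguil)                     [  OK  ]"   or   "... [FAIL]"
failed_nsm_procs() {
    # $1: file holding the status output
    sed -n 's/^ *\* \([^[]*[^ ]\) *\[FAIL\].*$/\1/p' "$1"
}

# Count lines in a log file that look like errors. This is the same
# case-insensitive grep a person would reach for first; it is a heuristic,
# not a parser for any one daemon's log format.
log_error_lines() {
    # $1: log file
    grep -icE 'error|fatal|permission denied' "$1" || true
}

# Is an autossh process present? Only meaningful on a sensor that forwards
# to a master server; on the master itself this is expected to be false.
autossh_running() {
    pgrep -f autossh >/dev/null 2>&1
}

# Run the three checks against a status file and a directory of logs.
nsm_health_report() {
    status_file=$1
    log_dir=$2
    echo "== Failed NSM processes (restart with: sudo service nsm restart) =="
    failed_nsm_procs "$status_file"
    echo "== Error-looking lines per log in $log_dir =="
    for f in "$log_dir"/*.log; do
        [ -f "$f" ] || continue
        printf '%s: %s\n' "$(basename "$f")" "$(log_error_lines "$f")"
    done
    if autossh_running; then
        echo "autossh: running"
    else
        echo "autossh: not running (expected on a master; a problem on a sensor)"
    fi
}

# ---- Constructed sample data (not captured from a real sensor) ----
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

cat > "$SAMPLE_DIR/status.txt" <<'EOF'
Status: securityonion
  * sguil server                                                         [  OK  ]
Status: HIDS
  * ossec_agent (sguil)                                                  [  OK  ]
Status: sensor-eth1
  * netsniff-ng (full packet data)                                       [  OK  ]
  * pcap_agent (sguil)                                                   [FAIL]
  * snort_agent-1 (sguil)                                                [  OK  ]
  * barnyard2-1 (spooler, unified2 format)                               [FAIL]
EOF

# Constructed log text; the wording is illustrative, not real barnyard2 output.
cat > "$SAMPLE_DIR/barnyard2.log" <<'EOF'
Running in Continuous mode
Opened spool file '/nsm/sensor_data/sensor-eth1/snort-1.unified2.1455500000'
ERROR: Could not connect to sguild
FATAL ERROR: barnyard2 exiting
EOF

nsm_health_report "$SAMPLE_DIR/status.txt" "$SAMPLE_DIR"
```

With the sample above the report lists pcap_agent and barnyard2-1 as failed and counts two error-looking lines in barnyard2.log; both failures point at the sguild connection, which is the usual reason to go read sguild.log on the master next.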