
TOPIC: Trisul service issues

Trisul service issues 11 years 5 months ago #837

Hi,

I am having issues with the Trisul service stopping after a few seconds of starting it. I am running Trisul v2.4.1100. I am running Snort on the same box and I wanted to have both services running.
I have followed these instructions: trisul.org/docs/install/doinstall.html


Log info:

From /usr/local/share/webtrisul/log/nginx.error.log

2012/10/29 16:49:52 [error] 30404#0: *1 no live upstreams while connecting to upstream, client: 10.99.99.9, server: localhost, request: "POST /sys_$
2012/10/29 16:49:53 [crit] 30404#0: *1 connect() to unix:/tmp/thin.webtrisul.4.sock failed (2: No such file or directory) while connecting to upstr$
2012/10/29 16:49:53 [crit] 30404#0: *1 connect() to unix:/tmp/thin.webtrisul.0.sock failed (2: No such file or directory) while connecting to upstr$
2012/10/29 16:49:53 [crit] 30404#0: *1 connect() to unix:/tmp/thin.webtrisul.1.sock failed (2: No such file or directory) while connecting to upstr$
2012/10/29 16:49:53 [crit] 30404#0: *1 connect() to unix:/tmp/thin.webtrisul.2.sock failed (2: No such file or directory) while connecting to upstr$
2012/10/29 16:49:53 [crit] 30404#0: *1 connect() to unix:/tmp/thin.webtrisul.3.sock failed (2: No such file or directory) while connecting to upstr$
2012/10/29 16:49:54 [error] 30404#0: *1 no live upstreams while connecting to upstream, client: 10.99.99.9, server: localhost, request: "POST /axup$
2012/10/29 17:06:24 [crit] 32202#0: *1 connect() to unix:/tmp/thin.webtrisul.4.sock failed (2: No such file or directory) while connecting to upstr$
2012/10/29 17:06:24 [crit] 32202#0: *1 connect() to unix:/tmp/thin.webtrisul.0.sock failed (2: No such file or directory) while connecting to upstr$
2012/10/29 17:06:24 [crit] 32202#0: *1 connect() to unix:/tmp/thin.webtrisul.1.sock failed (2: No such file or directory) while connecting to upstr$
2012/10/29 17:06:24 [crit] 32202#0: *1 connect() to unix:/tmp/thin.webtrisul.2.sock failed (2: No such file or directory) while connecting to upstr$
2012/10/29 17:06:24 [crit] 32202#0: *1 connect() to unix:/tmp/thin.webtrisul.3.sock failed (2: No such file or directory) while connecting to upstr$




/usr/local/var/log/trisul/ns-001.log


Mon Oct 29 16:24:13 2012.198275 DEBUG Transfer ownership : Already transferred /usr/local/var/lib/trisul/CONTEXT0/run/system.stats
Mon Oct 29 16:24:13 2012.198408 INFO Drop Privilege : Dropped down to user : sguil
Mon Oct 29 16:24:13 2012.199415 INFO Now running as user = sguil group = sguil
Mon Oct 29 16:24:13 2012.199445 INFO Trisul Server process id (pid) = 28896
Mon Oct 29 16:24:13 2012.199467 INFO Checking Redis unixsock /nsm/sensor_data/Snort-machine-eth2/barnyard2_alert
Mon Oct 29 16:24:13 2012.199533 INFO Redis isnt reachable on/nsm/sensor_data/Snort-machine-eth2/barnyard2_alert
Mon Oct 29 16:24:13 2012.199554 INFO Starting redis with config file /usr/local/etc/trisul/redis.conf
Mon Oct 29 16:24:15 2012.200038 INFO Started redis, retrying connect 1
Mon Oct 29 16:24:15 2012.200136 INFO Checking Redis unixsock /nsm/sensor_data/Snort-machine-eth2/barnyard2_alert
Mon Oct 29 16:24:15 2012.200225 INFO Redis isnt reachable on/nsm/sensor_data/Snort-machine-eth2/barnyard2_alert
Mon Oct 29 16:24:15 2012.200247 INFO Starting redis with config file /usr/local/etc/trisul/redis.conf
Mon Oct 29 16:24:17 2012.200734 INFO Started redis, retrying connect 2
Mon Oct 29 16:24:17 2012.200844 FATAL Unable to bring up redis after 2 attempts
Mon Oct 29 16:24:17 2012.200874 INFO Disable Redis in trisulConfig.xml and restart
Mon Oct 29 16:24:17 2012.200904 FATAL Redis support requested (<Redis><Enabled> param in config) but cant start
Mon Oct 29 16:24:17 2012.201042 INFO GLOBALFLUSH : at 12-31-1969 23:59:59--00001
Mon Oct 29 16:24:17 2012.202265 INFO Reusing newly inited slice - via cleanenv
Mon Oct 29 16:24:17 2012.202386 DEBUG Launching 2 flusher threads


This is what I get when I start Webtrisuld:

/etc/init.d/webtrisuld start
Starting webtrisul Daemon (webtrisuld): Starting Thin Daemon (thin): Starting server on /tmp/thin.webtrisul.0.sock ...
Starting server on /tmp/thin.webtrisul.1.sock ...
Starting server on /tmp/thin.webtrisul.2.sock ...
Starting server on /tmp/thin.webtrisul.3.sock ...
Starting server on /tmp/thin.webtrisul.4.sock ...
Starting Trisul Web Sockets Server no port 3003
Starting nginx Daemon (nginx): daemon /usr/local/share/webtrisul/sbin/nginx/sbin/nginx -c /usr/local/share/webtrisul/build/nginx.conf -p /usr/local/share/webtrisul/sbin/nginx/

Start Trisul:
/usr/local/share/trisul# /etc/init.d/trisul start
Starting trisul daemon:

I will keep looking in the Docs to see if I can find anything.

Thank you.
The administrator has disabled public write access.

Trisul service issues 11 years 5 months ago #839

<?xml version="1.0" encoding="ISO-8859-1"?>
<!-- ***************************************************************************** -->
<!-- Trisul Configuration File -->
<!-- Edit only if you have to, all properties must exist and contain a value -->
<!-- -->
<!-- (c) 2011-12 Unleash Networks, All rights reserved -->
<!-- ***************************************************************************** -->
<USNFPulseConfig>

<App>
<Setuid>sguil.sguil</Setuid>
<IdeallyUseThisSetuid>trisul.trisul</IdeallyUseThisSetuid>
<TempFolder>/tmp</TempFolder>
<DBRoot>/usr/local/var/lib/trisul/CONTEXT0</DBRoot>
<ConfigDB>/usr/local/var/lib/trisul/CONTEXT0/config/TRISULCONFIG.SQDB</ConfigDB>
<TrafficDBRoot>/usr/local/var/lib/trisul/CONTEXT0/meters</TrafficDBRoot>
<DBSkeletons>/usr/local/share/trisul/skeletons</DBSkeletons>
<PluginsLibDirectory>/usr/local/lib/trisul/plugins</PluginsLibDirectory>
<PluginsConfDirectory>/usr/local/etc/trisul</PluginsConfDirectory>
<PluginsDataDirectory>/usr/local/share/trisul/plugins</PluginsDataDirectory>
<ProbeID>SE-LINK</ProbeID>
<ProbeDesc>This Trisul Probe monitors the S-E link traffic only</ProbeDesc>
<PidFile>/usr/local/var/run/trisul.pid</PidFile>
<LiveStatsDumpFile>/tmp/pulse.lst</LiveStatsDumpFile>
<ThisPath>/usr/local/share/trisul</ThisPath>
<TrisulMode>TAP</TrisulMode>
<ValidTrisulModes>TAP,NETFLOW_TAP</ValidTrisulModes>
<LicenseFile>/usr/local/etc/trisul/LicenseKey.txt</LicenseFile>
<LibpcapMode>select</LibpcapMode>
<Compatibility>2.4</Compatibility>
</App>

<Logging>
<Logdir>/usr/local/var/log/trisul</Logdir>
<Logfile>ns-???.log</Logfile>
<Loglevel>DEBUG</Loglevel>
<LogRotateSize>5000000</LogRotateSize>
<LogRotateCount>5</LogRotateCount>

<EnableAccessLog>TRUE</EnableAccessLog>
<AccessLogfile>as-???.log</AccessLogfile>
<AccessLogRotateSize>5000000</AccessLogRotateSize>
<AccessLogRotateCount>5</AccessLogRotateCount>
</Logging>


<Syslog>
<Enabled>True</Enabled>
<Program>trisul</Program>
<Alerts>
<Alert name="ThresholdCrossing" guid="{03AC6B72-FDB7-44c0-9B8C-7A1975C1C5BA}">INFO</Alert>
<Alert name="FlowTracker" guid="{18CE5961-38FF-4aea-BAF8-2019F3A09063}">INFO</Alert>
<Alert name="Badfellas" guid="{5E97C3A3-41DB-4e34-92C3-87C904FAB83E}">INFO</Alert>
<Alert name="IDS" guid="{9AFD8C08-07EB-47E0-BF05-28B4A7AE8DC9}"></Alert>
</Alerts>
</Syslog>


<StatsEngine>
<HiWaterPolicy>FLEXIBLE</HiWaterPolicy>
<SQLInsertThresholdMSecs>60000</SQLInsertThresholdMSecs>
<SQLBusyTimeoutMsecs>2</SQLBusyTimeoutMsecs>
<SQLTRPBusyTimeoutMsecs>8000</SQLTRPBusyTimeoutMsecs>
<SQLSynchronousMode>0</SQLSynchronousMode>
<SQLFlushThreads>2</SQLFlushThreads>
<SQLJournalMode>default</SQLJournalMode>
<SQLCacheSize>0</SQLCacheSize>
<SQLPageSize>0</SQLPageSize>
<OverlayExistingSlices>FALSE</OverlayExistingSlices>

<SlicePolicy>
<SliceWindow>DAILY</SliceWindow>

<Operational>
<SliceCount>32</SliceCount>
<SlideAt>00:30</SlideAt>
</Operational>

<Reference>
<SliceCount>32</SliceCount>
<SlideAt>01:30</SlideAt>
</Reference>

<Archive>
<SliceCount>32</SliceCount>
<SlideAt>02:30</SlideAt>
</Archive>
</SlicePolicy>

</StatsEngine>

<Security>
<Protocol>TLS</Protocol>
<ClientAuth>true</ClientAuth>
<ServerCertificate>/usr/local/etc/trisul/certs/trisuls/Demo_TrisulServer.crt</ServerCertificate>
<ServerKey>/usr/local/etc/trisul/certs/trisuls/Demo_TrisulServer.key</ServerKey>
<CACertChain>/usr/local/etc/trisul/certs/Demo_CACerts.pem</CACertChain>
<ClientCertificateBaseDir>/usr/local/etc/trisul/certs/unsniffs</ClientCertificateBaseDir>
<DiffieHellmanParameters>/usr/local/etc/trisul/certs/TrisulDH1024.pem</DiffieHellmanParameters>
<CipherPrefs>AES256-SHA</CipherPrefs>
</Security>

<Redis>
<Enabled>True</Enabled>
<UnixSocket>/nsm/sensor_data/cfd-sosensor1-eth2/barnyard2_alert</UnixSocket>
<ConfigFile>/usr/local/etc/trisul/redis.conf</ConfigFile>
<ServerImage>/usr/local/bin/redis-server</ServerImage>
</Redis>

<Server>
<Port>12001</Port>
<DebugComms>true</DebugComms>
<DebugCommsFile>/tmp/pulse_comms.dbg</DebugCommsFile>
<ZipThreshold>100000</ZipThreshold>
<ZipProtocol>DEFLATE</ZipProtocol>
<ACL>
<ACLItem Address="127.0.0.1" Mask="255.255.255.255"/>
<ACLItem Address="192.168.2.0" Mask="255.255.255.0"/>
<ACLItem Address="192.168.1.0" Mask="255.255.255.0"/>
<ACLItem Address="10.1.1.0" Mask="255.255.255.0"/>
</ACL>
</Server>

<Ring>
<Enabled>True</Enabled>
<BaseDir>/usr/local/var/lib/trisul/CONTEXT0/caps</BaseDir>
<PassphraseFile>/usr/local/etc/trisul/certs/ringpass.txt</PassphraseFile>
<FilePrefix>RCF_</FilePrefix>
<FileSizeMB>1000</FileSizeMB>

<ProcSampleSecs>30</ProcSampleSecs>
<SysStatsUpdateSecs>10</SysStatsUpdateSecs>
<RunStatsUpdateSecs>30</RunStatsUpdateSecs>
<LiveStatsFlipSecs>100</LiveStatsFlipSecs>

<DefaultMode>FULL</DefaultMode>
<RuleChain>
<Rule mode="FULL"></Rule>
<Rule mode="FLOWCAP10M"></Rule>
<Rule mode="FLOWCAP1M"></Rule>
<Rule mode="FLOWCAP100K"></Rule>
<Rule mode="FLOWCAP10K"></Rule>
<Rule mode="HEADERS"></Rule>
<Rule mode="IGNORE"></Rule>
</RuleChain>

<SlicePolicy>
<Operational>
<SliceCount>8</SliceCount>
</Operational>
<Reference>
<SliceCount>8</SliceCount>
</Reference>
<Archive>
<SliceCount>0</SliceCount>
</Archive>
</SlicePolicy>

</Ring>

<Reassembly>
<IPDefrag>
<Enabled>True</Enabled>
</IPDefrag>
<TCPFlowTrack>
<Enabled>False</Enabled>
<HiWater>8000</HiWater>
<LoWater>6000</LoWater>
</TCPFlowTrack>
<TCPReassembly>
<Enabled>False</Enabled>
<MaxBytes>0</MaxBytes>
<KickoffBytes>5000</KickoffBytes>
<Ports>3000,80,443,22,21</Ports>

<Direction>INOUT</Direction>

<Applications>
<EnableXFFDeproxy>True</EnableXFFDeproxy>
<EnableURILog>True</EnableURILog>
<EnableHostMeter>True</EnableHostMeter>
<EnableContentTypeMeter>True</EnableContentTypeMeter>
</Applications>
</TCPReassembly>
</Reassembly>


<IDSAlerts>
<Enabled>True</Enabled>
<UnixSocket>/nsm/sensor_data/cfd-sosensor1-eth2/barnyard2_alert</UnixSocket>
<SnortVersion>2.9+</SnortVersion>
</IDSAlerts>


<OfflineImport>
<LoopCount>1</LoopCount>
<AppendMode>FALSE</AppendMode>
<InterfileGapSecs>60</InterfileGapSecs>
<AutoSortByCaptime>TRUE</AutoSortByCaptime>
<ResumeStalledImport>FALSE</ResumeStalledImport>
<AddEthernetFCS>FALSE</AddEthernetFCS>
</OfflineImport>

<TimerJump>
<MaxJumpForwardSecs>86400</MaxJumpForwardSecs>
<IgnoreJumpOnStartup>True</IgnoreJumpOnStartup>
</TimerJump>

<Tuning>
<QueueCapacity>200000</QueueCapacity>
<GrainSize>64</GrainSize>
<SpongeWindow>1</SpongeWindow>
<InflightTokens>8</InflightTokens>
<RxRingBlockCountExponent>13</RxRingBlockCountExponent>
</Tuning>

</USNFPulseConfig>


Trisul service issues 11 years 5 months ago #893

Hi,

Sorry for the late response.

You have the redis socket pointing to snort_alert.

Change this
<Redis>
<UnixSocket>/nsm/sensor_data/cfd-sosensor1-eth2/barnyard2_alert</UnixSocket>

to this
<Redis>
<UnixSocket>/usr/local/var/lib/trisul/CONTEXT0/run/redis_socket</UnixSocket>


Basically there are two unix sockets used by Trisul

1. inside /nsm/.. = for accepting alerts from snort directly

2. inside /run/.. = for the real time features of Trisul

--- Restart webtrisul too

1. Stop webtrisul
As root : /etc/init.d/webtrisuld stop

2. Then kill all the thin processes manually?
ps -ef | grep thin
then kill all the PIDs listed.

3. Start it (once again as root)
/etc/init.d/webtrisuld start
Vivek R
Unleash Networks
Support : www.unleashnetworks.com/forums
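The reply above comes down to one check: the <Redis><UnixSocket> path must not be the same as the <IDSAlerts><UnixSocket> path, since the Snort/barnyard2 alert socket and the Redis real-time socket are two different things. The script below is an added example (not Trisul's own tooling and not from this thread) that extracts both paths from a trisulConfig.xml with sed and reports a collision. The two config files it writes are constructed in a temp directory from the elements posted above, so it runs offline; the function and variable names (socket_path_in, check_trisul_sockets, TMPDIR_EX) are the example's own.

```shell
#!/bin/sh
# Added example: detect the Redis/IDSAlerts socket collision discussed in this thread.
# Not part of Trisul; element names mirror the posted trisulConfig.xml.

# Print the <UnixSocket> value found inside the given top-level section
# ($2 = Redis or IDSAlerts) of config file $1. Prints nothing if absent.
socket_path_in() {
    sed -n "/<$2>/,/<\/$2>/p" "$1" \
        | sed -n 's:.*<UnixSocket>\(.*\)</UnixSocket>.*:\1:p' \
        | head -n 1
}

# Exit status: 0 = two distinct paths, 1 = both sections point at the same
# socket (the misconfiguration above), 2 = a <UnixSocket> is missing.
check_trisul_sockets() {
    redis_sock=$(socket_path_in "$1" Redis)
    ids_sock=$(socket_path_in "$1" IDSAlerts)
    if [ -z "$redis_sock" ] || [ -z "$ids_sock" ]; then
        echo "$1: missing <UnixSocket> in Redis or IDSAlerts section" >&2
        return 2
    fi
    if [ "$redis_sock" = "$ids_sock" ]; then
        echo "$1: CONFLICT, Redis and IDSAlerts share socket $redis_sock" >&2
        return 1
    fi
    echo "$1: ok, redis=$redis_sock ids=$ids_sock"
    return 0
}

# Write a constructed config fragment to $1 with $2 as the Redis socket path;
# the IDSAlerts socket is always the barnyard2_alert path from the thread.
write_sample_config() {
    cat > "$1" <<EOF
<USNFPulseConfig>
<Redis>
<Enabled>True</Enabled>
<UnixSocket>$2</UnixSocket>
</Redis>
<IDSAlerts>
<Enabled>True</Enabled>
<UnixSocket>/nsm/sensor_data/cfd-sosensor1-eth2/barnyard2_alert</UnixSocket>
</IDSAlerts>
</USNFPulseConfig>
EOF
}

TMPDIR_EX=$(mktemp -d)
trap 'rm -rf "$TMPDIR_EX"' EXIT

# bad.xml reproduces the posted config; good.xml applies the suggested fix.
write_sample_config "$TMPDIR_EX/bad.xml"  /nsm/sensor_data/cfd-sosensor1-eth2/barnyard2_alert
write_sample_config "$TMPDIR_EX/good.xml" /usr/local/var/lib/trisul/CONTEXT0/run/redis_socket

check_trisul_sockets "$TMPDIR_EX/bad.xml" || true   # reports the conflict
check_trisul_sockets "$TMPDIR_EX/good.xml"          # reports ok
```

To use it against a live install, call check_trisul_sockets on the real /usr/local/etc/trisul/trisulConfig.xml instead of the constructed files; a non-zero status before starting trisul is the same condition that produced the FATAL "Unable to bring up redis" lines in ns-001.log earlier in this thread.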

Trisul service issues 11 years 5 months ago #908

Hi Vivek,

I made the changes but the Trisul service is not starting. I have tried to start it from webtrisul; I check top and after a few seconds it stops. I also tried to run it as root with /etc/init.d/trisul start, but when I check top it goes away after a few seconds.

I have a clean Ubuntu server that I installed it on for testing purposes and Trisul is running with no issues. I just need it to work on the same box that Security Onion is in.

I will try to uninstall everything and see if starting from scratch will help.

I appreciate your help.

Trisul service issues 11 years 5 months ago #909

  • Anonymous
Quick question.

Are you running the new Security Onion based on Ubuntu 12.04 ?
If yes, you should run the new Trisul 2.6 version.
Moderators: vivek [unleash]