If you haven't noticed, my attention span jumps around a bit. It's currently focused on SecurityOnion 2.3, but I fall down a lot of rabbit holes, and today it looks like sostat is what I was curious about. sostat is one of the scripts I currently miss after moving from 16.04. It was widely used by the remote teams for troubleshooting: with a copy of sostat and maybe a few other choice logs, it was easy to diagnose what was wrong with a remote system.
I know there is a task in the backlog to re-add sostat, which would be great. Until then, I had some time and started trying to re-create the magic. (It's not very good, but it gets the job done.) I'm still struggling to get Stenographer stats out of the log file (I need some learning on cat/awk).
Most of it was just taking the 16.04 sostat and replaying it on my 2.3 box, locating the new file locations and changing a few things.
A few things I noticed so far, compared to the 16.04 sostat (most of these I asked about on the GitHub Discussion in the last day or so to validate):
- No sensortab file
- No securityonion.conf
- No interfaces folder breakouts (Per PCAP/Suricata)
- I see mysql, but there is no mysql command (do Uncategorized events exist?)
- so-status
- Link Statistics
- Disk Space
- CPU Usage
- Version Info - Changed to: cat /etc/soversion
- Zeek Packet - Changed to so-zeek-status (Might not be 100% the same)
- Suricata Packet Drops - Changed LATEST_STATS to grep /opt/so/log/suricata.stats.log (Seems to work)
- Stenographer - Tried to compare to the Netsniff (need to remind myself about sed/awk I think)
- Network Sockets - No lsof on SecurityOnion 2.3
- Top 20 Alerts/Uncategorized
- Log Archive - Doesn't look like it breaks out daily logs.
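Since the Suricata packet-drop section is the one that ended up as a grep against /opt/so/log/suricata.stats.log, here is an added example of pulling the latest counters out of that file with awk and turning them into the drop percentage the old sostat used to print. This is my own illustration, not code from the post or from Security Onion. It assumes the standard Suricata stats.log layout (a `Counter | TM Name | Value` table repeated per interval, with `capture.kernel_packets` and `capture.kernel_drops` as the counter names); the sample log embedded below is constructed so the script runs offline, and the path to the real file is the one named above.

```sh
#!/bin/sh
# Added example (not from the post): read a Suricata stats.log, take the LAST
# occurrence of each capture counter (stats.log appends a new table every
# interval, so the last one is the current state) and report the drop rate.
# On a 2.3 box you would pass /opt/so/log/suricata.stats.log instead of the
# constructed sample written below.

# CONSTRUCTED sample in the Suricata stats.log layout: two intervals, the
# second one is the "latest" block a sostat-style report should use.
STATS_SAMPLE=$(cat <<'EOF'
------------------------------------------------------------------------------------
Date: 1/1/2021 -- 00:00:00 (uptime: 0d, 00h 05m 00s)
------------------------------------------------------------------------------------
Counter                                       | TM Name                   | Value
------------------------------------------------------------------------------------
capture.kernel_packets                        | Total                     | 1000
capture.kernel_drops                          | Total                     | 100
------------------------------------------------------------------------------------
Date: 1/1/2021 -- 00:05:00 (uptime: 0d, 00h 10m 00s)
------------------------------------------------------------------------------------
Counter                                       | TM Name                   | Value
------------------------------------------------------------------------------------
capture.kernel_packets                        | Total                     | 2000
capture.kernel_drops                          | Total                     | 50
------------------------------------------------------------------------------------
EOF
)

# latest_stat FILE COUNTER
# Prints the Value column of the last line whose Counter column equals COUNTER,
# or 0 if the counter never appears. Whitespace is stripped so the padded
# columns compare exactly (no regex, so dots in counter names are literal).
latest_stat() {
    awk -F'|' -v key="$2" '
        { k = $1; gsub(/[ \t]/, "", k) }
        k == key { gsub(/[ \t]/, "", $3); v = $3 }
        END { print v + 0 }' "$1"
}

# drop_percent FILE
# drops * 100 / packets for the latest block, one decimal place; a file with
# no packets yet reports 0.0 instead of dividing by zero.
drop_percent() {
    pkts=$(latest_stat "$1" capture.kernel_packets)
    drops=$(latest_stat "$1" capture.kernel_drops)
    if [ "$pkts" -eq 0 ]; then
        echo "0.0"
        return
    fi
    awk -v p="$pkts" -v d="$drops" 'BEGIN { printf "%.1f\n", d * 100 / p }'
}

# report FILE  -> one sostat-style summary line
report() {
    f="$1"
    echo "Suricata latest stats: packets=$(latest_stat "$f" capture.kernel_packets)" \
         "drops=$(latest_stat "$f" capture.kernel_drops) drop%=$(drop_percent "$f")"
}

# Stand-alone run against the constructed sample.
tmp=$(mktemp)
printf '%s\n' "$STATS_SAMPLE" > "$tmp"
report "$tmp"
rm -f "$tmp"
```

Swapping the constructed sample for the real file is just `report /opt/so/log/suricata.stats.log`; because the awk keeps only the last match, a stats.log that has been appending for days still yields the current interval rather than the first one grep would return.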