5.2 Checking System Services With sostat


Time
3 hours 10 minutes
Difficulty
Beginner
CEU/CPE
3
Video Transcription
00:00
All right. So the first thing I'm going to show you is how to check on your system services with sostat.
00:07
Right here I have a PuTTY session open. This allows me to SSH into the
00:13
virtual machine that we have set up.
00:16
We'll do sudo sostat | less.
00:20
If we don't pipe it to less, then everything will just fly by and we'll probably miss something.
00:29
All right, so we look through here. The top part is our service status. We can check on the Sguil server, we can check on our Elastic stack, some
00:39
of the underlying
00:42
services running.
00:43
We have our interface status. Here
00:47
we look, we have some internal stuff. We have our
00:53
management interface here. That's our management IP address.
00:57
Here we have our sniffing
01:00
interface that's running in promiscuous mode, meaning that it gathers all traffic coming in instead of
01:06
passing on things that aren't meant for
01:07
us,
01:10
we have more interface information.
01:12
We can either scroll through with our arrows or hit space bar to
01:17
bounce farther down.
01:19
We have our disk usage. Right now. Nothing is too heavily used. But
01:26
if this were a production deployment or if we were throwing a lot more data at it, then
01:33
this should fill up,
01:36
or at least some of these percentages should be higher.
01:41
Then our network sockets.
01:42
Yeah,
01:46
then we're getting into our IDS rules.
01:49
You can see we have our nice ASCII art of the flying pig,
01:53
information about our Snort rules.
01:57
Right here we have our rules stats,
02:00
so enabled rules: 20,255,
02:05
then disabled rules: 7,359, making over 27,000 rules total.
02:16
Go a little bit farther down. We have our CPU usage
02:21
for the last 1, 5, and 15 minutes.
02:23
Uh huh.
02:24
I only have one CPU applied right now. I should probably boost that up next time I reboot,
02:30
and then our load averages. Any time any of these numbers are higher than our processing units, then
02:38
we either need to tune or give it more CPUs.
02:42
Since this is just one, we should probably give it more CPUs.
02:46
Start space-barring through these,
02:50
we get into our packet monitoring information.
02:54
So if
02:57
if you're on a fairly busy network and your server has quite a few cores on it,
03:02
Then,
03:04
looking through here, you'll be able to see all of our Bro and Snort instances and the percentage of dropped packets.
03:12
Right now, since we only have the one interface and we are not gathering anything, we don't have any dropped.
03:19
Apparently, we have one that we gathered.
03:23
So right now everything looks
03:24
about how it should be.
03:27
Space bar down a little bit,
03:30
shows
03:31
what our data retention is in our log archive. Right now it's one day because
03:38
we've only really had this up for one day.
03:43
We have
03:45
this shows our uncategorized events.
03:47
When we're working in Sguil, we want to put
03:51
autocat rules in to categorize our events for us.
03:57
We
03:58
don't have anything set up right now, and all these 400 events are probably just OSSEC alerts,
04:06
then
04:09
top events for yesterday and all time.
04:12
Again, we don't have any data coming in right now, so
04:15
nothing too exciting there; scroll by all that.
04:23
Then we have more granular details about our elastic stack.
04:28
So everything's running.
04:30
Looks like our cluster status is currently yellow, so that could be something to take a look at. Typically you want this to be green. If it's
04:40
red, then
04:41
something is more than likely broken. But
04:45
scroll through here.
04:47
All right.
04:48
So that is everything that is in sostat. If you ever run into an issue that you can't resolve,
04:57
then sostat can definitely help.
05:00
And if you do sostat-redacted,
05:03
that will
05:05
run the same command, except it'll
05:08
remove any sensitive data, and that's something that you can share on the Security Onion forums, and
05:14
the people there can take a look and
05:16
see if they can offer you some help.
05:19
That is
05:23
a high-level overview of sostat.