3 hours 10 minutes
All right. So the first thing I'm going to show you is how to check on your system. Service's with s O stat.
Right here. I have Ah, honey. Session open. This allows me to S S H into the
virtual machine that we have set up.
We'll do. Sudo has so stepped pipefitter.
Unless if we don't pipe, it'll less than everything will just fly by and probably missed something.
All right, so we look through here, It's top part is our service status. We can check on Squeal server. We can check on our elastic stack. Somewhat
of the underlying
service is running.
We have our interface status. Here
we look, we have some internal stuff. We have our
management interface here. That's our management. I p address.
Here we have our sniffing
interface that's running in promiscuous mode, meaning that it gathers all traffic coming in Instead of
passing on things that aren't meant for
we have more to face information.
We can either scroll through with our arrows or hit space. Barto
bounce farther down.
We have our disk usage. Right now. Nothing is too heavily used. But
if this were a production deployment or if we were throwing a lot more data at its than
this should fill up
whether they're some of these percentages should be higher
of our network sockets.
they were getting into our I. D. S rules.
You can see we have our nice ask e r to the flying pig
information about our snort rules.
Right here we have our rules. Stats
so enabled. Rules 20,255
then disabled rules 7300 and 59 making over 27,000 rules. Total.
Go a little bit farther down. We have our CPU usage
for the last 15 and 15 minutes.
I only have one see peel applied right now. I should probably boost that up next time I reboot
and then our load averages any time. This is Any of these numbers are higher than our processing units. Then
either me to tune or give it more cp use.
Since this is just one, we should probably give it more. See, fuse
starts face. Barring through these,
we get into our packet monitoring information.
if you're on the fairly busy network and your server has quite a few cores on it.
looking through here, you'll be able to see all of our bro and snort instances and the percentage of dropped packets.
Right now, since we only have the one interface and we are not gathering anything, we don't have any dropped.
Apparently, we have one that we gathered.
So right now everything looks
about how it should be.
Space bar down a little bit,
but our data retention is in our log archive. Right now. It's one day because
we've only really had this up for one day.
this shows our own categorized events.
When we're working and squeal, we want to put
auto cat rules in to categorize our events for us.
don't have anything set up right now, and all these 400 events are working. Michael just osx alerts,
top events for yesterday and all time
Again, we don't have any data coming in right now, so
nothing too exciting there scrub by all that.
Then we have more granular details about our elastic stack.
So everything's running.
It's like our cluster status is currently yellow. So could be something toe take a look at typically you want this to be green? It? If it's
something is more than likely broken. But
scroll through here.
So that is everything that is in S o stat, If you ever run into an issue that you can't resolve
than eso, stats can definitely help.
And if you do s o stat redacted
I run the same command, except it'll
remove any sensitive data. And that's something that you can share on the security onion forums. And
the people there can take a look and
see if they can offer you some help.
ah, high level overview of the S O stat.