TCPDump and SGTop – SGBox Knowledge Base (Troubleshooting on SGBox)
https://www.sgbox.eu/en/knowledge-base/tcpdump-and-sgtop/
Published Mon, 20 Jun 2022 07:57:51 +0000 – category: SGBox Troubleshoot

There are some tools you can use from the CLI to check whether SGBox has problems receiving or displaying data.
Connect via SSH (using a program like PuTTY) to SGBox, specifying the user cli.
If you haven't changed them through the wizard, the default credentials are:

user: cli
pass: CL1changePW

Choose Appliance statistics, then TCPDump and SGTop.

Dump network traffic

This option lets you run tcpdump directly on SGBox to check whether the platform is receiving logs from the data source on the expected port and protocol.
From the TCPDump and SGTop menu you can choose one of three modes:

  1. Filter by IP: a simple filter on the data source IP, all ports and protocols
  2. Filter SGBox ports: a simple filter on ports 514 and 443 from all data sources
  3. Expert: you enter all the tcpdump parameters yourself.

In our example we choose Expert and filter on host 192.168.2.9.
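The three menu modes above correspond to ordinary tcpdump filter expressions, and the hard part in practice is reading the capture: is the source sending at all, and is it sending to the port SGBox actually listens on? The following is an added example, not code from the SGBox article or product. It builds the filter for each mode, composes the Expert command line, and parses tcpdump's `-nn` summary lines (IPv4 only) into a per-source, per-port count so a wrong-port or silent source stands out. The capture lines are constructed for the example; the interface name `any`, the packet count and the helper names are assumptions.

```python
import re
import shlex
from collections import Counter

# Ports the article says SGBox collects on (syslog 514, HTTPS 443).
SGBOX_PORTS = (514, 443)


def filter_by_ip(source_ip):
    """Mode 1: all traffic to/from one data source, every port and protocol."""
    return f"host {source_ip}"


def filter_sgbox_ports(ports=SGBOX_PORTS):
    """Mode 2: only the SGBox listening ports, from every data source."""
    return " or ".join(f"port {p}" for p in ports)


def tcpdump_command(expression, iface="any", count=50):
    """Mode 3 ('Expert'): the full command line. -nn keeps hosts and ports
    numeric, which is what the parser below expects."""
    return f"tcpdump -nn -i {shlex.quote(iface)} -c {count} {expression}"


# Summary line as tcpdump -nn prints it for IPv4, e.g.
# "10:41:06.123456 IP 192.168.2.9.45123 > 192.168.2.10.514: SYSLOG local0.info, length: 87"
LINE_RE = re.compile(
    r"^\S+ IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): (.*)$"
)


def parse_line(line):
    """Return (src_ip, dst_port, proto) or None for lines that are not IPv4
    (ARP, IPv6, truncated output). TCP summaries carry a 'Flags [...]' field;
    anything else on a UDP port is treated as UDP (tcpdump decodes syslog on
    514 as 'SYSLOG', so the proto name is not reliable there)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    src, _sport, _dst, dport, rest = m.groups()
    proto = "tcp" if "Flags [" in rest else "udp"
    return src, int(dport), proto


def summarize(lines):
    """Count packets per (source IP, destination port, protocol)."""
    stats = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            stats[parsed] += 1
    return stats


def check_source(lines, source_ip, expected_port):
    """Answer the troubleshooting question for one data source:
    packets_on_port > 0  -> logs reach SGBox on the right port
    other_ports non-empty -> the source talks to SGBox, but on the wrong port
    silent == True        -> nothing from that source at all (routing/firewall/
                             source misconfiguration, not an SGBox queue issue)."""
    stats = summarize(lines)
    on_port = sum(n for (src, dport, _), n in stats.items()
                  if src == source_ip and dport == expected_port)
    other = sorted({dport for (src, dport, _) in stats
                    if src == source_ip and dport != expected_port})
    return {"packets_on_port": on_port, "other_ports": other,
            "silent": on_port == 0 and not other}


# Constructed sample capture: one host logging correctly on 514/udp and 443/tcp,
# one host sending to the wrong port (1514), plus an ARP line the parser skips.
SAMPLE_CAPTURE = """\
10:41:06.123456 IP 192.168.2.9.45123 > 192.168.2.10.514: SYSLOG local0.info, length: 87
10:41:06.223456 IP 192.168.2.9.45123 > 192.168.2.10.514: SYSLOG auth.notice, length: 102
10:41:06.523456 IP 192.168.2.9.55010 > 192.168.2.10.443: Flags [P.], seq 1:100, ack 1, win 512, length 99
10:41:07.000001 IP 192.168.2.7.51000 > 192.168.2.10.1514: UDP, length 64
10:41:08.000000 ARP, Request who-has 192.168.2.10 tell 192.168.2.7, length 28
"""

if __name__ == "__main__":
    print(tcpdump_command(filter_by_ip("192.168.2.9")))
    print(tcpdump_command(filter_sgbox_ports()))
    for key, n in sorted(summarize(SAMPLE_CAPTURE.splitlines()).items()):
        print(key, n)
    for host in ("192.168.2.9", "192.168.2.7", "192.168.2.8"):
        print(host, check_source(SAMPLE_CAPTURE.splitlines(), host, 514))
```

On the appliance you would paste the command that `tcpdump_command` prints into the Expert mode prompt and feed the resulting lines to `check_source`. The three outcomes map to three different fixes: packets on the expected port but no logs in the GUI points to the queues (see SGTop below), packets on another port points to the source's forwarding configuration, and a silent source points to the network path rather than to SGBox.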

SGTop

This tool focuses on the SGBox processes. If you receive the packets from the data source but can't see the logs in SGBox, they may still be in the queues. When SGBox is healthy, the queues contain few objects and your logs are visible in SGBox.

*Queues: a portion of disk or memory where logs are temporarily stored before being written to the database.
