Comments (17)
Output I get is:
2024-03-14 16:54:30,261 - cbc_syslog.cli - INFO - Carbon Black Cloud Syslog 2.0
2024-03-14 16:54:30,359 - cbc_syslog.core - INFO - Sending 0 alerts for NXZA5P5L
2024-03-14 16:54:30,437 - cbc_syslog.core - INFO - Sending 0 audit_logs for NXZA5P5L
sometimes with 1 or more audit_logs but no alerts...
I noticed that the first time after an API account is generated or a new key is assigned the alarms are being sent once when the poll mode is used.
When the history mode is used retrieving alerts does seem to work.
I'm now trying to use the poll mode without the retrieve audit_logs option enabled to see if that changes the behaviour with regard to retrieving alerts...
@RobboRob We have a fix in 2.0.3 for a UTC datetime issue which could be related to your issue.
For context, the poll mechanism will fetch alerts from the last time the poll command was run, so if there are no alerts then nothing will be forwarded. The first time the poll is used it will set a start time of 90s prior to the call being made. If you want to confirm the most recent checkpoint you can find the timestamp in the backup directory inside cbc_syslog_state.json. If you are able to fetch alerts with the history command then your configuration is correct and it is likely there are no alerts to be fetched, assuming you aren't experiencing the UTC datetime issue.
How many alerts does your organization receive per day?
Did you make a support issue as well? I want to ensure I associate any investigation with in-progress tickets.
@avanbrunt-cb: thanks for responding. I noticed the history option is more reliable, but I also noticed that the script seems to run OK from the command prompt (CLI) but not from crontab when scheduled for alerts (however it works for retrieving audit logs).
When calling it from crontab (using the same user as used at the CLI) I tried to also set and export the needed path in crontab, but that didn't change the behaviour (0 alerts retrieved). No errors or warnings are generated.
Can you run the poll command with --verbose and then provide the log file? Can you also provide the cron job that you have configured?
I'm always running it with the -v option.
Still some new findings:
When I create a service and then call a script with an endless loop calling the cbc_syslog_forwarder script with the history option enabled, retrieving only the alerts, I get it all working...
BTW, could it be that when I use the cbc_syslog forwarder with the poll option and have both the audit_log and alerts set to true in the used config file, polling the audit logs is creating a new json file in the backup directory, and when subsequently the alerts are retrieved the start time is not correct because it uses the end time of the poll action of the audit events as start time?
@RobboRob the script should have no issue with both Audit Logs and Alerts enabled at the same time.
I need the verbose logs from a poll command to try to better understand what is going on.
Additionally, how many alerts per minute does your org generate?
$ cbc_syslog_forwarder --verbose poll cbc.conf
2024-03-27 16:10:17,810 - cbc_syslog.cli - INFO - Carbon Black Cloud Syslog 2.0
2024-03-27 16:10:17,964 - cbc_syslog.core - INFO - Sending 0 alerts for NXZA5P5L
2024-03-27 16:10:18,041 - cbc_syslog.core - INFO - Sending 0 audit_logs for NXZA5P5L
$ cat /tmp/cbc_syslog_state.json
{
"failed_orgs": {},
"end_time": "2024-03-27T16:09:47.821508Z"
}
How many alerts does your organization generate? Are there any new alerts in the last few minutes?
approx. 1 to 3 per day...
If you are only going to get 1 to 3 alerts per day then you won't see much between each poll, depending on how frequently you poll. The poll command will take the last end time and use the current time - 30s to fetch the most recent alerts. If you want to confirm the poll command is working then modify the end_time in the cbc_syslog_state.json file to a few days back, then run the poll command so that it fetches a few days.
I'd recommend a poll cycle of 10 or 15min given the low volume, unless you want alerts to come in as soon as they happen, but you will see a lot of 0 alert polls.
If you need to load any historical data then the history command is recommended to fetch a few days or weeks back.
I don't see any issues here as the tool appears to be working as expected with the low data volume.
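The checkpoint behaviour described in the reply above (first poll looks back 90s, later polls start at the previous end_time, every poll ends at now - 30s, and rolling end_time back makes the next poll fetch older alerts) can be simulated with the small script below. It is an added illustration written for this thread, not cbc-syslog's own implementation; only the state-file layout ({"failed_orgs": {}, "end_time": "...Z"}) is taken from the thread, while the alert records, their create_time field and the clock values are constructed.

```python
"""Simulation of a checkpoint-window poller (illustrative, not cbc-syslog's code).

Mirrors the behaviour described in the thread:
  * first poll: start = now - 90s
  * later polls: start = previous end_time from the state file
  * every poll:  end = now - 30s, and that end is saved as the new checkpoint
A half-open window [start, end) means an alert is forwarded exactly once.
"""
from __future__ import annotations

import json
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

FIRST_RUN_LOOKBACK = timedelta(seconds=90)  # from the maintainer's description
END_LAG = timedelta(seconds=30)             # "current time - 30s"


def _parse(ts: str) -> datetime:
    # The state file shown in the thread stores UTC timestamps with a trailing 'Z'.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def _fmt(dt: datetime) -> str:
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%fZ")


def poll_window(state_path: Path, now: datetime) -> tuple[datetime, datetime]:
    """Return (start, end) for this poll and persist end as the new checkpoint."""
    end = now - END_LAG
    if state_path.exists():
        state = json.loads(state_path.read_text())
        start = _parse(state["end_time"])
    else:
        state = {"failed_orgs": {}}          # layout as seen in the thread
        start = now - FIRST_RUN_LOOKBACK
    state["end_time"] = _fmt(end)
    state_path.write_text(json.dumps(state, indent=2))
    return start, end


def select_alerts(alerts: list[dict], start: datetime, end: datetime) -> list[dict]:
    # 'create_time' is a constructed field name for this simulation.
    return [a for a in alerts if start <= _parse(a["create_time"]) < end]


def rewind_checkpoint(state_path: Path, days: int) -> None:
    """The maintainer's check: move end_time back so the next poll fetches history."""
    state = json.loads(state_path.read_text())
    state["end_time"] = _fmt(_parse(state["end_time"]) - timedelta(days=days))
    state_path.write_text(json.dumps(state, indent=2))


def demo() -> list[int]:
    """Run four polls against constructed alerts; return the alert count of each."""
    base = datetime(2024, 3, 27, 16, 10, 0, tzinfo=timezone.utc)
    alerts = [  # constructed sample alerts, not real Carbon Black Cloud data
        {"id": "a1", "create_time": _fmt(base - timedelta(days=2))},
        {"id": "a2", "create_time": _fmt(base - timedelta(seconds=60))},
        {"id": "a3", "create_time": _fmt(base - timedelta(seconds=10))},  # inside the 30s lag
    ]
    counts: list[int] = []
    with tempfile.TemporaryDirectory() as d:
        state_path = Path(d) / "cbc_syslog_state.json"
        # Poll 1: no state file yet -> [base-90s, base-30s); a2 qualifies, a3 is in the lag.
        s, e = poll_window(state_path, base)
        counts.append(len(select_alerts(alerts, s, e)))
        # Poll 2, five minutes later: [base-30s, base+4m30s); a3 is picked up now.
        s, e = poll_window(state_path, base + timedelta(minutes=5))
        counts.append(len(select_alerts(alerts, s, e)))
        # Poll 3, another five minutes: nothing new -> the "Sending 0 alerts" log line.
        s, e = poll_window(state_path, base + timedelta(minutes=10))
        counts.append(len(select_alerts(alerts, s, e)))
        # Rewind the checkpoint three days: the next poll re-fetches a1, a2 and a3.
        rewind_checkpoint(state_path, days=3)
        s, e = poll_window(state_path, base + timedelta(minutes=15))
        counts.append(len(select_alerts(alerts, s, e)))
    return counts


if __name__ == "__main__":
    print(demo())
```

Running it prints the per-poll counts for the four polls, showing that a 0-alert poll is simply an empty window rather than a failure, and that rewinding end_time (as suggested above) is a quick way to prove the poll path works on a low-volume org.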
but why is it working on the CLI but not via crontab (I ensured the path was set in the crontab)...
What do you have configured for your crontab?
export PATH=$PATH:[path to cbc_syslog_collector];cbc_system_collector -l cbc_syslog.log poll cbc.conf
@RobboRob The command is not called cbc_syslog_collector; instead it is called cbc_syslog_forwarder.
I'm also not sure why you have an environmental variable command in the crontab. export PATH=$PATH:[path to cbc_syslog_collector]; is not necessary as the cbc_syslog_forwarder command has been added to the bin directory.
You will need absolute paths for cbc_syslog.log and cbc.conf as the crontab won't execute it from the directory you expect.