No alerts (cbc-syslog issue, closed, 17 comments)

carbonblack avatar carbonblack commented on July 18, 2024
No alerts

from cbc-syslog.

Comments (17)

RobboRob avatar RobboRob commented on July 18, 2024

Output I get is:
2024-03-14 16:54:30,261 - cbc_syslog.cli - INFO - Carbon Black Cloud Syslog 2.0
2024-03-14 16:54:30,359 - cbc_syslog.core - INFO - Sending 0 alerts for NXZA5P5L
2024-03-14 16:54:30,437 - cbc_syslog.core - INFO - Sending 0 audit_logs for NXZA5P5L

sometimes with 1 or more audit_logs but no alerts...


RobboRob avatar RobboRob commented on July 18, 2024

I noticed that the first time after an API account is generated or a new key is assigned the alarms are being sent once when the poll mode is used.

When the history mode is used retrieving alerts does seem to work.

I'm now trying to use the poll mode without the retrieve audit_logs being enabled to see if that changes the behaviour with regards to the retrieving alerts...


avanbrunt-cb avatar avanbrunt-cb commented on July 18, 2024

@RobboRob We have a fix in 2.0.3 for a UTC datetime issue which could be related to your issue.

For context, the poll mechanism will fetch alerts from the last time the poll command was fetched, so if there are no alerts then nothing will be forwarded. The first time the poll is used it will set a start time of 90s prior to the call being made. If you want to confirm the most recent checkpoint you can find the timestamp in the backup directory inside cbc_syslog_state.json. If you are able to fetch alerts with the history command then your configuration is correct and it is likely there are no alerts to be fetched, assuming you aren't experiencing the UTC datetime issue.

How many alerts does your organization receive per day?

Did you make a support issue as well? I want to ensure I associate any investigation with in-progress tickets.


RobboRob avatar RobboRob commented on July 18, 2024

@avanbrunt-cb : thanks for responding. I noticed the history option is more reliable, but I also noticed that the script seems to run ok from the command prompt (CLI) but not from crontab when scheduled for alerts (however it works for retrieving audit logs).

When calling it from crontab (using the same user as used at the CLI) I tried to also set and export the needed path in crontab but that didn't change the behaviour (0 alerts retrieved). No errors or warnings are generated.


avanbrunt-cb avatar avanbrunt-cb commented on July 18, 2024

Can you run the poll command with --verbose then provide the log file? Can you also provide the cron job that you have configured?


RobboRob avatar RobboRob commented on July 18, 2024

I'm always running it with the -v option.

Still some new findings:
When I create a service and then call a script with an endless loop calling the cbc_syslog_forwarder script with the history option enabled, retrieving only the alerts, I get it all working...


RobboRob avatar RobboRob commented on July 18, 2024

BTW Could it be that when I use the cbc_syslog forwarder with the poll option and have both the audit_log and alerts set on true in the used config file that polling the audit logs is creating a new json file in the backup directory and when subsequently the alerts are retrieved the start time is not correct because it uses the end time of the poll action of the audit events as start time?


avanbrunt-cb avatar avanbrunt-cb commented on July 18, 2024

@RobboRob the script should have no issue with both Audit Logs and Alerts enabled at the same time.


avanbrunt-cb avatar avanbrunt-cb commented on July 18, 2024

I need the verbose logs from a poll command to try to better understand what is going on.

Additionally, how many alerts per minute does your org generate?


RobboRob avatar RobboRob commented on July 18, 2024

$ cbc_syslog_forwarder --verbose poll cbc.conf
2024-03-27 16:10:17,810 - cbc_syslog.cli - INFO - Carbon Black Cloud Syslog 2.0
2024-03-27 16:10:17,964 - cbc_syslog.core - INFO - Sending 0 alerts for NXZA5P5L
2024-03-27 16:10:18,041 - cbc_syslog.core - INFO - Sending 0 audit_logs for NXZA5P5L

$ cat /tmp/cbc_syslog_state.json
{
"failed_orgs": {},
"end_time": "2024-03-27T16:09:47.821508Z"
}[


avanbrunt-cb avatar avanbrunt-cb commented on July 18, 2024

How many alerts does your organization generate? Are there any new alerts in the last few minutes?


RobboRob avatar RobboRob commented on July 18, 2024

approx. 1 to 3 per day...


avanbrunt-cb avatar avanbrunt-cb commented on July 18, 2024

If you are only going to get 1 to 3 alerts per day then you won't see much between each poll, depending on how frequently you poll. The poll command will take the last end time and use the current time - 30s to fetch the most recent alerts. If you want to confirm the poll command is working then modify the end_time in the cbc_syslog_state.json file to a few days back, then run the poll command so that it fetches a few days.

I'd recommend a poll cycle of 10 or 15min given the low volume unless you want alerts to come in as soon as they happen but you will see a lot of 0 alert polls.

If you need to load any historical data then the history command is recommended to fetch a few days or weeks back.

I don't see any issues here as the tool appears to be working as expected with the low data volume.

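An added illustration of the checkpoint window the maintainer describes above (this is not cbc-syslog's own code; it models the stated behaviour: an end_time checkpoint in cbc_syslog_state.json, a first-run start of now-90s, an end of now-30s, and the suggested test of backdating end_time). The timestamp format follows the state file posted earlier in the thread; SAMPLE_NOW and the staleness check are constructed assumptions.

```python
"""Model of the cbc-syslog poll window as described in the thread (added example)."""
import json
from datetime import datetime, timedelta, timezone

TS_FMT = "%Y-%m-%dT%H:%M:%S.%fZ"  # format seen in the posted cbc_syslog_state.json
# Constructed sample input: the state file content shown in the thread.
SAMPLE_STATE = '{"failed_orgs": {}, "end_time": "2024-03-27T16:09:47.821508Z"}'
# Constructed "current time" ten minutes after that checkpoint (assumption).
SAMPLE_NOW = datetime(2024, 3, 27, 16, 20, 17, tzinfo=timezone.utc)


def load_checkpoint(text):
    """Return the previous end_time as an aware UTC datetime, or None on first run."""
    if not text.strip():
        return None
    raw = json.loads(text).get("end_time")
    if raw is None:
        return None
    return datetime.strptime(raw, TS_FMT).replace(tzinfo=timezone.utc)


def poll_window(checkpoint, now, first_run_lookback=90, end_lag=30):
    """(start, end) of one poll: last checkpoint (or now-90s on first run) up to now-30s."""
    end = now - timedelta(seconds=end_lag)
    if checkpoint is None:
        start = now - timedelta(seconds=first_run_lookback)
    else:
        start = checkpoint
    return start, end


def window_seconds(window):
    """Length of a (start, end) window in seconds."""
    start, end = window
    return (end - start).total_seconds()


def backdate_checkpoint(text, days):
    """State dict with end_time moved `days` back (the maintainer's suggested test).

    failed_orgs and any other keys are preserved; only end_time changes."""
    state = json.loads(text)
    cp = load_checkpoint(text)
    state["end_time"] = (cp - timedelta(days=days)).strftime(TS_FMT)
    return state


def checkpoint_is_advancing(text, now, poll_interval_seconds):
    """Assumed cron health check: a checkpoint older than two poll periods
    means the scheduled poll is not actually running (or not writing state)."""
    cp = load_checkpoint(text)
    if cp is None:
        return False
    return (now - cp).total_seconds() <= 2 * poll_interval_seconds
```

Comparing the checkpoint's age against the cron interval separates "cron never ran" from "cron ran and there were genuinely 0 alerts", which is the distinction the thread circles around.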

RobboRob avatar RobboRob commented on July 18, 2024

but why is it working on the CLI but not via crontab (I ensured the path was set in the crontab)...


avanbrunt-cb avatar avanbrunt-cb commented on July 18, 2024

What do you have configured for your crontab?


RobboRob avatar RobboRob commented on July 18, 2024
export PATH=$PATH:[path to cbc_syslog_collector];cbc_system_collector -l cbc_syslog.log poll cbc.conf


avanbrunt-cb avatar avanbrunt-cb commented on July 18, 2024

@RobboRob The command is not called cbc_syslog_collector instead it is called cbc_syslog_forwarder.

I'm also not sure why you have an environment variable command in the crontab; export PATH=$PATH:[path to cbc_syslog_collector]; is not necessary as the cbc_syslog_forwarder command has been added to the bin directory.

You will need absolute paths for cbc_syslog.log and cbc.conf as the crontab won't execute it from the directory you expect.
