Untangle Plugin


New Life Form

I am having problems trying to get the Untangle plugin to give better results, so I can create directives or cross correlation.

It appears the way the logs come in from Untangle has two “class:” events within the same syslog message, which I think is confusing OSSIM into thinking everything is event_id 9 when it should be event_id 4, for example.

The other issue is the syslog coming in from Untangle uses the same event_id for a block or an allow, so event_id 4 for example is used for both allow and block, but with a statement of “true” or “false” within the message.

Also it

Here is an example of the message coming in from Untangle:


Sep  9 20:24:07 INFO  uvm[0]:  {"timeStamp":"2018-09-09

As you can see it states “com.untangle.app.application_control.ApplicationControlLogEvent” as the event, but then also states “com.untangle.uvm.app.SessionEvent” in the same event, which I think is confusing the OSSIM plugin for Untangle.

Plugin translation rules:

# Rule 1
class com.untangle.node.firewall.FirewallEvent = 1
class com.untangle.node.virus_blocker.VirusHttpEvent = 2
class com.untangle.node.web_filter.WebFilterEvent = 3
class com.untangle.uvm.logging.InterfaceStatEvent = 4
class com.untangle.uvm.node.SessionEvent = 5
class com.untangle.uvm.node.SessionMinuteEvent = 6
class com.untangle.uvm.node.SessionNatEvent = 7
class com.untangle.uvm.node.SessionStatsEvent = 8
class com.untangle.uvm.app.SessionEvent = 9
class com.untangle.uvm.app.SessionStatsEvent = 12
class com.untangle.app.firewall.FirewallEvent = 13
class com.untangle.uvm.app.SessionMinuteEvent = 14
class com.untangle.app.application_control.ApplicationControlLogEvent = 15
class com.untangle.app.virus_blocker.VirusSmtpEvent = 16
class com.untangle.app.application_control.ApplicationControlLogEvent = 17
class com.untangle.app.virus_blocker.VirusHttpEvent = 19
class com.untangle.uvm.SettingsChangesEvent = 23
#   Default
_DEFAULT_ = 20000000


So, the event should come in as event_id 15 but is coming in as event_id 9, which also means all the useful information is lost.

Even if the event_id came in as 15, the plugin/rules would still have to work out if it states “blocked:false” or “blocked:true”.

I have posted the question on the Untangle forum as well; it would make it very easy if event_id 15 was blocked and event_id 16 was allowed.

Does the plugin require an update?
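Added example (not from the post, the OSSIM plugin, or Untangle) showing the two problems described above: a text-pattern rule that grabs the wrong of the two "class" keys, versus parsing the JSON payload and classifying on the top-level class only, then splitting allow/block on the "blocked" field. The sample message is constructed in the shape of the truncated line in the post; the nested "sessionEvent" object and its field names are assumptions.

```python
import json
import re

# Subset of the class -> event_id translation table quoted in the post.
CLASS_TO_EVENT_ID = {
    "com.untangle.uvm.app.SessionEvent": 9,
    "com.untangle.app.firewall.FirewallEvent": 13,
    "com.untangle.app.application_control.ApplicationControlLogEvent": 15,
    "com.untangle.app.virus_blocker.VirusHttpEvent": 19,
}
DEFAULT_EVENT_ID = 20000000  # _DEFAULT_ from the plugin rules

# Constructed sample. The nested "sessionEvent" object and the CClientAddr /
# SServerAddr names are assumptions about the Untangle JSON layout.
SAMPLE = ('Sep  9 20:24:07 INFO uvm[0]: {"timeStamp":"2018-09-09 20:24:07.123",'
          '"class":"com.untangle.app.application_control.ApplicationControlLogEvent",'
          '"blocked":false,"flagged":true,"application":"HTTP",'
          '"sessionEvent":{"class":"com.untangle.uvm.app.SessionEvent",'
          '"sessionId":12345,"CClientAddr":"192.0.2.10","SServerAddr":"198.51.100.7"}}')


def class_by_regex(line):
    """Mimic a rule that matches "class" anywhere in the message and keeps the
    last hit: with two class keys in one message it returns the nested one
    (event_id 9), which is the misclassification the post describes."""
    matches = re.findall(r'"class":"([^"]+)"', line)
    return matches[-1] if matches else None


def parse_event(line):
    """Parse the JSON payload after the syslog header and classify on the
    top-level class, so the nested SessionEvent class is never consulted."""
    event = json.loads(line[line.index("{"):])
    top_class = event.get("class")
    blocked = event.get("blocked")
    # "blocked" is a boolean in the message; anything else is left undecided.
    action = {True: "block", False: "allow"}.get(blocked, "unknown")
    session = event.get("sessionEvent", {})
    return {
        "event_id": CLASS_TO_EVENT_ID.get(top_class, DEFAULT_EVENT_ID),
        "class": top_class,
        "action": action,
        "src_ip": session.get("CClientAddr"),
        "dst_ip": session.get("SServerAddr"),
    }


if __name__ == "__main__":
    print("regex picks:", class_by_regex(SAMPLE))
    print("json parse :", parse_event(SAMPLE))
```

Running it shows the regex approach resolving to the SessionEvent class while the JSON parse yields event_id 15 with action "allow" and the session addresses preserved.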
