
remote-log connection via ssh

ismael_mc

Hi there!

I have had some trouble with two custom plugins configured with "source=remote-log" when the remote machine is rebooted. That connection is via ssh (port 22), and I guess the plugins open the connection (user & pass) at the beginning, but when this connection breaks it does not try again with user and password, so I had to restart the ossim-agent.

Could it be a bug?


Answers

  • Did you try to do authentication by key instead of login/password?

    debian-administration.org/article/530/SSH_with_authentication_key_instead_of_password
  • It's a possibility... but you mean to remove user and password from the plugin, make an RSA key without a password between the two machines and copy it into the proper folder on both machines, isn't it?

    I will, and then tell you.

    Thanks.
  • Yes, that's what I mean.

    So when you connect to the remote machine it will not ask you for a password.
  • ssh-copy-id is your friend.
  • Yeah, I know... I should try to explain the situation better: I can watch events in the SIEM, and I can also follow the communication via netstat; anyway, if the connection goes down for a few seconds (on the remote machine) and comes back up, the plugin does not retry the connection, at least so far.
  • Hi!

    Another odd thing: when the plugin finds any character it doesn't like, the connection status immediately goes down, because this character 'ñ' appears in the log line. :\

    ossim-agent started in debug mode:
    2014-06-26 18:25:58,645 InventoryTask_OCS [INFO]: End ocs inventory job
    Exception in thread Thread-3:
    Traceback (most recent call last):
      File "/usr/lib/python2.6/threading.py", line 532, in __bootstrap_inner
        self.run()
      File "/usr/share/alienvault/ossim-agent/Detector.py", line 400, in run
        self.process()
      File "/usr/share/alienvault/ossim-agent/ParserRemote.py", line 167, in process
        if rule.match():
      File "/usr/share/alienvault/ossim-agent/ParserLog.py", line 155, in match
        self.group()
      File "/usr/share/alienvault/ossim-agent/ParserLog.py", line 175, in group
        value = str(group.encode('utf-8'))
    UnicodeDecodeError: 'ascii' codec can't decode byte 0xc3 in position 35: ordinal not in range(128)

    ^C2014-06-26 18:26:03,342 Agent [INFO]: WARNING! Ctrl+C received! shutting down
    2014-06-26 18:26:03,343 Agent [INFO]: Shutdown in process...
    2014-06-26 18:26:03,344 Agent [INFO]: Waiting for check thread..
    netstat at the same time:
    tcp 0 0 10.10.4.75:41302 10.10.4.70:22 ESTABLISHED 2021/python off (0.00/0/0)
    tcp 0 0 10.10.4.75:41302 10.10.4.70:22 ESTABLISHED 2021/python off (0.00/0/0)
    tcp 0 0 10.10.4.75:41302 10.10.4.70:22 ESTABLISHED 2021/python off (0.00/0/0)
    tcp 0 0 10.10.4.75:41302 10.10.4.70:22 ESTABLISHED 2021/python off (0.00/0/0)
    tcp 0 0 10.10.4.75:41302 10.10.4.70:22 TIME_WAIT - timewait (59.53/0/0)
    tcp 0 0 10.10.4.75:41302 10.10.4.70:22 TIME_WAIT - timewait (58.50/0/0)
    tcp 0 0 10.10.4.75:41302 10.10.4.70:22 TIME_WAIT - timewait (57.46/0/0)
    tcp 0 0 10.10.4.75:41302 10.10.4.70:22 TIME_WAIT - timewait (56.41/0/0)
    I'm shocked about this. I don't know why it does this kind of weird thing when other plugins just discard the event and that's all.

    I've tried with RSA keys, and it does the same.
  • FYI, I was also having problems with remote-log not working. It simply wasn't connecting at all or even attempting to SSH to the remote system. I tested on 4.7 - 4.9, none worked. I opened a case with AlienVault and did receive a response that this is a defect and has been assigned to engineering. I'll let you know what I hear from them.

    In the interim, you could write your own script that remotely logs into the system and tails a logfile, writing into a local logfile or piping through the logger command.
  • FYI, I was also having problems with remote-log not working. It simply wasn't connecting at all or even attempting to SSH to the remote system. I tested on 4.7 - 4.9, none worked. I opened a case with AlienVault and did receive a response that this is a defect and has been assigned to engineering. I'll let you know what I hear from them.

    In the interim, you could write your own script that remotely logs into the system and tails a logfile, writing into a local logfile or piping through the logger command.

    I did that, writing my own plugin, but since the connection is via ssh, I had the same problems.
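The two failure modes in this thread (the ssh session dying on a remote reboot and never being reopened, and one non-ASCII byte in a log line killing the reader thread) are both problems of a long-running collector loop. The following is an added example, not code from the thread or from the ossim-agent, of the "write your own script that tails a remote logfile" approach, written so that it survives both. It assumes key-based authentication is already set up (as suggested above), so ssh is run with `BatchMode=yes` and OpenSSH's `ServerAlive*` keepalive options, and it shows why the traceback happened: in Python 2, calling `.encode('utf-8')` on a byte string first decodes it implicitly as ASCII, which fails on the 0xc3 byte of 'ñ'. Decoding explicitly with a replacement policy avoids that. The syslog-style rule, the sample log lines and the `FlakyConnector` are constructed for the demo.

```python
"""Resilient remote-log follower: reconnect over ssh with backoff, and never
let one bad byte end the reader. Added example; not the ossim-agent's code."""
import re
import subprocess
import time

# Constructed sample lines, as they would arrive as raw bytes from the ssh
# channel. The 'ñ' from the thread is the UTF-8 pair 0xc3 0xb1; the third
# line carries a deliberately invalid byte; the last line matches no rule.
SAMPLE_LINES = [
    b"Jun 26 18:25:58 host sshd[1234]: Accepted publickey for ana from 10.10.4.70 port 41302\n",
    b"Jun 26 18:25:59 host app[42]: usuario pe\xc3\xb1a inicio sesion\n",
    b"Jun 26 18:26:00 host app[42]: raw byte \xff is not valid utf-8\n",
    b"garbage line without a timestamp\n",
]

# Hypothetical syslog-style rule; a real plugin would carry its own regexes.
RULE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\[:]+)(?:\[\d+\])?: (?P<msg>.*)$"
)


def decode_log_line(raw):
    """Turn raw bytes from the channel into text without raising.
    Python 2's str(group.encode('utf-8')) on a byte string implicitly decodes
    it as ASCII first, which is the UnicodeDecodeError in the traceback above.
    An explicit decode with errors='replace' turns undecodable bytes into
    U+FFFD instead of killing the thread."""
    return raw.decode("utf-8", errors="replace").rstrip("\r\n")


def parse_line(raw):
    """Return the matched groups as a dict, or None when no rule matches."""
    match = RULE.match(decode_log_line(raw))
    return None if match is None else match.groupdict()


def next_backoff(delay, max_delay=60.0):
    """Exponential backoff between reconnect attempts, capped at max_delay."""
    return min(delay * 2, max_delay)


def make_ssh_connector(user_host, remote_path):
    """Build a connect() callable that runs `ssh ... tail -F` and yields raw
    byte lines. BatchMode=yes refuses to prompt for a password (key auth is
    assumed); the ServerAlive options make a dead peer end the session
    instead of hanging. When the remote reboots the stream simply ends, and
    follow_remote() reconnects."""
    def connect():
        proc = subprocess.Popen(
            ["ssh", "-o", "BatchMode=yes", "-o", "ServerAliveInterval=15",
             "-o", "ServerAliveCountMax=3", user_host,
             "tail", "-n", "0", "-F", remote_path],
            stdout=subprocess.PIPE, stderr=subprocess.DEVNULL)
        return iter(proc.stdout)
    return connect


def follow_remote(connect, handle, max_attempts=None, initial_delay=1.0,
                  max_delay=60.0, sleep=time.sleep):
    """Keep a remote tail alive. connect() returns an iterable of byte lines
    or raises OSError; handle(event) receives each parsed event (write it to
    a local file, or hand it to `logger`). max_attempts=None retries forever;
    a bound is used here only so the demo terminates."""
    stats = {"connections": 0, "connect_failures": 0, "events": 0,
             "discarded": 0, "parse_errors": 0}
    delay = initial_delay
    attempts = 0
    while max_attempts is None or attempts < max_attempts:
        attempts += 1
        try:
            stream = connect()
            stats["connections"] += 1
            delay = initial_delay          # healthy session: reset the backoff
            for raw in stream:
                try:
                    event = parse_line(raw)
                except Exception:          # a rule that blows up must not end the loop
                    stats["parse_errors"] += 1
                    continue
                if event is None:
                    stats["discarded"] += 1  # no rule matched: discard, like other plugins
                else:
                    stats["events"] += 1
                    handle(event)
        except OSError:
            stats["connect_failures"] += 1
        # Session ended (EOF after a remote reboot) or never came up: wait,
        # then try again with a growing delay.
        sleep(delay)
        delay = next_backoff(delay, max_delay)
    return stats


class FlakyConnector:
    """Constructed stand-in for the ssh channel: refuses twice, then delivers
    SAMPLE_LINES once, as a rebooting host would."""
    def __init__(self, failures=2):
        self.failures = failures

    def __call__(self):
        if self.failures > 0:
            self.failures -= 1
            raise ConnectionRefusedError("constructed: remote host still rebooting")
        return iter(SAMPLE_LINES)


def run_demo():
    """Offline run against the constructed connector; returns (stats, events)."""
    events = []
    stats = follow_remote(FlakyConnector(), events.append,
                          max_attempts=3, sleep=lambda _s: None)
    return stats, events


if __name__ == "__main__":
    demo_stats, demo_events = run_demo()
    for ev in demo_events:
        print(ev["prog"], "->", ev["msg"])
    print(demo_stats)
```

To run it against a real host, replace `FlakyConnector()` with `make_ssh_connector("user@10.10.4.70", "/var/log/auth.log")` (hypothetical values) and drop `max_attempts`; the only state the loop carries across reconnects is the backoff delay, so a remote reboot costs a few seconds of retries rather than a restart of the agent.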
This discussion has been closed.