
I Can't get arpwatch working

pegasepegase

Entry Level
edited December 2012 in AlienVault USM Appliance > Sensor
I have many sensors and one server. Everything seems to work pretty well except arpwatch.
I used ossim-setup to activate the plugin, and I'm using the latest release.

When starting it manually, I can see events (most of them are flip flop).
Sensor-Clients:/var/log/ossim# /usr/sbin/arpwatch_eth0 -d -d -i eth0 -f /var/lib/arpwatch/arp-eth0.dat
arpwatch_eth0: flip flop 10.0.2.1 07:00:27:30:31:86 (00:0c:21:83:b2:d5) eth0
arpwatch_eth0: flip flop 10.0.2.1 00:0c:21:83:b2:d5 (07:00:27:30:31:86) eth0
These events are written to the file /var/log/ossim/arpwatch-eth0.log.

The regex in /etc/ossim/agent/plugins/arpwatch_eth0.cfg seems to be good:
regexp="arpwatch.*?: flip flop (\IPV4) (\MAC) \((\MAC)\) (\S+)"

In the agent.log file, there is only:
2012-11-12 17:13:51,390 Output [INFO]: idm-event ip="10.0.3.1" mac="07:00:27:30:31:86" inventory_source="13"
2012-11-12 17:13:57,258 Output [INFO]: idm-event ip="10.0.3.1" mac="00:0c:21:83:b2:d5" inventory_source="13"

Nothing seems to happen on the server.

What can I check next? OSSEC rules? I can't see the link between the plugin file regex and the OSSEC rules...
I don't know whether the plugin works at all. Any help would be appreciated!

Thanks
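A quick way to check the first link in that chain, the plugin regex against the lines arpwatch actually writes, is to run the regexp from arpwatch_eth0.cfg over the log file outside the agent. The script below is an added example for this thread, not code from the original post or from the AlienVault agent. It assumes expansions for the agent's \IPV4 and \MAC macros that approximate the real ones (the agent's own definitions may differ slightly), and the sample log lines are constructed: two copy the flip flop format shown above, one is a "new station" line that should not match. The last function goes one step beyond the post and groups the matched events by IP, which is the view you want when deciding whether a flip flop is a legitimate failover or an ARP-spoofing attempt.

```python
import re

# Assumed expansions for the OSSIM agent's \IPV4 and \MAC regexp macros.
# These approximate the agent's built-in macros; they are not copied from it.
MACROS = {
    r"\IPV4": r"(?:\d{1,3}\.){3}\d{1,3}",
    r"\MAC": r"(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}",
}

# The regexp exactly as it appears in /etc/ossim/agent/plugins/arpwatch_eth0.cfg
# in the post above.
PLUGIN_REGEXP = r"arpwatch.*?: flip flop (\IPV4) (\MAC) \((\MAC)\) (\S+)"

# Constructed sample of /var/log/ossim/arpwatch-eth0.log: two flip flop lines
# in the format quoted in the post, plus one "new station" line that the
# flip flop regexp must ignore.
SAMPLE_LOG = [
    "arpwatch_eth0: flip flop 10.0.2.1 07:00:27:30:31:86 (00:0c:21:83:b2:d5) eth0",
    "arpwatch_eth0: new station 10.0.2.50 00:0c:29:aa:bb:cc eth0",
    "arpwatch_eth0: flip flop 10.0.2.1 00:0c:21:83:b2:d5 (07:00:27:30:31:86) eth0",
]


def expand_macros(pattern):
    """Replace the agent-style \\IPV4 / \\MAC macros with plain regex."""
    for macro, expansion in MACROS.items():
        pattern = pattern.replace(macro, expansion)
    return pattern


def parse_flip_flops(lines, regexp=PLUGIN_REGEXP):
    """Apply the plugin regexp to each log line; return one dict per match.

    Group order follows the regexp: IP, MAC now claiming the IP, MAC it
    replaced (in parentheses), interface.
    """
    compiled = re.compile(expand_macros(regexp))
    events = []
    for line in lines:
        m = compiled.search(line)
        if not m:
            continue  # not a flip flop line; the plugin would not fire on it
        ip, new_mac, old_mac, iface = m.groups()
        events.append(
            {"ip": ip, "mac": new_mac, "old_mac": old_mac, "interface": iface}
        )
    return events


def macs_per_ip(events):
    """Group every MAC seen claiming each IP; more than one MAC per IP is
    the pattern that distinguishes a spoofing attempt (or a noisy failover
    pair) from a one-off address change."""
    seen = {}
    for ev in events:
        seen.setdefault(ev["ip"], set()).update({ev["mac"], ev["old_mac"]})
    return seen


if __name__ == "__main__":
    matched = parse_flip_flops(SAMPLE_LOG)
    print(f"{len(matched)} of {len(SAMPLE_LOG)} lines matched the plugin regexp")
    for ev in matched:
        print(ev)
    for ip, macs in macs_per_ip(matched).items():
        print(f"{ip}: {len(macs)} MACs -> {sorted(macs)}")
```

If this reports zero matches against the real log, the problem is the regexp or the macro expansion; if it matches but nothing reaches the server, the regexp is fine and the next things to look at are the plugin's enable/location settings and the agent's connection to the server, which this script does not cover.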