
Custom Plugins not showing up in GUI SIEM Data Source (one does, one doesn't, and they're identical)

tobrien

These are both MSSQL queries

In one custom plugin it works. In the second custom plugin (copied word for word, character for character, but with the required change to the name and Plugin ID #) it doesn't work.

I checked and double checked the event source table in the GUI (Config->Threat Int->Data Source->mycustomplugin#2).
I checked and double checked the SQL query strings both in the plugin and in MS SQL Server Studio (to make sure they are accurate).
I don't see any errors in /var/log/alienvault/agent/agent.log (both plugins seem to be running).


I reviewed the forums and saw that headers are very important, so I made sure they were both accurate and the same (apart from the name and PID#).


I am at a complete loss on where to look.

Thanks for the help
Tim


Best Answer

  • Answer ✓
    Hi tobrien,

    since the agent says that the plugin is "correct" (enabled != correct), a couple of things might be happening here:

    1. Assuming the queries are correct, which you said they are, do you have an SQL file associated with your second custom plugin? If you change the ID of the plugin you can't use the same SQL (for obvious reasons).

    On this note, you can have 2 plugins (.cfg files) with the same plugin ID; that only means they will reach for the same SQL file.

    2. If the SQL file is right, enabled and everything else, try to access the DB; you can do so by typing "ossim-db":

    VirtualUSMAllInOne:~# ossim-db
    Welcome to the MySQL monitor.  Commands end with ; or \g.
    Your MySQL connection id is 82698
    Server version: 5.6.25-73.1 Percona Server (GPL), Release 73.1, Revision 07b797f

    Copyright (c) 2009-2015 Percona LLC and/or its affiliates
    Copyright (c) 2000, 2015, Oracle and/or its affiliates. All rights reserved.

    Oracle is a registered trademark of Oracle Corporation and/or its
    affiliates. Other names may be trademarks of their respective
    owners.

    Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

    mysql>

    From there a query like this will show you if you have the plugin in the DB (change the ID for yours):

    mysql> select * from plugin where id=1750;
    +------------------+------+------+----------------+----------------+--------------+------------+
    | ctx              | id   | type | name           | description    | product_type | vendor     |
    +------------------+------+------+----------------+----------------+--------------+------------+
    |                  | 1750 |    1 | sourcefire-ids | Sourcefire IDS |           13 | Sourcefire |
    +------------------+------+------+----------------+----------------+--------------+------------+
    1 row in set (0.00 sec)

    mysql>

    3. Maybe the plugin is enabled BUT the rule is incorrect (might happen.. really!), so open your ossim agent configuration file and enable debug mode:

    /etc/ossim/agent/config.cfg

    [log]
    verbose=debug

    Then tail your agent.log file again and see what you get there.
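Steps 1 and 2 above boil down to one consistency check: the plugin_id in each custom .cfg must have a matching row in the plugin table, and a copied .cfg with a new ID needs its own SQL file before the SIEM can attribute its events. The following script is an added example, not code from the thread or from AlienVault; it assumes the .cfg keeps plugin_id under [DEFAULT] and enable under [config], uses constructed .cfg bodies and constructed plugin rows shaped like the query output quoted above, and the INSERT it builds uses only the column names visible in that output (a real plugin SQL file also carries plugin_sid rows, which this thread does not show).

```python
import configparser

# Constructed sample: two custom plugin .cfg bodies, the second copied from the
# first with only the plugin_id changed, as in the question. The [DEFAULT]
# plugin_id / [config] enable layout is an assumption about the agent's format.
SAMPLE_CFGS = {
    "edtdom.cfg": (
        "[DEFAULT]\n"
        "plugin_id=9001\n"
        "\n"
        "[config]\n"
        "type=detector\n"
        "enable=yes\n"
        "source=database\n"
        "source_type=mssql\n"
    ),
    "edttemplog.cfg": (
        "[DEFAULT]\n"
        "plugin_id=9002\n"
        "\n"
        "[config]\n"
        "type=detector\n"
        "enable=yes\n"
        "source=database\n"
        "source_type=mssql\n"
    ),
}

# Constructed rows shaped like the `select * from plugin` output in the answer;
# only the first custom plugin was ever registered (its SQL file was loaded).
SAMPLE_PLUGIN_TABLE = [
    {"id": 1750, "type": 1, "name": "sourcefire-ids", "description": "Sourcefire IDS"},
    {"id": 9001, "type": 1, "name": "edtdom", "description": "custom MSSQL plugin"},
]


def parse_plugin_cfg(text):
    """Return (plugin_id, enabled) from a plugin .cfg body."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    plugin_id = int(cp["DEFAULT"]["plugin_id"])
    enabled = cp.get("config", "enable", fallback="yes").strip().lower() == "yes"
    return plugin_id, enabled


def audit_plugins(cfg_texts, plugin_rows):
    """Cross-check every .cfg against the rows of the plugin table.

    Returns {cfg_name: {"plugin_id", "enabled", "status", "shares_id_with"}}
    where status is "disabled", "unregistered" (no plugin row for that id, so
    the SIEM cannot attribute its events) or "ok". Sharing one id between two
    .cfg files is allowed (they use the same SQL file) and is only reported.
    """
    registered = {row["id"] for row in plugin_rows}
    by_id = {}
    report = {}
    for cfg_name, text in cfg_texts.items():
        plugin_id, enabled = parse_plugin_cfg(text)
        if not enabled:
            status = "disabled"
        elif plugin_id not in registered:
            status = "unregistered"
        else:
            status = "ok"
        report[cfg_name] = {"plugin_id": plugin_id, "enabled": enabled, "status": status}
        by_id.setdefault(plugin_id, []).append(cfg_name)
    for cfg_name, info in report.items():
        info["shares_id_with"] = [n for n in by_id[info["plugin_id"]] if n != cfg_name]
    return report


def registration_sql(plugin_id, name, description, plugin_type=1):
    """Build the plugin-table INSERT a missing id needs (statement shape is an
    assumption; column names come from the query output quoted in the answer)."""
    def esc(s):
        return s.replace("'", "''")
    return (
        "INSERT INTO plugin (id, type, name, description) VALUES "
        f"({int(plugin_id)}, {int(plugin_type)}, '{esc(name)}', '{esc(description)}');"
    )


if __name__ == "__main__":
    for cfg, info in audit_plugins(SAMPLE_CFGS, SAMPLE_PLUGIN_TABLE).items():
        print(f"{cfg}: plugin_id={info['plugin_id']} {info['status']}")
        if info["status"] == "unregistered":
            print("  ", registration_sql(info["plugin_id"], cfg[:-4], "custom plugin"))
```

Run against the constructed input, the copied plugin (id 9002) is reported as unregistered while the original (id 9001) is ok, which is exactly the asymmetry the question describes: identical .cfg files, but only one id present in the plugin table.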

Answers

  • Is there a simple way to query the OSSIM DB outside of the SIEM, where I can see what if any events are being captured?
  • tobrien,

    The datasource shows on the SIEM page if there are any events within the time period specified on the page. If the datasource is not showing in the dropdown, then there are no events within that period.

    You could tail the log /var/log/alienvault/agent/agent.log to see if there are any errors being generated by the plugin.
  • Thanks KCOE for the reply. I have been tailing /var/log/alienvault/agent/agent.log and I'm seeing no errors. The two plugins both say:

    Oct 21 15:33:46 alienvault ossim-agent: Alienvault-Agent[INFO]: WatchDog[4801]  plugin (edtdom) has an unknown state
    Oct 21 15:33:46 alienvault ossim-agent: Alienvault-Agent[INFO]: WatchDog[4801]  plugin (edtdom) is enabled
    Oct 21 15:33:46 alienvault ossim-agent: Alienvault-Agent[INFO]: WatchDog[4801] Checking process  for plugin edttemplog
    Oct 21 15:33:46 alienvault ossim-agent: Alienvault-Agent[INFO]: WatchDog[4801]  plugin (edttemplog) has an unknown state
    Oct 21 15:33:46 alienvault ossim-agent: Alienvault-Agent[INFO]: WatchDog[4801]  plugin (edttemplog) is enabled

    in short, both say
    1) checking process
    2) has an unknown state
    3) is enabled.

    Again one works, the other does not.

  • Hello,
    please, I have the same problem:
    Watchdog [DEBUG]: Checking process rsyslog for plugin bind.
    Watchdog [DEBUG]: plugin (bind) is not running
    [DEBUG]: plugin (bind) is enabled

    Thank you

  • Thanks for the good comments on the suggestions. I know a lot more.
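The WatchDog lines quoted in tobrien's reply and in the later "bind" comment are worth folding into one record per plugin, because they show why tailing agent.log did not separate the working plugin from the broken one: "is enabled" and "has an unknown state" are independent messages, and a database plugin has no process for the watchdog to check, so both plugins log identically. The script below is an added example, not code from the thread or from AlienVault; it parses constructed lines in the two shapes quoted above (syslog-prefixed agent.log lines and bare "[DEBUG]" lines) and only treats a plugin as positively confirmed when the watchdog saw it enabled and running.

```python
import re

# Constructed sample: WatchDog lines in the two shapes quoted in this thread.
SAMPLE_LOG = """\
Oct 21 15:33:46 alienvault ossim-agent: Alienvault-Agent[INFO]: WatchDog[4801] Checking process  for plugin edtdom
Oct 21 15:33:46 alienvault ossim-agent: Alienvault-Agent[INFO]: WatchDog[4801]  plugin (edtdom) has an unknown state
Oct 21 15:33:46 alienvault ossim-agent: Alienvault-Agent[INFO]: WatchDog[4801]  plugin (edtdom) is enabled
Oct 21 15:33:46 alienvault ossim-agent: Alienvault-Agent[INFO]: WatchDog[4801] Checking process  for plugin edttemplog
Oct 21 15:33:46 alienvault ossim-agent: Alienvault-Agent[INFO]: WatchDog[4801]  plugin (edttemplog) has an unknown state
Oct 21 15:33:46 alienvault ossim-agent: Alienvault-Agent[INFO]: WatchDog[4801]  plugin (edttemplog) is enabled
Watchdog [DEBUG]: Checking process rsyslog for plugin bind.
Watchdog [DEBUG]: plugin (bind) is not running
[DEBUG]: plugin (bind) is enabled
"""

# "Checking process <proc> for plugin <name>"; proc is empty for database plugins.
CHECK_RE = re.compile(r"Checking process\s*(?P<proc>\S*?)\s*for plugin (?P<plugin>[\w-]+)\.?$")
# "plugin (<name>) <message>"
STATE_RE = re.compile(r"plugin \((?P<plugin>[\w-]+)\) (?P<msg>.+?)\s*$")

STATE_MESSAGES = {
    "has an unknown state": "unknown",
    "is not running": "not running",
    "is running": "running",
}


def summarize_watchdog(log_text):
    """Fold WatchDog lines into {plugin: {"process", "enabled", "state"}}.

    process is the checked process name or None, enabled is True/False/None,
    state is "unknown", "not running", "running" or "unchecked".
    """
    plugins = {}

    def record(name):
        return plugins.setdefault(name, {"process": None, "enabled": None, "state": "unchecked"})

    for raw in log_text.splitlines():
        line = raw.strip()
        m = CHECK_RE.search(line)
        if m:
            record(m.group("plugin"))["process"] = m.group("proc") or None
            continue
        m = STATE_RE.search(line)
        if not m:
            continue
        rec = record(m.group("plugin"))
        msg = m.group("msg")
        if msg == "is enabled":
            rec["enabled"] = True
        elif msg == "is disabled":
            rec["enabled"] = False
        elif msg in STATE_MESSAGES:
            rec["state"] = STATE_MESSAGES[msg]
    return plugins


def confirmed_healthy(rec):
    """True only when the watchdog positively saw the plugin enabled and running.
    'is enabled' plus 'has an unknown state' is not a confirmation, which is why
    the two plugins in the thread log the same lines although only one delivers events."""
    return rec["enabled"] is True and rec["state"] == "running"


if __name__ == "__main__":
    for name, rec in summarize_watchdog(SAMPLE_LOG).items():
        print(f"{name}: {rec} confirmed={confirmed_healthy(rec)}")
```

On the constructed lines the records for edtdom and edttemplog come out identical (no process, enabled, state unknown), so nothing in these messages can point at the failing plugin; the bind plugin at least gets a definite "not running" because it has a process (rsyslog) the watchdog can check.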