
OSSIM agent plugins stop parsing logs

ol.batard
Hi,

We have an issue (OSSIM 5.3.7) when some plugins don't succeed in parsing a log. If a regex, for any reason, tries to parse a wrong log line, the plugin stops processing the log file. The only way to recover is to restart ossim-agent.

Regards,


Comments

  • Hi,

    The exact issue is that when a plugin parses a log and gets a string sid instead of an integer, the plugin crashes and stops working.
    It's a major issue!
  • @ol.batard Which plugin is causing the trouble? Also could you paste some log lines that you've detected are causing the issue as well as some valid log lines?


  • Hi, 

    Example with the netscreen-firewall.cfg.

    #   Generic rule
    [9999 - netscreen-firewall - Generic Rule]
    regexp="^(?P<date>\S+\s+\d+\s+\d+:\d+:\d+)\s+(?P<sensor>\S+).*?-(?P<sid>\w+-\d+)"
    event_type=event
    plugin_sid={translate($sid)}
    device={$sensor}
    date={normalize_date($date)}

    If $sid contains a string, the translation cannot be done. The plugin logs an error with the message "
  • @ol.batard That's highly unlikely; the translation function looks up strings in the translate sections, and if no match is found, it goes for:


    # Default
    _DEFAULT_ = 20000000
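A simplified model of the translate() fallback this reply describes, added here as an illustration and not code from the OSSIM agent or from the AlienVault netscreen-firewall plugin: it applies the regexp quoted above to a few constructed NetScreen-style syslog lines and contrasts a translation table with and without `_DEFAULT_`, and a log reader that aborts at the first bad line with one that records the error and continues. The sample lines, the translation tables, the `translate`/`build_event`/`process_lines` names and the abort-versus-skip behaviour are all assumptions made for the example.

```python
"""Toy model of an OSSIM-agent-style plugin rule with a translate() fallback.

Added example, not the OSSIM agent's own code. It mimics three fields of the
rule quoted in the thread (regexp, plugin_sid={translate($sid)}, device={$sensor})
and shows what changes when the translation table has no _DEFAULT_ key.
"""
import re

# Regex copied from the netscreen-firewall.cfg "Generic Rule" quoted in the thread.
RULE_REGEXP = re.compile(
    r"^(?P<date>\S+\s+\d+\s+\d+:\d+:\d+)\s+(?P<sensor>\S+).*?-(?P<sid>\w+-\d+)"
)

# Constructed sample lines in a NetScreen-like syslog layout (not real traffic).
SAMPLE_LINES = [
    'Sep 12 10:15:01 fw01 ns5gt: NetScreen device_id=ns5gt [Root]system-notification-00257(traffic): start_time="2017-09-12 10:15:00" duration=0 policy_id=1',
    "Sep 12 10:15:02 fw01 ns5gt: NetScreen device_id=ns5gt [Root]system-alert-00017: SYN flood! From 203.0.113.5:1234 to 192.0.2.10:80",
    "Sep 12 10:15:03 fw01 ns5gt: NetScreen device_id=ns5gt [Root]system-critical-00005: Unknown",
    "Sep 12 10:15:04 fw01 last message repeated 2 times",  # no "<word>-<digits>" sid: regex does not match
]

# Constructed translation tables (assumption: a real plugin keeps these in its
# [translation] section). "alert-00017" is deliberately missing from both.
TRANSLATION_NO_DEFAULT = {"notification-00257": 257, "critical-00005": 5}
TRANSLATION_WITH_DEFAULT = dict(TRANSLATION_NO_DEFAULT, _DEFAULT_=20000000)


def translate(value, table):
    """Look up value in the table; fall back to _DEFAULT_ if present.

    Assumption for the model: with no match and no _DEFAULT_ the raw string is
    returned untranslated, so a non-integer plugin_sid reaches event building.
    """
    if value in table:
        return table[value]
    if "_DEFAULT_" in table:
        return table["_DEFAULT_"]
    return value


def build_event(line, table):
    """Apply the rule to one line.

    Returns an event dict, or None when the regexp does not match (a non-matching
    line is skipped, not an error). Raises ValueError when plugin_sid is not an
    integer, the condition the reporter describes.
    """
    m = RULE_REGEXP.match(line)
    if m is None:
        return None
    plugin_sid = translate(m.group("sid"), table)
    if not isinstance(plugin_sid, int):
        raise ValueError(
            f"plugin_sid {plugin_sid!r} is not an integer (sid={m.group('sid')!r})"
        )
    return {"plugin_sid": plugin_sid, "device": m.group("sensor"), "date": m.group("date")}


def process_lines(lines, table, skip_bad_lines=False):
    """Run the rule over a log feed and return (events, errors).

    skip_bad_lines=False models a reader that stops at the first bad line, so
    every later line is lost until the agent is restarted; skip_bad_lines=True
    records the error as (line number, message) and keeps going.
    """
    events, errors = [], []
    for lineno, line in enumerate(lines, 1):
        try:
            event = build_event(line, table)
        except ValueError as exc:
            errors.append((lineno, str(exc)))
            if not skip_bad_lines:
                break
            continue
        if event is not None:
            events.append(event)
    return events, errors


if __name__ == "__main__":
    for label, table, skip in [
        ("no _DEFAULT_, abort on error", TRANSLATION_NO_DEFAULT, False),
        ("no _DEFAULT_, skip bad lines", TRANSLATION_NO_DEFAULT, True),
        ("with _DEFAULT_", TRANSLATION_WITH_DEFAULT, False),
    ]:
        events, errors = process_lines(SAMPLE_LINES, table, skip_bad_lines=skip)
        print(f"{label}: sids={[e['plugin_sid'] for e in events]} errors={errors}")
```

Running it shows the difference the reply is pointing at: without `_DEFAULT_` the untranslatable "alert-00017" line stops the feed after the first event (or, with skipping, costs only that one event), while with `_DEFAULT_` every matching line yields an event and the unknown sid becomes 20000000.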
  • Indeed.

    You mark the point!

    This option is very, very important. Without it, plugins stop parsing any logs if they cannot translate.

    Thanks.
  • Hmm, unfortunately, my issue persists.
    I didn't see any error in agent.log or server.log.

    I have no idea anymore how to troubleshoot.