I opened support case #844744 and received the following response:
31 Jul 2015 07:21:00
Thank you for contacting SolarWinds Technical Support.
My name is Khaled and I will be working on this case with you.
Can you see the agent on LEM Console (Manage > Node) ?
Can you verify
- The LEM Agent service is running
- A firewall is not blocking the connection
37890-37892: Traffic from LEM Agents to the LEM appliance
37893-37896: Traffic from the LEM appliance to LEM Agents
- The LEM Agent is running the current version of the software
To check the version of a LEM Agent: Open the most recent copy of spoplog.txt
Can you send me this file "spoplog.txt" can be under
Please let me know if this helps or if you require further assistance.
SolarWinds Technical Support
This type of canned response always gets under my skin, so my reply was a little preachy and I will leave that piece out. Here is what I have found so far:
31 Jul 2015 01:57:00
The service is not running...
root@hostname:/var/tmp# ps ax | grep contego
26487 pts/0 S+ 0:00 grep contego
The service cannot be started...
root@hostname:/var/tmp# sudo /etc/init.d/swlem-agent start.
sudo: /etc/init.d/swlem-agent: command not found
And the spoplog.txt file is empty...
root@hostname:/usr/local/contego/ContegoSPOP# ls -l | grep spoplog.txt
-rwxrwxr-x 1 root root 0 Jul 31 12:58 spoplog.txt
root@hostname:/usr/local/contego/ContegoSPOP# more spoplog.txt
So, I poked around and found this...
root@hostname:/usr/local/contego/ContegoSPOP# more linuxServiceScript
# This script will setup up the spop to run on boot.
# First move the ContegoSpop executable to /etc/init.d.
cp /usr/local/contego/ContegoSPOP/swlem-agent /etc/init.d/swlem-agent
chmod -R 775 /usr/local/contego/ContegoSPOP/jre_1.6.0_26/bin
# Now move into /etc.
# Make links to the executable in run levels 2 through 5
ln -s ../init.d/swlem-agent ./rc2.d/S80AgentStart
ln -s ../init.d/swlem-agent ./rc3.d/S80AgentStart
ln -s ../init.d/swlem-agent ./rc4.d/S80AgentStart
ln -s ../init.d/swlem-agent ./rc5.d/S80AgentStart
# Now stop any legacy spops and remove any startup files they have.
rm -f /etc/init.d/contego-spop
rm -f /etc/init.d/trigeo-agent
rm -f /etc/rc2.d/S80SpopStart
rm -f /etc/rc3.d/S80SpopStart
rm -f /etc/rc4.d/S80SpopStart
rm -f /etc/rc5.d/S80SpopStart
# Start the spop.
Even though this is something that I would expect to be executed during initial setup, I attempted to run the script and here are the results:
cp: cannot create regular file `/etc/init.d/swlem-agent': No such file or directory
chmod: cannot access `/usr/local/contego/ContegoSPOP/jre_1.6.0_26/bin': No such file or directory
rm: cannot remove `/etc/init.d/trigeo-agent': No such file or directory
ln: creating symbolic link `./rc2.d/S80AgentStart': No such file or directory
ln: creating symbolic link `./rc3.d/S80AgentStart': No such file or directory
ln: creating symbolic link `./rc4.d/S80AgentStart': No such file or directory
ln: creating symbolic link `./rc5.d/S80AgentStart': No such file or directory
./linuxServiceScript: line 19: /etc/init.d/contego-spop: No such file or directory
./linuxServiceScript: line 20: /etc/init.d/trigeo-agent: No such file or directory
It would appear to me that this Linux agent is incompatible with our Sourcefire Defense Center servers running the following OS and software:
Sourcefire Linux OS v4.10.0 (build 786)
Sourcefire Defense Center 1500 v126.96.36.199 (build 13)
Can you please confirm this? If confirmed can you please provide clear direction on the next steps to get logs from these servers to LEM? Are there steps we can take to make this Linux agent work? If not, can support provide an agent that is compatible? If no agent is available, is our only option to configure these servers as syslog nodes? How is that accomplished?
Justin T. Lewis
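As an added example (not code from the thread, SolarWinds or Sourcefire), the following shell script checks the three items support asked about and, first, the SysV init layout and bundled JRE that the vendor's linuxServiceScript assumes, so a host like the Defense Center fails fast with a clear message instead of the cp/chmod/ln errors shown above. The appliance host argument and the optional root-prefix parameter of sysv_prereqs_ok are my assumptions; the paths and ports are the ones quoted in the thread.

```shell
#!/usr/bin/env bash
# Added example, not the vendor's linuxServiceScript. Preflight for the LEM Linux
# agent: verify the directories/files the installer assumes, then answer support's
# checklist (process up, spoplog.txt non-empty, agent->appliance ports reachable).
# $1 = LEM appliance host (assumed argument, not from the thread).
set -u

AGENT_DIR=/usr/local/contego/ContegoSPOP
JRE_BIN=$AGENT_DIR/jre_1.6.0_26/bin
LOG=$AGENT_DIR/spoplog.txt

# Report every missing directory or file the vendor script assumes; return 1 if any.
# Optional $1 is a root prefix so the check can be run against a staging tree.
sysv_prereqs_ok() {
  local root=${1:-} missing=0 d
  for d in /etc/init.d /etc/rc2.d /etc/rc3.d /etc/rc4.d /etc/rc5.d; do
    [ -d "$root$d" ] || { echo "missing directory: $d"; missing=1; }
  done
  [ -d "$root$JRE_BIN" ] || { echo "missing bundled JRE: $JRE_BIN"; missing=1; }
  [ -f "$root$AGENT_DIR/swlem-agent" ] || { echo "missing init script source: $AGENT_DIR/swlem-agent"; missing=1; }
  return $missing
}

# Support's checklist: is the agent process up, and is spoplog.txt non-empty?
agent_running()   { pgrep -f contego >/dev/null 2>&1; }
log_has_content() { [ -s "${1:-$LOG}" ]; }

# Agent -> appliance ports 37890-37892 from the support reply; bash /dev/tcp, 2 s timeout.
port_open() { timeout 2 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null; }
check_ports() {
  local host=$1 rc=0 p
  for p in 37890 37891 37892; do
    port_open "$host" "$p" && echo "$host:$p reachable" || { echo "$host:$p NOT reachable"; rc=1; }
  done
  return $rc
}

main() {
  if ! sysv_prereqs_ok; then
    echo "This host lacks the SysV init layout or bundled JRE the agent installer expects;"
    echo "send syslog from it to the LEM appliance instead of installing the agent."
    return 2
  fi
  agent_running   && echo "agent process: running"   || echo "agent process: NOT running"
  log_has_content && echo "spoplog.txt: has content" || echo "spoplog.txt: empty or missing"
  check_ports "$1"
}

# Only run the checks when an appliance host is given, so the functions can also be sourced.
if [ $# -eq 1 ]; then main "$1"; fi
```

Run it on the agent host as root with the LEM appliance address as the only argument; a non-zero return from the preflight is the same condition the thread hit when the installer could not create /etc/init.d/swlem-agent.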
Looking at the Sourcefire 3D connector, it appears we're expecting you to just send syslog from the devices to the LEM virtual appliance, not use the Agent. It could be that Sourcefire doesn't have all the components needed for the LEM Agent for security or simplicity reasons.
Thank you for the reply. That is very helpful information. I just checked the Sourcefire 3D System User Guide for v4.10.3 and found the appropriate procedure for configuring syslog.
For anyone who it may help the procedure is as follows:
1. Select Policy & Response > IPS > Intrusion Policy. The Intrusion Policy page appears.
2. Click Edit next to the policy you want to edit. If you have unsaved changes in another policy, click OK to discard those changes and continue. To save the changes, click Cancel, open the other policy and commit your changes, then return to the beginning of this procedure. See Committing Intrusion Policy Changes on page 347 for information on saving unsaved changes in another policy. The Policy Information page appears.
3. Click Advanced Settings in the navigation panel on the left. The Advanced Settings page appears.
4. You have two choices, depending on whether Syslog Alerting under External Responses is enabled:
   - If the configuration is enabled, click Edit.
   - If the configuration is disabled, click Enabled, then click Edit.
   The Syslog Alerting page appears.
*A message at the bottom of the page identifies the intrusion policy layer that contains the configuration. See Using Layers in an Intrusion Policy on page 498 for more information.
5. Optionally, in the Logging Hosts field, enter the remote access IP address you want to specify as logging host. Separate multiple hosts with commas.
6. Select facility and priority levels from the drop-down lists. See Using Syslog Responses on page 796 for details on facility and priority options.
7. You have the following options:
- You can continue editing your policy. See Editing an Intrusion Policy on page 343 for descriptions of other intrusion policy settings you can modify.
- You can remove all saved and unsaved changes on this page by reverting to the default configuration settings in the base policy. Click Revert to Defaults, then click OK at the prompt. See Understanding the Base Policy on page 363 for more information.
- You can save your changes at this time. If necessary, click Policy Information in the navigation panel on the left side of the page to return to the Policy Information page, then click Commit Changes. The Intrusion Policy page appears. See Committing Intrusion Policy Changes on page 347 for descriptions of prompts you might encounter when you save your changes. You must apply your policy to the appropriate detection engines to put your changes into effect. See Applying an Intrusion Policy on page 349.
- You can discard all unsaved changes. If necessary, click Policy Information in the navigation panel on the left side of the page to return to the Policy Information page, then click Discard Changes; click OK to discard your changes and go to the Intrusion Policy page, or click Cancel to keep your changes and return to the Policy Information page.
- You can exit the policy, leaving your changes in the system cache. On exiting, click Leave page when prompted, or click Stay on page to remain in the advanced editor. See Committing Intrusion Policy Changes on page 347 for information on how the system caches one policy per user.