9 Replies Latest reply on Mar 22, 2017 9:19 AM by tommie.roetz

    LEM Linux agent connects but no logs

    brian.chaffins

I am struggling with getting an Open SuSE Linux server to log to my LEM.

       

      Details:

      • LEM 5.4
      • Linux Client 5.3.1
      • Linux OpenSuSE 11.2

       

      It installed and even connected to the console. I created the Pam, Audit and Apache tools and they start with no problems.

       

      netstat shows the established connection to my LEM

       

      But I get NO log traffic at all.

       

      This server is across a Firewall and I believe I have the proper ports open, 37890 & 37892

       

      Still nothing.

       

      Any idea what I might be missing?

       

      Thanks

      Brian

        • Re: LEM Linux agent connects but no logs
          nicole pauls

          Hmm, my first guess would be that the default logging path for those tools doesn't match your system.

           

          From a little digging, it looks like

          • PAM is in /var/log/messages
• apache is in /var/log/apache2 (but I'm not sure of the filenames; they might be error_log and access_log instead of error.log and access.log)
          • auditd is in /var/log/audit/auditd.log

           

          Double check those paths then reconfigure the connectors to the SuSE-appropriate ones, see if that gets the data moving.

           

          If you've adjusted the path, other possibilities include...

          • If you've configured the agent to run as a user other than root, make sure that user can access the logs in question (often they are limited to root, adm, www-data, or other restricted groups).
• It's possible the data format is slightly varied from the format the connector was written for; we can take a closer look with log samples.
            • Re: LEM Linux agent connects but no logs
              brian.chaffins

              Thanks for the reply,

               

Ok, I changed the log file in the PAM tool to /var/log/messages and restarted it. I still get nothing in my "All Alerts" filter.

              Here's a clip from my messages log file. Also the service is running as root.

               

              And it looks like the service is attached:

              tcp    0 hermes:37894        192.168.100.2%427:37892 ESTABLISHED

               

              Sep 28 15:04:04 hermes sshd[6023]: pam_unix2(sshd:auth): pam_sm_authenticate() called

              Sep 28 15:04:04 hermes sshd[6023]: pam_unix2(sshd:auth): username=[bchaffins]

              Sep 28 15:04:06 hermes sshd[6023]: pam_unix2(sshd:auth): pam_sm_authenticate: PAM_SUCCESS

              Sep 28 15:04:06 hermes sshd[6023]: pam_unix2(sshd:account): pam_sm_acct_mgmt() called

              Sep 28 15:04:06 hermes sshd[6023]: pam_unix2(sshd:account): username=[bchaffins]

              Sep 28 15:04:06 hermes sshd[6023]: pam_unix2(sshd:account): expire() returned with 0

              Sep 28 15:04:06 hermes sshd[6018]: Accepted keyboard-interactive/pam for bchaffins from 192.168.100.50 port 52892 ssh2

              Sep 28 15:04:06 hermes sshd[6018]: pam_unix2(sshd:setcred): pam_sm_setcred() called

              Sep 28 15:04:06 hermes sshd[6018]: pam_unix2(sshd:setcred): username=[bchaffins]

              Sep 28 15:04:06 hermes sshd[6018]: pam_unix2(sshd:setcred): pam_sm_setcred: PAM_SUCCESS

              Sep 28 15:04:06 hermes sshd[6018]: pam_unix2(sshd:session): session started for user bchaffins: service=sshd, tty=ssh, rhost=192.168.100.50

              Sep 28 15:04:06 hermes sshd[6028]: pam_unix2(sshd:setcred): pam_sm_setcred() called

              Sep 28 15:04:06 hermes sshd[6028]: pam_unix2(sshd:setcred): username=[bchaffins]

              Sep 28 15:04:06 hermes sshd[6028]: pam_unix2(sshd:setcred): pam_sm_setcred: PAM_SUCCESS

              Sep 28 15:15:01 hermes /usr/sbin/cron[6509]: pam_unix2(crond:account): pam_sm_acct_mgmt() called

              Sep 28 15:15:01 hermes /usr/sbin/cron[6509]: pam_unix2(crond:account): username=[root]

              Sep 28 15:15:01 hermes /usr/sbin/cron[6509]: pam_unix2(crond:account): expire() returned with 0

              Sep 28 15:15:01 hermes /usr/sbin/cron[6509]: pam_unix2(crond:session): session started for user root: service=crond, tty=cron

              Sep 28 15:15:01 hermes /usr/sbin/cron[6509]: pam_unix2(crond:session): session finished for user root: service=crond, tty=cron

               

              Is there any documentation on the Linux Agent explaining what I might need to confirm?

               

              Thanks

              Brian

                • Re: LEM Linux agent connects but no logs
                  nicole pauls

                  Hey Brian,

                   

I had our dev team check your logs against the PAM integration, and they should be caught; you should be seeing UserLogon and UserLogoff alerts in Monitor.

                   

                  The Linux agent node shows online under Manage>Nodes? (Assuming yes, since you're messing with the tool configuration.)

                   

                  How are you verifying there is/isn't data coming in? Maybe it's there, but hiding? For that agent, you should at least see InternalToolOnline and InternalToolOffline alerts when you're starting/stopping the tool, and InternalAgentOnline/InternalAgentOffline when the agent connects/disconnects. Easiest way to do that is to create a filter that uses the "Any Alert" alert group and says something like "Any Alert.InsertionIP = <agent name or IP>".
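A constructed example (added here; not code from either poster or from the LEM agent) that normalises pam_unix2 session lines of the shape in Brian's /var/log/messages clip into the UserLogon / UserLogoff events the reply above says the PAM connector should produce, which gives you a local yardstick for how many alerts the InsertionIP filter ought to show. The field layout in the comment and the sample lines are assumptions modelled on the clip.

```shell
#!/bin/sh
# Constructed example: normalise pam_unix2 session lines of the shape shown in
# Brian's /var/log/messages clip into the UserLogon / UserLogoff events nicole
# says the PAM connector should emit. Field layout assumed (as in the clip):
#   Mon DD HH:MM:SS host prog[pid]: pam_unix2(svc:session): session started|finished for user NAME: service=S, tty=T[, rhost=R]
pam_sessions() {
    awk '
    /pam_unix2\([^)]*:session\): session (started|finished) for user / {
        event = ($8 == "started") ? "UserLogon" : "UserLogoff"
        user = $11; sub(/:$/, "", user)                      # strip trailing colon
        svc = "-"; if (match($0, /service=[^,]+/)) svc = substr($0, RSTART + 8, RLENGTH - 8)
        host = "-"; if (match($0, /rhost=[^, ]+/)) host = substr($0, RSTART + 6, RLENGTH - 6)
        # event, timestamp, user, service, source host; local sessions (cron) have no rhost
        printf "%s\t%s %s %s\t%s\t%s\t%s\n", event, $1, $2, $3, user, svc, host
    }' "$@"
}

# Constructed sample mirroring the thread (not a real capture); unrelated
# auth/setcred chatter is present so the filter has to skip it.
SAMPLE_LOG='Sep 28 15:04:04 hermes sshd[6023]: pam_unix2(sshd:auth): pam_sm_authenticate() called
Sep 28 15:04:06 hermes sshd[6018]: Accepted keyboard-interactive/pam for bchaffins from 192.168.100.50 port 52892 ssh2
Sep 28 15:04:06 hermes sshd[6018]: pam_unix2(sshd:session): session started for user bchaffins: service=sshd, tty=ssh, rhost=192.168.100.50
Sep 28 15:15:01 hermes /usr/sbin/cron[6509]: pam_unix2(crond:session): session started for user root: service=crond, tty=cron
Sep 28 15:15:01 hermes /usr/sbin/cron[6509]: pam_unix2(crond:session): session finished for user root: service=crond, tty=cron'

# Emits one event per session line; run it on a real file with: pam_sessions /var/log/messages
printf '%s\n' "$SAMPLE_LOG" | pam_sessions
```

If this prints logon/logoff rows for your file but Monitor stays empty, the gap is between the agent and the manager rather than in the log itself.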

                • Re: LEM Linux agent connects but no logs
                  brian.chaffins

                  I just reconfigured my rsyslog.conf to use the following:

                   

                  # Added

                  authpriv.*    /var/log/auth.log

                   

And now all PAM info is in the /var/log/auth.log file.

                   

I reconfigured the client tool to use that file and still no go.

                   

                  What am I missing?

                   

                  Brian

                    • Re: LEM Linux agent connects but no logs
                      evanr

                      What about setting up an alias on your connector?

[image: connector.JPG]

                       

                      Then call your new filter PAM.

[image: alias.JPG]

                      I know we had some issues where we had to point it to auth.log.1 then back to auth.log and it would start to log correctly again.  Not sure if there was an issue with the log rotation that day but it seemed to snap it back into place.
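A constructed diagnostic (added here; not any poster's script and not part of the LEM agent) that walks the SuSE log paths nicole listed earlier plus the auth.log Brian created, and reports each file as missing (noting a rotated sibling, the situation evanr describes), unreadable by the agent's user, stale, or OK. The agent user, the staleness threshold and the candidate list are assumptions, set via environment variables.

```shell
#!/bin/sh
# Constructed diagnostic for the "agent connects but no logs" case in this thread.
# Assumptions (mine, not from the page): the agent runs as $AGENT_USER, and the
# candidate files are the SuSE paths nicole listed plus Brian's auth.log.
AGENT_USER="${AGENT_USER:-root}"
STALE_SECS="${STALE_SECS:-3600}"   # treat a file untouched this long as suspect
CANDIDATES="/var/log/messages /var/log/auth.log /var/log/audit/auditd.log
/var/log/apache2/access_log /var/log/apache2/error_log
/var/log/apache2/access.log /var/log/apache2/error.log"

# Can $AGENT_USER open $1 for reading? su honours group membership (adm, www-data).
can_read() {
    if [ "$AGENT_USER" = root ]; then [ -r "$1" ]
    else su -s /bin/sh "$AGENT_USER" -c "test -r '$1'" 2>/dev/null; fi
}

# Returns 0 ok, 1 missing, 2 unreadable, 3 stale. Prints one line per file.
check_log_file() {
    f="$1"
    if [ ! -e "$f" ]; then
        # A rotated sibling hints the connector is bound to a name logrotate
        # just moved (evanr's auth.log.1 -> auth.log experience).
        for r in "$f.1" "$f.0" "$f-"* "$f.1.gz"; do
            if [ -e "$r" ]; then
                printf 'MISSING    %s (rotated copy present: %s)\n' "$f" "$r"; return 1
            fi
        done
        printf 'MISSING    %s\n' "$f"; return 1
    fi
    if ! can_read "$f"; then
        printf 'UNREADABLE %s by %s (mode %s)\n' "$f" "$AGENT_USER" "$(ls -l "$f" | cut -c1-10)"
        return 2
    fi
    mtime=$(stat -c %Y "$f" 2>/dev/null || stat -f %m "$f")
    age=$(( $(date +%s) - mtime ))
    if [ "$age" -gt "$STALE_SECS" ]; then
        printf 'STALE      %s (last write %ss ago; is syslog routing here?)\n' "$f" "$age"; return 3
    fi
    printf 'OK         %s\n' "$f"; return 0
}

# Walk every candidate; only files that exist, are readable and are being
# written can feed a connector, so each non-OK line is a lead to chase.
check_all() {
    problems=0
    for f in $CANDIDATES; do check_log_file "$f" || problems=$((problems + 1)); done
    echo "$problems of $(echo $CANDIDATES | wc -w) candidate files need attention"
}

check_all
```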

                  • Re: LEM Linux agent connects but no logs
                    mattrvbc

                    Hi Guys,

                     

I have a similar issue. I have the Linux agent running on a Ubuntu server which seems to be configured correctly, as it now appears as a managed node. The host in question reports that it last connected on the 31st July; however, I can't seem to find any logs for it within nDepth. With regards to connectors, these have been left in the default state except for me creating a connector for the Apache access.log file (/var/log/apache2/access.log), for which I can't seem to find any log information from within the console.

                     

                    LEM Appliance: V5.6.0

                     

Any suggestions welcome...

                     

                    Matt

                    • Re: LEM Linux agent connects but no logs
                      harshitj

                      I have the same issue with Linux Server.

                      • Re: LEM Linux agent connects but no logs
                        tommie.roetz

                        Delete the SPOP folder in the installation path: $ rm -R /usr/local/contego/ContegoSPOP/spop

                        Restart the agent: $ /etc/init.d/swlem-agent restart