4 Replies Latest reply on Jul 31, 2015 11:11 AM by justin.lewis

    Sourcefire LEM agent

    justin.lewis

      I installed the LEM 6.1.0 64-bit Linux agent on a client's Sourcefire Defense Center servers and I am unsure if the installation was truly successful. Both servers I performed the installation on reported the following error in the middle of the installation: "Fontconfig error: Cannot load default config file", but still stated that the installation was successful in the end. The logging traffic does not appear to be making it off of the Sourcefire servers, because I don't see any traffic from these servers heading for the LEM server when I check the firewalls. Can anyone suggest something I can check on the Sourcefire servers to confirm the agent installed correctly?

       


        • Re: Sourcefire LEM agent
          justin.lewis

          I opened support case #844744 and received the following response:

           

          31 Jul 2015 07:21:00

          Hi Justin

           

          Thank you for contacting SolarWinds Technical Support.

          My name is Khaled and I will be working on this case with you.

           

          Can you see the agent on LEM Console (Manage > Node) ?

           

          Can you verify:
          - The LEM Agent service is running
          - A firewall is not blocking the connection
              37890-37892: Traffic from LEM Agents to the LEM appliance
              37893-37896: Traffic from the LEM appliance to LEM Agents
          - The LEM Agent is running the current version of the software

                To check the version of a LEM Agent: Open the most recent copy of spoplog.txt under
                  /usr/local/contego/ContegoSPOP/

          Can you send me this file "spoplog.txt"? It can be found under
                /usr/local/contego/ContegoSPOP/

           

          Please let me know if this helps or if you require further assistance.

           

          Kind Regards,
          Khaled Mohamed
          SolarWinds Technical Support

            • Re: Sourcefire LEM agent
              justin.lewis

              This type of canned response always gets under my skin, so my reply was a little preachy and I will leave that piece out. Here is what I have found so far:

               

              31 Jul 2015 01:57:00

              The service is not running...

              root@hostname:/var/tmp# ps ax | grep contego
              26487 pts/0 S+ 0:00 grep contego

              The service cannot be started...

              root@hostname:/var/tmp# sudo /etc/init.d/swlem-agent start.
              sudo: /etc/init.d/swlem-agent: command not found

              And the spoplog.txt file is empty...

              root@hostname:/usr/local/contego/ContegoSPOP# ls -l | grep spoplog.txt
              -rwxrwxr-x 1 root root 0 Jul 31 12:58 spoplog.txt
              root@hostname:/usr/local/contego/ContegoSPOP# more spoplog.txt
              root@hostname:/usr/local/contego/ContegoSPOP#

               

              So, I poked around and found this...

              root@hostname:/usr/local/contego/ContegoSPOP# more linuxServiceScript
              #!/bin/sh
              #
              # This script will setup up the spop to run on boot.
              # First move the ContegoSpop executable to /etc/init.d.
              cp /usr/local/contego/ContegoSPOP/swlem-agent /etc/init.d/swlem-agent
              chmod -R 775 /usr/local/contego/ContegoSPOP/jre_1.6.0_26/bin
              rm /etc/init.d/trigeo-agent

              # Now move into /etc.
              cd /etc

              # Make links to the executable in run levels 2 through 5
              ln -s ../init.d/swlem-agent ./rc2.d/S80AgentStart
              ln -s ../init.d/swlem-agent ./rc3.d/S80AgentStart
              ln -s ../init.d/swlem-agent ./rc4.d/S80AgentStart
              ln -s ../init.d/swlem-agent ./rc5.d/S80AgentStart

              # Now stop any legacy spops and remove any startup files they have.
              /etc/init.d/contego-spop stop
              /etc/init.d/trigeo-agent stop
              rm -f /etc/init.d/contego-spop
              rm -f /etc/init.d/trigeo-agent
              rm -f /etc/rc2.d/S80SpopStart
              rm -f /etc/rc3.d/S80SpopStart
              rm -f /etc/rc4.d/S80SpopStart
              rm -f /etc/rc5.d/S80SpopStart

              # Start the spop.
              #/etc/init.d/swlem-agent start

               

              Even though this is something that I would expect to be executed during initial setup, I attempted to run the script and here are the results:

              root@hostname:/usr/local/contego/ContegoSPOP# ./linuxServiceScript
              cp: cannot create regular file `/etc/init.d/swlem-agent': No such file or directory
              chmod: cannot access `/usr/local/contego/ContegoSPOP/jre_1.6.0_26/bin': No such file or directory
              rm: cannot remove `/etc/init.d/trigeo-agent': No such file or directory
              ln: creating symbolic link `./rc2.d/S80AgentStart': No such file or directory
              ln: creating symbolic link `./rc3.d/S80AgentStart': No such file or directory
              ln: creating symbolic link `./rc4.d/S80AgentStart': No such file or directory
              ln: creating symbolic link `./rc5.d/S80AgentStart': No such file or directory
              ./linuxServiceScript: line 19: /etc/init.d/contego-spop: No such file or directory
              ./linuxServiceScript: line 20: /etc/init.d/trigeo-agent: No such file or directory

               

              It would appear to me that this Linux agent is incompatible with our Sourcefire Defense Center servers running the following OS and software:

              Sourcefire Linux OS v4.10.0 (build 786)
              Sourcefire Defense Center 1500 v4.10.3.10 (build 13)

              Can you please confirm this? If confirmed, can you please provide clear direction on the next steps to get logs from these servers to LEM? Are there steps we can take to make this Linux agent work? If not, can support provide an agent that is compatible? If no agent is available, is our only option to configure these servers as syslog nodes? How is that accomplished?

               

              Thank you,

              Justin T. Lewis
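              As an added example that is not part of this thread and not SolarWinds' own tooling, the following read-only shell check bundles the items from the support reply (agent service running, the 37890-37892 agent-to-appliance ports, a populated spoplog.txt) together with the rc2-rc5 S80AgentStart links that the vendor's linuxServiceScript is meant to create. Every path and port number is taken from the thread; the script assumes nc is installed for the port test, and LEM_HOST is a placeholder that must be set to the real appliance address.

```shell
#!/bin/sh
# Added example (not from the thread or from SolarWinds): read-only health
# check for the LEM Linux agent. Paths and ports are the ones quoted in the
# thread; LEM_HOST is a placeholder you must override.

SPOP_DIR="${SPOP_DIR:-/usr/local/contego/ContegoSPOP}"
INIT_SCRIPT="${INIT_SCRIPT:-/etc/init.d/swlem-agent}"
LEM_HOST="${LEM_HOST:-lem-appliance.example.invalid}"   # placeholder
AGENT_TO_LEM_PORTS="37890 37891 37892"                  # agent -> appliance, per the thread

# 0 if the init script the installer should have copied exists and is executable.
check_init_script() {
    [ -x "$1" ]
}

# 0 if an agent process is visible. Same as 'ps ax | grep contego', but
# without counting the grep itself, which was the only line Justin saw.
check_process() {
    ps ax 2>/dev/null | grep -v grep | grep -q contego
}

# 0 if $1/spoplog.txt exists and is non-empty. A zero-byte log, as in the
# thread, means the agent never started, not that it is quiet and healthy.
check_spoplog() {
    [ -s "$1/spoplog.txt" ]
}

# Prints the run levels (2-5) under the /etc tree $1 that lack the
# S80AgentStart link the vendor script creates; prints nothing if all exist.
missing_runlevel_links() {
    out=""
    for lvl in 2 3 4 5; do
        f="$1/rc$lvl.d/S80AgentStart"
        [ -L "$f" ] || [ -e "$f" ] || out="$out $lvl"
    done
    echo "${out# }"
}

# 0 if a TCP connection to $1:$2 succeeds, 1 if refused/blocked, 2 if nc is
# missing (assumes an nc that understands -z and -w, as OpenBSD/GNU nc do).
check_port() {
    command -v nc >/dev/null 2>&1 || return 2
    nc -z -w 3 "$1" "$2" >/dev/null 2>&1
}

# Runs every check, prints PASS/FAIL/SKIP per item, returns the failure count.
lem_agent_report() {
    fails=0
    report() { if [ "$2" -eq 0 ]; then echo "PASS  $1"; else echo "FAIL  $1"; fails=$((fails + 1)); fi; }

    check_init_script "$INIT_SCRIPT"; report "init script $INIT_SCRIPT present and executable" $?
    check_process;                    report "contego agent process running" $?
    check_spoplog "$SPOP_DIR";        report "$SPOP_DIR/spoplog.txt non-empty" $?

    missing=$(missing_runlevel_links /etc)
    if [ -z "$missing" ]; then
        report "S80AgentStart links present in rc2-rc5" 0
    else
        echo "FAIL  S80AgentStart link missing in run levels: $missing"; fails=$((fails + 1))
    fi

    for p in $AGENT_TO_LEM_PORTS; do
        check_port "$LEM_HOST" "$p"
        case $? in
            0) echo "PASS  tcp/$p to $LEM_HOST reachable" ;;
            2) echo "SKIP  tcp/$p to $LEM_HOST (nc not installed)" ;;
            *) echo "FAIL  tcp/$p to $LEM_HOST blocked or unanswered"; fails=$((fails + 1)) ;;
        esac
    done
    return "$fails"
}

# Only run the report when invoked with --run, so the file can also be sourced.
if [ "${1:-}" = "--run" ]; then
    lem_agent_report
fi
```

              Run it on the Sourcefire host as `LEM_HOST=<appliance> sh lem_agent_check.sh --run` (file name assumed). On the servers described above it would report FAIL for the init script, the process, the empty spoplog.txt and all four run-level links, which is the same picture Justin assembled by hand and a more compact thing to attach to a support case than a terminal transcript.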

            • Re: Sourcefire LEM agent
              curtisi

              Looking at the Sourcefire 3D connector, it appears we're expecting you to just send syslog from the devices to the LEM virtual appliance, not use the Agent. It could be that Sourcefire doesn't have all the components needed for the LEM Agent for security or simplicity reasons.

                • Re: Sourcefire LEM agent
                  justin.lewis

                  Thank you for the reply. That is very helpful information. I just checked the Sourcefire 3D System User Guide for v4.10.3 and found the appropriate procedure for configuring syslog.

                   

                  For anyone who it may help, the procedure is as follows:

                  1. Select Policy & Response > IPS > Intrusion Policy. The Intrusion Policy page appears.
                  2. Click Edit next to the policy you want to edit. If you have unsaved changes in another policy, click OK to discard those changes and continue. To save the changes, click Cancel, open the other policy and commit your changes, then return to the beginning of this procedure. See Committing Intrusion Policy Changes on page 347 for information on saving unsaved changes in another policy. The Policy Information page appears.
                  3. Click Advanced Settings in the navigation panel on the left. The Advanced Settings page appears.
                  4. You have two choices, depending on whether Syslog Alerting under External Responses is enabled:
                    • If the configuration is enabled, click Edit.
                    • If the configuration is disabled, click Enabled, then click Edit.
                     The Syslog Alerting page appears.
                     *A message at the bottom of the page identifies the intrusion policy layer that contains the configuration. See Using Layers in an Intrusion Policy on page 498 for more information.
                  5. Optionally, in the Logging Hosts field, enter the remote access IP address you want to specify as logging host. Separate multiple hosts with commas.
                  6. Select facility and priority levels from the drop-down lists. See Using Syslog Responses on page 796 for details on facility and priority options.
                  7. You have the following options:
                    • You can continue editing your policy. See Editing an Intrusion Policy on page 343 for descriptions of other intrusion policy settings you can modify.
                    • You can remove all saved and unsaved changes on this page by reverting to the default configuration settings in the base policy. Click Revert to Defaults, then click OK at the prompt. See Understanding the Base Policy on page 363 for more information.
                    • You can save your changes at this time. If necessary, click Policy Information in the navigation panel on the left side of the page to return to the Policy Information page, then click Commit Changes. The Intrusion Policy page appears. See Committing Intrusion Policy Changes on page 347 for descriptions of prompts you might encounter when you save your changes. You must apply your policy to the appropriate detection engines to put your changes into effect. See Applying an Intrusion Policy on page 349.
                    • You can discard all unsaved changes. If necessary, click Policy Information in the navigation panel on the left side of the page to return to the Policy Information page, then click Discard Changes; click OK to discard your changes and go to the Intrusion Policy page, or click Cancel to keep your changes and return to the Policy Information page.
                    • You can exit the policy, leaving your changes in the system cache. On exiting, click Leave page when prompted, or click Stay on page to remain in the advanced editor. See Committing Intrusion Policy Changes on page 347 for information on how the system caches one policy per user.