My lab install of CSPM & sensors is CSPM 2.3.3i, sensors at 3.0(5)S17, and communication between them works fine. Using snoop on the sensor's interface I can tell that it sees my attack traffic. I have done ping scans, port scans, and "ping -l 20000", but I get no alarms or logs or anything in CSPM.
Do I have the networks listed right? In the HPOV version v2.2.1, you used to configure the "protected nets" and now in CSPM there are tabs called "Monitor" (I left it blank) and "Internal Network" (I put in the class C I am protecting). Is this right?
Is there any way to tell why I don't see any of these events in CSPM?
Also, there used to be a document to troubleshoot the HPOV version for things like this... is there any such doc for this CSPM version?
Actually you don't need to specify which networks are considered 'internal'; it will just treat it all as outside traffic. OUT OUT alerts are common.
You might want to put snoop between CSPM and the sensor. Do you see traffic going to and from port 45000 (the postoffice port)?
If you see attempts to connect on these ports, then a configuration error (sensor or cspm) is at hand.
Let us know what you see and we'll continue.
Also, I presume when you added the sensor you went through the wizard and it added the sensor to your topology with no errors?
When you connect directly to your sensor, do a 'nrstatus'. Is nr.packetd running? If not, it sounds like it's a brand new sensor you added to CSPM and you have yet to apply a packetd.conf to it, thus enabling nr.packetd (the daemon that actually logs the alerts).
Even though snoop shows the traffic to your sensor, do a tail /usr/nr/var/log*... does it show alerts being recorded?
If nr.packetd is not running, then no alerts will be recorded... thus no alerts will get sent to cspm.
Just a few things.
I don't know of any document other than this forum for troubleshooting CSPM. Searching through past messages has been the biggest benefit to me.
When snooping between CSPM and the sensor, I see a little traffic on port 45000... I see about 3 packets between them every 5 seconds. Whether I am doing an attack or not it seems roughly the same.
When I added the sensor, I used the wizard and there were no errors.
'nrstatus' reports that nr.packetd is running. Everything else looks normal in that command.
'nrconns' reports that connection is established.
The only weird thing I see is when I do 'tail -f /usr/nr/var/log*' I do not see any new entries!
The packetd.conf file "nameofPacketDevice" reports the correct interface, /dev/spwr0.
The only log entries I get are when I disconnect and reconnect the spwr0 interface and it tells me that traffic flow has started.
The Daemons just died... do I have a different problem?
I got notifications that sapd, loggerd, filesXferd... went down and were unstartable. When I did nrstatus on the sensor, only postofficed was still running.
I must have some other problem... do I have the correct versions installed?
The version of the sensor is: 3.0(5)S17
postoffice v220 (Release) 01/12/14-20:01
fileXfer v175 (Release) 01/07/11-21:48
logger v220 (Release) 01/12/14-19:59
sap v220 (Release) 01/12/14-20:01
sensor v242 (Release) 02/02/13-17:15
thanks for any insight... this must be related.
I was interested in finding out if you were able to resolve the problems you were having with receiving logs/events on the CSPM server. I seem to be having the same issue... I see open communication between my sensors and the CSPM server, but I receive no log data... When running snoop on the sensors, I see all the traffic on the wire so I know the problem does not lie there...
I am running 2.3.3i on CSPM and 3.05.s17 on the sensors...
Funny thing is... I receive notifications via email, but the message contains no useful information... and I have nothing in PM to help with the event...
Any input is very helpful!
I have been having a similar problem in having my IDSM log files within my CSPM. I am running CSPM 2.3.3i, at 3.0(5)S17. I am not sure if I have it configured correctly to log to my CSPM. If anyone can indicate where the logs are supposed to reside on the CSPM and the IDSM it would be greatly appreciated. I am running this product in the lab and have been learning about this product via web information. Thanks
I have the same issue. I can tell the communication is there because the CSPM actually shuns IPs on my PIX. I can get the event viewer to work sometimes, but most of the time it displays nothing - I too am running 3.0(5)S17...
I've experienced the same problem...
Try to use the default signature!
Or synchronize the signature version on the sensor and on the CSPM.
The listing of the networks is not relevant to whether or not you will see the traffic in the event viewer, simply whether the network is considered inside or outside when an alarm does pop up.
You have confirmed that the traffic is hitting the sensor's sniffing interface, now check to make sure that the packetd daemon is running:
nrstatus (while logged in as netranger).
If it's not running, make sure that you do an approve now on your sensor from CSPM to push out the config from CSPM and start packetd.
If packetd is already running, then check your logs:
This requires that the loggerd daemon be running. If it isn't running, then enable that on the sensor in CSPM and do an approve now to push it out to the sensor.
The most likely cause is that packetd is simply not running right now. Keep in mind that once you have configured CSPM for that sensor, you don't want to run sysconfig-sensor on the sensor again or it will wipe out your config from CSPM, including packetd.
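The checks that the two replies above walk through (is nr.packetd up, is loggerd up, is the signature file usable, then look for new log entries) as a small POSIX sh script; this is an added example, not anything from the thread or from the NetRanger/CSPM product. The daemon names, the assumption that nrstatus lists one running daemon per line, and all sample data are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or the product): scriptable version of
# the checks the replies above describe. Daemon names and the nrstatus output
# format are assumptions; the sample output below is constructed.

REQUIRED_DAEMONS="nr.postofficed nr.packetd nr.loggerd nr.sapd nr.fileXferd"

# missing_daemons TEXT: given nrstatus-style output (assumed: one running
# daemon per line), print the required daemons that do not appear.
missing_daemons() {
    _missing=""
    for _d in $REQUIRED_DAEMONS; do
        if ! printf '%s\n' "$1" | grep -q "^$_d"; then
            _missing="$_missing $_d"
        fi
    done
    printf '%s\n' "${_missing# }"
}

# sig_file_ok PATH: succeed only if the signature file exists and is
# non-empty (the zero-byte SigUser.conf case raised later in the thread).
sig_file_ok() {
    [ -s "$1" ]
}

# diagnose TEXT PATH: return 1 if daemons are down (push config with
# "approve now" from CSPM), 2 if the signature file is unusable, 0 otherwise.
diagnose() {
    _m=$(missing_daemons "$1")
    if [ -n "$_m" ]; then
        printf 'daemons not running: %s (approve now from CSPM)\n' "$_m"
        return 1
    fi
    if ! sig_file_ok "$2"; then
        printf 'signature file %s missing or empty\n' "$2"
        return 2
    fi
    printf 'daemons up and signature file present; tail /usr/nr/var/log*\n'
    return 0
}

# Constructed samples: only postofficed survived (as in the thread), and a
# healthy sensor.
SAMPLE_DEAD="nr.postofficed"
SAMPLE_OK="nr.postofficed
nr.packetd
nr.loggerd
nr.sapd
nr.fileXferd"

diagnose "$SAMPLE_DEAD" /dev/null || true
```

On a real sensor you would feed it `"$(nrstatus)"` and the actual SigUser.conf path instead of the constructed samples.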
We are experiencing the same problem of not receiving any messages from the sensor, which started around the same time the IDS box crashed and we had to run fsck.
I have confirmed that packetd is running but there is an error: Unable to open signature file: ../etc/SigUser.conf
The file shows 0 bytes and no errors on the approval from CSPM.
Any thoughts on how to get back the siguser file?
I had the same problem. It turned out that in my situation, my log file was too big. I saved the log to old and let the CSPM start a new log.
How did you clear out the log file? Did you use cvtnrlog -d or something else? I tried and that didn't clear it.
Thanks. I think I may have solved this. Installing the latest version of CSPM (after uninstalling the old) then updating to the latest signatures seems to have fixed the problem. My original problem was a corrupt disk system on the sensor. I think that started a domino effect which required the re-install.