Applies to Product: USM Appliance™, LevelBlue OSSIM®
It is good practice to test whether a plugin is working correctly after you have enabled it in USM Appliance and configured the application or device to forward logs to USM Appliance.
Note: You can confirm the plugins enabled at the sensor level by viewing the [plugin] section of the /etc/ossim/agent/config.cfg file. Per-asset plugin configurations are stored in the /etc/ossim/agent/config.yml file.
To confirm an enabled plugin is working properly
- In the USM Appliance web UI, go to Analysis > Security Events (SIEM).
- In Data Sources, select the plugin for which you expect to see events.
  If you see events, the plugin is working properly.
  If there are no events, you can troubleshoot by following the steps below.
- Connect to the LevelBlue Console through SSH and use your credentials to log in.
  The LevelBlue Setup menu displays.
- On the LevelBlue Setup main menu, select Jailbreak System to gain command line access.
  Select Yes when prompted. You will be in the root directory.
- Validate that you are receiving syslog packets from the source device:
  tcpdump -i eth0 -v -w /dev/null src <device_IP_Address> and port 514
  Replace <device_IP_Address> with the IP address you are collecting syslog data from.
  If no packets appear in the output, USM Appliance is not receiving data from your device. Make sure that you have configured your device or application to forward logs to the USM Appliance Sensor.
  If the output shows captured packets, the connection is not the issue. Next, check whether the syslog messages arrive in the correct log locations.
- Connect to the LevelBlue Console through SSH and use your credentials to log in.
  The LevelBlue Setup menu displays.
- On the LevelBlue Setup main menu, select Jailbreak System to gain command line access.
  Select Yes when prompted. You will be in the root directory.
- Check the log files for new messages.
  Messages from your device appear in different files depending on how the plugin is enabled.
  - If the plugin is enabled on a per-asset basis, incoming syslog messages are saved under /var/log/alienvault/devices/<asset_IP>, one folder per asset IP address:
    tail -f /var/log/alienvault/devices/<asset_IP>/<asset_IP>.log
  - If the plugin is enabled at the sensor level, rsyslog is often configured to forward messages to a dedicated file, which is defined in the location parameter under the [config] section of the plugin file. After you have identified the file, type the following:
    tail -f /path/to/<data-Source-name>.log
  - If syslog messages do not appear in either of the files mentioned above, check the default location for all syslog messages:
    tail -f /var/log/syslog
- If you do not find new messages in the corresponding log file, but you have confirmed that USM Appliance is receiving packets from your device on UDP port 514, verify that the rsyslog configuration directs the messages to the correct file. Restart rsyslog if needed:
  /etc/init.d/rsyslog restart

If you see new messages in the log files but there are no events, the error is in either the plugin or the agent configuration.
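The sensor-level check above depends on first finding the file named by the location parameter and then seeing whether anything is being written to it. The following script is an added example, not part of this LevelBlue documentation or of the USM Appliance code: it reads location from the [config] section of a plugin file and reports whether that log has been written within the last minute, which separates "rsyslog is not routing the messages" from "the device is not sending". It assumes plugin files live at /etc/ossim/agent/plugins/<plugin>.cfg (the page does not name that directory; pass plugin_dir if yours differs) and, for the demo, builds a constructed plugin file in a temporary directory.

```python
import tempfile
import time
from pathlib import Path

# Assumed default location of plugin files; the page does not name this directory.
PLUGIN_DIR = "/etc/ossim/agent/plugins"


def plugin_log_location(cfg_text):
    """Return the value of 'location' from the [config] section, or None if absent."""
    section = None
    for raw in cfg_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "config" and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lower() == "location":
                return value.strip()
    return None


def check_plugin_log(plugin_name, plugin_dir=PLUGIN_DIR, max_age_seconds=60, now=None):
    """Locate the plugin's log file and report whether it has been written recently.

    Statuses: no-plugin-file, no-location, log-missing, fresh, stale.
    A 'stale' or 'log-missing' result while tcpdump shows packets arriving points
    at the rsyslog routing step rather than at the device.
    """
    cfg_path = Path(plugin_dir) / f"{plugin_name}.cfg"
    if not cfg_path.is_file():
        return {"status": "no-plugin-file", "cfg": str(cfg_path)}
    location = plugin_log_location(cfg_path.read_text())
    if not location:
        return {"status": "no-location", "cfg": str(cfg_path)}
    log_path = Path(location)
    if not log_path.exists():
        return {"status": "log-missing", "log": location}
    age = (now if now is not None else time.time()) - log_path.stat().st_mtime
    status = "fresh" if age <= max_age_seconds else "stale"
    return {"status": status, "log": location, "age_seconds": round(age, 1)}


def demo():
    """Run the check against a constructed plugin file in a temporary directory."""
    tmp = Path(tempfile.mkdtemp())
    log_file = tmp / "ssh.log"
    # Constructed plugin file in the [DEFAULT]/[config]/rule layout; only [config] matters here.
    (tmp / "ssh.cfg").write_text(
        "[DEFAULT]\nplugin_id=4003\n\n"
        "[config]\ntype=detector\nsource=log\n"
        f"location={log_file}\n\n"
        "[ssh-example-rule]\nevent_type=event\nregexp=(example)\n"
    )
    before = check_plugin_log("ssh", plugin_dir=tmp)   # log file not written yet
    log_file.write_text("constructed syslog line\n")
    fresh = check_plugin_log("ssh", plugin_dir=tmp)
    stale = check_plugin_log("ssh", plugin_dir=tmp, now=time.time() + 3600)
    missing = check_plugin_log("no-such-plugin", plugin_dir=tmp)
    return {"before": before, "fresh": fresh, "stale": stale, "missing": missing}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:8s} {result}")
```

On an appliance you would call check_plugin_log("ssh") with the defaults; the 60-second freshness window is a starting point and should be widened for sources that log rarely.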
- Connect to the LevelBlue Console through SSH and use your credentials to log in.
  The LevelBlue Setup menu displays.
- Select Maintenance & Troubleshooting.
- Select Troubleshooting Tools.
- Select View LevelBlue Components Logs.
- Select View LevelBlue Agent log.
  After confirmation, the content of /var/log/alienvault/agent/agent.log is displayed in the console. Press "q" to return to the menu.
- Search for the plugin name in the log file.
  For example, type "/ssh" and press Enter. If the plugin is running, you should see output similar to the following:
  WatchDog[24430] Checking process sshd for plugin ssh
  WatchDog[24430] plugin (ssh) is running
  WatchDog[24430] plugin (ssh) is enabled
- In addition, you will see information about the plugin output every 10 seconds. For example:
  Aug 10 13:01:24 Alienvault-Agent[INFO]: ssh[4003] Total lines [12759] TotalEvents:[643] EPS: [0.00] elapsed [10.01] seconds
  Aug 10 13:01:34 Alienvault-Agent[INFO]: ssh[4003] Total lines [12759] TotalEvents:[643] EPS: [0.00] elapsed [10.00] seconds
  Aug 10 13:01:44 Alienvault-Agent[INFO]: ssh[4003] Total lines [12859] TotalEvents:[683] EPS: [4.00] elapsed [10.00] seconds
  where
  - Total lines [12759] is the number of lines in the data source log file that the plugin has processed since it was enabled.
  - TotalEvents: [643] is the number of events that the plugin has generated from those lines.
  - EPS: [0.00] means events per second; it is calculated every 10 seconds.
    EPS 0.00 indicates that no events were generated in the last 10 seconds; EPS 4.00 indicates that 40 events (683 - 643) were generated in the last 10 seconds.
  - elapsed [10.01] seconds indicates that this information is gathered every 10 seconds.

Total lines and TotalEvents are usually not the same because not every line can be turned into an event. If TotalEvents is 0, the plugin has not generated any events. If Total lines is also 0, the data source log file is empty, so the plugin has no data to process. If Total lines is not 0, the plugin is reading lines but not turning them into events. Look at the plugin configuration file to investigate further, or contact LevelBlue Technical Support.
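To make the counter reading above mechanical, here is an added example (not from the LevelBlue documentation or the agent itself) that parses the agent.log statistics lines, checks that the reported EPS agrees with the change in TotalEvents over the interval, and applies the three-way diagnosis from the paragraph above: events generated, source file empty, or lines read but not parsed. The three ssh lines are the ones quoted above; the idle-sample and unparsed-sample plugin names and ids are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed agent.log excerpt: the ssh lines mirror the ones quoted above;
# the other two plugin names and ids are made up to show the failure modes.
SAMPLE_AGENT_LOG = """\
Aug 10 13:01:24 Alienvault-Agent[INFO]: ssh[4003] Total lines [12759] TotalEvents:[643] EPS: [0.00] elapsed [10.01] seconds
Aug 10 13:01:34 Alienvault-Agent[INFO]: ssh[4003] Total lines [12759] TotalEvents:[643] EPS: [0.00] elapsed [10.00] seconds
Aug 10 13:01:44 Alienvault-Agent[INFO]: ssh[4003] Total lines [12859] TotalEvents:[683] EPS: [4.00] elapsed [10.00] seconds
Aug 10 13:01:44 Alienvault-Agent[INFO]: idle-sample[9001] Total lines [0] TotalEvents:[0] EPS: [0.00] elapsed [10.00] seconds
Aug 10 13:01:44 Alienvault-Agent[INFO]: unparsed-sample[9002] Total lines [220] TotalEvents:[0] EPS: [0.00] elapsed [10.00] seconds
"""

STAT_RE = re.compile(
    r"\]: (?P<plugin>[^\s\[]+)\[(?P<id>\d+)\] "
    r"Total lines \[(?P<lines>\d+)\] TotalEvents:\[(?P<events>\d+)\] "
    r"EPS: \[(?P<eps>[\d.]+)\] elapsed \[(?P<elapsed>[\d.]+)\] seconds"
)


def parse_stats(text):
    """Extract the per-plugin counters from agent.log lines; non-matching lines are skipped."""
    records = []
    for line in text.splitlines():
        m = STAT_RE.search(line)
        if m:
            records.append({
                "plugin": m["plugin"],
                "id": int(m["id"]),
                "lines": int(m["lines"]),
                "events": int(m["events"]),
                "eps": float(m["eps"]),
                "elapsed": float(m["elapsed"]),
            })
    return records


def diagnose(records):
    """Classify each plugin from its latest sample: ok, no-data, or not-parsing."""
    by_plugin = defaultdict(list)
    for r in records:
        by_plugin[r["plugin"]].append(r)
    result = {}
    for plugin, samples in by_plugin.items():
        last = samples[-1]
        # Events produced in the most recent interval, if we have two samples to compare.
        recent = last["events"] - samples[-2]["events"] if len(samples) > 1 else None
        # EPS should equal events-in-interval divided by the interval length.
        eps_consistent = (
            None if recent is None
            else abs(last["eps"] * last["elapsed"] - recent) < 1.0
        )
        if last["events"] > 0:
            status = "ok"
        elif last["lines"] == 0:
            status = "no-data"        # source log file is empty
        else:
            status = "not-parsing"    # lines are read but no rule turns them into events
        result[plugin] = {
            "status": status,
            "lines": last["lines"],
            "events": last["events"],
            "recent_events": recent,
            "eps_consistent": eps_consistent,
        }
    return result


if __name__ == "__main__":
    for plugin, info in diagnose(parse_stats(SAMPLE_AGENT_LOG)).items():
        print(f"{plugin:16s} {info}")
```

To run it against a live appliance, replace SAMPLE_AGENT_LOG with the contents of /var/log/alienvault/agent/agent.log; a not-parsing verdict is the case the last paragraph sends you to the plugin configuration file for.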