BUG in zabbix-alert.sh


andre.pietsch

Sep 23, 2011, 8:55:07 AM
to ossec-dev
Hi,

I based my active response script that sends whois information about
an IP on the zabbix-alert.sh script.

Sometimes I had the problem that my mails sent no information about
the host and the alert level. Investigating the problem I found out
that I made a mistake in one of the grep commands that analyse the
alert.log file. I thought I made a mistake. A few moments ago I looked
into the zabbix-alert.sh and saw that the problem was already there.

The problem is in the following lines:

21 ALERTID=$4
.
.
.
48 # Getting alert time
49 ALERTTIME=`echo "$ALERTID" | cut -d "." -f 1`
50
51 # Getting end of alert
52 ALERTLAST=`echo "$ALERTID" | cut -d "." -f 2`
53
54 # Getting full alert
55 ALERTTEXT=`grep -A 10 "$ALERTTIME" $PWD/../logs/alerts/alerts.log | grep -v ".$ALERTLAST: " -A 10 `
56
57 # Extract host (agent) name from alert.
58 HOSTNAME=`echo "$ALERTTEXT" | sed -n '1,1s/^.*\:[0-9][0-9]\:[0-9][0-9][^A-Za-z0-9_]*\([-A-Za-z0-9_]*\)\->.*$/\1/p'`

The parameter $ALERTID is the ID given to the script. From that the
ALERTTIME and ALERTLAST is extracted. The BUG is in line 55 where the
ALERTTEXT is extracted. If only the ALERTTIME is used there and
several alerts happen at the same time (happened to me) there are
several parts extracted from the alert.log file. The result is that
the HOSTNAME and other later needed parameters could not be
extracted exactly.

The solution would be to change the line like this:

55 ALERTTEXT=`grep -A 10 "$ALERTID" $PWD/../logs/alerts/alerts.log | grep -v ".$ALERTLAST: " -A 10 `

The $ALERTID should be used instead of $ALERTTIME. So there is only
one alert extracted from the alert.log file.

I've tested it on several machines with the same wrong result. After
that I changed it in my active response script send-whois.sh. It
should be changed in the zabbix-alert.sh script too.

If you are interested in my active response script send-whois.sh I
would be glad to share it with you.

Kind regards


Andre Pietsch

David M. Zendzian

Sep 23, 2011, 9:23:02 AM
to osse...@googlegroups.com
Could you post your whois script?

And was the zabbix script the one I posted a while ago? Or is there
another floating around?

Thanks
David


--
David M. Zendzian | Managing Partner | ZZ Servers
268 Bush St. #4127 | San Francisco, CA 94104
T: 415-593-5593 ext 369 | F: 415-901-6625

Email : d...@zzservers.com

Business Hosting Solutions | PCI | HIPAA
Managed Hosting Specialists


andre.pietsch

Sep 23, 2011, 10:45:25 AM
to ossec-dev
Hi David,

You are more than welcome.

It is the zabbix-alert.sh script that is delivered with the ossec 2.6
package provided by the atomicorp yum repository.

I haven't found your post but in the script is your name and the
version 1.0 from April 6th 2010.

My script can be found at http://pastebin.com/E6PRgR34 . I hope it
helps.

As long as the whois stuff is not included within the default
notification (maybe configurable via the ossec.conf file) this script
helps us to secure some evidence for legal purposes.

It extracts ID, time, host, rule ID and rule description, level and IP
the way your script does it. It queries whois with the IP and tries to
find the corresponding lines within the log file belonging to the
alert.

It extracts the <email_from> and all <email_to> fields from the config
file and uses sendmail to send a mail to the given recipients. If
DEBUG is set to true the mail is only sent to the first configured
<email_to> address and some additional logs are created in the /tmp
directory.

Kind regards
Andre

t...@timwel.ch

Dec 13, 2016, 10:42:10 AM
to ossec-dev, andre....@a-sd.de
This is actually all wrong, from what I see in my own OSSEC alert.log. The alert/event is a variable number of lines long. Grepping with -A 10 will always pull in multiple events, because (in my logs anyways) the vast majority of alerts/events are between 4-6 lines long, separated by a blank line... So why not use that blank line to our advantage? Ditch the initial grep -A 10 and use awk to give us the entire single event and only that event?

awk "/$ALERTID/" RS= /var/ossec/logs/alerts/alerts.log

This will always pull in just the single message we are looking for. Again, as you noted, using ALERTTIME would potentially pull in multiple events, so we use ALERTID to extract only the one single instance.

I'm currently modifying my zabbix-alert.sh script to use awk instead of grep here. YMMV, but it looks like this is the solution. I see other active response scripts also using the "grep -A 10" method, which should be replaced in all of them.
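The two failure modes discussed in this thread (keying the grep on ALERTTIME alone, and relying on a fixed `-A 10` window) and the awk paragraph-mode fix from the last reply, side by side as an added example. This script is not from the thread, the zabbix-alert.sh script or the OSSEC project: the alerts.log content is constructed (three alerts that share one epoch timestamp, with made-up hosts and documentation-range IPs), and the function names `make_sample_log`, `extract_by_time`, `extract_by_id` and `hostname_of` are hypothetical. `extract_by_id` matches the alert header literally and anchored at the start of the record rather than with the `"/$ALERTID/"` regex used above, so a short ID cannot match as a substring of a longer one and the `.` in the ID is not treated as a wildcard.

```shell
#!/bin/sh
# Added example (not from the thread or OSSEC): compare extracting an alert
# block from alerts.log by its epoch part (grep -A 10 on ALERTTIME) with awk
# paragraph mode (RS=) keyed on the full ALERTID.

# Write a constructed alerts.log in OSSEC's layout: each alert is a header
# line "** Alert <epoch>.<offset>: ...", a date/host line, a rule line and a
# variable number of further lines, with alerts separated by a blank line.
# All three alerts share epoch 1316764507; IDs, hosts and IPs are made up.
make_sample_log() {
  cat > "$1" <<'EOF'
** Alert 1316764507.1001: - syslog,sshd,authentication_failed,
2011 Sep 23 08:55:07 hostA->/var/log/auth.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 203.0.113.10
Sep 23 08:55:06 hostA sshd[1234]: Failed password for invalid user test from 203.0.113.10 port 4321 ssh2

** Alert 1316764507.1250: - syslog,sshd,authentication_failed,
2011 Sep 23 08:55:07 hostB->/var/log/auth.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 198.51.100.7
Sep 23 08:55:07 hostB sshd[987]: Failed password for root from 198.51.100.7 port 5000 ssh2

** Alert 1316764507.1499: mail  - syslog,sshd,authentication_failures,
2011 Sep 23 08:55:07 hostC->/var/log/auth.log
Rule: 5720 (level 10) -> 'Multiple SSHD authentication failures.'
Src IP: 198.51.100.7
Sep 23 08:55:07 hostC sshd[990]: Failed password for root from 198.51.100.7 port 5001 ssh2
Sep 23 08:55:07 hostC sshd[991]: Failed password for root from 198.51.100.7 port 5002 ssh2
EOF
}

# The original approach: keep only the epoch part of the ID and grep for it
# with a fixed 10-line window. Every alert written in that same second
# matches, and the windows run into each other.
# $1 = log file, $2 = full alert id (epoch.offset)
extract_by_time() {
  alerttime=${2%%.*}
  grep -A 10 "$alerttime" "$1"
}

# The fix from the thread: awk with RS= (paragraph mode) treats each
# blank-line-separated alert as one record, so the record is returned whole
# regardless of how many lines it has. The header is matched literally and
# only at the start of the record.
# $1 = log file, $2 = full alert id (epoch.offset)
extract_by_id() {
  awk -v id="$2" 'index($0, "** Alert " id ":") == 1' RS= "$1"
}

# Pull the host name off the second line of an alert block read from stdin,
# which is where the sed in zabbix-alert.sh looks for it.
hostname_of() {
  sed -n '2s/^.* \([-A-Za-z0-9_]*\)->.*$/\1/p'
}

# Demo: run both extractions for the middle alert and count header lines.
LOG=$(mktemp)
make_sample_log "$LOG"
printf 'grep -A 10 on the epoch part returns %s alert header(s)\n' \
  "$(extract_by_time "$LOG" 1316764507.1250 | grep -c '^\*\* Alert')"
printf 'awk RS= on the full ID returns %s alert header(s), host=%s\n' \
  "$(extract_by_id "$LOG" 1316764507.1250 | grep -c '^\*\* Alert')" \
  "$(extract_by_id "$LOG" 1316764507.1250 | hostname_of)"
rm -f "$LOG"
```

With the constructed log, the grep variant returns all three headers (so a `sed -n '1,1s/...'` on its output picks up hostA, the wrong host, for alert 1316764507.1250), while the awk variant returns exactly the one block and hostB. Because paragraph mode reads the whole record, the six-line alert for hostC also comes back complete, which a fixed `-A` window cannot guarantee either way.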