Sagan hangs/stops at opening the fifo


DigiAngel

Oct 31, 2011, 11:38:39 AM
to sagan-users
Hey all. Here's what I get sometimes:

[*]  ,-._,-.    -*> Sagan! <*-
[*]  \/)"(\/    Version 0.2.1-svn
[*]   (_o_)     Champ Clark III & The Quadrant InfoSec Team [quadrantsec.com]
[*]   /   \/)   Copyright (C) 2009-2011 Quadrant Information Security, et al.
[*]  (|| ||)    Using PCRE version: 8.12 2011-01-15
[*]   oo-oo     Sagan is processing events.....
[*]
[*] Attempting to open syslog FIFO (/var/run/sagan.fifo).

^C[*]

[Received signal 2. Sagan version 0.2.1-svn shutting down]-------

[*]
--------------------------------------------------------------------------
[*] Total number of events processed: 0
[*] Total number of events thresholded: 0 (0.000%)
[*] Total number of signatures matched: 0 (0.000%)
[*] Total events dropped: 0 (0.000%)
[*]
--------------------------------------------------------------------------
[*] Max Snort database threads: 0 of 50 (0.000%) | Snort DB drops: 0
[*]
--------------------------------------------------------------------------


And that's it. However, after restarting rsyslog, it works fine:
[*]  ,-._,-.    -*> Sagan! <*-
[*]  \/)"(\/    Version 0.2.1-svn
[*]   (_o_)     Champ Clark III & The Quadrant InfoSec Team [quadrantsec.com]
[*]   /   \/)   Copyright (C) 2009-2011 Quadrant Information Security, et al.
[*]  (|| ||)    Using PCRE version: 8.12 2011-01-15
[*]   oo-oo     Sagan is processing events.....
[*]
[*] Attempting to open syslog FIFO (/var/run/sagan.fifo).
[*] Successfully opened FIFO (/var/run/sagan.fifo).

Any hints on this? Running rsyslog on Ubuntu Server 11.04:
rsyslogd 4.6.4, compiled with:
FEATURE_REGEXP: Yes
FEATURE_LARGEFILE: No
FEATURE_NETZIP (message compression): Yes
GSSAPI Kerberos 5 support: Yes
FEATURE_DEBUG (debug build, slow code): No
Atomic operations supported: Yes
Runtime Instrumentation (slow code): No

Thank you.

James

Champ Clark III [Quadrant]

Oct 31, 2011, 11:48:03 AM
to sagan...@googlegroups.com

On Oct 31, 2011, at 11:38 AM, DigiAngel wrote:

> Hey all.  Here's what I get sometimes:
>
> [*]  ,-._,-.    -*> Sagan! <*-
> [*]  \/)"(\/    Version 0.2.1-svn
> [*]   (_o_)     Champ Clark III & The Quadrant InfoSec Team [quadrantsec.com]
> [*]   /   \/)   Copyright (C) 2009-2011 Quadrant Information Security, et al.
> [*]  (|| ||)    Using PCRE version: 8.12 2011-01-15
> [*]   oo-oo     Sagan is processing events.....
> [*]
> [*] Attempting to open syslog FIFO (/var/run/sagan.fifo).


In order for Sagan to function (and the nature of FIFOs in *nix), the "reader" (Sagan) cannot open the FIFO unless there is a writer (rsyslog). What's happening is Sagan believes that there is no "writer". That is, rsyslog hasn't opened the FIFO for writing, so Sagan can "read" the FIFO. I've seen this happen with rsyslog before, but haven't identified the problem (yet).

It doesn't happen at all with syslog-ng.  Don't get me wrong,  I have rsyslog running in some environment 24/7 without problem.  Just wanted to explain the issue. 

For example, I'll bet if you start Sagan and it hangs, if you open another terminal and reload/reset rsyslog, Sagan will then open the FIFO. It might be some recent change with rsyslog. I'm not sure. I'll look back into this ASAP.
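The FIFO behaviour described above, as an added example that is not part of the original post or of Sagan's code: a reader's blocking open() on a FIFO returns only once some process has the other end open for writing (so a reader started before rsyslog has opened the FIFO sits in "Attempting to open" indefinitely), O_NONBLOCK makes the open return immediately, and once the writer closes its end read() returns 0. A child process plays rsyslog; the scratch path under /tmp and the syslog line are constructed for the demo and are assumptions, not anything from the page.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

typedef struct {
    double open_wait_secs;        /* how long the blocking O_RDONLY open() waited */
    int open_blocked_until_writer;/* 1 if open() only returned once the writer appeared */
    int first_read_bytes;         /* bytes delivered once the writer wrote */
    int eof_after_writer_closed;  /* 1 if read() returned 0 after the writer closed */
} fifo_demo_result;

static double now_secs(void) {
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (double)ts.tv_sec + (double)ts.tv_nsec / 1e9;
}

/* Scratch FIFO under /tmp: a hypothetical demo path, not Sagan's /var/run/sagan.fifo. */
static int make_scratch_fifo(char *path, size_t len, const char *tag) {
    snprintf(path, len, "/tmp/fifo-demo-%s-%ld", tag, (long)getpid());
    unlink(path);
    return mkfifo(path, 0600);
}

/* Reader with no writer present. A plain O_RDONLY open() would block here until a
 * writer shows up, which is exactly Sagan's stuck "Attempting to open syslog FIFO".
 * With O_NONBLOCK the open returns at once (and a read() then reports 0, i.e. EOF,
 * because there is no writer). Returns 1 if the non-blocking open succeeded. */
int nonblocking_open_without_writer(void) {
    char path[128];
    if (make_scratch_fifo(path, sizeof path, "nb") != 0) return 0;
    int fd = open(path, O_RDONLY | O_NONBLOCK);
    int ok = fd >= 0;
    if (ok) close(fd);
    unlink(path);
    return ok;
}

/* Blocking reader. A child process plays rsyslog: it opens the FIFO for writing
 * after writer_delay_secs, writes one constructed syslog line, then closes its end
 * (what a restart looks like from the reader's side). Returns 0 on success. */
int run_fifo_demo(int writer_delay_secs, fifo_demo_result *r) {
    static const char line[] = "Oct 31 11:38:39 host sshd[4242]: constructed test line\n";
    char path[128];
    memset(r, 0, sizeof *r);
    if (make_scratch_fifo(path, sizeof path, "blk") != 0) return -1;

    pid_t pid = fork();
    if (pid < 0) { unlink(path); return -1; }
    if (pid == 0) {
        sleep((unsigned)writer_delay_secs);
        int wfd = open(path, O_WRONLY);           /* writer side; the reader is already waiting */
        if (wfd < 0) _exit(1);
        if (write(wfd, line, sizeof line - 1) != (ssize_t)(sizeof line - 1)) _exit(1);
        close(wfd);
        _exit(0);
    }

    double t0 = now_secs();
    int fd = open(path, O_RDONLY);                /* blocks until the child opens O_WRONLY */
    r->open_wait_secs = now_secs() - t0;
    if (fd < 0) { waitpid(pid, NULL, 0); unlink(path); return -1; }
    r->open_blocked_until_writer = r->open_wait_secs >= 0.9 * writer_delay_secs;

    char buf[256];
    ssize_t n = read(fd, buf, sizeof buf);        /* blocks until the writer writes */
    r->first_read_bytes = n > 0 ? (int)n : 0;
    if (n > 0) n = read(fd, buf, sizeof buf);     /* writer has closed: 0 means EOF, not "no data yet" */
    r->eof_after_writer_closed = (n == 0);
    close(fd);

    int status = 0;
    waitpid(pid, &status, 0);
    unlink(path);
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}

int main(void) {
    fifo_demo_result r;
    printf("non-blocking open with no writer: %s\n",
           nonblocking_open_without_writer() ? "returned immediately" : "failed");
    if (run_fifo_demo(1, &r) == 0)
        printf("blocking open waited %.2fs for a writer; first read %d bytes; EOF after writer closed: %d\n",
               r.open_wait_secs, r.first_read_bytes, r.eof_after_writer_closed);
    return 0;
}
```

On a box where Sagan is stuck at "Attempting to open syslog FIFO", the matching check is whether any process actually holds the FIFO open for writing, for example with lsof /var/run/sagan.fifo: if no rsyslogd entry appears, the reader is simply waiting for a writer that never opened the file, and reloading rsyslog is what makes the open() return.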



DigiAngel

Oct 31, 2011, 12:10:07 PM
to sagan-users
Thanks Champ...sorry I'm such a hassle ;)

James


Jan Koch

Sep 17, 2012, 7:17:52 AM
to sagan...@googlegroups.com
Is there any news on this topic? I have 1 server running without any problem at all, but another 2 where rsyslog keeps stopping frequently. I still have no idea why :/

Champ Clark III

Sep 17, 2012, 10:43:30 AM
to sagan...@googlegroups.com

On 9/17/12 7:17 AM, Jan Koch wrote:
> Is there any news on this topic ? I have 1 server running without
> any problem at all, but another 2 where rsyslog keeps stoping
> frequently. I still have no idea why :/

I've written about this several times. It's not a Sagan issue. If
Sagan doesn't "receive" the data from the FIFO, it can't do analysis
on it. I've seen this problem on an older Ubuntu box. If I remember
correctly, I upgraded rsyslog to the latest available.

In my experience, rsyslog typically stops writing to the FIFO due to
logrotate being run. You could try to disable logrotate temporarily
and see if the problem goes away.

Also, since it's not happening on one of the servers, compare the
configurations and rsyslog version between the working server and the
two servers that experience the problem.

Hope this helps.

--
- Champ Clark III (ccl...@quadrantsec.com)
Quadrant Information Security (http://quadrantsec.com)
Key Fingerprint: 2E56 C2EB 1B25 C517 D5BA 2DCF 5E70 B2F8 0381 878A
GPG Key ID: 0381878A
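From the reader's side, a writer that "stops writing to the FIFO" after a logrotate-driven restart shows up as an EOF: once every writer has closed its end, read() returns 0, and a consumer that treats that as fatal, or simply stops reading, stays stuck until someone restarts it. The following added example (not Sagan's or rsyslog's code) shows the defensive reader loop for that case: drain one writer session until EOF, close, and go back to the blocking open(), which waits for the writer to come back. A child process plays the syslog daemon, closing the FIFO between sessions; the /tmp path, the sync pipe and the log lines are constructed for the demo, and it is an assumption that the writer actually closes its end on restart rather than some other failure.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

typedef struct {
    int lines;    /* syslog lines consumed across all writer sessions */
    int reopens;  /* times the reader saw EOF, closed, and reopened the FIFO */
} reopen_stats;

static int count_newlines(const char *buf, ssize_t n) {
    int c = 0;
    for (ssize_t i = 0; i < n; i++)
        if (buf[i] == '\n') c++;
    return c;
}

/* One writer session: open() blocks until a writer has the FIFO open, then
 * drain until read() returns 0, which means every writer closed its end
 * (a restart or HUP of the daemon), not "nothing to read yet".
 * Returns the number of lines read, or -1 on error. */
int read_one_writer_session(const char *path) {
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    int lines = 0;
    char buf[4096];
    for (;;) {
        ssize_t n = read(fd, buf, sizeof buf);
        if (n > 0) { lines += count_newlines(buf, n); continue; }
        if (n == 0) break;                        /* EOF: the writer is gone */
        if (errno == EINTR) continue;
        close(fd);
        return -1;
    }
    close(fd);
    return lines;
}

/* Demo driver. A child process plays the syslog daemon: one constructed line
 * per session, closing the FIFO between sessions. A sync pipe makes the child
 * wait until the reader has closed its end before the next session, so the
 * EOF-then-reopen sequence is deterministic. The /tmp path is a scratch path
 * for the demo, not Sagan's /var/run/sagan.fifo. Returns 0 on success. */
int run_reopen_demo(int sessions, reopen_stats *st) {
    char path[128];
    int sync_fd[2];
    st->lines = 0;
    st->reopens = 0;
    snprintf(path, sizeof path, "/tmp/fifo-reopen-demo-%ld", (long)getpid());
    unlink(path);
    if (mkfifo(path, 0600) != 0 || pipe(sync_fd) != 0) return -1;

    pid_t pid = fork();
    if (pid < 0) { unlink(path); return -1; }
    if (pid == 0) {
        close(sync_fd[1]);
        for (int i = 0; i < sessions; i++) {
            char line[96];
            int len = snprintf(line, sizeof line,
                               "Oct 31 11:38:%02d host sshd[%d]: constructed test line\n", i, 1000 + i);
            int wfd = open(path, O_WRONLY);       /* blocks until the reader has (re)opened */
            if (wfd < 0 || write(wfd, line, (size_t)len) != len) _exit(1);
            close(wfd);                           /* the reader now gets EOF */
            char ack;
            if (i + 1 < sessions && read(sync_fd[0], &ack, 1) != 1) _exit(1);
        }
        _exit(0);
    }

    close(sync_fd[0]);
    int rc = 0;
    for (int i = 0; i < sessions; i++) {
        int n = read_one_writer_session(path);
        if (n < 0) { rc = -1; break; }
        st->lines += n;
        if (i + 1 < sessions) {
            st->reopens++;                        /* instead of giving up on EOF, go back to open() */
            if (write(sync_fd[1], "g", 1) != 1) { rc = -1; break; }
        }
    }
    close(sync_fd[1]);
    if (rc != 0) kill(pid, SIGKILL);              /* do not hang on a child stuck in open() */
    int status = 0;
    waitpid(pid, &status, 0);
    unlink(path);
    if (rc == 0 && !(WIFEXITED(status) && WEXITSTATUS(status) == 0)) rc = -1;
    return rc;
}

int main(void) {
    reopen_stats st;
    if (run_reopen_demo(3, &st) != 0) { perror("demo"); return 1; }
    printf("lines read: %d, reopens after the writer closed: %d\n", st.lines, st.reopens);
    return 0;
}
```

The reopen is the consumer-side half of the problem only: it keeps the reader alive across a writer restart, but it does nothing about why rsyslog stopped writing, which is what comparing the rsyslog version and configuration between the working and the failing servers is for.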

Jan Koch

Sep 17, 2012, 10:51:15 AM
to sagan...@googlegroups.com
Sorry. I know this is not a sagan bug. I just wanted to ask in here if anybody came up with a solution for rsyslogd, sorry for the mislead :)

Best regards,

Jan
