Show Posts
This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.
Pages: [1]
1
Installation and Upgrades / Help with configuring event alerts-sending to jabber account (gtalk supported?)
« on: February 28, 2014, 10:45:48 am »
Hi,
Reading through the official documentation, I couldn't help but to notice that the information about creating Jabber account is pretty scarce.
Firstly, are gtalk accounts even supported?
And if not, is there any detailed info about using Jabber account for sending logs ?
Now, i have created a user on jabb3r.org server, configured it in Pidgin client, added a *@gmail.com user as a friend, and the communication worked without problem.
When configured the same thing in Zentyal, i do not receive any messages on my client.
I tested that by stopping some service, then check in /var/log/zentyal.events.log and on my mobile phone. Log file has written the event in the file, but my phone didn't receive anything.
Reading through the official documentation, I couldn't help but to notice that the information about creating Jabber account is pretty scarce.
Firstly, are gtalk accounts even supported?
And if not, is there any detailed info about using Jabber account for sending logs ?
Now, i have created a user on jabb3r.org server, configured it in Pidgin client, added a *@gmail.com user as a friend, and the communication worked without problem.
When configured the same thing in Zentyal, i do not receive any messages on my client.
I tested that by stopping some service, then check in /var/log/zentyal.events.log and on my mobile phone. Log file has written the event in the file, but my phone didn't receive anything.
2
Installation and Upgrades / Intel NIC (82574L Gigabit Network) stops working
« on: February 24, 2014, 10:18:26 am »
Hi,
I configured server with 4 NICs (3 Intel, 1 Dlink with VIA Rhine3 chipset) to be used as a dhcp and a gateway server. Until recently, everything worked, and then something strange happened.
DHCP stopped work on one Intel interface, and web gui said it had link but it was down.
Then i searched through syslog and found this :
So, clients in one network constantly send DHCPDISCOVER packages but never finish this procedure and they never get the address. I was scanning on the wireshark and the client never saw this DHCPOFFER packages, so I think they never went out that ETH2 interface.
As you can see, ETH3 network works as usual , everything is normal.
So i said : "Something is very suspicious".
Lets look a little deeper, and yes , i found this, 2 days ago (in syslog file, too) :
AND IMMEDIATELY after that this (a put that in a different code formatting for easier reading) :
Something happens to this adapter, and it stops working, and I really can't interpret all those messages.
Can somebody provide further info in this situation?
A reboot should resolve this situation temporarily, but it is not a permanent solution.
I configured server with 4 NICs (3 Intel, 1 Dlink with VIA Rhine3 chipset) to be used as a dhcp and a gateway server. Until recently, everything worked, and then something strange happened.
DHCP stopped work on one Intel interface, and web gui said it had link but it was down.
Then i searched through syslog and found this :
Code: [Select]
Feb 24 07:33:35 mars dhcpd: DHCPDISCOVER from 6c:62:6d:44:02:07 (ws5-lb3) via eth2
Feb 24 07:33:35 mars dhcpd: DHCPOFFER on 70.70.70.35 to 6c:62:6d:44:02:07 (ws5-lb3) via eth2
Feb 24 07:33:37 mars dhcpd: DHCPDISCOVER from 6c:62:6d:44:02:07 (ws5-lb3) via eth2
Feb 24 07:33:37 mars dhcpd: DHCPOFFER on 70.70.70.35 to 6c:62:6d:44:02:07 (ws5-lb3) via eth2
Feb 24 07:33:45 mars dhcpd: DHCPDISCOVER from 6c:62:6d:44:02:07 (ws5-lb3) via eth2
Feb 24 07:33:45 mars dhcpd: DHCPOFFER on 70.70.70.35 to 6c:62:6d:44:02:07 (ws5-lb3) via eth2
Feb 24 07:34:03 mars dhcpd: DHCPDISCOVER from 6c:62:6d:44:02:07 (ws5-lb3) via eth2
Feb 24 07:34:03 mars dhcpd: DHCPOFFER on 70.70.70.35 to 6c:62:6d:44:02:07 (ws5-lb3) via eth2
Feb 24 07:34:03 mars dhcpd: DHCPINFORM from 80.80.80.37 via eth3
Feb 24 07:34:03 mars dhcpd: DHCPACK to 80.80.80.37 (6c:62:6d:44:00:27) via eth3
So, clients in one network constantly send DHCPDISCOVER packages but never finish this procedure and they never get the address. I was scanning on the wireshark and the client never saw this DHCPOFFER packages, so I think they never went out that ETH2 interface.
As you can see, ETH3 network works as usual , everything is normal.
So i said : "Something is very suspicious".
Lets look a little deeper, and yes , i found this, 2 days ago (in syslog file, too) :
Code: [Select]
Feb 22 12:40:01 mars CRON[17247]: (root) CMD (/usr/share/zentyal-users/slave-sync)
Feb 22 12:40:01 mars CRON[17248]: (root) CMD ((pgrep -u root,ebox cronjob-runner || /usr/share/zentyal-remoteservices/cronjo$
Feb 22 12:40:01 mars CRON[17249]: (root) CMD ((pgrep -u root,ebox run-pending-ops || /usr/share/zentyal-remoteservices/run-p$
Feb 22 12:45:01 mars CRON[17273]: (root) CMD (/usr/share/zentyal-users/slave-sync)
Feb 22 12:45:01 mars CRON[17274]: (root) CMD ((pgrep -u root,ebox run-pending-ops || /usr/share/zentyal-remoteservices/run-p$
Feb 22 12:45:14 mars kernel: [692378.403101] irq 51: nobody cared (try booting with the "irqpoll" option)
Feb 22 12:45:14 mars kernel: [692378.403109] Pid: 0, comm: swapper/0 Tainted: GF 3.8.0-35-generic #52~precise1-Ub$
Feb 22 12:45:14 mars kernel: [692378.403112] Call Trace:
Feb 22 12:45:14 mars kernel: [692378.403115] <IRQ> [<ffffffff810f085d>] __report_bad_irq+0x3d/0xe0
Feb 22 12:45:14 mars kernel: [692378.403132] [<ffffffff810f0c85>] note_interrupt+0x135/0x190
Feb 22 12:45:14 mars kernel: [692378.403138] [<ffffffff810ee499>] handle_irq_event_percpu+0xa9/0x210
Feb 22 12:45:14 mars kernel: [692378.403143] [<ffffffff810ee64e>] handle_irq_event+0x4e/0x80
Feb 22 12:45:14 mars kernel: [692378.403147] [<ffffffff810f0fe4>] handle_edge_irq+0x84/0x130
Feb 22 12:45:14 mars kernel: [692378.403155] [<ffffffff81016762>] handle_irq+0x22/0x40
Feb 22 12:45:14 mars kernel: [692378.403160] [<ffffffff816ffc6a>] do_IRQ+0x5a/0xe0
Feb 22 12:45:14 mars kernel: [692378.403166] [<ffffffff816f56ed>] common_interrupt+0x6d/0x6d
Feb 22 12:45:14 mars kernel: [692378.403169] <EOI> [<ffffffff8158c530>] ? cpuidle_wrap_enter+0x50/0xa0
Feb 22 12:45:14 mars kernel: [692378.403179] [<ffffffff8158c529>] ? cpuidle_wrap_enter+0x49/0xa0
Feb 22 12:45:14 mars kernel: [692378.403184] [<ffffffff8158d96e>] ? menu_select+0x16e/0x2b0
Feb 22 12:45:14 mars kernel: [692378.403189] [<ffffffff8158c590>] cpuidle_enter_tk+0x10/0x20
Feb 22 12:45:14 mars kernel: [692378.403193] [<ffffffff8158c13f>] cpuidle_idle_call+0xaf/0x2c0
Feb 22 12:45:14 mars kernel: [692378.403199] [<ffffffff8101db6f>] cpu_idle+0xcf/0x120
Feb 22 12:45:14 mars kernel: [692378.403204] [<ffffffff816c8302>] rest_init+0x72/0x80
Feb 22 12:45:14 mars kernel: [692378.403209] [<ffffffff81d05c4f>] start_kernel+0x3d1/0x3de
Feb 22 12:45:14 mars kernel: [692378.403216] [<ffffffff81d057ff>] ? pass_bootoption.constprop.3+0xd3/0xd3
Feb 22 12:45:14 mars kernel: [692378.403222] [<ffffffff81d05397>] x86_64_start_reservations+0x131/0x135
Feb 22 12:45:14 mars kernel: [692378.403227] [<ffffffff81d05120>] ? early_idt_handlers+0x120/0x120
Feb 22 12:45:14 mars kernel: [692378.403232] [<ffffffff81d05468>] x86_64_start_kernel+0xcd/0xdc
Feb 22 12:45:14 mars kernel: [692378.403235] handlers:
Feb 22 12:45:14 mars kernel: [692378.403254] [<ffffffffa0039050>] e1000_msix_other [e1000e]
Feb 22 12:45:14 mars kernel: [692378.403257] Disabling IRQ #51
Feb 22 12:45:17 mars kernel: [692381.180378] ------------[ cut here ]------------
Feb 22 12:45:17 mars kernel: [692381.180389] WARNING: at /build/buildd/linux-lts-raring-3.8.0/net/sched/sch_generic.c:254 de$
Feb 22 12:45:17 mars kernel: [692381.180392] Hardware name: Lenovo ThinkServer TS200 -[652512G]-
AND IMMEDIATELY after that this (a put that in a different code formatting for easier reading) :
Code: [Select]
Feb 22 12:45:17 mars kernel: [692381.180394] NETDEV WATCHDOG: eth2 (e1000e): transmit queue 0 timed out
Feb 22 12:45:17 mars kernel: [692381.180397] Modules linked in: xt_multiport(F) nfnetlink_queue(F) nfnetlink(F) xt_REDIRECT($
Feb 22 12:45:17 mars kernel: [692381.180461] Pid: 0, comm: swapper/0 Tainted: GF 3.8.0-35-generic #52~precise1-Ub$
Feb 22 12:45:17 mars kernel: [692381.180463] Call Trace:
Feb 22 12:45:17 mars kernel: [692381.180466] <IRQ> [<ffffffff81059b6f>] warn_slowpath_common+0x7f/0xc0
Feb 22 12:45:17 mars kernel: [692381.180479] [<ffffffff81059c66>] warn_slowpath_fmt+0x46/0x50
Feb 22 12:45:17 mars kernel: [692381.180484] [<ffffffff81062bf9>] ? raise_softirq_irqoff+0x9/0x40
Feb 22 12:45:17 mars kernel: [692381.180492] [<ffffffff81603262>] dev_watchdog+0x262/0x270
Feb 22 12:45:17 mars kernel: [692381.180497] [<ffffffff8101bb39>] ? read_tsc+0x9/0x20
Feb 22 12:45:17 mars kernel: [692381.180504] [<ffffffff810773c0>] ? __queue_work+0x2d0/0x2d0
Feb 22 12:45:17 mars kernel: [692381.180508] [<ffffffff81603000>] ? pfifo_fast_dequeue+0xe0/0xe0
Feb 22 12:45:17 mars kernel: [692381.180514] [<ffffffff81069956>] call_timer_fn+0x46/0x160
Feb 22 12:45:17 mars kernel: [692381.180520] [<ffffffff8106b427>] run_timer_softirq+0x267/0x2c0
Feb 22 12:45:17 mars kernel: [692381.180527] [<ffffffff81450131>] ? add_interrupt_randomness+0x41/0x190
Feb 22 12:45:17 mars kernel: [692381.180532] [<ffffffff81603000>] ? pfifo_fast_dequeue+0xe0/0xe0
Feb 22 12:45:17 mars kernel: [692381.180537] [<ffffffff81062670>] __do_softirq+0xc0/0x240
Feb 22 12:45:17 mars kernel: [692381.180542] [<ffffffff816f50fe>] ? _raw_spin_lock+0xe/0x20
Feb 22 12:45:17 mars kernel: [692381.180549] [<ffffffff816ff3dc>] call_softirq+0x1c/0x30
Feb 22 12:45:17 mars kernel: [692381.180555] [<ffffffff810167e5>] do_softirq+0x65/0xa0
Feb 22 12:45:17 mars kernel: [692381.180559] [<ffffffff8106294e>] irq_exit+0x8e/0xb0
Feb 22 12:45:17 mars kernel: [692381.180564] [<ffffffff816ffc73>] do_IRQ+0x63/0xe0
Feb 22 12:45:17 mars kernel: [692381.180569] [<ffffffff816f56ed>] common_interrupt+0x6d/0x6d
Feb 22 12:45:17 mars kernel: [692381.180571] <EOI> [<ffffffff810b49cc>] ? clockevents_notify+0x4c/0x1a0
Feb 22 12:45:17 mars kernel: [692381.180582] [<ffffffff8158c530>] ? cpuidle_wrap_enter+0x50/0xa0
Feb 22 12:45:17 mars kernel: [692381.180587] [<ffffffff8158c529>] ? cpuidle_wrap_enter+0x49/0xa0
Feb 22 12:45:17 mars kernel: [692381.180591] [<ffffffff8158d96e>] ? menu_select+0x16e/0x2b0
Feb 22 12:45:17 mars kernel: [692381.180596] [<ffffffff8158c590>] cpuidle_enter_tk+0x10/0x20
Feb 22 12:45:17 mars kernel: [692381.180601] [<ffffffff8158c13f>] cpuidle_idle_call+0xaf/0x2c0
Feb 22 12:45:17 mars kernel: [692381.180606] [<ffffffff8101db6f>] cpu_idle+0xcf/0x120
Feb 22 12:45:17 mars kernel: [692381.180610] [<ffffffff816c8302>] rest_init+0x72/0x80
Feb 22 12:45:17 mars kernel: [692381.180615] [<ffffffff81d05c4f>] start_kernel+0x3d1/0x3de
Feb 22 12:45:17 mars kernel: [692381.180621] [<ffffffff81d057ff>] ? pass_bootoption.constprop.3+0xd3/0xd3
Feb 22 12:45:17 mars kernel: [692381.180627] [<ffffffff81d05397>] x86_64_start_reservations+0x131/0x135
Feb 22 12:45:17 mars kernel: [692381.180632] [<ffffffff81d05120>] ? early_idt_handlers+0x120/0x120
Feb 22 12:45:17 mars kernel: [692381.180637] [<ffffffff81d05468>] x86_64_start_kernel+0xcd/0xdc
Feb 22 12:45:17 mars kernel: [692381.180641] ---[ end trace 4e14019b94f73825 ]---
Feb 22 12:45:17 mars kernel: [692381.180666] e1000e 0000:15:00.0 eth2: Reset adapter
Something happens to this adapter, and it stops working, and I really can't interpret all those messages.
Can somebody provide further info in this situation?
A reboot should resolve this situation temporarily, but it is not a permanent solution.
3
Installation and Upgrades / Adding repository for newest stable build of Suricata on Ubuntu
« on: November 29, 2013, 02:28:03 pm »
Since Zentyal team uses default Ubuntu repository and default configuration, i guess it doesn't hurt to add stable repository for Suricata package. If you want to do that, just type this in terminal :
Now, i DO NOT recommend that for any production server, but that should be self explanatory. I would like to hear from the devs, if there is some reason not to do such a thing ?
Code: [Select]
sudo add-apt-repository ppa:oisf/suricata-stable
sudo apt-get update
sudo apt-get upgradeNow, i DO NOT recommend that for any production server, but that should be self explanatory. I would like to hear from the devs, if there is some reason not to do such a thing ?
4
Installation and Upgrades / Suricata "stats.log" cleaning and configuration optimization
« on: November 22, 2013, 01:23:42 pm »
Hi,
Since default config from Suricata states that it will put some info every 8 seconds into stats.log file, it can grow very large in no time. And if you access your server remotely, you can not become root, and sudo does not allow you zero that file.
When i say big, i mean gigabytes big, and most admins rarely look at that realtime data.
So, we need to take care of it.
To delete a file (Suricata will recreate it at start), stop the Suricata engine first :
Then delete the "stats.log" file (you can first check its size )
Then, we need to optimize that configuration a little. Open its main config file :
And then locate a category "stats:"
Under it you will find the line "interval: 8". That mean, that every 8 seconds file will be refreshed with new data. For starters, you can put there a 60 or so, and after a while, if you're not satisfied, play with those numbers a little. Save that file.
And then start the Suricata engine :
P.S. If I can make some suggestions, I think Suricata is really a good choice for modern secure systems, and congrats to developers for choosing it over Snort.
But,first off all, we really shouldn't have that old version from Ubuntu repo, maybe you should build the last stable version and put it in your own repo.
And last but not least, some configuration changes should be implemented. Rules could be used from Emerging Threats. And does anybody know how are there rules updated? Or should we use oinkmaster for it ?
And definitely, not bound only to Suricata, better reporting module is needed, (GUI, better filtering options).
Since default config from Suricata states that it will put some info every 8 seconds into stats.log file, it can grow very large in no time. And if you access your server remotely, you can not become root, and sudo does not allow you zero that file.
When i say big, i mean gigabytes big, and most admins rarely look at that realtime data.
So, we need to take care of it.
To delete a file (Suricata will recreate it at start), stop the Suricata engine first :
Code: [Select]
[b]"sudo /etc/init.d/zentyal ips stop"[/b]Then delete the "stats.log" file (you can first check its size
)Code: [Select]
[b]"sudo rm /var/log/suricata/stats.log"[/b]Then, we need to optimize that configuration a little. Open its main config file :
Code: [Select]
[b]"sudo nano /usr/share/zentyal/stubs/ips/suricata-debian.yaml.mas"[/b]And then locate a category "stats:"
Under it you will find the line "interval: 8". That mean, that every 8 seconds file will be refreshed with new data. For starters, you can put there a 60 or so, and after a while, if you're not satisfied, play with those numbers a little. Save that file.
And then start the Suricata engine :
Code: [Select]
[b]"sudo /etc/init.d/zentyal ips start"[/b]P.S. If I can make some suggestions, I think Suricata is really a good choice for modern secure systems, and congrats to developers for choosing it over Snort.
But,first off all, we really shouldn't have that old version from Ubuntu repo, maybe you should build the last stable version and put it in your own repo.
And last but not least, some configuration changes should be implemented. Rules could be used from Emerging Threats. And does anybody know how are there rules updated? Or should we use oinkmaster for it ?
And definitely, not bound only to Suricata, better reporting module is needed, (GUI, better filtering options).
5
Installation and Upgrades / Cannot delete BR1 interface, bug or intentional ?
« on: October 09, 2013, 06:02:34 pm »
While I had an 3.1 installation, I tried to experiment with virtual machines. For that, I had to install bridge adapter (convert eth0 to bridge mode, and br1 appeared). After, when 3.2 was released, libvirt module lost support , and I uninstalled "Virtual Machines" module. Then, tried to convert eth0 to static IP addressing, hoping it would delete br1 interface. But, alas, it was still there. Then i disabled eth0 (Method : not set), br1 is still there. Even tried rebooting, nothing.
Ifconfig shows nothing or "ip addr":
"locate br1" showed some upstart br1 log files, some br1.xml files under libvirt folder, but i manually removed them :
Is there some other methods I should be using to remove that interface ? Should I uninstall libvirt module with apt-get ?
Thank you
Ifconfig shows nothing or "ip addr":
Code: [Select]
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
link/ether 00:06:29:ec:88:2c brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
link/ether 00:08:54:53:54:d3 brd ff:ff:ff:ff:ff:ff
4: [b]eth2[/b]: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN qlen 1000
link/ether 00:11:09:94:05:76 brd ff:ff:ff:ff:ff:ff"locate br1" showed some upstart br1 log files, some br1.xml files under libvirt folder, but i manually removed them :
Code: [Select]
/lib/modules/3.5.0-23-generic/kernel/drivers/media/radio/dsbr100.ko
/lib/modules/3.5.0-40-generic/kernel/drivers/media/radio/dsbr100.ko
/lib/modules/3.5.0-41-generic/kernel/drivers/media/radio/dsbr100.ko
/opt/ltsp/i386/lib/modules/3.2.0-53-generic-pae/kernel/drivers/media/radio/dsbr100.ko
Is there some other methods I should be using to remove that interface ? Should I uninstall libvirt module with apt-get ?
Thank you
6
Installation and Upgrades / [SOLVED] Zentyal won't remember changes I make in Suricata config file
« on: September 27, 2013, 04:29:43 pm »
Everytime i make changes in a "suricata-debian.yaml" file, and restart the service, i comes back to default. Should I change some other file, or what am I doing wrong?
Pages: [1]