No alerts

[RobboRob]

Describe the bug

I've set up the cbc-syslog tool using the poll mode on my Debian server and I do receive Audit Log syslog messages in my SIEM system but no Alerts. I have the following parameters setup in my conf file:

[general] backup_dir = "/tmp" output_format = "template" output_type = "udp" udp_out = "IP:Port"

[nav] server_url = "defense-eu.conferdeploy.net" org_key = "xxxxx" custom_api_id = "xxxxx" custom_api_key = "xxxxx" audit_logs_enabled = true alerts_enabled = true

[[nav.alert_rules]] type = [ "WATCHLIST", "DEVICE_CONTROL", "CB_ANALYTICS", "CONTAINER_RUNTIME", "HOST_BASED_FIREWALL", "INTRUSION_DETECTION_SYSTEM" ] minimum_severity = 1

[alerts_template] template = "{{datetime_utc}} localhost CEF:1|{{vendor}}|{{product}}|{{product_version}}|{{reason_code}}|{{reason}}|{{severity}}|{{extension}}" type_field = "type" time_format = "%b %d %Y %H:%m:%S" time_fields = ["backend_timestamp"]

[alerts_template.extension] default = "cat={{type}}\tact={{sensor_action}}\toutcome={{run_state}}" CB_ANALYTICS = "cat={{type}}\tact={{sensor_action}}\toutcome={{run_state}}\tframeworkName=MITRE_ATT&CK\tthreatAttackID={{attack_tactic}}:{{attack_technique}}"

[audit_logs_template] template = "{{datetime_utc}} localhost CEF:1|{{vendor}}|{{product}}|{{product_version}}|Audit Logs|{{description}}|1|{{extension}}" type_field = "" time_format = "%b %d %Y %H:%m:%S" time_fields = ["eventTime"]

[audit_logs_template.extension] default = "rt={{eventTime}}\tdvchost={{orgName}}\tduser={{loginName}}\tdvc={{clientIp}}\tcs4Label=Event_ID\tcs4={{eventId}}"

I have also checked with tcpdump what data is sent to the output port but also there only the audit log messages are sent.

When I use the CB API directly to test (using curl) I do get alerts returned...

Any idea why I don't get alerts out of the cbc-syslog tool using the poll mode?

Reproduction steps

1. use the config in the description (with correct ip, port and api keys configured).
2. run the tool using the poll option

Expected behavior

Alerts and audit logs should be polled...

Additional context

No additional context

[RobboRob]

Output I get is: 2024-03-14 16:54:30,261 - cbc_syslog.cli - INFO - Carbon Black Cloud Syslog 2.0 2024-03-14 16:54:30,359 - cbc_syslog.core - INFO - Sending 0 alerts for NXZA5P5L 2024-03-14 16:54:30,437 - cbc_syslog.core - INFO - Sending 0 audit_logs for NXZA5P5L

sometimes with 1 or more audit_logs but no alerts...

[RobboRob]

I noticed that the first time after an API account is generated or a new key is assigned the alarms are being sent once when the poll mode is used.

When the history mode is used retrieving alerts does seem to work.

I'm now trying to use the poll mode without the retrieve audit_logs being enabled to see if that changes the behaviour with regards to the retrieving alerts...

[avanbrunt-cb]

@RobboRob We have a fix in 2.0.3 for a UTC datetime issue which could be related to your issue.

For context, the poll mechanism will fetch alerts from the last time the poll command was fetched so if there are no alerts then nothing will be forwarded. The first time the poll is used it will set a start time of 90s prior call being made. If you want to confirm the most recent checkpoint you can find the timestamp in the backup directory inside cbc_syslog_state.json. If you are able to fetch alerts with the history command then you're configuration is correct and it is likely there is no alerts to be fetched assuming you aren't experiencing the UTC datetime issue

How many alerts does your organization receive per day?

Did you make a support issue as well as I want to ensure I associate any investigation to in progress tickets?

[RobboRob]

@avanbrunt-cb : thanks for responding. I noticed the history option is a more reliable but I also noticed that the script seem to run running ok from the command prompt (CLI) but not from crontab when scheduled for alerts (however it works for retrieving audit logs).

When calling it from crontab (using the same user as used at the CLI) I tried to also set and export the needed path in crontab but that didn't change the behaviour (0 alerts retrieved). No errors or warnings are generated.

[avanbrunt-cb]

Can you run the poll command with --verbose then provide the log file? Can you also provide the cron job that you have configured?

[RobboRob]

I'm always running it with the -v option.

Still some new findings: When I create a service and the call a script with an endless loop calling the cbc_syslog_forwarder script with the history option enabled retrieving only the alerts I get it all working...

[RobboRob]

BTW Could it be that when I use the cbc_syslog forwarder with the poll option and have both the audit_log and alerts set on true in the used config file that polling the audit logs is creating a new json file in the backup directory and when subsequently the alerts are retrieved the start time is not correct because it uses the end time of the poll action of the audit events as start time?

[avanbrunt-cb]

@RobboRob the script should have no issue with both Audit Logs and Alerts enabled at the same time

[avanbrunt-cb]

I need the verbose logs from a poll command to try to better understand what is going on.

Additionally how many alerts per minute does your org generate

[RobboRob]

$ cbc_syslog_forwarder --verbose poll cbc.conf 2024-03-27 16:10:17,810 - cbc_syslog.cli - INFO - Carbon Black Cloud Syslog 2.0 2024-03-27 16:10:17,964 - cbc_syslog.core - INFO - Sending 0 alerts for NXZA5P5L 2024-03-27 16:10:18,041 - cbc_syslog.core - INFO - Sending 0 audit_logs for NXZA5P5L

$ cat /tmp/cbc_syslog_state.json { "failed_orgs": {}, "end_time": "2024-03-27T16:09:47.821508Z" }[

[avanbrunt-cb]

How many alerts does your organization generate? Are there any new alerts in the last few minutes?

[RobboRob]

app 1 till 3 per day...

[avanbrunt-cb]

If you are only going to get 1 to 3 alerts per day then you won't see much between each poll depending on how frequently you poll. The poll command will take the last end time and use the current time - 30s to fetch the most recent alerts. If you want to confirm the poll command is working then modify the end_time in the cbc_syslog_state.json file to a few days back then run the poll command so that if fetches a few days.

I'd recommend a poll cycle of 10 or 15min given the low volume unless you want alerts to come in as soon as they happen but you will see a lot of 0 alert polls.

If you need to load any historical data then the history command is recommend to fetch a few days or weeks back.

I don't see any issues here as the tool appears to be working as expected with the low data volume.

[RobboRob]

but why is it working on the CLI but not via crontab (I ensured the path was set in the crontab)...

[avanbrunt-cb]

What do you have configured for your crontab

[RobboRob]

• • • • • export PATH=$PATH:[path to cbc_syslog_collector];cbc_system_collector -l cbc_syslog.log poll cbc.conf

[avanbrunt-cb]

@RobboRob The command is not called cbc_syslog_collector instead it is called cbc_syslog_forwarder.

I'm also not sure why you have an environmental variable command in the crontab export PATH=$PATH:[path to cbc_syslog_collector]; is not necessary as the cbc_syslog_forwarder command has been added to the bin directory.

You will need absolute paths for cbc_syslog.log and cbc.conf as the crontab won't execute it from the directory you expect