Diagnose an OSSIM system with a single command

alienvault-doctor is a very practical health-check script for OSSIM systems. Here is what it reports on a system that has several faults:

VirtualUSMAllInOne:~# alienvault-doctor
AlienVault Doctor version 4.13.0 (Hemingway)
     AlienVault version:                                     4.13.0
     Installed profiles:           Server,Database,Framework,Sensor
     Operating system:                                        Linux
     Hardware platform:                                      x86_64
     Hostname:                                   VirtualUSMAllInOne

Hmmm, let the Doctor have a look at you...

[Warning] Could not evaluate " "Can't retrieve sensor list: Error while querying for 'Sensor' systems: (OperationalError) (2003, "Can't connect to MySQL server on '127.0.0.1' (111)") None None" ==""" in check "Celery workers": invalid syntax (<string>, line 1)

Hooray! The Doctor has diagnosed you, check out the results...

     Plugin ansiblemgr_log.plg didn't run: Cannot parse file "/var/log/alienvault/api/ansiblemgr.log": [Errno 2] No such file or directory: '/var/log/alienvault/api/ansiblemgr.log'
     Plugin: connection_no
          [*] Connections: Number of connections between server, mysql and/or IDM not expected
              Word of advice: Connections to the AlienVault subsystems vary between a well defined range. Please check where the extra connections come from
     Plugin: disk_usage
          [*] root partition critical: All good
          [*] root partition warning: All good
     Plugin mysql_history didn't run: Cannot parse file "/root/.mysql_history": [Errno 2] No such file or directory: '/root/.mysql_history'
     Plugin: netstat
          [*] RX and TX queues: ossim server, agent or mysql may have problems with their rx/tx queues
              Word of advice: RX/TX queues are network buffers. Large queues may point to network problems. Please check your network connection and hardware
     Plugin gunicorn_access_log didn't run: Cannot parse file "/var/log/alienvault/api/gunicorn_access.log": [Errno 2] No such file or directory: '/var/log/alienvault/api/gunicorn_access.log'
     Plugin: corrupt_tables
          [*] Corrupted tables: All good
     Plugin: installed_pkg
          [*] Default packages: Some packages do not match default installation
              Word of advice: AlienVault systems are designed to work with a well defined set of packages. Adding or deleting packages manually is not supported and may lead to unexpected results
          [*] Version compliance: Some package versions do not match with the installed AlienVault version
              Word of advice: AlienVault packages are built and tested to work in a version consistent fashion. Inconsistent versions across different AlienVault packages could lead to unexpected issues.
     Plugin superdoctor didn't run: Required file "/usr/sbin/sdt" does not exist
     Plugin: percona_logrotate
          [*] signatures: All good
          [*] mysql.err: mysql.err is not on the logrotate configuration
              Word of advice: The mysql.err file may become too large and should be rotated properly. Please check your logrotate configuration
          [*] mysql.log: All good
     Plugin: celerybeat_log.plg
          [*] Celerybeat process: All good
     Plugin gunicorn_log didn't run: Cannot parse file "/var/log/alienvault/api/gunicorn.log": [Errno 2] No such file or directory: '/var/log/alienvault/api/gunicorn.log'
     Plugin chassis didn't run: Required module "ipmi_devintf" is not present
     Plugin: celeryworker_log.plg
          [*] Celery workers: Celery is not working properly
              Word of advice: Celery is the task manager of choice in AlienVault. Workers reporting errors may suggest that your queues or custom tasks are not working properly.
     Plugin: processes
          [*] Server: All good
          [*] Indexer: All good
          [*] MySQL: All good
     Plugin: api_log
          [*] Number of connection attempts to RabbitMQ: All good
     Plugin bash_history didn't run: Cannot parse file "/root/.bash_history": [Errno 2] No such file or directory: '/root/.bash_history'
     Plugin: pkg_checksum
          [*] ossim_checks: All good
     Plugin: server_log
          [*] IDM connection recovery: All good
          [*] Remote server connection recovery: All good
     Plugin: network_interface
          [*] Collisions: All good
          [*] RX/TX errors: All good
          [*] MTU: All good
     Plugin: default_hw
          [*] Default hardware: All good
     Plugin: schema_version
          [*] Schema version: All good
     Plugin: null_fields
          [*] Event sensor field: Some events in your database have null sensor_id fields
              Word of advice: Events without an associated sensor_id are a sign of misconfigured plugins and/or sensor properties. Please check both in your system
          [*] Server DB configuration: All good
     Plugin vm_requirements didn't run: Memory requirement is not met

Next, we work through the items the tool flags (highlighted in red on the console) and troubleshoot each one in a targeted way: the checks that do not report "All good", the plugins that did not run, and the "Word of advice" attached to each finding.

For comparison, it also helps to know what the check output of a healthy system looks like:

# alienvault-doctor
AlienVault Doctor version 5.1.1 (Mewes)
     AlienVault version:                                                    5.1.1-TRIAL
     License:                                                                      None
     Licensed Assets:                                                         UNLIMITED
     Software profile:                              Server, Database, Framework, Sensor
     Hardware profile:                                      alienvault-vmware-aio-6x1gb
     Last updated:                                         Mon Sep 07 11:35:35 2015 EST

Hmmm, let the Doctor have a look at you

[Warning] Check 00560002 is not meant to be run in alienvault-vmware-aio-6x1gb
[Warning] Check 00030002 is not meant to be run in alienvault-vmware-aio-6x1gb
[Warning] Check 00210009 is not meant to be run in alienvault-vmware-aio-6x1gb
[Warning] Check 00210008 is not meant to be run in alienvault-vmware-aio-6x1gb
[Warning] Check 00210007 is not meant to be run in alienvault-vmware-aio-6x1gb
[Warning] Check 00210006 is not meant to be run in alienvault-vmware-aio-6x1gb
[Warning] Check 00210005 is not meant to be run in alienvault-vmware-aio-6x1gb
[Warning] Check 00260001 is not meant to be run in a TRIAL license

Hooray! The Doctor has diagnosed you, check out the results...

  Be careful! Seems that you are not in the Strike Zone! Please check the output below.

     Plugin: 0001 Agent Cache Disk
             Check the disk space used by the AlienVault Agent cache
         [*] 00010001: All good
     Plugin: 0002 Agent Cache Files
             Checks the integrity of the AlienVault Agent cache
         [*] 00020001: All good
     Plugin: 0003 AlienVault Agent log
             Parses the Agent log to search for errors.
         [*] 00030003: All good
         [*] 00030001: All good
     Plugin: 0004 Enabled Agent Plugins
             Check the number of AlienVault plugins enabled in the Agent
         [*] 00040001: All good
         [*] 00040002: All good
     Plugin: 0005 Agent Plugins
             Looks for the plugin files enabled, and then checks its existance
             In the Strike Zone?: True
         [*] 00050001: All good
     Plugin: 0006 Agent plugins integrity
             Verifies the integrity of the default Agent plugins.
             In the Strike Zone?: True
         [*] 00060002: All good
         [*] 00060001: All good
     Plugin: 0007 Agent Plugins
             Check the integrity of the agent plugins configuration
         [*] 00070001: All good
     Plugin: 0008 Agent rsyslog configuration files integrity
             Check the integrity of the default Agent rsyslog configuration files.
             In the Strike Zone?: True
         [*] 00080001: All good
         [*] 00080002: All good
     Plugin: 0009 Dummy packages
             Check the dummy packages
             In the Strike Zone?: True
         [*] 00090001: All good
     Plugin: 0010 AlienVault API log
             Parses the API log to search for issues.
         [*] 00100002: All good
         [*] 00100001: All good
     Plugin: 0011 Backup Manager errors in frameworkd_error.log
             Parses the frameworkd error log searching for Backup Manager errors
         [*] 00110001: All good
     Plugin: 0012 Backup notifications log
             Parses the api backup notifications log to search for issues.
         [*] 00120001: All good
     Plugin: 0013 Bash history
             Searches for anomalies in the root .bash_history file.
             In the Strike Zone?: True
         [*] 00130001: All good
         [*] 00130002: All good
         [*] 00130003: All good
         [*] 00130004: All good
         [*] 00130005: All good
         [*] 00130006: All good
         [*] 00130007: All good
     Plugin: 0014 Celerybeat log
             Parses the celerybeat.log file, searching for errors.
         [*] 00140001: All good
     Plugin: 0015 Celery worker log
             Parses the Celery w1.log file for errors.
         [*] 00150001: All good
     Plugin: 0016 Appliance chassis
         [*] 00160001: All good
     Plugin: 0017 Connection number
             Checks the number of connections from/to this computer.
         [*] 00170001: All good
     Plugin: 0018 Current network configuration
             Monitors the network configuration searching for network problems.
             In the Strike Zone?: False
         [*] 00180003: All good
         [*] 00180002: Configured and running network interfaces do not match
             Word of advice: The number of configured network interfaces and running network interfaces do not match. Please check the network configuration to adjust the running interfaces
         [*] 00180001: All good
         [*] 00180005: All good
         [*] 00180004: All good
     Plugin: 0019 Licensed Devices
             Compares the number of current devices registered against the number of licensed devices
             In the Strike Zone?: True
         [*] 00190001: All good
     Plugin: 0020 Database migration log
             Parses the database_migration.log file, searching for errors.
         [*] 00200001: All good
     Plugin: 0021 AlienVault appliance processes
             Check for misbehaviour of running/not running processes in each of the AlienVault appliances.
         [*] 00210004: All good
         [*] 00210003: All good
         [*] 00210002: All good
         [*] 00210001: All good
     Plugin: 0022 DB data consistency
             Checks the data consistency in the AlienVault database.
             In the Strike Zone?: False
         [*] 00220019: All good
         [*] 00220018: All good
         [*] 00220017: All good
         [*] 00220016: All good
         [*] 00220015: All good
         [*] 00220014: All good
         [*] 00220013: All good
         [*] 00220012: All good
         [*] 00220011: All good
         [*] 00220010: All good
         [*] 00220022: All good
         [*] 00220023: All good
         [*] 00220020: All good
         [*] 00220021: All good
         [*] 00220008: All good
         [*] 00220009: All good
         [*] 00220004: Current event window is bigger than the backup one
             Word of advice: A malfunctioning backup system may lead to a general failure. Please check the AlienVault backup configuration
         [*] 00220005: All good
         [*] 00220006: All good
         [*] 00220007: All good
         [*] 00220001: All good
         [*] 00220002: All good
     Plugin: 0023 Database status
             Tests database health, searching for crashed processes or inefficient queries, among other issues.
         [*] 00230005: All good
         [*] 00230004: All good
         [*] 00230001: All good
         [*] 00230003: All good
         [*] 00230002: All good
     Plugin: 0024 Default mounted file systems
             Checks the mounted file systems.
         [*] 00240001: All good
     Plugin: 0025 Default hardware
             Checks the standard hardware.
             In the Strike Zone?: True
         [*] 00250001: All good
     Plugin: 0026 Default repositories
             Searches for the default repositories
             In the Strike Zone?: True
         [*] 00260002: All good
         [*] 00260003: All good
         [*] 00260004: All good
     Plugin: 0027 Default server packages
             Searches for the default packages in a Server profile.
             In the Strike Zone?: False
         [*] 00270001: Some packages do not match with the AlienVault default installation
             Word of advice: AlienVault systems are designed to work with a well defined set of packages. Adding or deleting packages manually is not supported and may lead to unexpected results
         [*] 00270003: All good
         [*] 00270002: All good
         [*] 00270004: All good
     Plugin: 0028 Detailed network link status
             Uses ethtool to check the network link status
         [*] 00280001: All good
     Plugin: 0029 Disk size
             Checks the disk size
             In the Strike Zone?: True
         [*] 00290001: All good
     Plugin: 0030 Disk usage
             Checks the disk usage in AlienVault important partitions.
         [*] 00300001: All good
         [*] 00300002: All good
     Plugin: 0031 Hosts configuration file
             Parses the /etc/hosts file for inconsistencies
             In the Strike Zone?: True
         [*] 00310001: All good
         [*] 00310002: All good
         [*] 00310003: All good
     Plugin: 0032 IO speed
             Detects low IO speed.
         [*] 00320001: All good
     Plugin: 0033 Kernel configuration
             Detects Kernel configuration changes.
             In the Strike Zone?: True
         [*] 00330001: All good
     Plugin: 0034 MySQL history
             Searches for anomalies in the root .mysql_history file.
             In the Strike Zone?: True
         [*] 00340001: All good
         [*] 00340002: All good
     Plugin: 0035 Network link status
             Uses mii-tool to check the network link status
             In the Strike Zone?: True
         [*] 00350001: All good
         [*] 00350002: All good
     Plugin: 0036 Network services
             Detects common network service related problems.
         [*] 00360002: All good
         [*] 00360001: All good
     Plugin: 0037 Network routing
             Parses the /etc/resolv.conf file for inconsistencies
             In the Strike Zone?: True
         [*] 00370001: All good
     Plugin: 0041 Package checksum
             Searches for modified files that originally belonged to a package.
             In the Strike Zone?: True
         [*] 00410001: All good
     Plugin: 0042 Reachable systems
             Checks for reachable systems using the API
         [*] 00420001: All good
     Plugin: 0043 Redis Health Status
             Checks Health Status by pinging through redis-cli
         [*] 00430001: All good
     Plugin: 0044 Redis dump.rdb size
             Checking Redis Health Status by computing /var/lib/redis/dump.rdb size
         [*] 00440001: All good
     Plugin: 0045 Domain nameservers configuration file
             Parses the /etc/resolv.conf file to search for inconsistencies
             In the Strike Zone?: True
         [*] 00450001: All good
         [*] 00450002: All good
     Plugin: 0046 Backup restore process log
             Parses the restore process log searching for potential issues.
         [*] 00460002: All good
         [*] 00460003: All good
         [*] 00460001: All good
         [*] 00460006: All good
         [*] 00460007: All good
         [*] 00460004: All good
         [*] 00460014: All good
         [*] 00460008: All good
         [*] 00460005: All good
         [*] 00460015: All good
         [*] 00460013: All good
         [*] 00460009: All good
         [*] 00460011: All good
         [*] 00460010: All good
         [*] 00460012: All good
     Plugin: 0047 Database schema version
             Looks for compatibility problems between the DB schema deployed and the packages installed.
             In the Strike Zone?: True
         [*] 00470001: All good
     Plugin: 0048 AlienVault Server profile connections
             Analyzes the connections established to the AV Server
         [*] 00480001: All good
         [*] 00480002: Missing connections to the AV Forward
             Word of advice: Some expected network connections to the AV Forward are not present. Please check your configuration and/or network status.
     Plugin: 0049 Server log files
             Searches for Server issues parsing its log file.
         [*] 00490001: All good
         [*] 00490002: All good
     Plugin: 0051 Server statistics
             Checks the server status by parsing statistics
         [*] 00510004: All good
         [*] 00510002: All good
         [*] 00510003: All good
         [*] 00510001: All good
     Plugin: 0053 Supermicro SuperDoctor
         [*] 00530004: All good
         [*] 00530005: All good
         [*] 00530006: All good
         [*] 00530001: All good
         [*] 00530002: All good
         [*] 00530003: All good
     Plugin: 0054 Unsupported Installations
             Searches for unsupported installations
             In the Strike Zone?: True
         [*] 00540001: All good
     Plugin: 0055 AlienVault Update log
             Parses the Update log to search for errors.
         [*] 00550001: All good
     Plugin: 0056 VM requirements
             Analyzes the deployment details in a virtual environment extracting the detailed information on the hardware configuration of the machine.
             In the Strike Zone?: True
         [*] 00560001: All good
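The red highlighting that makes the flagged items stand out on the console is lost once the output is saved to a file or pasted into a ticket, and a full run is several hundred lines. The following Python script is an added example (my own code, not part of alienvault-doctor or of the original post) that parses saved doctor output in both the 4.13.0 and 5.1.1 layouts shown above and keeps only what needs attention: checks that do not report "All good" together with their "Word of advice", plugins that did not run, and the doctor's own [Warning] lines. The SAMPLE_OUTPUT string is constructed from excerpts of the two runs above; the plugin names, check ids and messages in it are taken from the page, but the excerpt itself is not a real capture.

```python
import re
from dataclasses import dataclass

# Constructed sample: an excerpt mixing the 4.13.0 and 5.1.1 output layouts
# shown on the page (plugin-name checks vs. numeric check ids). Not a real run.
SAMPLE_OUTPUT = """\
AlienVault Doctor version 4.13.0 (Hemingway)
Hmmm, let the Doctor have a look at you...
[Warning] Could not evaluate "" in check "Celery workers": invalid syntax (<string>, line 1)
Hooray! The Doctor has diagnosed you, check out the results...
     Plugin ansiblemgr_log.plg didn't run: Cannot parse file "/var/log/alienvault/api/ansiblemgr.log"
     Plugin: connection_no
          [*] Connections: Number of connections between server, mysql and/or IDM not expected
              Word of advice: Connections to the AlienVault subsystems vary between a well defined range.
     Plugin: disk_usage
          [*] root partition critical: All good
          [*] root partition warning: All good
     Plugin: 0018 Current network configuration
             Monitors the network configuration searching for network problems.
             In the Strike Zone?: False
         [*] 00180003: All good
         [*] 00180002: Configured and running network interfaces do not match
             Word of advice: The number of configured network interfaces and running network interfaces do not match.
         [*] 00180001: All good
     Plugin vm_requirements didn't run: Memory requirement is not met
"""


@dataclass
class Finding:
    plugin: str
    check: str          # check name (4.13) or numeric id (5.1.1); "(plugin)" if the plugin itself failed
    message: str
    advice: str = ""    # the "Word of advice" line that follows a flagged check, if any
    kind: str = "check"  # "check", "plugin_failed" or "warning"


# Line shapes used by the doctor output; each regex tolerates the leading indentation.
PLUGIN_RE = re.compile(r"^\s*Plugin:\s*(.+?)\s*$")                      # "Plugin: 0018 Current network configuration"
NOTRUN_RE = re.compile(r"^\s*Plugin\s+(\S+)\s+didn't run:\s*(.*)$")     # "Plugin vm_requirements didn't run: ..."
CHECK_RE = re.compile(r"^\s*\[\*\]\s*([^:]+):\s*(.*)$")                 # "[*] 00180002: <result>"
ADVICE_RE = re.compile(r"^\s*Word of advice:\s*(.*)$")
WARNING_RE = re.compile(r"^\s*\[Warning\]\s*(.*)$")


def parse_doctor_output(text):
    """Return the findings that need attention, in the order the doctor printed them."""
    findings = []
    current_plugin = "(none)"
    last_flagged = None  # the most recent non-"All good" check, so advice can be attached to it
    for line in text.splitlines():
        m = PLUGIN_RE.match(line)
        if m:
            current_plugin = m.group(1)
            last_flagged = None
            continue
        m = NOTRUN_RE.match(line)
        if m:
            findings.append(Finding(m.group(1), "(plugin)", m.group(2).strip(), kind="plugin_failed"))
            last_flagged = None
            continue
        m = WARNING_RE.match(line)
        if m:
            findings.append(Finding("(doctor)", "(warning)", m.group(1).strip(), kind="warning"))
            continue
        m = CHECK_RE.match(line)
        if m:
            name, msg = m.group(1).strip(), m.group(2).strip()
            if msg == "All good":
                last_flagged = None  # healthy check: drop it, and do not attach later advice to it
            else:
                last_flagged = Finding(current_plugin, name, msg)
                findings.append(last_flagged)
            continue
        m = ADVICE_RE.match(line)
        if m and last_flagged is not None:
            last_flagged.advice = m.group(1).strip()
    return findings


def summarize(findings):
    """One triage line per finding: plugins that did not run first, then flagged checks, then warnings."""
    order = {"plugin_failed": 0, "check": 1, "warning": 2}
    lines = []
    for f in sorted(findings, key=lambda f: order[f.kind]):
        text = f"[{f.kind}] {f.plugin} / {f.check}: {f.message}"
        if f.advice:
            text += f" | advice: {f.advice}"
        lines.append(text)
    return lines


if __name__ == "__main__":
    for line in summarize(parse_doctor_output(SAMPLE_OUTPUT)):
        print(line)
```

To use it on a real system, save the run with `alienvault-doctor > doctor.txt` and feed the file contents to parse_doctor_output; the "All good" lines are discarded, so the summary is the same list the author works through above, and diffing two summaries taken before and after a change shows exactly which findings were cleared.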

This article is reposted from Li Chenguang's 51CTO blog; original link: http://blog.51cto.com/chenguang/1689915. To republish it, please contact the original author.