alienvault-doctor is a very useful diagnostic script for OSSIM systems. Let's look at what it reports on a faulty system:
VirtualUSMAllInOne:~# alienvault-doctor
AlienVault Doctor version 4.13.0 (Hemingway)
AlienVault version: 4.13.0
Installed profiles: Server,Database,Framework,Sensor
Operating system: Linux
Hardware platform: x86_64
Hostname: VirtualUSMAllInOne
Hmmm, let the Doctor have a look at you...
[Warning] Could not evaluate " "Can't retrieve sensor list: Error while querying for 'Sensor' systems: (OperationalError) (2003, "Can't connect to MySQL server on '127.0.0.1' (111)") None None" ==""" in check "Celery workers": invalid syntax (<string>, line 1)
...
Hooray! The Doctor has diagnosed you, check out the results...
Plugin ansiblemgr_log.plg didn't run: Cannot parse file "/var/log/alienvault/api/ansiblemgr.log": [Errno 2] No such file or directory: '/var/log/alienvault/api/ansiblemgr.log'
Plugin: connection_no
[*] Connections: Number of connections between server, mysql and/or IDM not expected
Word of advice: Connections to the AlienVault subsystems vary between a well defined range. Please check where the extra connections come from
Plugin: disk_usage
[*] root partition critical: All good
[*] root partition warning: All good
Plugin mysql_history didn't run: Cannot parse file "/root/.mysql_history": [Errno 2] No such file or directory: '/root/.mysql_history'
Plugin: netstat
[*] RX and TX queues: ossim server, agent or mysql may have problems with their rx/tx queues
Word of advice: RX/TX queues are network buffers. Large queues may point to network problems. Please check your network connection and hardware
Plugin gunicorn_access_log didn't run: Cannot parse file "/var/log/alienvault/api/gunicorn_access.log": [Errno 2] No such file or directory: '/var/log/alienvault/api/gunicorn_access.log'
Plugin: corrupt_tables
[*] Corrupted tables: All good
Plugin: installed_pkg
[*] Default packages: Some packages do not match default installation
Word of advice: AlienVault systems are designed to work with a well defined set of packages. Adding or deleting packages manually is not supported and may lead to unexpected results
[*] Version compliance: Some package versions do not match with the installed AlienVault version
Word of advice: AlienVault packages are built and tested to work in a version consistent fashion. Inconsistent versions across different AlienVault packages could lead to unexpected issues.
Plugin superdoctor didn't run: Required file "/usr/sbin/sdt" does not exist
Plugin: percona_logrotate
[*] signatures: All good
[*] mysql.err: mysql.err is not on the logrotate configuration
Word of advice: The mysql.err file may become too large and should be rotated properly. Please check your logrotate configuration
[*] mysql.log: All good
Plugin: celerybeat_log.plg
[*] Celerybeat process: All good
Plugin gunicorn_log didn't run: Cannot parse file "/var/log/alienvault/api/gunicorn.log": [Errno 2] No such file or directory: '/var/log/alienvault/api/gunicorn.log'
Plugin chassis didn't run: Required module "ipmi_devintf" is not present
Plugin: celeryworker_log.plg
[*] Celery workers: Celery is not working properly
Word of advice: Celery is the task manager of choice in AlienVault. Workers reporting errors may suggest that your queues or custom tasks are not working properly.
Plugin: processes
[*] Server: All good
[*] Indexer: All good
[*] MySQL: All good
Plugin: api_log
[*] Number of connection attempts to RabbitMQ: All good
Plugin bash_history didn't run: Cannot parse file "/root/.bash_history": [Errno 2] No such file or directory: '/root/.bash_history'
Plugin: pkg_checksum
[*] ossim_checks: All good
Plugin: server_log
[*] IDM connection recovery: All good
[*] Remote server connection recovery: All good
Plugin: network_interface
[*] Collisions: All good
[*] RX/TX errors: All good
[*] MTU: All good
Plugin: default_hw
[*] Default hardware: All good
Plugin: schema_version
[*] Schema version: All good
Plugin: null_fields
[*] Event sensor field: Some events in your database have null sensor_id fields
Word of advice: Events without an associated sensor_id are a sign of misconfigured plugins and/or sensor properties. Please check both in your system
[*] Server DB configuration: All good
Plugin vm_requirements didn't run: Memory requirement is not met
Next, we troubleshoot each problem in a targeted way, following the hints highlighted in red (the results that are not "All good" and the plugins that did not run).
For comparison, here is the diagnostic output from a healthy system:
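As an added example (not from the original post or from AlienVault), here is a small Python triage helper that pulls the non-"All good" checks, their "Word of advice" lines, and the plugins that did not run out of a saved alienvault-doctor report in the line format shown above. The input is a constructed excerpt, and the regular expressions are assumptions derived from that format, covering both the 4.x plugin names and the 5.x numeric check ids.

```python
import re
from dataclasses import dataclass

# Constructed excerpt mimicking alienvault-doctor output (not a real capture); it mixes the
# 4.x style ("Plugin: netstat") and the 5.x style ("Plugin: 0022 ..." with numeric check ids).
SAMPLE = """\
Plugin mysql_history didn't run: Cannot parse file "/root/.mysql_history": [Errno 2] No such file or directory
Plugin: netstat
[*] RX and TX queues: ossim server, agent or mysql may have problems with their rx/tx queues
Word of advice: RX/TX queues are network buffers. Large queues may point to network problems.
Plugin: 0022 DB data consistency
Checks the data consistency in the AlienVault database.
In the Strike Zone?: False
[*] 00220001: All good
[*] 00220004: Current event window is bigger than the backup one
Word of advice: A malfunctioning backup system may lead to a general failure.
"""

PLUGIN_RE = re.compile(r"^Plugin: (.+)$")                  # section header
SKIPPED_RE = re.compile(r"^Plugin (\S+) didn't run: (.+)$")  # plugin skipped with a reason
CHECK_RE = re.compile(r"^\[\*\] ([^:]+): (.+)$")            # individual check result
ADVICE_RE = re.compile(r"^Word of advice: (.+)$")           # follows a failing check

@dataclass
class Finding:
    plugin: str       # "Plugin:" header the check belongs to
    check: str        # check name (4.x) or numeric check id (5.x)
    message: str      # anything other than "All good"
    advice: str = ""  # the "Word of advice" line that follows, if any

def triage(report: str):
    """Split a doctor report into (failing checks, plugins that did not run)."""
    findings, skipped, plugin, current = [], [], None, None
    for line in report.splitlines():
        if m := SKIPPED_RE.match(line):
            skipped.append((m.group(1), m.group(2)))
        elif m := PLUGIN_RE.match(line):
            plugin = m.group(1)
        elif m := CHECK_RE.match(line):
            current = None  # advice only attaches to the check immediately before it
            if m.group(2).strip() != "All good":
                current = Finding(plugin, m.group(1), m.group(2))
                findings.append(current)
        elif (m := ADVICE_RE.match(line)) and current:
            current.advice = m.group(1)
    return findings, skipped

if __name__ == "__main__":
    for f in triage(SAMPLE)[0]:
        print(f"[{f.plugin}] {f.check}: {f.message}\n    advice: {f.advice}")
```

Feed it the saved output of `alienvault-doctor` instead of SAMPLE to get a short worklist instead of hundreds of "All good" lines.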
# alienvault-doctor
AlienVault Doctor version 5.1.1 (Mewes)
AlienVault version: 5.1.1-TRIAL
License: None
Licensed Assets: UNLIMITED
Software profile: Server, Database, Framework, Sensor
Hardware profile: alienvault-vmware-aio-6x1gb
Last updated: Mon Sep 07 11:35:35 2015 EST
Hmmm, let the Doctor have a look at you
[Warning]
Check 00560002 is not meant to be run in alienvault-vmware-aio-6x1gb
[Warning]
Check 00030002 is not meant to be run in alienvault-vmware-aio-6x1gb
[Warning]
Check 00210009 is not meant to be run in alienvault-vmware-aio-6x1gb
[Warning]
Check 00210008 is not meant to be run in alienvault-vmware-aio-6x1gb
[Warning]
Check 00210007 is not meant to be run in alienvault-vmware-aio-6x1gb
[Warning]
Check 00210006 is not meant to be run in alienvault-vmware-aio-6x1gb
[Warning]
Check 00210005 is not meant to be run in alienvault-vmware-aio-6x1gb
[Warning]
Check 00260001 is not meant to be run in a TRIAL license
...
Hooray! The Doctor has diagnosed you, check out the results...
Be careful! Seems that you are not in the Strike Zone! Please check the output below.
Plugin: 0001 Agent Cache Disk
Check the disk space used by the AlienVault Agent cache
[*] 00010001: All good
Plugin: 0002 Agent Cache Files
Checks the integrity of the AlienVault Agent cache
[*] 00020001: All good
Plugin: 0003 AlienVault Agent log
Parses the Agent log to search for errors.
[*] 00030003: All good
[*] 00030001: All good
Plugin: 0004 Enabled Agent Plugins
Check the number of AlienVault plugins enabled in the Agent
[*] 00040001: All good
[*] 00040002: All good
Plugin: 0005 Agent Plugins
Looks for the plugin files enabled, and then checks its existance
In the Strike Zone?: True
[*] 00050001: All good
Plugin: 0006 Agent plugins integrity
Verifies the integrity of the default Agent plugins.
In the Strike Zone?: True
[*] 00060002: All good
[*] 00060001: All good
Plugin: 0007 Agent Plugins
Check the integrity of the agent plugins configuration
[*] 00070001: All good
Plugin: 0008 Agent rsyslog configuration files integrity
Check the integrity of the default Agent rsyslog configuration files.
In the Strike Zone?: True
[*] 00080001: All good
[*] 00080002: All good
Plugin: 0009 Dummy packages
Check the dummy packages
In the Strike Zone?: True
[*] 00090001: All good
Plugin: 0010 AlienVault API log
Parses the API log to search for issues.
[*] 00100002: All good
[*] 00100001: All good
Plugin: 0011 Backup Manager errors in frameworkd_error.log
Parses the frameworkd error log searching for Backup Manager errors
[*] 00110001: All good
Plugin: 0012 Backup notifications log
Parses the api backup notifications log to search for issues.
[*] 00120001: All good
Plugin: 0013 Bash history
Searches for anomalies in the root .bash_history file.
In the Strike Zone?: True
[*] 00130001: All good
[*] 00130002: All good
[*] 00130003: All good
[*] 00130004: All good
[*] 00130005: All good
[*] 00130006: All good
[*] 00130007: All good
Plugin: 0014 Celerybeat log
Parses the celerybeat.log file, searching for errors.
[*] 00140001: All good
Plugin: 0015 Celery worker log
Parses the Celery w1.log file for errors.
[*] 00150001: All good
Plugin: 0016 Appliance chassis
[*] 00160001: All good
Plugin: 0017 Connection number
Checks the number of connections from/to this computer.
[*] 00170001: All good
Plugin: 0018 Current network configuration
Monitors the network configuration searching for network problems.
In the Strike Zone?: False
[*] 00180003: All good
[*] 00180002: Configured and running network interfaces do not match
Word of advice: The number of configured network interfaces and running network interfaces do not match. Please check the network configuration to adjust the running interfaces
[*] 00180001: All good
[*] 00180005: All good
[*] 00180004: All good
Plugin: 0019 Licensed Devices
Compares the number of current devices registered against the number of licensed devices
In the Strike Zone?: True
[*] 00190001: All good
Plugin: 0020 Database migration log
Parses the database_migration.log file, searching for errors.
[*] 00200001: All good
Plugin: 0021 AlienVault appliance processes
Check for misbehaviour of running/not running processes in each of the AlienVault appliances.
[*] 00210004: All good
[*] 00210003: All good
[*] 00210002: All good
[*] 00210001: All good
Plugin: 0022 DB data consistency
Checks the data consistency in the AlienVault database.
In the Strike Zone?: False
[*] 00220019: All good
[*] 00220018: All good
[*] 00220017: All good
[*] 00220016: All good
[*] 00220015: All good
[*] 00220014: All good
[*] 00220013: All good
[*] 00220012: All good
[*] 00220011: All good
[*] 00220010: All good
[*] 00220022: All good
[*] 00220023: All good
[*] 00220020: All good
[*] 00220021: All good
[*] 00220008: All good
[*] 00220009: All good
[*] 00220004: Current event window is bigger than the backup one
Word of advice: A malfunctioning backup system may lead to a general failure. Please check the AlienVault backup configuration
[*] 00220005: All good
[*] 00220006: All good
[*] 00220007: All good
[*] 00220001: All good
[*] 00220002: All good
Plugin: 0023 Database status
Tests database health, searching for crashed processes or inefficient queries, among other issues.
[*] 00230005: All good
[*] 00230004: All good
[*] 00230001: All good
[*] 00230003: All good
[*] 00230002: All good
Plugin: 0024 Default mounted file systems
Checks the mounted file systems.
[*] 00240001: All good
Plugin: 0025 Default hardware
Checks the standard hardware.
In the Strike Zone?: True
[*] 00250001: All good
Plugin: 0026 Default repositories
Searches for the default repositories
In the Strike Zone?: True
[*] 00260002: All good
[*] 00260003: All good
[*] 00260004: All good
Plugin: 0027 Default server packages
Searches for the default packages in a Server profile.
In the Strike Zone?: False
[*] 00270001: Some packages do not match with the AlienVault default installation
Word of advice: AlienVault systems are designed to work with a well defined set of packages. Adding or deleting packages manually is not supported and may lead to unexpected results
[*] 00270003: All good
[*] 00270002: All good
[*] 00270004: All good
Plugin: 0028 Detailed network link status
Uses ethtool to check the network link status
[*] 00280001: All good
Plugin: 0029 Disk size
Checks the disk size
In the Strike Zone?: True
[*] 00290001: All good
Plugin: 0030 Disk usage
Checks the disk usage in AlienVault important partitions.
[*] 00300001: All good
[*] 00300002: All good
Plugin: 0031 Hosts configuration file
Parses the /etc/hosts file for inconsistencies
In the Strike Zone?: True
[*] 00310001: All good
[*] 00310002: All good
[*] 00310003: All good
Plugin: 0032 IO speed
Detects low IO speed.
[*] 00320001: All good
Plugin: 0033 Kernel configuration
Detects Kernel configuration changes.
In the Strike Zone?: True
[*] 00330001: All good
Plugin: 0034 MySQL history
Searches for anomalies in the root .mysql_history file.
In the Strike Zone?: True
[*] 00340001: All good
[*] 00340002: All good
Plugin: 0035 Network link status
Uses mii-tool to check the network link status
In the Strike Zone?: True
[*] 00350001: All good
[*] 00350002: All good
Plugin: 0036 Network services
Detects common network service related problems.
[*] 00360002: All good
[*] 00360001: All good
Plugin: 0037 Network routing
Parses the /etc/resolv.conf file for inconsistencies
In the Strike Zone?: True
[*] 00370001: All good
Plugin: 0041 Package checksum
Searches for modified files that originally belonged to a package.
In the Strike Zone?: True
[*] 00410001: All good
Plugin: 0042 Reachable systems
Checks for reachable systems using the API
[*] 00420001: All good
Plugin: 0043 Redis Health Status
Checks Health Status by pinging through redis-cli
[*] 00430001: All good
Plugin: 0044 Redis dump.rdb size
Checking Redis Health Status by computing /var/lib/redis/dump.rdb size
[*] 00440001: All good
Plugin: 0045 Domain nameservers configuration file
Parses the /etc/resolv.conf file to search for inconsistencies
In the Strike Zone?: True
[*] 00450001: All good
[*] 00450002: All good
Plugin: 0046 Backup restore process log
Parses the restore process log searching for potential issues.
[*] 00460002: All good
[*] 00460003: All good
[*] 00460001: All good
[*] 00460006: All good
[*] 00460007: All good
[*] 00460004: All good
[*] 00460014: All good
[*] 00460008: All good
[*] 00460005: All good
[*] 00460015: All good
[*] 00460013: All good
[*] 00460009: All good
[*] 00460011: All good
[*] 00460010: All good
[*] 00460012: All good
Plugin: 0047 Database schema version
Looks for compatibility problems between the DB schema deployed and the packages installed.
In the Strike Zone?: True
[*] 00470001: All good
Plugin: 0048 AlienVault Server profile connections
Analyzes the connections established to the AV Server
[*] 00480001: All good
[*] 00480002: Missing connections to the AV Forward
Word of advice: Some expected network connections to the AV Forward are not present. Please check your configuration and/or network status.
Plugin: 0049 Server log files
Searches for Server issues parsing its log file.
[*] 00490001: All good
[*] 00490002: All good
Plugin: 0051 Server statistics
Checks the server status by parsing statistics
[*] 00510004: All good
[*] 00510002: All good
[*] 00510003: All good
[*] 00510001: All good
Plugin: 0053 Supermicro SuperDoctor
[*] 00530004: All good
[*] 00530005: All good
[*] 00530006: All good
[*] 00530001: All good
[*] 00530002: All good
[*] 00530003: All good
Plugin: 0054 Unsupported Installations
Searches for unsupported installations
In the Strike Zone?: True
[*] 00540001: All good
Plugin: 0055 AlienVault Update log
Parses the Update log to search for errors.
[*] 00550001: All good
Plugin: 0056 VM requirements
Analyzes the deployment details in a virtual environment extracting the detailed information on the hardware configuration of the machine.
In the Strike Zone?: True
[*] 00560001: All good