IBM Security Guardium

 View Only
  • 1.  Guardium is Sending Blank Alerts on Syslog

    Posted Mon July 26, 2021 05:31 AM
    Dears,


    We have created policies in our Guardium setup. In the rules section , some rules are created to send an alert to syslog in case of any violation.

    On syslog server we are receiving files from our Guardium collectors . However, these log files are not showing any violations . Instead of a violation the log files are contains following data.

    Jul 26 08:58:16 ABCDE65805 init: ttyS0 (/dev/ttyS0) main process ended, respawning
    Jul 26 08:58:25 ABCDE65805 init: ttyS1 (/dev/ttyS1) main process (31623) terminated with status 1
    Jul 26 08:58:25 ABCDE65805 init: ttyS1 (/dev/ttyS1) main process ended, respawning
    Jul 26 08:58:26 ABCDE65805 init: ttyS0 (/dev/ttyS0) main process (31627) terminated with status 1
    Jul 26 08:58:26 ABCDE65805 init: ttyS0 (/dev/ttyS0) main process ended, respawning
    Jul 26 08:58:35 ABCDE65805 init: ttyS1 (/dev/ttyS1) main process (31631) terminated with status 1
    Jul 26 08:58:35 ABCDE65805 init: ttyS1 (/dev/ttyS1) main process ended, respawning
    Jul 26 08:58:36 ABCDE65805 init: ttyS0 (/dev/ttyS0) main process (31635) terminated with status 1
    Jul 26 08:58:36 ABCDE65805 init: ttyS0 (/dev/ttyS0) main process ended, respawning
    Jul 26 08:58:46 ABCDE65805 init: ttyS1 (/dev/ttyS1) main process (31639) terminated with status 1


    I would request that if anyone could help me to understand if I am missing something or how can I troubleshoot this issue..

    Due to this issue we are not getting any reports from Splunk server. Yours help is highly appreciated.

    With regards
    Baljinder

    ------------------------------
    Baljinder Kumar
    ------------------------------


  • 2.  RE: Guardium is Sending Blank Alerts on Syslog

    Posted Mon July 26, 2021 01:03 PM
    Baljinder,

    Have you configured the Guardium remotelog to send the syslog events to your event handler? Even if you specify that you want Guardium to send events to syslog in the policy rule, these events will not be forwarded to an event handler unless specified in the remotelog configuration. This can be done in the CLI. An IBM Support technote on how to configure this is here.

    ------------------------------
    Chase Walkup
    ------------------------------



  • 3.  RE: Guardium is Sending Blank Alerts on Syslog

    Posted Tue July 27, 2021 01:25 AM
    Thanks Chase Walkup for response.

    The remotelog is configured on all collectors. Even it is receiving files from all six collectors . However these files are not containing desired data. For example if in the policy I have configured a rule , on failed login attempt an alert should be generated for syslog. We are receiving files on syslog however the contents of the files are like this only.

    Jul 26 08:58:16 ABCDE65805 init: ttyS0 (/dev/ttyS0) main process ended, respawning
    Jul 26 08:58:25 ABCDE65805 init: ttyS1 (/dev/ttyS1) main process (31623) terminated with status 1
    Jul 26 08:58:25 ABCDE65805 init: ttyS1 (/dev/ttyS1) main process ended, respawning
    Jul 26 08:58:26 ABCDE65805 init: ttyS0 (/dev/ttyS0) main process (31627) terminated with status 1
    Jul 26 08:58:26 ABCDE65805 init: ttyS0 (/dev/ttyS0) main process ended, respawning
    Jul 26 08:58:35 ABCDE65805 init: ttyS1 (/dev/ttyS1) main process (31631) terminated with status 1
    Jul 26 08:58:35 ABCDE65805 init: ttyS1 (/dev/ttyS1) main process ended, respawning
    Jul 26 08:58:36 ABCDE65805 init: ttyS0 (/dev/ttyS0) main process (31635) terminated with status 1
    Jul 26 08:58:36 ABCDE65805 init: ttyS0 (/dev/ttyS0) main process ended, respawning
    Jul 26 08:58:46 ABCDE65805 init: ttyS1 (/dev/ttyS1) main process (31639) terminated with status 1

    It means it is not taking the right format to send the files on syslog. As per technote I have checked the syslog configuration on my collectors. It gives following output.

    XCVB56205.asdf.com> show remotelog
    USAGE: show remotelog <arg>, where arg is:
    ?, escape_control_characters_on_receive, host, max_message_size

    XCVB56205.gib.com> show remotelog host
    Remote syslog is in non-encrypted mode.
    Remote syslog format is default.
    *.* @10.1x.8.54:4514
    ok

    XCVB56205.asdf.com> show remotelog max_message_size
    10k
    ok

    XCVB56205.asdf.com> show remotelog escape_control_characters_on_receive
    Not configured.
    ok
    XCVB56205.asdf.com>

    Please suggest how we can troubleshoot this issue.

    With regards
    Baljinder

    ------------------------------
    Baljinder Kumar
    ------------------------------



  • 4.  RE: Guardium is Sending Blank Alerts on Syslog

    Posted Tue July 27, 2021 05:34 AM
    Baljinder
    check below article it might help you. 

    https://www.ibm.com/support/pages/guardium-sending-frequent-ttys0-ttys1-messages-siem


    ------------------------------
    Tehseen sarwar
    ------------------------------



  • 5.  RE: Guardium is Sending Blank Alerts on Syslog

    Posted Tue July 27, 2021 05:42 AM
    Thanks Tehseen,

     I read this article . However this article is for "How to stop frequent ttyS0 ttyS1 messages to SIEM" 

    It is not helping to troubleshoot blank messages sent to syslog.

    With regards
    Baljinder



    ------------------------------
    Baljinder Kumar
    ------------------------------



  • 6.  RE: Guardium is Sending Blank Alerts on Syslog

    Posted Wed July 28, 2021 08:52 AM
    Many versions ago we had to run the following command on our appliances.

    store system serialtty disable

    And then at some point we did have to get IBM to modify the configuration to have it stop as well.

    We don't see them in version 11.3.

    ------------------------------
    Jennifer Dodson
    ------------------------------



  • 7.  RE: Guardium is Sending Blank Alerts on Syslog

    Posted Thu July 29, 2021 02:07 AM
    Thanks for the response Jennifer

    The version my Guardium appliance is 10.6 . I have following links which suggests how to stop these unwanted messages in log files.

    https://www.ibm.com/support/pages/guardium-sending-frequent-ttys0-ttys1-messages-siem

    However , my concern is , I am not getting other alerts in these log files sent on syslog server for SIEM reporting.

    With regards
    Baljinder

    ------------------------------
    Baljinder Kumar
    ------------------------------