[Reply completed] PASTE can't work properly with Trend Micro DDI
Dear Support:
I am encountering a problem: PASTE can't work properly with Trend Micro DDI.
PASTE has received CEF syslog from Trend Micro DDI, but there is only an empty folder under /var/pcap/<date>, with no syslog txt or pcap file.
I have done a brief check:
I can manually use PSCLI on PASTE to get info and download pcap from Probe with no problem.
And the ntp service on both PASTE and the Probe is OK.
Screenshot of config and local0.txt sample are attached.
How can I solve this problem?
Please help. Thank you.
Attachments:
- swatch config setting.png (558 KB)
- Device ID.png (93.4 KB)
- PASTE status.JPG (215 KB)
- [sample]local0.txt (641 Bytes)
Replies (3)
RE: PASTE can't work properly with Trend Micro DDI - added by komoriya about 7 years ago
Hi zoelin:
PASTE has "show tech support" command.
And I enhanced the function on PASTE ver4.07.00.
Please give more information.
Please perform the following procedure.
- check the release information (Japanese only): http://tapas.terilogy.com/news/155
- check the update steps (Japanese only): http://tapas.terilogy.com/projects/paste/wiki/How_to_use_it#39-バージョンアップについて
- download PASTE ver4.07.00: http://tapas.terilogy.com/attachments/download/1499/syslog_integration-4.07.00-20170905.tgz
- update PASTE to ver4.07.00
- input some syslog messages to PASTE
- wait 2 minutes
- execute the show tech support command: /opt/momentum_client/bin/show_tech_support.sh
- post the output file to the PASTE forum
A sample output of the "show tech support" command is as follows.
# /opt/momentum_client/bin/show_tech_support.sh
[ show tech support information for PASTE ]
filename : /root/paste_show_tech_support-20170906075021.tgz
file size (bytes) : 23,825
#
RE: PASTE can't work properly with Trend Micro DDI - added by zoelin about 7 years ago
Hi Komoriya,
Thank you for the instructions.
I've upgraded PASTE to the latest ver4.07.01.
Attached are the results of the 'show_tech_support' script with and without iptables running.
I found the problem may be caused by iptables.
For security reasons, my customer uses iptables on PASTE (not the default firewalld) to allow only a few kinds of traffic and block all other connections.
Below is the traffic allowed by iptables:
- dst port SSH, HTTP, HTTPS from client PCs
- src port TCP 5100, TCP 5101 from momentum Probe
- dst port UDP 514 from Trend Micro DDI
- src port UDP 53 from DNS server
- src port UDP 123 from NTP server
PASTE cannot retrieve pcap after receiving syslog from Trend Micro DDI when iptables is running.
After stopping iptables, PASTE works fine then.
What are the iptables rules I should add?
And here is a new question about disk usage status in Web GUI:
Sometimes the graphic is blank. (Please refer to the attached screenshot.)
I have run into this situation several times with ver4.07.00 and ver4.07.01.
How can I solve this problem?
Best Regards,
Zoe
RE: PASTE can't work properly with Trend Micro DDI - added by komoriya about 7 years ago
Hi zoelin:
After stopping iptables, PASTE works fine then.
I was relieved.
If PASTE is just installed in the ordinary way, I think that PASTE works fine.
You have to set iptables correctly.
How about using the LOG option of iptables?
I hope that it works fine.
Sometimes the graphic is blank. (Please refer to the attached screenshot.)
When it's blank, please execute this perl script and post the result.
#!/usr/bin/perl
use strict;
use warnings;
use Filesys::Df;

my $pcappath  = "/var/pcap";
my $disk_info = df($pcappath);            # sizes are reported in 1K blocks
die "df failed for $pcappath\n" unless defined $disk_info;
my $total_usage = $disk_info->{blocks};
my $used        = $disk_info->{used};
# Space used by the pcap directory itself, in 1K blocks. The script as posted
# read $disk_pcap_usage without ever assigning it; computing it with du here
# is an assumption about what was intended.
my ($disk_pcap_usage) = (`du -sk $pcappath 2>/dev/null` =~ /^(\d+)/);
$disk_pcap_usage = 0 unless defined $disk_pcap_usage;
my $etc_usage = $used - $disk_pcap_usage;           # everything on the volume except pcaps
my $etc_rate  = int($etc_usage / $total_usage * 100);
my $free_size = $disk_info->{bfree};
my $free_rate = int($free_size / $total_usage * 100);
print "total_usage:[$total_usage]\n";
print "used :[$used]\n";
print "etc_usage :[$etc_usage]\n";
print "etc_rate :[$etc_rate]\n";
print "free_size :[$free_size]\n";
print "free_rate :[$free_rate]\n";
print "\n";
print `df`;
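As an added example that is not part of the thread and not PASTE's own tooling: the ruleset below encodes exactly the traffic zoelin listed as allowed, adds the usual loopback and conntrack rules so that replies to connections PASTE opens itself (such as PSCLI sessions to the Probe) are accepted, and ends with the LOG target komoriya suggested, rate-limited and tagged with a recognisable prefix. Anything the firewall then drops appears in the kernel log (dmesg, /var/log/messages or journalctl -k) with the "PASTE-DROP:" prefix, which is the information needed to decide which rule is actually missing. All IP addresses are placeholders, and the port list is taken from the thread; run it with the argument "apply" as root to load the rules, or with no argument to only print them.

```shell
#!/bin/sh
# Added example, not from the thread. Encodes the traffic listed by zoelin and
# logs everything else before it is dropped (komoriya's LOG suggestion).
# With no argument the rules are only printed; "apply" loads them with iptables.
IPT="${IPT:-iptables}"

# Placeholder addresses (assumptions): replace with the real hosts/networks.
CLIENT_NET="${CLIENT_NET:-192.0.2.0/24}"   # operator PCs (SSH/HTTP/HTTPS)
PROBE_IP="${PROBE_IP:-198.51.100.10}"      # momentum Probe
DDI_IP="${DDI_IP:-198.51.100.20}"          # Trend Micro DDI (CEF syslog source)
DNS_IP="${DNS_IP:-198.51.100.53}"          # DNS server
NTP_IP="${NTP_IP:-198.51.100.123}"         # NTP server

apply_rules() {
    $IPT -F INPUT
    $IPT -P INPUT DROP
    # Local traffic, and replies to connections PASTE itself initiated
    # (PSCLI to the Probe, DNS/NTP queries, package downloads).
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Management from client PCs: SSH, HTTP, HTTPS.
    for p in 22 80 443; do
        $IPT -A INPUT -p tcp -s "$CLIENT_NET" --dport "$p" -j ACCEPT
    done
    # momentum Probe, source ports TCP 5100/5101 as listed in the thread.
    for p in 5100 5101; do
        $IPT -A INPUT -p tcp -s "$PROBE_IP" --sport "$p" -j ACCEPT
    done
    # CEF syslog from Trend Micro DDI.
    $IPT -A INPUT -p udp -s "$DDI_IP" --dport 514 -j ACCEPT
    # DNS and NTP answers, matched by source port as in the customer's ruleset.
    $IPT -A INPUT -p udp -s "$DNS_IP" --sport 53 -j ACCEPT
    $IPT -A INPUT -p udp -s "$NTP_IP" --sport 123 -j ACCEPT
    # Log what is about to hit the DROP policy. The limit keeps a burst of
    # unwanted packets from flooding the kernel log.
    $IPT -A INPUT -m limit --limit 10/min --limit-burst 20 \
        -j LOG --log-prefix "PASTE-DROP: " --log-level 4
}

# Dry run: print the rules instead of applying them.
print_rules() {
    ( IPT=echo; apply_rules )
}

# Number of ACCEPT/LOG rules appended to INPUT (handy for a quick sanity check).
rule_count() {
    print_rules | grep -c -- '-A INPUT'
}

if [ "${1:-}" = "apply" ]; then
    apply_rules
else
    print_rules
fi
```

After loading the rules, reproduce the failure (send a syslog message from DDI) and look for "PASTE-DROP:" lines in the kernel log; each line carries the source, destination and port of the packet that was refused, so the rule to add can be written from it rather than guessed.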