Troubleshooting common ActionServer problems
Originally Published: 2013-06-24
Article Number
000055794
Applies To
Export action
Syslog action

The syslog action is configured within SilverCat under the ActionServer section. You need to specify the following:

name: action name (it already defaults to syslog)
facility: logging facility (the default should be user unless you have another logging facility you want to write to)
priority: logging priority (defaults to INFO)
format: AttrName:%(attribute.name)s AttrVal:%(attribute.value)s RuleAction:%(rule.action)s RuleName:%(rule.name)s Date:%(rule.date)s IP:%(ip)s User:%(username)s Page:%(pagename)s

:: Sample Rule Action :: 
syslog&flag

:: Sample Log Output :: 
Sep 12 11:55:19 ps-02 syslog[29813]: MainThread:INFO:Silver Tail Syslog Action Service version 3.0.1.1 
Sep 12 11:55:19 ps-02 /var/opt/silvertail/etc/actions/syslog: AttrName:ip AttrVal:65.65.65.6 RuleAction:syslog&flag RuleName:TEST_ACTION_ALERT_syslog Date:Wed Sep 12 18:55:06 2012 IP:65.65.65.6 User:Not Available Page:/info.php
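The format setting above uses Python's mapping-style %-formatting, so each %(name)s placeholder is looked up by that exact dotted key in the alert record. The following is an added example, not Silver Tail's own action code: it fills the format from a constructed alert, substitutes "Not Available" for a field the alert lacks (an assumed default chosen to match the sample output), lists placeholders the alert cannot satisfy so a format change can be checked before deployment, and computes the syslog PRI value from the facility and priority names.

```python
"""Added example (not Silver Tail's own code): render the syslog action's
'format' string from an alert record and compute the syslog PRI value.
The alert record and the 'Not Available' default are assumptions."""
import re
from logging.handlers import SysLogHandler

# The format string from the action configuration above
FORMAT = ("AttrName:%(attribute.name)s AttrVal:%(attribute.value)s "
          "RuleAction:%(rule.action)s RuleName:%(rule.name)s Date:%(rule.date)s "
          "IP:%(ip)s User:%(username)s Page:%(pagename)s")

# Constructed alert record matching the sample log output above.
# 'username' is deliberately absent to show the missing-field path.
ALERT = {
    "attribute.name": "ip",
    "attribute.value": "65.65.65.6",
    "rule.action": "syslog&flag",
    "rule.name": "TEST_ACTION_ALERT_syslog",
    "rule.date": "Wed Sep 12 18:55:06 2012",
    "ip": "65.65.65.6",
    "pagename": "/info.php",
}

PLACEHOLDER = re.compile(r"%\(([^)]+)\)s")


def missing_fields(fmt, alert):
    """Names referenced by fmt that the alert record does not carry."""
    return [name for name in PLACEHOLDER.findall(fmt) if name not in alert]


def render(fmt, alert, missing="Not Available"):
    """Fill fmt from alert. A placeholder the alert lacks gets `missing`
    instead of raising KeyError, which would abort the whole action."""
    class _Defaulting(dict):
        def __missing__(self, key):
            return missing
    return fmt % _Defaulting(alert)


def syslog_pri(facility="user", priority="info"):
    """PRI as sent on the wire: facility * 8 + severity (RFC 3164).
    Uses the stdlib's name tables so 'user'/'info' map to the same numbers
    a syslog daemon expects."""
    fac = SysLogHandler.facility_names[facility.lower()]
    sev = SysLogHandler.priority_names[priority.lower()]
    return fac * 8 + sev


if __name__ == "__main__":
    print("PRI <%d>" % syslog_pri("user", "info"))
    print("missing:", missing_fields(FORMAT, ALERT))
    print(render(FORMAT, ALERT))
```

Running the block prints the same message body as the second sample log line, with User:Not Available where the alert had no username. Checking missing_fields before rolling out a new format string catches a misspelled placeholder name without waiting for a rule to fire.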


Issue
Troubleshoot common ActionServer problems

Action Folder Watcher:INFO:Deleting alert
Action Folder Watcher:WARNING:No service found for Email.
Cause
Action names in rules are case sensitive and need to match the file names listed under the /var/opt/silvertail/etc/actions folder. An example of the error logged when the action name is not found:

Nov 12 09:17:25 ps-01 actionserver.py[32563]:Action Folder Watcher:WARNING:No service found for Email.

Nov 12 09:17:25 ps-01 actionserver.py[32563]:Action Folder Watcher:INFO:Deleting alert /var/opt/silvertail/data/alerts/1.kcEqz8.inprogress.alert.


Resolution
In summary, each additional parameter added to the take action line must be introduced by an ampersand (&), followed by the parameter name, an equal sign (=), and the value prefixed with a percent sign (%).
For example:
&something=%user

Notes
Export action

Attributes exported can be an attribute name, an ARGS parameter name, or a register name.  Attribute and ARGS parameters are added by prefixing them with a percent sign (%name).  Registers are added as a percent sign, the register type, a colon and the register name (%type:registername).  Any defined attributes or ARGS parameters are available for adding to registers (IN LOWERCASE) for export.  Each export value is separated by an ampersand, and the statement ends with an ampersand followed by the word flag.

Take action: export&args_email = %email&reg_ipcountry = %ip:exportipcountry&flag

The above rule when triggered will result in an alert file with contents like below:

# Rules Engine created alert
Rule = __TEST__export
Action = export&reg_host = %ip:exporthost&reg_ipcountry = %ip:exportipcountry&flag
balFlag = flag
handler = export
Date = Thu Dec 13 18:19:04 2012
BA = ip
BaValue = 21.101.135.107
IP = 21.101.135.107
User = user-corb8i0313910ujkkmcfup17f4
Page = /login
Timestamp = 2012-12-13 18:19:03.801
EngineContext = Mitigator
# Alert Context Data
args_email = gtam@silvertailsystems.com
reg_ipcountry = United States 

Note 1:
Unfortunately, you cannot simply add a rule function like ip.countrycode3() to the export take action line.  However, you can create a register based on a rule function such as ip.countrycode3() and add the register name to the export take action line.
Here's an example:
Take action: export&agent=%agent&ipaddr=%ip&reg_country=%ip:ctrycode3&flag
Set registers: ip -> name: ctrycode3, value: ip.countrycode3()
Note 2:
The variables added to the export take action line must contain an equal sign separator; otherwise ActionServer.py raises a parser error.
For example, the following &something%user results in the line "somethingfirstlast-" in the alert file, not commented out and without an equal sign separating the name and value pair.  This causes the error.
Take Action: export&agent=%agent&something%user&reg_country=%ip:where&flag
Results:
# Rules Engine created alert
Rule = ___TEST_EDS_UNIX__
Action = export&agent=%agent&something%user&reg_country=%ip:where&flag
balFlag = flag
handler = export
Date = Tue Mar  5 00:35:23 2013
BA = ip
BaValue = 65.65.65.71
IP = 65.65.65.71
User = firstlast-
Page = /login
Timestamp = 2013-03-05 00:35:22.093
EngineContext = Mitigator
# Alert Context Data
agent=curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 nss/3.13.1.0 zlib/1.2.3 libidn/1.18 libssh2/1.2.2
somethingfirstlast-
reg_country=USA
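The Cause and Resolution sections above and Notes 1 and 2 together describe how a take action line is taken apart: the handler name must match an action file case-sensitively, each parameter is name=%attribute or name=%type:register, and the line ends with &flag. The following is an added example, not Silver Tail's actionserver.py: it parses a take action line, reports the problems the ActionServer would log (the "No service found" case and a parameter lacking "=" from Note 2), resolves the %-references against a constructed alert context, and parses the resulting alert file so the uncommented "somethingfirstlast-" line from Note 2 is caught. The action folder listing, the alert context and the register layout are all constructed for this example.

```python
"""Added example (not Silver Tail's own actionserver.py): parse and check a
take action line, then parse the alert file it produces. The actions listing,
alert context and register layout below are constructed assumptions."""

# Constructed stand-in for the listing of /var/opt/silvertail/etc/actions
ACTIONS_DIR = {"export", "syslog", "email"}

# Constructed alert context exposed to the action; registers are assumed to
# be grouped by type so that %ip:where looks up registers["ip"]["where"]
ALERT_CONTEXT = {
    "ip": "65.65.65.71",
    "user": "firstlast-",
    "agent": "curl/7.19.7",
    "email": "gtam@silvertailsystems.com",
    "registers": {"ip": {"exportipcountry": "United States", "where": "USA"}},
}

GOOD_LINE = "export&agent=%agent&ipaddr=%ip&reg_country=%ip:where&flag"
BAD_LINE = "export&agent=%agent&something%user&reg_country=%ip:where&flag"
SPACED_LINE = "export&args_email = %email&reg_ipcountry = %ip:exportipcountry&flag"


def parse_take_action(line):
    """Split 'handler&name=%ref&name2=%type:reg&flag' into its parts.
    Returns (handler, [(name, ref), ...], flag, errors)."""
    parts = [p.strip() for p in line.split("&")]
    handler, params = parts[0], parts[1:]
    flag = params.pop() if params and params[-1] == "flag" else None
    pairs, errors = [], []
    for p in params:
        if "=" not in p:  # the Note 2 defect: no name/value separator
            errors.append("parameter %r has no '=' separator" % p)
            continue
        name, ref = (s.strip() for s in p.split("=", 1))
        pairs.append((name, ref))
    return handler, pairs, flag, errors


def resolve_handler(handler, actions=ACTIONS_DIR):
    """Case-sensitive lookup: 'Email' does not match the 'email' action file."""
    return handler if handler in actions else None


def check_rule(line, actions=ACTIONS_DIR):
    """Problems this take action line would hit when the ActionServer runs it."""
    handler, _pairs, flag, errors = parse_take_action(line)
    problems = list(errors)
    if resolve_handler(handler, actions) is None:
        problems.append("No service found for %s." % handler)
    if flag != "flag":
        problems.append("take action line does not end with &flag")
    return problems


def resolve_value(ref, alert=ALERT_CONTEXT):
    """'%ip' -> attribute value; '%ip:where' -> register value; else literal."""
    if not ref.startswith("%"):
        return ref
    body = ref[1:]
    if ":" in body:
        rtype, rname = body.split(":", 1)
        return alert["registers"].get(rtype, {}).get(rname)
    return alert.get(body)


def render_context(pairs, alert=ALERT_CONTEXT):
    """The '# Alert Context Data' lines of the alert file."""
    return ["%s=%s" % (name, resolve_value(ref, alert)) for name, ref in pairs]


def parse_alert_file(text):
    """Parse 'key = value' lines, skipping '#' comments. A line with no '='
    is exactly what Note 2 shows breaking the ActionServer parser."""
    record = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError("line %d: no '=' in %r" % (lineno, line))
        key, value = (s.strip() for s in line.split("=", 1))
        record[key] = value
    return record


# Constructed alert files: the second carries the Note 2 defect
GOOD_ALERT = ("# Rules Engine created alert\nRule = ___TEST_EDS_UNIX__\n"
              "handler = export\nIP = 65.65.65.71\n# Alert Context Data\n"
              "agent=curl/7.19.7\nreg_country=USA\n")
BAD_ALERT = GOOD_ALERT.replace("agent=curl/7.19.7\n",
                               "agent=curl/7.19.7\nsomethingfirstlast-\n")

if __name__ == "__main__":
    for line in (GOOD_LINE, BAD_LINE, "Email&flag"):
        print(line, "->", check_rule(line) or "ok")
    print(render_context(parse_take_action(SPACED_LINE)[1]))
```

Running check_rule over every take action line in a rule set before deploying it surfaces the two failure modes on this page (a handler name whose case does not match an action file, and a parameter without "=") without waiting for the ActionServer to delete the alert.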

SENDMAIL TROUBLESHOOTING
  • Start sendmail with `chkconfig sendmail on`
  • In some cases, /usr/lib/sendmail might be a symlink to another mail application. If /usr/lib/sendmail links to sendmail itself, sendmail does not need to be running.  However, a relay server definition is required on the DS line in /etc/mail/sendmail.cf.  See below for examples.  (Normally, you would make changes to /etc/mail/sendmail.mc and use make to compile it into /etc/mail/sendmail.cf; if you know that sendmail.mc will never be compiled, just edit sendmail.cf directly.)

Example /etc/mail/sendmail.cf setting:

DSsmtp.domain.com

DS[10.1.1.5]