Skip to content

Comments

Minor updates to alarms#137

Closed
xychix wants to merge 1 commit intomasterfrom
Python-Alarm-Updates
Closed

Minor updates to alarms#137
xychix wants to merge 1 commit intomasterfrom
Python-Alarm-Updates

Conversation

@xychix
Copy link
Collaborator

@xychix xychix commented Jan 20, 2021

@lorenzo please do check if alarms.py matches with ones in your open PR. Further these are minor additions

Minor updates to alarms
abc7064 
@lorenzo please do check if alarms.py matches with ones in your open PR. Further these are minor additions
@github-actions github-actions bot added docker Related to docker container builds elkserver Related to RedELK server components labels Jan 20, 2021
xychix pushed a commit to xychix/RedELK that referenced this pull request Jan 20, 2021
Minor updates on alarms
bae222a 
Roughly equals  outflanknl#137 on the main RedELK branch of outflanknl
@MarcOverIP
Copy link
Member

MarcOverIP commented Mar 8, 2021

Should this be merged, or are we waiting for another commit?

fastlorenzo
fastlorenzo requested changes Mar 8, 2021
View reviewed changes
elkserver/docker/redelk-base/redelkinstalldata/scripts/modules/alarm_httptraffic/module.py

def alarm_check(self):
# This check queries for IP's that aren't listed in any iplist* but do talk to c2* paths on redirectors\n
q = "NOT tags:iplist_* AND redir.backend.name:c2* AND tags:enriched_* AND NOT tags:%s"%(info['submodule'])
Copy link
Collaborator

@fastlorenzo fastlorenzo Jan 21, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should be self.info and not info, that's the bug I think

Copy link
Collaborator Author

@xychix xychix Mar 9, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

info is fine, the dict is global.

elkserver/docker/redelk-base/redelkinstalldata/scripts/alarm.py
Comment on lines -21 to +25
LOG_LEVEL = logging.DEBUG
if localconfig.DEBUG:
LOG_LEVEL = logging.DEBUG
else:
LOG_LEVEL = logging.INFO
Copy link
Collaborator

@fastlorenzo fastlorenzo Jan 21, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would add a loglevel variable in the config, so we can have more than just info and debug

Copy link
Collaborator

@fastlorenzo fastlorenzo Mar 8, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@MarcOverIP this still needs to be addressed before merging

Copy link
Collaborator Author

@xychix xychix Mar 8, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

agree. let's implant a config.DEBUGLEVEL
This was just a quick fix to avoid disk from filling 100% in days

elkserver/docker/redelk-base/redelkinstalldata/scripts/modules/alarm_dummy/module.py

def alarm_dummy(self):
q = "c2.log.type:ioc AND NOT tags:%s"%(info['submodule'])
q = "c2.log.type:ioc AND NOT tags:alarm_*"
Copy link
Collaborator

@fastlorenzo fastlorenzo Mar 8, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would keep the submodule name so it will alert for everything that has not been alerted by alarm_dummy before (to keep the behavior consistent with other alarms.

Copy link
Collaborator Author

@xychix xychix Mar 8, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

makes sense.

elkserver/docker/redelk-base/redelkinstalldata/scripts/modules/alarm_useragent/module.py
qSub = qSub + ") "
#q = "%s AND redir.backendname:c2* AND tags:enrich_* AND NOT tags:alarm_* "%qSub
q = "%s AND redir.backend.name:c2* AND NOT tags:%s"%(qSub,info['submodule'])
q = "%s AND redir.backend.name:c2* AND NOT tags:alarm_useragent" % qSub
Copy link
Collaborator

@fastlorenzo fastlorenzo Mar 8, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Use the submodule name instead of hardcoding alarm_useragent

Copy link
Collaborator Author

@xychix xychix Mar 8, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

true, likely has to be self.info as mentioned in some other item.

@fastlorenzo
Copy link
Collaborator

fastlorenzo commented Mar 8, 2021

@xychix what I can do is integrate your changes in #117

fastlorenzo added a commit to fastlorenzo/RedELK that referenced this pull request Mar 23, 2021
@fastlorenzo
Merged outflanknl#137 + pylint fixes
e03dcef 
Signed-off-by: fastlorenzo <git@bernardi.be>
@fastlorenzo
Copy link
Collaborator

fastlorenzo commented Mar 23, 2021

@xychix I've incorporated the changes from this to #117

@lorenzo
Copy link

lorenzo commented Mar 23, 2021

approved @xychix 🤣

@MarcOverIP
Copy link
Member

MarcOverIP commented Mar 31, 2021

Obsolete due to PR #117

@MarcOverIP MarcOverIP closed this Mar 31, 2021
@MarcOverIP MarcOverIP deleted the Python-Alarm-Updates branch June 23, 2021 12:22
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@fastlorenzo fastlorenzo fastlorenzo requested changes

Assignees

No one assigned

Labels

docker Related to docker container builds elkserver Related to RedELK server components

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@xychix @MarcOverIP @fastlorenzo @lorenzo