Guest User!

You are not Sophos Staff.

Thread Info
  • State Not Answered
  • Replies 10 replies
  • Subscribers 0 subscribers
  • Views 1884 views
  • Users 0 members are here
Options
Suggested

[7.180] no IM/P2P stats [OPEN]

gkemter
Under IM/P2P i cant see the stats. Only "No data is available for this report"
Today i tested ICQ with different settings, so there must be some data.....

Does IM/P2P use a separate logfile ? 

Gregor Kemter
Parents
  • 0
    Hi gkempter, 

    currently the im/p2p engine logs packets into the packetfilter log. 
    You need to look for entries with the fwrule="***xx"

    FWRULE table (category Instant Messaging (im))  FWRULE   Protocol   Description
    60100  irc  Internet Relay Chat (IRC)
    60101  msn  .NET Messenger Service
    60102  oscar  OSCAR protocol, used by ICQ and AOL Instant Messenger (AIM)
    60103  skype  Skype
    60104  tencent_qq  Tencent QQ
    60105  xmpp  XMPP protocol / Jabber Instant Messaging
    60106  yahoo  Yahoo! Messenger

    FWRULE table (category P2P/Filesharing (p2p)) FWRULE  Protocol  Description
    60200  applejuice  Applejuice
    60201  ares  Ares Galaxy
    60202  bittorrent  BitTorrent
    60203  direct_connect  Direct Connect
    60204  edonkey  eDonkey2000
    60205  fasttrack  FastTrack / Kazaa
    60206  freenet  Freenet
    60207  gnutella  Gnutella
    60208  imesh  IMesh
    60209  manolito  MANOLITO
    60210  mute  MUTE-net
    60211  soulseek  Soulseek
    60212  pando  Pando
    60213  winmx  WinMX
    60214  winny  WinNY
    60215  xdcc  XDCC (Xabi / eXtended DCC)

    also please take a look at the imp2p database located in /var/log/reporting/adbs/ there should  be a file called imp2p.dbl.

    how big is that file?

    thanks
    Gert
  • 0 in reply to Gert Hansen
    imp2p.dbl = 12288Bytes ,last update 10min ago.
  • 0 in reply to gkemter
    And does it still not show any statistics?
  • 0 in reply to gkemter
    now that is strange, can you please run the following code as root:

    sqlite3 /var/log/reporting/adbs/imp2p.dbl "PRAGMA integrity_check;"


    if it is ok please execude the following 

    sqlite3 /var/log/reporting/adbs/imp2p.dbl "SELECT * FROM data"


    this should show you the content of the database taht looks similar than this:


    |||||733128||184419322|LAN|1354803292|GB|im|skype|block|1
    |||||733128||184419322|LAN|1355017178|GB|im|skype|block|1
    |||||733128||184419322|LAN|1506372477|LV|im|skype|block|1
    |||||733128||184419322|LAN|1503621277|FR|im|skype|block|1
    |||||733128||184419322|LAN|1501829803|HU|im|skype|block|1
    |||||733128||1480985842|DE|184419297|LAN|im|skype|block|1
    |||||733128||1414047537|CH|184419297|LAN|im|skype|block|1


    thx Gert
  • 0 in reply to Gert Hansen
    1 und 2 returns OK

    the output from select: 


    2008|3|10|1|2008-11|733111|2008-03-10|3232280946|LAN|1074530429|US|im|aim|block_ft|6

    2008|3|10|1|2008-11|733111|2008-03-10|3232280946|LAN|1074530973|US|im|aim|block_ft|14

    2008|3|10|1|2008-11|733111|2008-03-10|3232280946|LAN|3451667325|US|im|aim|block_ft|6

    2008|3|10|1|2008-11|733111|2008-03-10|3232280948|LAN|1074532153|US|im|aim|block_ft|8

    2008|3|10|1|2008-11|733111|2008-03-10|3232280946|LAN|1074530397|US|im|aim|block_ft|6

    2008|3|10|1|2008-11|733111|2008-03-10|3232280948|LAN|1074530397|US|im|aim|block_ft|24

    2008|3|10|1|2008-11|733111|2008-03-10|3232280948|LAN|1074531129|US|im|aim|block_ft|24

    2008|3|10|1|2008-11|733111|2008-03-10|3232280948|LAN|1074530621|US|im|aim|block_ft|8

    2008|3|10|1|2008-11|733111|2008-03-10|3232280948|LAN|1074530909|US|im|aim|block_ft|16

    2008|3|10|1|2008-11|733111|2008-03-10|3232280946|LAN|1074531129|US|im|aim|block_ft|12

    2008|3|10|1|2008-11|733111|2008-03-10|3232280948|LAN|3451667261|US|im|aim|block_ft|16

    2008|3|10|1|2008-11|733111|2008-03-10|3232280946|LAN|3451669117|US|im|aim|block_ft|15

    2008|3|10|1|2008-11|733111|2008-03-10|3232280948|LAN|3451667197|US|im|aim|block_ft|16

    2008|3|10|1|2008-11|733111|2008-03-10|3232280946|LAN|1074530461|US|im|aim|block_ft|12

    2008|3|10|1|2008-11|733111|2008-03-10|3232280946|LAN|1074531037|US|im|aim|block_ft|17

    2008|3|10|1|2008-11|733111|2008-03-10|3232280946|LAN|1074531005|US|im|aim|block_ft|34

    2008|3|10|1|2008-11|733111|2008-03-10|3232280946|LAN|3451667197|US|im|aim|block_ft|6

    2008|3|10|1|2008-11|733111|2008-03-10|3232280948|LAN|3451669117|US|im|aim|block_ft|8

    2008|3|10|1|2008-11|733111|2008-03-10|3232280946|LAN|3451667037|US|im|aim|block_ft|18

    2008|3|10|1|2008-11|733111|2008-03-10|3232280946|LAN|3451667293|US|im|aim|block_ft|5

    2008|3|10|1|2008-11|733111|2008-03-10|3451652546|US|3232280946|LAN|im|aim|block_ft|3

    2008|3|10|1|2008-11|733111|2008-03-10|3232280946|LAN|1074532185|US|im|aim|block_ft|13

    2008|3|11|2|2008-11|733112|2008-03-11|3232280948|LAN|3451667677|US|im|aim|block_ft|8

    2008|3|11|2|2008-11|733112|2008-03-11|3232280948|LAN|3451667517|US|im|aim|block_ft|8

    2008|3|11|2|2008-11|733112|2008-03-11|3232280948|LAN|1074530461|US|im|aim|block_ft|8

    2008|3|12|3|2008-11|733113|2008-03-12|3232280946|LAN|3451667165|US|im|aim|block_ft|6

    2008|3|12|3|2008-11|733113|2008-03-12|3232280946|LAN|1074530941|US|im|aim|block_ft|6

    |||||733128||3232300694|LAN|3641053442|DE|p2p|winny|block|4

    |||||733128||3232300798|LAN|3232300694|LAN|p2p|winny|block|2

    |||||733129||3232300798|LAN|3232300743|LAN|im|tencent_qq|block|1

    |||||733129||3232300798|LAN|3232300694|LAN|p2p|winny|block|3

    |||||733129||3232300694|LAN|176531600|LAN|p2p|winny|block|1
  • 0 in reply to gkemter
    ok, the three last line are events recorded today for the usage of the WinNY and IM QQ protocol.

    do you use these two applications?

    please check the content of this file
    cat /var/log/reporting/inline/imp2p_security.ph

    this is the data source for the menu inline reporting.

    if this is nearly empty and no protocol is listed there, it seems that the process that analyzes the database content to write this file is somehow stuck. 

    Do you see a process in your process list called
    gen_inline_reporting_data.pl


    if not, just execute it and see what happens:
    ghansenfw:/root # gen_inline_reporting_data.pl


    after it is finished, the inline file should be filled. 

    Please be aware that only the files today are in there, as it is now close to midnight, you need to create new events that end up in the database. (there is a 15 min delay, beteen event occuranc and database insertion).

    regards
    Gert
  • 0 in reply to Gert Hansen
    i think my asg have some hdd problems: 


    

    borgqueen:/var/log/reporting/inline # cat imp2p_security.ph

    $VAR1 = {

              'top10_p2p_protocol' => {

                                        'top_count' => '0',

                                        'count_proto' => '0',

                                        'data' => []

                                      },

              'top10_im_srcip' => {

                                    'top_count' => '0',

                                    'data' => [],

                                    'count_srcip' => '0'

                                  },

              'top10_im_protocol' => {

                                       'top_count' => '0',

                                       'count_proto' => '0',

                                       'data' => []

                                     },

              'top10_p2p_srcip' => {

                                     'top_count' => '0',

                                     'data' => [],

                                     'count_srcip' => '0'

                                   }

            };

    borgqueen:/var/log/reporting/inline # gen_inline_reporting_data.pl

    Timeframe: today Debug: 0

    DBD::SQLite::st execute failed: database disk image is malformed(1) at dbdimp.c line 421 at /usr/local/bin/gen_inline_reporting_data.pl line 220.

    DBD::SQLite::st execute failed: database disk image is malformed(1) at dbdimp.c line 421 at /usr/local/bin/gen_inline_reporting_data.pl line 220.

    borgqueen:/var/log/reporting/inline #
  • 0 in reply to gkemter
    Ah ok, no that is not an harddisk issue, but one of the other database files seem to be corrupted, and therefore the process exits prior processing all the other databases. 
    As of line 220 this must be the accounting.dbl.
    Please check it with:
    sqlite3 /var/log/reporting/adbs/accounting.dbl  "PRAGMA integrity_check;"


    if the integrity is not ok, please do the following:

    mv /var/log/reporting/adbs/accounting.dbl /var/log/reporting/adbs/accounting.dbl-defect
    /etc/init.d/ulogd restart


    after that the gen_inline_reporting_data.pl should run through expected and you should also see the im/p2p stats.

    thanks
    gert
Reply
  • 0 in reply to gkemter
    Ah ok, no that is not an harddisk issue, but one of the other database files seem to be corrupted, and therefore the process exits prior processing all the other databases. 
    As of line 220 this must be the accounting.dbl.
    Please check it with:
    sqlite3 /var/log/reporting/adbs/accounting.dbl  "PRAGMA integrity_check;"


    if the integrity is not ok, please do the following:

    mv /var/log/reporting/adbs/accounting.dbl /var/log/reporting/adbs/accounting.dbl-defect
    /etc/init.d/ulogd restart


    after that the gen_inline_reporting_data.pl should run through expected and you should also see the im/p2p stats.

    thanks
    gert
Children
Unfiltered HTML