IDMEF alarms going from client to manager sporadically not sent

Added by Sebastian K 11 months ago

I have an issue with missing alarms on the manager side. My setup includes a manager (v4.1.1, newer version did not work at the time for some reason) and a client (v4.1.0). I use the C API of libprelude on the client side to send IDMEF alarms to the manager if an error is detected. All relevant information is filled into the message form and sent. For safety reasons, I also locally track when I sent an alarm on the client side. The code which does this:

write_client_history();    ## local alarm log

idmef_message_t *idmef;

ret = idmef_message_new(&idmef);
if(ret < 0)
    prelude_perror(ret, "ERROR: Unable to create IDMEF message");
    return -1;

idmef_message_set_string(idmef, "alert.classification.text", "CustomAlarm");
idmef_message_set_string(idmef, "alert.assessment.impact.severity", "high");

idmef_message_set_string(idmef, "alert.additional_data(1).type", "integer");
idmef_message_set_string(idmef, "alert.additional_data(1).meaning", "CustomID");
idmef_message_set_number(idmef, "alert.additional_data(1).data", customData);
idmef_message_set_string(idmef, "alert.additional_data(2).type", "real");
idmef_message_set_string(idmef, "alert.additional_data(2).meaning", "Error");
idmef_message_set_number(idmef, "alert.additional_data(2).data", Error);

prelude_client_send_idmef(client, idmef);

After testing the executable for a set interval, I checked how many alarm have been sent to the manager and also, how many alarms I recorded on the client side. Out of the ~2500 alarms on the client side, I only get about 1380 on the manager side. The alarms that are on both machines do contain the same plausible values, but the manager misses almost half of the total number of alarms.

The application is a watchdog which may send an alarm every 500 ms if needed. My question is: is there a silent overflow going on that discards alarms which cannot be sent in time? Or what other reason could cause this behavior? The generation of the alarm and the local log file are written within the same branch of an if-statement, so they should be totally equal.

Thanks in advance for your input!

Replies (2)

RE: IDMEF alarms going from client to manager sporadically not sent - Added by Antoine LUONG 10 months ago


This behavior may be caused by the thresholding feature in the manager, did you check the /etc/prelude-manager/prelude-manager.conf file?


RE: IDMEF alarms going from client to manager sporadically not sent - Added by Sebastian K 10 months ago


thanks for the hint. I checked the config file and uncommented the following lines:

sched-priority = high:100 medium:50 low:20

sched-buffer-size = 1M

That resulted in all alarms being shown in the manager. By any chance, is there a rule of thumb of how much memory I have to allocate per alarms per second?

I tested my setup with 50 Megabyte, but I do not know if this is a reasonable number or not.