
Comments (16)

stamparm avatar stamparm commented on July 29, 2024

@unixfox but you already can do that. Can you please be more specific about what you need/want?

from maltrail.

unixfox avatar unixfox commented on July 29, 2024

I want to analyse logs from multiple sensors in the main web interface (Server) but I didn't find any documentation about that.

from maltrail.

stamparm avatar stamparm commented on July 29, 2024

Are multiple sensors (e.g. one sensor per interface) being run on the same machine or on different ones? If on different ones, you can use the LOG_SERVER for setting the collecting address where sensors should send their data to. That should be the same machine as the server itself.

from maltrail.

stamparm avatar stamparm commented on July 29, 2024

Minor update:

  1. LOG_SERVER should point to the collecting machine (same where server.py is being run)
  2. UDP_ADDRESS should be the listening address (leave it to 0.0.0.0)

from maltrail.

unixfox avatar unixfox commented on July 29, 2024

Two sensors on two different machines and one main web interface on one machine.
I'll try, thank you!

from maltrail.

stamparm avatar stamparm commented on July 29, 2024

I'll most probably rename UDP_ADDRESS to something like: LOG_ADDRESS

from maltrail.

unixfox avatar unixfox commented on July 29, 2024

I tried to configure sensors and server but the web interface returns no information.
The Chrome console shows me: Failed to load resource: the server responded with a status of 404 (Not Found) : https://x.x.x.x:8338/events?date=2015-12-18
Config file on the first machine (one sensor): https://paste.unixfox.eu/ixegupuvob.
Config file on the second machine (with one sensor and the web interface): https://paste.unixfox.eu/vetejumora.
What have I done wrong?

from maltrail.

stamparm avatar stamparm commented on July 29, 2024

Looks ok. That 404 just means that there are no events for that date.

Can you please do the test ping on the remote sensor (https://paste.unixfox.eu/ixegupuvob) and recheck the web interface on the server:

ping -c 1 136.161.101.53

from maltrail.

unixfox avatar unixfox commented on July 29, 2024

I've already tried it but the web interface doesn't find any event.
When I do cat /var/log/maltrail/$(date +"%Y-%m-%d").log, the terminal returns me strange logs:

"2015-12-17 19:09:42.923035" vps07 x.x.x.x 30640 x.x.x.x 25900 TCP IP x.x.x.x "potential port scanning" (heuristic)
"2015-12-17 19:09:43.019070" vps07 x.x.x.x 36626 x.x.x.x 25901 TCP IP x.x.x.x "potential port scanning" (heuristic)
"2015-12-17 19:09:42.843072" vps07 x.x.x.x 26071 x.x.x.x 25501 TCP IP x.x.x.x "potential port scanning" (heuristic)

My logs are full of false positives because the IP of the attacker comes from the machine hosting my second sensor.

from maltrail.

stamparm avatar stamparm commented on July 29, 2024

When you set up the remote sensor and server then the server's log files should be filled. I don't know where, in your case, you found that /var/log/maltrail/$(date +"%Y-%m-%d").log. Also, the ping I've mentioned should produce the Conficker warning in the server logs.

As for false positives, I am not sure that I understand what's going on in your case. From what I can see there are lots of connections on different ports going on in those logs.

from maltrail.

unixfox avatar unixfox commented on July 29, 2024

OK, I found a strange bug: sensors are using UTC but the Python server is using the default time zone (CEST), so when I visited the web interface it returned the 2015-12-18 date for me.
Is it possible to whitelist an IP on the sensors?

from maltrail.

stamparm avatar stamparm commented on July 29, 2024

Whitelisting is possible. First please update to the latest revision.

There is a new option in maltrail.conf called USER_WHITELIST. Just add the IPs there.

P.S. With the latest revision there should not be 404s any more for empty date event data.

from maltrail.
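The three problems discussed above (reading the sensor's daily log lines, the UTC-vs-local-date mismatch that hid a whole day of events, and dropping self-inflicted "potential port scanning" hits from your own sensor host) can be shown in one small script. This is an added example, not maltrail's own code: the field layout is read off the log lines pasted in this thread (an assumption), the sample lines and IP addresses are constructed, and the whitelist here is a plain Python set standing in for the USER_WHITELIST option.

```python
import shlex
from datetime import datetime, timezone, timedelta

# Constructed sample lines laid out like the entries pasted earlier in this thread.
# 198.51.100.7 plays the role of the host that runs the second sensor.
SAMPLE_LOG = """\
"2015-12-17 19:09:42.923035" vps07 198.51.100.7 30640 192.0.2.10 25900 TCP IP 198.51.100.7 "potential port scanning" (heuristic)
"2015-12-17 19:09:43.019070" vps07 198.51.100.7 36626 192.0.2.10 25901 TCP IP 198.51.100.7 "potential port scanning" (heuristic)
"2015-12-17 23:30:01.000000" vps07 203.0.113.9 4444 192.0.2.10 25501 TCP IP 203.0.113.9 "potential port scanning" (heuristic)
"""

# Assumed column order, inferred from the pasted lines (not taken from maltrail's source).
FIELDS = ("time", "sensor", "src_ip", "src_port", "dst_ip", "dst_port",
          "proto", "type", "trail", "info", "reference")


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not fit the layout."""
    tokens = shlex.split(line)  # keeps the quoted timestamp and info as single tokens
    if len(tokens) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, tokens))
    # Sensors write timestamps in UTC, so mark the parsed value as UTC explicitly.
    rec["time"] = datetime.strptime(rec["time"], "%Y-%m-%d %H:%M:%S.%f").replace(tzinfo=timezone.utc)
    rec["src_port"] = int(rec["src_port"])
    rec["dst_port"] = int(rec["dst_port"])
    rec["reference"] = rec["reference"].strip("()")
    return rec


def date_key(when, use_utc=True):
    """Date string used to select the daily log file.

    The sensor names its file by the UTC date, so the server must compute the UTC
    date too; use_utc=False reproduces the mismatch from this thread, where the
    server used its local zone and asked for a day that had no file yet.
    """
    if when.tzinfo is None:
        raise ValueError("pass a timezone-aware datetime")
    if use_utc:
        when = when.astimezone(timezone.utc)
    return when.strftime("%Y-%m-%d")


def mismatch_demo():
    """00:30 on 2015-12-18 in CEST (UTC+2) is still 2015-12-17 in UTC."""
    when = datetime(2015, 12, 18, 0, 30, tzinfo=timezone(timedelta(hours=2)))
    return date_key(when), date_key(when, use_utc=False)


def filter_whitelisted(records, whitelist):
    """Drop events whose source or trail is a whitelisted host (e.g. your other sensor)."""
    return [r for r in records
            if r["src_ip"] not in whitelist and r["trail"] not in whitelist]


def events_by_date(log_text, whitelist=frozenset()):
    """Count surviving events per UTC date, the way the web interface would bucket them."""
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    counts = {}
    for rec in filter_whitelisted(records, whitelist):
        key = date_key(rec["time"])
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    print("UTC vs local date for the same instant:", mismatch_demo())
    print("all events:", events_by_date(SAMPLE_LOG))
    print("with second sensor whitelisted:", events_by_date(SAMPLE_LOG, {"198.51.100.7"}))
```

The whitelist check looks at both the source address and the trail column, because in the pasted lines the trail is the same address as the scanning source; a whitelist that only matched one of them would still leak the false positives into the event count.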

stamparm avatar stamparm commented on July 29, 2024

@unixfox please update now (haven't pushed till this moment)

from maltrail.

unixfox avatar unixfox commented on July 29, 2024

@stamparm Okay, I'll try the new update!

from maltrail.

stamparm avatar stamparm commented on July 29, 2024

@unixfox ok now?

from maltrail.

unixfox avatar unixfox commented on July 29, 2024

@stamparm Everything is working well, thank you so much!

from maltrail.
