Protocols Introduction
TCP/IP:
- What is TCP/IP?
Basically, TCP/IP is a set of networking protocols that provide communications
across interconnected networks made up of computers with diverse hardware
architectures and various operating systems. Here, there are two layers
of interest: IP and TCP. Additionally, it is useful to understand the
concept of sockets.
The IP layer is responsible for moving packets of data from node to
node.
The TCP layer is responsible for verifying the correct delivery of
data from client to server. TCP adds support to detect errors or lost
data and to trigger re-transmission until the data is correctly and completely
received.
The socket is the software abstraction used to represent the “terminals”
of a connection between two machines.
A pair of sockets uniquely identifies each TCP/IP connection.
Practically, a TCP/IP based connection established between two applications
provides a reliable byte-stream service.
Information written to the socket by an application on one machine
can be read by an application on a different machine, and vice versa.
- How has EventGnosis implemented TCP/IP?
ECS has a source called ECS TCP Event Receiver and a destination called
ECS TCP Event Sender.
TCP Event Receiver is a socket server. It listens on a particular socket
(a parameterized host interface/port), accepts requests for a socket
connection and makes the connection. Finally, through this established
connection it receives ECS events.
A single instance of this receiver is capable of handling multiple
connection requests on the same socket, i.e. multiple simultaneous connections.
The ECS TCP Event Sender is an implementation of a client side socket.
It sends requests for a socket connection to another host/port and when
the connection is established, sends ECS events to it.
- My TCP/IP is not working. How do I troubleshoot it?
First, make sure your TCP/IP parameters are properly defined.
If you have problems with incoming events from a receiver make sure
that your particular socket connection is alive and the sending side of
the connection is sending events, if possible.
If you have problems with your sender, check whether the connection
has been lost and whether there is a target socket server on the other side
waiting for a connection on your target socket at the configured host/port.
SNMP:
- What is SNMP?
SNMP (Simple Network Management Protocol) is a generic network management
tool. It is a part of the TCP/IP protocol suite. This protocol is used
for management information exchange between network devices. An SNMP message
is sent to and from a device to gather information or configure the device.
In addition, managed devices send unsolicited reports (called Traps)
back to the network-management systems when certain network activity occurs.
Managed devices can be routers and access servers, switches and bridges,
hubs, computer hosts, printers and more.
- How has EventGnosis implemented SNMP Senders/Receivers?
Eventgnosis' ECS is capable of receiving and sending SNMP Traps. SNMP
v1 and v2c versions are currently supported. This means you can receive
SNMP traps, analyze them and perform meaningful action using filters and/or
redirect them to any configured destination.
Also, all events received by ECS-supported sources and modified or
created by ECS filters can be sent as Eventgnosis ECS specific traps through
the ECS' Trap Sender.
The ECS is capable of binding its SNMP receivers to multiple network
interfaces on the same port with no collisions.
- My SNMP is not working. How do I troubleshoot it?
First, check that your ECA configuration has proper parameters for
your SNMP sources and destinations. Be aware of the fact that the standard
port for SNMP traps is (UDP) 162.
Receiver: if you have proper values for the receiver's parameters and
still have problems receiving messages, check the port you use:
it is probably already being used by another application or another
ECS/ECA.
Sender: Again, make sure your ECA parameters for an SNMP sender are
properly defined. There are no port collisions for senders.
Syslog:
- What is Syslog?
Syslog is a protocol that allows a machine to send event notification
messages across IP networks to event message collectors -- also known
as Syslog Servers or Syslog Daemons.
Since each process, application and operating system was written somewhat
independently, there is little uniformity to the content of syslog messages.
For this reason, no assumption is made upon the formatting or content
of the messages. The protocol is simply designed to transport these event
messages.
Syslog messages are based on the User Datagram Protocol (UDP) type
of Internet Protocol (IP) communications.
Syslog messages are received on UDP port 514. Syslog message text is
generally no more than 1024 bytes in length. Since the UDP type of communication
is connectionless, UDP packets may get lost.
- How has EventGnosis implemented Syslog?
Eventgnosis' ECS is capable of sending and receiving Syslog messages.
This means you can receive Syslog messages, analyze them and perform
some meaningful action using filters and/or redirect them to any configured
destination.
Also, events received by ECS-supported sources and modified, formatted
or created by ECS filters can be sent as a Syslog message by ECS' Syslog
Sender to a configured destination.
- My Syslog is not working. How do I troubleshoot it?
First, make sure that your ECA configuration has proper parameters
for each Syslog Source or Destination. Be aware of the fact that the standard
port for Syslog is (UDP) 514.
Receiver: if you have proper values for the receiver's parameters and still
have problems receiving, check the port you are using: it is
probably already being used by another application or another ECS.
Sender: Just make sure your ECA parameters for a Syslog sender are
properly defined. There are no port collisions for senders.
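As an added example (not ECS's own code), here are the two checks behind the TCP, SNMP and Syslog troubleshooting answers above, in Python: whether a UDP receiver port such as 162 or 514 is already held by another application, and whether a TCP sender's target host/port has a socket server waiting for a connection. The function names and the loopback stand-in listeners are this example's own assumptions.

```python
import errno
import socket

def udp_port_status(port: int, host: str = "0.0.0.0") -> str:
    """Can a UDP receiver (SNMP traps on 162, Syslog on 514) bind host:port right now?
    Returns 'free', 'in-use' or 'permission-denied'. Ports below 1024 usually need
    root/Administrator rights; that failure is not a port collision."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        try:
            s.bind((host, port))
            return "free"
        except PermissionError:
            return "permission-denied"
        except OSError as e:
            return "in-use" if e.errno == errno.EADDRINUSE else "error:%s" % e.errno

def tcp_target_reachable(host: str, port: int, timeout: float = 2.0) -> bool:
    """Is a socket server accepting connections at host:port (a TCP Event
    Sender's target)? Only the TCP connect is attempted; no data is sent."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def open_udp_listener(host: str = "127.0.0.1"):
    """Stand-in for 'another application or other ECS' already holding a UDP port
    (port 0 lets the OS choose a free one). Returns (socket, port)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind((host, 0))
    return s, s.getsockname()[1]

def open_tcp_listener(host: str = "127.0.0.1"):
    """Stand-in for a TCP Event Receiver waiting for connections. Returns (socket, port)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, 0))
    s.listen(1)
    return s, s.getsockname()[1]

if __name__ == "__main__":
    holder, p = open_udp_listener()
    print("UDP port %d while held elsewhere: %s" % (p, udp_port_status(p, "127.0.0.1")))
    holder.close()
    print("UDP port %d after release: %s" % (p, udp_port_status(p, "127.0.0.1")))
    server, q = open_tcp_listener()
    print("TCP target 127.0.0.1:%d reachable: %s" % (q, tcp_target_reachable("127.0.0.1", q)))
    server.close()
    print("same target after the server is gone: %s" % tcp_target_reachable("127.0.0.1", q))
```

Run it with the same host/port values you configured for the ECS receiver or sender; a "permission-denied" result on 162 or 514 means the ECS service needs privileges for that port, not that another process owns it.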
Windows Events Logs:
- What are Windows Events Logs?
Windows Events Logs are special Windows files for keeping track of
specific Windows events (monitoring application activities, keeping track
of security issues, system component failures, etc.).
Which kinds of Windows events are recorded to the Windows Logs depends
on your Windows system settings.
The application for viewing these events is the Windows Event Viewer (usually
accessible via Windows Administrative Tools).
- How does EventGnosis read Windows Events Logs?
The ECS is capable of reading Windows Application, Security and System
Events Logs.
An ECS Windows Log Reader has a parameter that sets the type of Windows
log you want to read. You can have at most one Windows Log Reader per log
type configured simultaneously in a configuration.
- My ECS doesn't read Windows Log(s). How do I troubleshoot it?
Sometimes it takes a while until an event occurs and is written to the
appropriate log. It depends on the event types you have selected for recording
to the Windows logs in the administrative control panels. First, make sure
that Windows or your other applications actually write events to the Windows
logs. Also, be aware that the ECS will only read events that have occurred
(been written to the Windows events logs) after the ECS service has been started.
All pre-existing events are ignored.
Text Log:
- What is a Text Log?
A text log file is a commonly used way of recording important
messages, used by many applications. The messages sent to a log file chronologically
reveal the activities or status of the software itself or the system,
and are very useful for diagnosing problems. The message types typically
are: information (info), error, warning, trace.
Also, many logs are plain text files, but some applications use
a special format.
- How has EventGnosis implemented Text Logs?
The ECS has both a Text Log Reader and a Text Log Writer.
The Text Log Reader is used as an ECS source for monitoring a particular
file (via the FileName parameter) for new lines appended to the end of
the file. The ECS ignores any lines that existed before it was started.
The Text Log Writer writes message text lines to a file; the lines
usually represent events passed to it or any other information you have
constructed using ECS sources and filters.
- My Text Log is not working. How do I troubleshoot it?
Text Log Reader: First, check the FileName parameter. If the file
name is missing, blank or invalid, the receiver is probably disabled. Also,
be sure that new lines have been added to your log file since the ECS
service was started, since the Text Log Reader ignores lines that existed
at start-up time.
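An added example (not ECS's own code) of the Text Log Reader behaviour described above, in Python: start at the current end of the file, return only lines appended afterwards, hold back a partial line until it is terminated, and start over if the file is truncated in place. The class name, demo() and the constructed log lines are this example's own assumptions.

```python
import os
import tempfile

class TextLogReader:
    """Follows a text log as the ECS Text Log Reader is described: lines present
    when the reader starts are ignored; only lines appended later are returned."""

    def __init__(self, filename: str, encoding: str = "utf-8"):
        self.filename = filename
        self.encoding = encoding
        self._buf = b""                          # unterminated tail of the last read
        self._pos = os.path.getsize(filename)    # start at end: skip existing lines

    def poll(self):
        """Return the complete new lines appended since the previous poll."""
        size = os.path.getsize(self.filename)
        if size < self._pos:                     # truncated/rotated in place: restart
            self._pos, self._buf = 0, b""        # (rotation to a larger file is not detected)
        with open(self.filename, "rb") as f:
            f.seek(self._pos)
            self._buf += f.read()
            self._pos = f.tell()
        lines = self._buf.split(b"\n")
        self._buf = lines.pop()                  # keep a partial last line for next time
        return [l.rstrip(b"\r").decode(self.encoding, "replace") for l in lines]

def demo():
    """Self-contained run on a constructed temp log; returns the three poll results."""
    path = os.path.join(tempfile.mkdtemp(), "app.log")
    with open(path, "w") as f:
        f.write("old line 1\nold line 2\n")       # written before the reader starts
    reader = TextLogReader(path)
    with open(path, "a") as f:
        f.write("ERROR disk full\nWARN retry")   # second line not terminated yet
    first = reader.poll()                        # ['ERROR disk full']
    with open(path, "a") as f:
        f.write(" in 5s\n")
    second = reader.poll()                       # ['WARN retry in 5s']
    with open(path, "w") as f:                   # log truncated and rewritten
        f.write("INFO restarted\n")
    third = reader.poll()                        # ['INFO restarted']
    return first, second, third

if __name__ == "__main__":
    print(demo())
```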
Email:
- What is Email?
Everybody probably knows the answer. However, here are some additional
facts:
A large percentage of the total traffic over the Internet is Email.
Do you have a problem with spam (unsolicited mail)? Do you want to analyze
or filter mail messages? Do you want to send alert mails to notify
you that some important event has occurred? Email is one set of the protocols
within the Transmission Control Protocol/Internet Protocol (TCP/IP) suite
of protocols. A popular protocol for sending Email is Simple Mail Transfer
Protocol (SMTP) and a popular protocol for receiving it is Post Office
Protocol 3 (POP3).
- How does EventGnosis ECS deal with Emails?
ECS has an Email Receiver and an Email Sender.
This means that the ECS is capable of receiving Email messages from
a desired server for further processing (analyzing, filtering, deleting,
etc.).
You may also want to send an email as a result of some ECS event processing.
This is easily accomplished by configuring the Email Sender.
- My ECS Email (Receiver or Sender) is not working. How do I troubleshoot it?
Make sure you supplied valid parameters for your mail source or destination.
Email Sender: if your SMTP server is not available the sender won't
be able to send the messages. Sending will be disabled if you didn't supply
valid email addresses or server parameters.