Protocols Introduction

 

TCP/IP:

  1. What is TCP/IP?
    Basically, TCP/IP is a set of networking protocols that provide communications across interconnected networks made up of computers with diverse hardware architectures and various operating systems. Here, there are two layers of interest: IP and TCP. Additionally, it is useful to understand the concept of sockets.
    The IP layer is responsible for moving packets of data from node to node.
    The TCP layer is responsible for verifying the correct delivery of data from client to server. TCP adds support to detect errors or lost data and to trigger re-transmission until the data is correctly and completely received.
    The socket is the software abstraction used to represent the “terminals” of a connection between two machines.
    A pair of sockets uniquely identifies each TCP/IP connection.
    Practically, a TCP/IP-based connection established between two applications provides a reliable byte-stream service.
    Information written to the socket by an application on one machine can be read by an application on a different machine, and vice versa.
  2. How has EventGnosis implemented TCP/IP?
    ECS has a source called ECS TCP Event Receiver and destination called ECS TCP Event Sender.
    TCP Event Receiver is a socket server. It listens on a particular socket (a parameterized host interface/port), accepts requests for a socket connection and makes the connection. Finally, through this established connection it receives ECS events.
    A single instance of this receiver is capable of handling multiple requests on the same listening socket and serving multiple connections.
    The ECS TCP Event Sender is an implementation of a client-side socket. It sends a request for a socket connection to another host/port and, once the connection is established, sends ECS events over it.
  3. My TCP/IP is not working. How do I troubleshoot it?
    First, make sure your TCP/IP parameters are properly defined.
    If you have problems with incoming events on a receiver, make sure that the socket connection in question is alive and, if possible, that the sending side of the connection is actually sending events.
    If you have problems with your sender, check whether the connection has been lost and whether a target socket server on the other side is waiting for a connection at the configured host/port.
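    The receiver/sender pair described in this section, as an added example that is not ECS code: a loopback server that frames newline-delimited events arriving over TCP, and a client that pushes them. The host, port and event strings are constructed test values; the framing rule (one event per line) is an assumption, since the page does not state how ECS delimits events on the wire.

```python
"""TCP event receiver/sender pair (added example, not ECS code).

Shows the byte-stream point made above: TCP delivers bytes reliably and in
order but does not preserve write boundaries, so the receiving side must do
its own framing. Here one event is one newline-terminated line. Host and port
are constructed test values (loopback, port 0 = any free port).
"""
import socket
import threading

def recv_events(conn):
    """Read newline-framed events from one connection until the peer closes it."""
    buf, events = b"", []
    while chunk := conn.recv(4096):
        buf += chunk
        while b"\n" in buf:  # one recv() may hold several events or part of one
            line, buf = buf.split(b"\n", 1)
            events.append(line.decode("utf-8", errors="replace"))
    if buf:  # peer closed mid-event: surface it rather than silently drop it
        events.append(buf.decode("utf-8", errors="replace") + " [unterminated]")
    return events

def send_events(host, port, events, split_at=7):
    """Client side: connect, then push the events as one byte stream, written in
    two arbitrary pieces so the receiver sees a split that ignores event bounds."""
    payload = b"".join(e.encode("utf-8") + b"\n" for e in events)
    with socket.create_connection((host, port)) as s:
        s.sendall(payload[:split_at])
        s.sendall(payload[split_at:])

def receive_from_senders(event_batches):
    """Server side: one listening socket, one accepted connection per sender."""
    received = []
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as listener:
        listener.bind(("127.0.0.1", 0))
        listener.listen()
        listener.settimeout(5)  # a sender that never connects must not hang us
        host, port = listener.getsockname()
        senders = [threading.Thread(target=send_events, args=(host, port, batch))
                   for batch in event_batches]
        for t in senders:
            t.start()
        for _ in senders:
            conn, _peer = listener.accept()
            with conn:
                received.append(recv_events(conn))
        for t in senders:
            t.join()
    return received
```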
 

SNMP:

  1. What is SNMP?
    SNMP (Simple Network Management Protocol) is a generic network management tool. It is a part of the TCP/IP protocol suite. This protocol is used for management information exchange between network devices. An SNMP message is sent to and from a device to gather information or configure the device.
    In addition, managed devices send unsolicited reports (called Traps) back to the network-management systems when certain network activity occurs.
    Managed devices can be routers and access servers, switches and bridges, hubs, computer hosts, printers and more.
  2. How has EventGnosis implemented SNMP Senders/Receivers?
    EventGnosis' ECS is capable of receiving and sending SNMP traps. SNMP v1 and v2c are currently supported. This means you can receive SNMP traps, analyze them and perform meaningful actions using filters, and/or redirect them to any configured destination.
    Also, all events received by ECS-supported sources and modified or created by ECS filters can be sent as EventGnosis ECS-specific traps through the ECS Trap Sender.
    The ECS is capable of binding its SNMP receivers to multiple network interfaces on the same port with no collisions.
  3. My SNMP is not working. How do I troubleshoot it?
    First, check that your ECA configuration has proper parameters for your SNMP sources and destinations. Be aware that the standard port for SNMP traps is UDP 162.
    Receiver: if you have proper values for the receiver's parameters and still have problems receiving messages, check the port you use: it is probably already in use by another application or by another ECS/ECA.
    Sender: again, make sure your ECA parameters for an SNMP sender are properly defined. There should be no port collisions for senders.
 

Syslog:

  1. What is Syslog?
    Syslog is a protocol that allows a machine to send event notification messages across IP networks to event message collectors, also known as Syslog servers or Syslog daemons.
    Since each process, application and operating system was written somewhat independently, there is little uniformity to the content of syslog messages. For this reason, no assumption is made upon the formatting or content of the messages. The protocol is simply designed to transport these event messages.
    Syslog messages are carried over the User Datagram Protocol (UDP) on top of the Internet Protocol (IP).
    Syslog messages are received on UDP port 514. Syslog message text is generally no more than 1024 bytes in length. Since UDP is connectionless, UDP packets may get lost.
  2. How has EventGnosis implemented Syslog?
    EventGnosis' ECS is capable of sending and receiving Syslog messages.
    This means you can receive Syslog messages, analyze them and perform some meaningful action using filters and/or redirect them to any configured destination.
    Also, events received by ECS-supported sources and modified, formatted or created by ECS filters can be sent as a Syslog message by ECS' Syslog Sender to a configured destination.
  3. My Syslog is not working. How do I troubleshoot it?
    First, make sure that your ECA configuration has proper parameters for each Syslog source or destination. Be aware that the standard port for Syslog is UDP 514.
    Receiver: if you have proper values for the receiver's parameters and still have problems receiving, check the port you are using: it is probably already in use by another application or by another ECS.
    Sender: Just make sure your ECA parameters for a Syslog sender are properly defined. There should be no port collisions for senders.
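    As an added example (not ECS code), a small syslog receiver and header parser. Since the text stresses that syslog makes no assumption about message content, the parser decodes only the <PRI> header defined by RFC 3164 (facility * 8 + severity) and passes everything else through as opaque text, enforcing the 1024-byte limit quoted above. The facility and severity names follow RFC 3164; the sample messages are constructed, not captured.

```python
import re
import socket

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
MAX_LEN = 1024                      # traditional payload limit quoted in the text
_PRI = re.compile(rb"^<(\d{1,3})>")

def parse_syslog(datagram, peer=None):
    """Decode one UDP payload into a dict; tolerates any content, never raises."""
    rec = {"peer": peer, "truncated": len(datagram) > MAX_LEN}
    data = datagram[:MAX_LEN]
    m = _PRI.match(data)
    if m and int(m.group(1)) <= 191:  # PRI = facility * 8 + severity, so 0..191
        pri = int(m.group(1))
        rec["facility"], rec["severity"] = FACILITIES[pri >> 3], SEVERITIES[pri & 7]
        data = data[m.end():]
    else:                              # no usable header: keep the raw text as the event
        rec["facility"] = rec["severity"] = None
    # the wire carries bytes; replace undecodable ones instead of dropping the event
    rec["msg"] = data.decode("utf-8", errors="replace").rstrip("\r\n")
    return rec

def receive_one(sock):
    """Block for one datagram and parse it. UDP is connectionless, so a lost
    datagram leaves no trace here; only the sender could notice."""
    data, peer = sock.recvfrom(65535)
    return parse_syslog(data, peer)

def loopback_demo(message):
    """Send `message` to a loopback UDP listener and return the parsed record."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as rx, \
         socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as tx:
        rx.bind(("127.0.0.1", 0))     # port 0 = any free port; collectors use 514
        rx.settimeout(2)
        tx.sendto(message, rx.getsockname())
        return receive_one(rx)
```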
 

Windows Event Logs:

  1. What are Windows Event Logs?
    Windows Event Logs are special Windows files that keep track of specific Windows events (application activity, security issues, system component failures, etc.).
    Which Windows events are recorded in the logs depends on your Windows system settings.
    The application for viewing events is the Windows Event Viewer (usually accessible through Windows Administrative Tools).
  2. How does EventGnosis read Windows Event Logs?
    The ECS is capable of reading the Windows Application, Security and System Event Logs.
    An ECS Windows Log Reader has a parameter that selects the type of Windows log you want to read. You can have at most one Windows Log Reader per log type configured simultaneously in a configuration.
  3. My ECS doesn't read the Windows Log(s). How do I troubleshoot it?
    Sometimes it takes a while until an event occurs and is written to the appropriate log; this depends on which event types you have selected for recording to the Windows logs in the administrative control panels. First, make sure that Windows or your other applications actually write events to the Windows logs. Also, be aware that the ECS only reads events that have occurred (been written to the Windows Event Logs) after the ECS service has been started. All pre-existing events are ignored.
 

Text Log:

  1. What is a Text Log?
    A text log file is a commonly used way of recording important messages, used by many applications. The messages sent to a log file chronologically reveal the activities or status of the software itself or of the system, and are very useful for diagnosing problems. The message types typically are: information (info), error, warning and trace.
    Many logs are plain text files, but some applications use a special format.
  2. How has EventGnosis implemented Text Logs?
    The ECS has both a Text Log Reader and a Text Log Writer.
    The Text Log Reader is used as an ECS source for monitoring a particular file (via the FileName parameter) for new lines appended to the end of the file. The ECS ignores any lines that existed before it was started.
    The Text Log Writer writes message text lines to a file; the lines usually represent events passed to it or any other information you have constructed using ECS sources and filters.
  3. My Text Log is not working. How do I troubleshoot it?
    Text Log Reader: first, check the FileName parameter. If the file name is missing, blank or invalid, the receiver is probably disabled. Also, be sure that new lines have been added to your log file since the ECS service started, since the Text Log Reader ignores lines that existed at start-up time.
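    The reader behaviour described in this section, as an added example that is not ECS code: a tail-style reader that reports only lines appended after start-up, treats a missing or invalid FileName as "disabled", and holds back a half-written line until its newline arrives. The demo writes its own temporary log file; the file name, contents and the hypothetical class name TextLogReader are constructed for the example.

```python
"""Tail-style text log reader (added example, not ECS code).

Mirrors the Text Log Reader behaviour described above: only lines appended
after start-up are reported, a missing, blank or invalid FileName disables the
reader, and a line the writer has only half flushed is held back until its
newline arrives. The demo creates its own temporary file (constructed input).
"""
import os
import tempfile

class TextLogReader:
    def __init__(self, filename):
        self.filename = filename
        self.enabled = bool(filename) and os.path.isfile(filename)
        # start at end of file so pre-existing lines are never reported
        self._pos = os.path.getsize(filename) if self.enabled else 0
        self._partial = b""

    def poll(self):
        """Return the complete lines appended since the previous poll."""
        if not self.enabled:
            return []
        if os.path.getsize(self.filename) < self._pos:  # truncated or rotated in place
            self._pos, self._partial = 0, b""
        with open(self.filename, "rb") as f:
            f.seek(self._pos)
            chunk = f.read()
            self._pos = f.tell()
        *lines, self._partial = (self._partial + chunk).split(b"\n")
        return [l.decode("utf-8", errors="replace").rstrip("\r") for l in lines]

def demo():
    """Write a log, start the reader, append to the log, and return what it saw."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "app.log")
        with open(path, "w") as f:
            f.write("old line 1\nold line 2\n")       # present before start-up
        reader = TextLogReader(path)
        with open(path, "a") as f:
            f.write("new line 1\nnew li")              # second line not yet complete
        first = reader.poll()
        with open(path, "a") as f:
            f.write("ne 2\n")
        second = reader.poll()
        return first, second
```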
 

Email:

  1. What is Email?
    Everybody probably knows the answer. However, here are some additional facts:
    A large percentage of the total traffic over the Internet is Email. Do you have a problem with spam (unsolicited mail)? Do you want to analyze or filter mail messages? Do you want to send alert mails to notify you that some important event has occurred? Email is handled by a set of protocols within the Transmission Control Protocol/Internet Protocol (TCP/IP) suite. A popular protocol for sending Email is the Simple Mail Transfer Protocol (SMTP), and a popular protocol for receiving it is Post Office Protocol 3 (POP3).
  2. How does EventGnosis ECS deal with Emails?
    ECS has an Email Receiver and an Email Sender.
    This means that the ECS is capable of receiving Email messages from a desired server for further processing (analyzing, filtering, deleting, etc.).
    You may also want to send an email as a result of some ECS event processing. This is easily accomplished by configuring the Email Sender.
  3. My ECS Email (Receiver or Sender) is not working. How do I troubleshoot it?
    Make sure you supplied valid parameters for your mail source or destination.
    Email Sender: if your SMTP server is not available, the sender won't be able to send the messages. Sending will be disabled if you did not supply valid email addresses or server parameters.