EventConsole Time of Last Occurrence wrong

CMK version:
Checkmk Enterprise Edition 2.1.0p31
OS version:
Ubuntu 20.04
Error message:

Since the upgrade from 1.6.x to 2.1.0p31 the “time of last occurrence” time is always in the past, also there is some number added at the beginning of the message for syslog messages from our firewall.
For example:

The time of last occurrence of the event is shown as 2023-08-18 08:28:01 although the date in the syslog message is different. The “<186>” in the beginning is added from checkmk I think (that was not there before)?
This happens to all events from this host, also on other EC rules; the timestamp is always the same “2023-08-18 08:28:01”.

If I look at an older, already archived event, the last occurrence timestamp is the same as the timestamp in the syslog message.

Any ideas what could be the issue?
Thanks for your help!

Did you check the Werks, if something changed in the Event Console between the former and the new version?

I did take a look but did not find anything I can pin to that behaviour.

I just tested it a bit and I think it has nothing to do with the ruleset. I deactivated the ruleset and created a simple catch-all rule and it shows the same behaviour.

If I look at the history of events I can see the correct time for the entry in the logfile.
But Time of last occurrence is in the past, which is strange…

If I go to the Event Rule Set and generate the event manually everything is fine

I enabled the debug mode for a short time and caught a logon error event.
It looks like there is some error in event.py but I don't know if this is relevant to that?

2023-08-22 15:57:42,361 [20] [cmk.mkeventd.EventServer] processing message from host ip.253, port 15190: "<185>date=2023-08-22 time=15:57:42 devname="FGT" devid="FGT" eventtime=1692712662363374008 tz="+0200" logid="0100032002" type="event" subtype="system" level="alert" vd="root" logdesc="Admin login failed" sn="0" user="testerei" ui="https(ip.103)" method="https" srcip=ip.103 dstip=ip.253 action="login" status="failed" reason="name_invalid" msg="Administrator testerei login failed from https(103) because of invalid user name""
2023-08-22 15:57:42,361 [40] [cmk.mkeventd.EventServer] could not parse message "<185>date=2023-08-22 time=15:57:42 devname="FGT" devid="FGT" eventtime=1692712662363374008 tz="+0200" logid="0100032002" type="event" subtype="system" level="alert" vd="root" logdesc="Admin login failed" sn="0" user="testerei" ui="https(ip.103)" method="https" srcip=ip.103 dstip=ip.253 action="login" status="failed" reason="name_invalid" msg="Administrator testerei login failed from https(ip.103) because of invalid user name"" ('date=2023-08-22')
Traceback (most recent call last):
  File "/omd/sites/name/lib/python3/cmk/ec/event.py", line 79, in create_event_from_line
    event = parse_message(line, ipaddress)
  File "/omd/sites/name/lib/python3/cmk/ec/event.py", line 227, in parse_message
    month = _MONTH_NAMES[month_name]
KeyError: 'date=2023-08-22'
2023-08-22 15:57:42,362 [20] [cmk.mkeventd.EventServer] parsed message:
 application:
 core_host:        None
 facility:         1
 host:
 host_in_downtime: False
 ipaddress:        ip.253
 pid:              0
 priority:         0
 text:             <185>date=2023-08-22 time=15:57:42 devname="FGT" devid="FGT" eventtime=1692712662363374008 tz="+0200" logid="0100032002" type="event" subtype="system" level="alert" vd="root" logdesc="Admin login failed" sn="0" user="testerei" ui="https(ip.103)" method="https" srcip=ip.103 dstip=ip.253 action="login" status="failed" reason="name_invalid" msg="Administrator testerei login failed from https(ip.103) because of invalid user name"
 time:             1692340081.7687554
2023-08-22 15:57:42,362 [20] [cmk.mkeventd.EventServer]   Rule would not match, but due to inverted matching does.
2023-08-22 15:57:42,362 [20] [cmk.mkeventd.EventServer]   matching groups:
{}
2023-08-22 15:57:42,363 [20] [cmk.mkeventd.EventServer]   skipping this rule pack (FW-FORWARD-1)
2023-08-22 15:57:42,363 [20] [cmk.mkeventd.EventServer]   Rule would match, but due to inverted matching does not.
2023-08-22 15:57:42,364 [20] [cmk.mkeventd.EventServer]   matching groups:
{'match_groups_message': ('Admin login failed',)}
2023-08-22 15:57:42,367 [20] [cmk.mkeventd] Event 88628: NEW// - <185>date=2023-08-22 time=15:57:42 devname="FGT" devid="FGT" eventtime=1692712662363374008 tz="+0200" logid="0100032002" type="event" subtype="system" level="alert" vd="root" logdesc="Admin login failed" sn="0" user="testerei" ui="https(ip.103)" method="https" srcip=10.33.1.103 dstip=ip.253 action="login" status="failed" reason="name_invalid" msg="Administrator testerei login failed from https(ip.103) because of invalid user name"
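
A defensive version of the parse step that fails in the traceback above, added here as an illustration and not Checkmk's own code: the PRI header (`<185>` = local7.alert) is split off first, the month lookup only runs once a BSD-style `Mon DD HH:MM:SS` header has actually matched, and for a Fortigate key=value line the time is taken from its own `date=`, `time=` and `tz=` fields instead of leaving the whole `<185>...` text and a stale time in the event. The sample lines are constructed from the thread's log (IPs shortened); BSD timestamps are assumed to be UTC.

```python
import re
import time
from datetime import datetime, timedelta, timezone

# Constructed samples: one modelled on the thread's Fortigate line, one classic BSD-style line.
SAMPLE_FORTIGATE = ('<185>date=2023-08-22 time=15:57:42 devname="FGT" eventtime=1692712662363374008 '
                    'tz="+0200" logid="0100032002" logdesc="Admin login failed"')
SAMPLE_BSD = '<13>Aug 22 15:57:42 fw1 sshd[42]: Failed password for invalid user tester'
_MONTHS = {m: i for i, m in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun", "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], 1)}
_PRI_RE = re.compile(r"^<(\d{1,3})>")
_BSD_RE = re.compile(r"^([A-Z][a-z]{2}) +(\d{1,2}) (\d{2}):(\d{2}):(\d{2}) ")
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def split_pri(line):
    """Strip <PRI>, return (facility, severity, rest); no valid PRI -> assume 13 = user.notice (RFC 3164)."""
    m = _PRI_RE.match(line)
    if not m or int(m.group(1)) > 191:
        return 1, 5, line
    pri = int(m.group(1))
    return pri // 8, pri % 8, line[m.end():]

def parse_timestamp(rest, received, year):
    """Return (epoch seconds, remaining text, time source). Tries BSD 'Mon DD HH:MM:SS'
    (assumed UTC), then Fortigate date=/time=/tz= fields, else the receive time. The month
    dict is only indexed after the BSD pattern matched, so a key=value line cannot KeyError."""
    m = _BSD_RE.match(rest)
    if m and m.group(1) in _MONTHS:
        mon, day, hh, mm, ss = m.groups()
        dt = datetime(year, _MONTHS[mon], int(day), int(hh), int(mm), int(ss), tzinfo=timezone.utc)
        return dt.timestamp(), rest[m.end():], "bsd"
    kv = dict(_KV_RE.findall(rest))
    if "date" in kv and "time" in kv:
        tz = kv.get("tz", "+0000").strip('"')          # Fortigate writes tz="+0200"
        offset = timedelta(hours=int(tz[1:3]), minutes=int(tz[3:5]))
        if tz[0] == "-":
            offset = -offset
        dt = datetime.strptime(kv["date"] + " " + kv["time"], "%Y-%m-%d %H:%M:%S")
        return dt.replace(tzinfo=timezone(offset)).timestamp(), rest, "fortigate"
    return received, rest, "received"

def parse_syslog(line, received=None, year=2023):
    """Parse one raw syslog line into the fields an event console would store."""
    received = time.time() if received is None else received
    facility, severity, rest = split_pri(line)
    ts, text, source = parse_timestamp(rest, received, year)
    return {"facility": facility, "severity": severity, "time": ts,
            "text": text, "time_source": source}
```

The Fortigate sample yields 1692712662.0, which agrees with the seconds part of its own `eventtime=1692712662363374008` field, while the thread's broken parse kept 1692340081 (the 2023-08-18 08:28:01 shown in the UI) regardless of the message.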

We are experiencing the very same thing with EE 2.1.0p27. Interestingly it’s always the same time of the last occurrence, even among different hosts. The pattern here seems to confirm that checkmk has again trouble communicating with Sophos firewalls or vice versa. We’ve tested it with an XG430, XG 310 and XGS3100 and all behave as described.

Has there been any change or progress so far?
Otherwise I would open a ticket with the support.

No, I did not have time to investigate this any further. In my case it is a Fortigate firewall, not Sophos, and it started with the upgrade to 2.1.0.

Yes please open a ticket.

Before opening a ticket, I updated to 2.1.0p33 and that actually did the trick. I also set up a test environment with 2.2.0.p10, and it also works there. So it looks like the bug, if it was one, has already been fixed.

I am glad it is solved for you, I also did the upgrade but the problem still exists on p33.