Testing of alert fails

Hi guys,
when I try to test the alert it only says:
Testing the notification Test_Splunk failed. Alert script failed.

The Splunk configuration is correct; it doesn’t matter which method I am using:
send to, scp…

Thank you for your help!

GVM versions

gsa: (‘gsad --version’)
Greenbone Security Assistant 9.0.1~git-f4a4658fb-gsa-9.0
gvm: (‘gvmd --version’)
Greenbone Vulnerability Manager 9.0.1~git-0aae9d25-gvmd-9.0
openvas-scanner: (‘openvassd --version’)
OpenVAS 7.0.1
gvm-libs:
gvm-libs 11.0.1

Environment

Operating system:
Distributor ID: Ubuntu
Description: Ubuntu 20.04 LTS
Release: 20.04
Codename: focal

Kernel: (‘uname -a’)
5.4.0-33-generic

Installation method / source:

I had to resolve this issue recently. I found that the cause was missing dependencies.

When testing the alerts from the alerts page, I found that while an indication that the alert had been tested appeared in gvmd.log, no corresponding error message appeared. However, when I went into Scans > Reports, selected a report and then “Trigger Alert” in the top left, I could run the alert from there with the selected report, and doing so seemed to produce the missing error message, similar to below:

event alert:MESSAGE:2020-10-08 20h18.22 UTC:176036: The alert Export Reports was triggered (Event: Task status changed to 'Done', Condition: Always)
GLib:CRITICAL:2020-10-08 20h18.23 UTC:176043: g_file_get_contents: assertion 'contents != NULL' failed
md manage:WARNING:2020-10-08 20h18.23 UTC:176036: alert_script_exec: child failed, /usr/share/gvm/gvmd/global_alert_methods/4a398d42-87c0-11e5-a1c0-28d24461215b/alert '192.168.1.57' '4343' /tmp/gvmd_alert_ofXITd/report > /dev/null 2> /tmp/gvmd_alert_ofXITd/error_AlGe6d

I took particular notice of the last line, which had a path to a script that controlled how the method being used, in this case Send To, functioned. Fortunately, it was simply a short shell script:

cat $3 | socat -t 0 - TCP:$1:$2
EXIT_CODE=$?
exit $EXIT_CODE

I quickly found that socat was not installed on my machine. After I ran “apt install socat”, it immediately started to work, both from the Scans > Reports page and the Configuration > Alerts page. I repeated this process with the SCP method, and found sshpass was missing in that case. Likewise, after running “apt install sshpass”, that method began working as well.

2 Likes
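
The debugging step described in the answer above, as an added example that is not part of the original post or of gvmd: replaying a method's alert script by hand so that its stderr and exit status stay visible (status 127 means the shell could not find a command, as with the missing socat). The function names, the verdict strings, the sample address and the absent tool name in the demo are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not gvmd code). Assumes the method script is a POSIX shell
# script like the Send To one quoted in the post.

# diagnose_alert SCRIPT [ARGS...]
# Runs SCRIPT the way the alert_script_exec log line shows (stdout discarded,
# stderr captured), prints a verdict and relays the captured stderr.
diagnose_alert() {
    script=${1:-}
    [ -r "$script" ] || { echo no-script; return 2; }
    shift
    err=$(mktemp) || return 2
    code=0
    sh "$script" "$@" >/dev/null 2>"$err" || code=$?
    case $code in
        0)   verdict=ok ;;
        127) verdict=missing-dependency ;;  # shell status for "command not found"
        *)   verdict=failed ;;
    esac
    echo "$verdict"
    sed 's/^/  stderr: /' "$err" >&2       # what gvmd would have hidden in /tmp
    rm -f "$err"
    [ "$verdict" = ok ]
}

# Constructed demo: the quoted Send To script with socat swapped for a tool
# name that does not exist, so nothing is sent and the run works offline.
demo() {
    dir=$(mktemp -d) || return 2
    printf '%s\n' 'cat $3 | gvm-demo-absent-tool -t 0 - TCP:$1:$2' \
        'EXIT_CODE=$?' 'exit $EXIT_CODE' >"$dir/alert"
    echo '<report/>' >"$dir/report"        # constructed stand-in for a report
    rc=0
    diagnose_alert "$dir/alert" 192.0.2.10 4343 "$dir/report" || rc=$?
    rm -rf "$dir"
    return "$rc"
}

demo || true
```

On a real installation, pass the script path from the alert_script_exec log line to diagnose_alert, followed by the host, port and a report file.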

While the error message handling of missing dependencies could be improved, please note that dependencies such as “socat” and “sshpass” are listed for each alert at the following part of the install document:

1 Like