can I put enadis into debug mode?
list John Rothlisberger
We are having issues with acknowledge.sh & enadis.sh since upgrading to 4.3.29 and then to 4.3.30 on Ubuntu 16.04. For enadis.sh we do get the following error in the apache log: 2019-09-11 16:34:23.901080 Enadis POST that is not coming from self or svcstatus (referer=https://xymonserver/xymon-seccgi/enadis.sh). Ignoring. How can we enable debugging on enadis and have that dump to a file? Thanks, John Upcoming PTO: John Rothlisberger IT Strategy, Infrastructure & Security - Technology Growth Platform TGP for Business Process Outsourcing Accenture XXX.XXX.XXXX office This message is for the designated recipient only and may contain privileged, proprietary, or otherwise confidential information. If you have received it in error, please notify the sender immediately and delete the original. Any other use of the e-mail by you is prohibited. Where allowed by local law, electronic communications with Accenture and its affiliates, including e-mail and instant messaging (including content), may be scanned by our systems for the purposes of information security and assessment of internal compliance with Accenture policy. Your privacy is important to us. Accenture uses your personal data only in compliance with data protection laws. For further information on how Accenture processes your personal data, please see our privacy statement at https://www.accenture.com/us-en/privacy-policy. www.accenture.com
list Japheth Cleaver
▸
On Wed, September 11, 2019 8:38 am, Rothlisberger, John R. wrote:
We are having issues with acknowledge.sh & enadis.sh since upgrading to 4.3.29 and then to 4.3.30 on Ubuntu 16.04. For enadis.sh we do get the following error in the apache log: 2019-09-11 16:34:23.901080 Enadis POST that is not coming from self or svcstatus (referer=https://xymonserver/xymon-seccgi/enadis.sh). Ignoring. How can we enable debugging on enadis and have that dump to a file?
Unfortunately, it's not quite as easy as it used to be when we were using shell-based wrappers about the C programs. You can pass "--debug" as an option to the CGI_ENADIS_OPTS variable in /etc/xymon/cgioptions.cfg , however. If the error appears to be happening early in the CGI process (before headers are generated), you can also set CGIDEBUG=1 For the issue in question, it seems like the XSS checking is not working properly or the referer information is somehow being stripped. Are there any unusual CSP changes in your apache configuration, or do you have mod_security enabled by any chance? -jc
list René Vermare
Are you behind a (reverse) proxy-server?
I had also a problem with it, my solution was this (small) patch;
--- a/web/enadis.c 2019-07-23 17:29:06.000000000 +0200
+++ b/web/enadis.c 2019-09-11 01:06:33.283642013 +0200
@@ -332,7 +332,8 @@
int argi, i;
char *username = getenv("REMOTE_USER");
char *userhost = getenv("REMOTE_HOST");
- char *userip = getenv("REMOTE_ADDR");
+ char *userip = getenv("HTTP_X_FORWARDED_FOR");
+ if (userip == NULL) userip = getenv("REMOTE_ADDR");
SBUF_DEFINE(fullmsg);
char *envarea = NULL;
int obeycookies = 1;
--- a/web/acknowledge.c 2019-07-23 17:29:06.000000000 +0200
+++ b/web/acknowledge.c 2019-09-11 01:01:55.493676233 +0200
@@ -374,7 +374,8 @@
parse_query();
if (getenv("REMOTE_USER")) {
- char *remaddr = getenv("REMOTE_ADDR");
+ char *remaddr = getenv("HTTP_X_FORWARDED_FOR");
+ if (remaddr == NULL) remaddr =
getenv("REMOTE_ADDR");
SBUF_MALLOC(acking_user, 1024 +
strlen(getenv("REMOTE_USER")) + (remaddr ? strlen(remaddr) : 0));
snprintf(acking_user, acking_user_buflen,
"\nAcked by: %s", getenv("REMOTE_USER"));
Ciao,
Ren?
Op woensdag 11-09-2019 om 15:23 uur [tijdzone -0700], schreef J.C.
Cleaver:▸
On Wed, September 11, 2019 8:38 am, Rothlisberger, John R. wrote:We are having issues with acknowledge.sh & enadis.sh since upgrading to 4.3.29 and then to 4.3.30 on Ubuntu 16.04. For enadis.sh we do get the following error in the apache log: 2019-09-11 16:34:23.901080 Enadis POST that is not coming from self or svcstatus (referer=https://xymonserver/xymon-seccgi/enadis.sh). Ignoring. How can we enable debugging on enadis and have that dump to a file?Unfortunately, it's not quite as easy as it used to be when we were using shell-based wrappers about the C programs. You can pass "--debug" as an option to the CGI_ENADIS_OPTS variable in /etc/xymon/cgioptions.cfg , however. If the error appears to be happening early in the CGI process (before headers are generated), you can also set CGIDEBUG=1 For the issue in question, it seems like the XSS checking is not working properly or the referer information is somehow being stripped. Are there any unusual CSP changes in your apache configuration, or do you have mod_security enabled by any chance? -jc
Dit bericht is gescand op virussen d.m.v. ClamAV @vermare.net
list John Rothlisberger
Yes, this server is behind a reverse proxy. I applied the patches but still can't get either of them to work. Thanks, John -----Original Message----- From: Ren? Vermare <user-7b955ca225e6@xymon.invalid> Sent: Wednesday, September 11, 2019 5:31 PM To: J.C. Cleaver <user-87556346d4af@xymon.invalid> Cc: Rothlisberger, John R. <user-7adce57665bb@xymon.invalid>; xymon at xymon.com Subject: [External] Re: [Xymon] can I put enadis into debug mode? This message is from an EXTERNAL SENDER - be CAUTIOUS, particularly with links and attachments.
▸
Are you behind a (reverse) proxy-server?
I had also a problem with it, my solution was this (small) patch;
--- a/web/enadis.c 2019-07-23 17:29:06.000000000 +0200
+++ b/web/enadis.c 2019-09-11 01:06:33.283642013 +0200
@@ -332,7 +332,8 @@
int argi, i;
char *username = getenv("REMOTE_USER");
char *userhost = getenv("REMOTE_HOST");
- char *userip = getenv("REMOTE_ADDR");
+ char *userip = getenv("HTTP_X_FORWARDED_FOR");
+ if (userip == NULL) userip = getenv("REMOTE_ADDR");
SBUF_DEFINE(fullmsg);
char *envarea = NULL;
int obeycookies = 1;
--- a/web/acknowledge.c 2019-07-23 17:29:06.000000000 +0200
+++ b/web/acknowledge.c 2019-09-11 01:01:55.493676233 +0200
@@ -374,7 +374,8 @@
parse_query();
if (getenv("REMOTE_USER")) {
- char *remaddr = getenv("REMOTE_ADDR");
+ char *remaddr = getenv("HTTP_X_FORWARDED_FOR");
+ if (remaddr == NULL) remaddr =
getenv("REMOTE_ADDR");
SBUF_MALLOC(acking_user, 1024 +
strlen(getenv("REMOTE_USER")) + (remaddr ? strlen(remaddr) : 0));
snprintf(acking_user, acking_user_buflen,
"\nAcked by: %s", getenv("REMOTE_USER"));
Ciao,
Ren?
Op woensdag 11-09-2019 om 15:23 uur [tijdzone -0700], schreef J.C.
Cleaver:
On Wed, September 11, 2019 8:38 am, Rothlisberger, John R. wrote:
We are having issues with acknowledge.sh & enadis.sh since upgrading to
4.3.29 and then to 4.3.30 on Ubuntu 16.04.
For enadis.sh we do get the following error in the apache log:
2019-09-11 16:34:23.901080 Enadis POST that is not coming from self or
svcstatus (referer=https://urldefense.proofpoint.com/v2/url?u=https-3A__xymonserver_xymon-2Dseccgi_enadis.sh&d=DwIDaQ&c=eIGjsITfXP_y-DLLX0uEHXJvU8nOHrUK8IrwNKOtkVU&r=u6KtIBCRNAeN-AbgJjdZe5zZJVFEfq04dnWD-hYNPL_fxJIIFncbL8W6k0NMJtuq&m=47_Fg2P5NnCXjeGZ91uSE0ewHpC0t5NqqX7jlLgzfCA&s=J0cuUTaz0-BmSTtX5xqLeSToSiypwAAC96As47W7POw&e= ). Ignoring.
▸
How can we enable debugging on enadis and have that dump to a file?
Unfortunately, it's not quite as easy as it used to be when we were using
shell-based wrappers about the C programs.
You can pass "--debug" as an option to the CGI_ENADIS_OPTS variable in
/etc/xymon/cgioptions.cfg , however. If the error appears to be happening
early in the CGI process (before headers are generated), you can also set
CGIDEBUG=1
For the issue in question, it seems like the XSS checking is not working
properly or the referer information is somehow being stripped. Are there
any unusual CSP changes in your apache configuration, or do you have
mod_security enabled by any chance?
-jc
https://urldefense.proofpoint.com/v2/url?u=http-3A__lists.xymon.com_mailman_listinfo_xymon&d=DwIDaQ&c=eIGjsITfXP_y-DLLX0uEHXJvU8nOHrUK8IrwNKOtkVU&r=u6KtIBCRNAeN-AbgJjdZe5zZJVFEfq04dnWD-hYNPL_fxJIIFncbL8W6k0NMJtuq&m=47_Fg2P5NnCXjeGZ91uSE0ewHpC0t5NqqX7jlLgzfCA&s=z70877tsNZQ12zdYLp9eQxmXGmHW6DlKsTHrQePbsQU&e=
▸
Dit bericht is gescand op virussen d.m.v. ClamAV @vermare.net This message is for the designated recipient only and may contain privileged, proprietary, or otherwise confidential information. If you have received it in error, please notify the sender immediately and delete the original. Any other use of the e-mail by you is prohibited. Where allowed by local law, electronic communications with Accenture and its affiliates, including e-mail and instant messaging (including content), may be scanned by our systems for the purposes of information security and assessment of internal compliance with Accenture policy. Your privacy is important to us. Accenture uses your personal data only in compliance with data protection laws. For further information on how Accenture processes your personal data, please see our privacy statement at https://www.accenture.com/us-en/privacy-policy. www.accenture.com
list Japheth Cleaver
So this turned out to be a bit of a pain on systemd/PrivateTmp systems, but this *should* work for you in at least figuring out what's going on here. In /etc/xymon/cgioptions.cfg, add: ??? XYMONCGILOGDIR=/tmp/ and set: ??? CGI_ENADIS_OPTS="--env=$XYMONENV --debug" On a reload of your enable/disable submission, you should be able to find a (probably empty) cgierror.log and a enadis.dbg file inside something like /tmp/systemd-private-<UUID>-httpd.service-<random>/tmp/ Inside enadis.dbg, look for a line that says 'checking if referer is OK'. That should give some info into what we're seeing. HTH, -jc
▸
On 9/12/2019 8:08 AM, Rothlisberger, John R. wrote:Yes, this server is behind a reverse proxy. I applied the patches but still can't get either of them to work. Thanks, John -----Original Message----- From: Ren? Vermare <user-7b955ca225e6@xymon.invalid> Sent: Wednesday, September 11, 2019 5:31 PM To: J.C. Cleaver <user-87556346d4af@xymon.invalid> Cc: Rothlisberger, John R. <user-7adce57665bb@xymon.invalid>; xymon at xymon.com Subject: [External] Re: [Xymon] can I put enadis into debug mode? This message is from an EXTERNAL SENDER - be CAUTIOUS, particularly with links and attachments. Are you behind a (reverse) proxy-server? I had also a problem with it, my solution was this (small) patch; --- a/web/enadis.c 2019-07-23 17:29:06.000000000 +0200 +++ b/web/enadis.c 2019-09-11 01:06:33.283642013 +0200 @@ -332,7 +332,8 @@ int argi, i; char *username = getenv("REMOTE_USER"); char *userhost = getenv("REMOTE_HOST"); - char *userip = getenv("REMOTE_ADDR"); + char *userip = getenv("HTTP_X_FORWARDED_FOR"); + if (userip == NULL) userip = getenv("REMOTE_ADDR"); SBUF_DEFINE(fullmsg); char *envarea = NULL; int obeycookies = 1; --- a/web/acknowledge.c 2019-07-23 17:29:06.000000000 +0200 +++ b/web/acknowledge.c 2019-09-11 01:01:55.493676233 +0200 @@ -374,7 +374,8 @@ parse_query(); if (getenv("REMOTE_USER")) { - char *remaddr = getenv("REMOTE_ADDR"); + char *remaddr = getenv("HTTP_X_FORWARDED_FOR"); + if (remaddr == NULL) remaddr = getenv("REMOTE_ADDR"); SBUF_MALLOC(acking_user, 1024 + strlen(getenv("REMOTE_USER")) + (remaddr ? strlen(remaddr) : 0)); snprintf(acking_user, acking_user_buflen, "\nAcked by: %s", getenv("REMOTE_USER")); Ciao, Ren? Op woensdag 11-09-2019 om 15:23 uur [tijdzone -0700], schreef J.C. Cleaver:On Wed, September 11, 2019 8:38 am, Rothlisberger, John R. wrote:We are having issues with acknowledge.sh & enadis.sh since upgrading to 4.3.29 and then to 4.3.30 on Ubuntu 16.04. For enadis.sh we do get the following error in the apache log: 2019-09-11 16:34:23.901080 Enadis POST that is not coming from self or svcstatus (referer=https://urldefense.proofpoint.com/v2/url?u=https-3A__xymonserver_xymon-2Dseccgi_enadis.sh&d=DwIDaQ&c=eIGjsITfXP_y-DLLX0uEHXJvU8nOHrUK8IrwNKOtkVU&r=u6KtIBCRNAeN-AbgJjdZe5zZJVFEfq04dnWD-hYNPL_fxJIIFncbL8W6k0NMJtuq&m=47_Fg2P5NnCXjeGZ91uSE0ewHpC0t5NqqX7jlLgzfCA&s=J0cuUTaz0-BmSTtX5xqLeSToSiypwAAC96As47W7POw&e= ). Ignoring. How can we enable debugging on enadis and have that dump to a file?Unfortunately, it's not quite as easy as it used to be when we were using shell-based wrappers about the C programs. You can pass "--debug" as an option to the CGI_ENADIS_OPTS variable in /etc/xymon/cgioptions.cfg , however. If the error appears to be happening early in the CGI process (before headers are generated), you can also set CGIDEBUG=1 For the issue in question, it seems like the XSS checking is not working properly or the referer information is somehow being stripped. Are there any unusual CSP changes in your apache configuration, or do you have mod_security enabled by any chance? -jc https://urldefense.proofpoint.com/v2/url?u=http-3A__lists.xymon.com_mailman_listinfo_xymon&d=DwIDaQ&c=eIGjsITfXP_y-DLLX0uEHXJvU8nOHrUK8IrwNKOtkVU&r=u6KtIBCRNAeN-AbgJjdZe5zZJVFEfq04dnWD-hYNPL_fxJIIFncbL8W6k0NMJtuq&m=47_Fg2P5NnCXjeGZ91uSE0ewHpC0t5NqqX7jlLgzfCA&s=z70877tsNZQ12zdYLp9eQxmXGmHW6DlKsTHrQePbsQU&e=Dit bericht is gescand op virussen d.m.v. ClamAV @vermare.net This message is for the designated recipient only and may contain privileged, proprietary, or otherwise confidential information. If you have received it in error, please notify the sender immediately and delete the original. Any other use of the e-mail by you is prohibited. Where allowed by local law, electronic communications with Accenture and its affiliates, including e-mail and instant messaging (including content), may be scanned by our systems for the purposes of information security and assessment of internal compliance with Accenture policy. Your privacy is important to us. Accenture uses your personal data only in compliance with data protection laws. For further information on how Accenture processes your personal data, please see our privacy statement at https://www.accenture.com/us-en/privacy-policy. www.accenture.com
list John Rothlisberger
That worked for debugging - can at least see where the error is coming from: 76996 2019-09-12 22:42:29.566819 - checking if referer is OK (http_referer: https://our.domain.com/xymon-seccgi/enadis.sh, http_host: 10.20.30.40, xymonwebhost: https://our.domain.com, checkstr: /xymon-seccgi/enadis 76996 2019-09-12 22:42:29.566832 Disallowed request due to unexpected referer 'our.domain.com/xymon-seccgi/enadis.sh', wanted '10.20.30.40/xymon-seccgi/enadis' (originally '/xymon-seccgi/enadis') http_host is the IP of the Xymon server - but not the same as the URL used for our system (we have several and use a reverse proxy to get to all of them). Without taking too many wild guesses at which setting defines http_host (can't find it in man pages) - how do I change that? Thanks, John
▸
-----Original Message-----
From: Japheth Cleaver <user-87556346d4af@xymon.invalid>
Sent: Thursday, September 12, 2019 2:04 PM
To: Rothlisberger, John R. <user-7adce57665bb@xymon.invalid>; user-7b955ca225e6@xymon.invalid
Cc: xymon at xymon.com
Subject: Re: [External] Re: [Xymon] can I put enadis into debug mode?
So this turned out to be a bit of a pain on systemd/PrivateTmp systems, but this *should* work for you in at least figuring out what's going on here.
In /etc/xymon/cgioptions.cfg, add:
??? XYMONCGILOGDIR=/tmp/
and set:
??? CGI_ENADIS_OPTS="--env=$XYMONENV --debug"
On a reload of your enable/disable submission, you should be able to find a (probably empty) cgierror.log and a enadis.dbg file inside something like /tmp/systemd-private-<UUID>-httpd.service-<random>/tmp/
Inside enadis.dbg, look for a line that says 'checking if referer is OK'. That should give some info into what we're seeing.
HTH,
-jc
On 9/12/2019 8:08 AM, Rothlisberger, John R. wrote:Yes, this server is behind a reverse proxy. I applied the patches but still can't get either of them to work. Thanks, John -----Original Message----- From: Ren? Vermare <user-7b955ca225e6@xymon.invalid> Sent: Wednesday, September 11, 2019 5:31 PM To: J.C. Cleaver <user-87556346d4af@xymon.invalid> Cc: Rothlisberger, John R. <user-7adce57665bb@xymon.invalid>; Subject: [External] Re: [Xymon] can I put enadis into debug mode? This message is from an EXTERNAL SENDER - be CAUTIOUS, particularly with links and attachments. Are you behind a (reverse) proxy-server? I had also a problem with it, my solution was this (small) patch; --- a/web/enadis.c 2019-07-23 17:29:06.000000000 +0200 +++ b/web/enadis.c 2019-09-11 01:06:33.283642013 +0200 @@ -332,7 +332,8 @@ int argi, i; char *username = getenv("REMOTE_USER"); char *userhost = getenv("REMOTE_HOST"); - char *userip = getenv("REMOTE_ADDR"); + char *userip = getenv("HTTP_X_FORWARDED_FOR"); + if (userip == NULL) userip = getenv("REMOTE_ADDR"); SBUF_DEFINE(fullmsg); char *envarea = NULL; int obeycookies = 1; --- a/web/acknowledge.c 2019-07-23 17:29:06.000000000 +0200 +++ b/web/acknowledge.c 2019-09-11 01:01:55.493676233 +0200 @@ -374,7 +374,8 @@ parse_query(); if (getenv("REMOTE_USER")) { - char *remaddr = getenv("REMOTE_ADDR"); + char *remaddr = + getenv("HTTP_X_FORWARDED_FOR"); + if (remaddr == NULL) remaddr = getenv("REMOTE_ADDR"); SBUF_MALLOC(acking_user, 1024 + strlen(getenv("REMOTE_USER")) + (remaddr ? strlen(remaddr) : 0)); snprintf(acking_user, acking_user_buflen, "\nAcked by: %s", getenv("REMOTE_USER")); Ciao, Ren? Op woensdag 11-09-2019 om 15:23 uur [tijdzone -0700], schreef J.C. Cleaver:On Wed, September 11, 2019 8:38 am, Rothlisberger, John R. wrote:We are having issues with acknowledge.sh & enadis.sh since upgrading to 4.3.29 and then to 4.3.30 on Ubuntu 16.04. For enadis.sh we do get the following error in the apache log: 2019-09-11 16:34:23.901080 Enadis POST that is not coming from self or svcstatus (referer=https://urldefense.proofpoint.com/v2/url?u=https-3A__xymonserver_xymon-2Dseccgi_enadis.sh&d=DwIDaQ&c=eIGjsITfXP_y-DLLX0uEHXJvU8nOHrUK8IrwNKOtkVU&r=u6KtIBCRNAeN-AbgJjdZe5zZJVFEfq04dnWD-hYNPL_fxJIIFncbL8W6k0NMJtuq&m=47_Fg2P5NnCXjeGZ91uSE0ewHpC0t5NqqX7jlLgzfCA&s=J0cuUTaz0-BmSTtX5xqLeSToSiypwAAC96As47W7POw&e= ). Ignoring. How can we enable debugging on enadis and have that dump to a file?Unfortunately, it's not quite as easy as it used to be when we were using shell-based wrappers about the C programs. You can pass "--debug" as an option to the CGI_ENADIS_OPTS variable in /etc/xymon/cgioptions.cfg , however. If the error appears to be happening early in the CGI process (before headers are generated), you can also set CGIDEBUG=1 For the issue in question, it seems like the XSS checking is not working properly or the referer information is somehow being stripped. Are there any unusual CSP changes in your apache configuration, or do you have mod_security enabled by any chance? -jc
https://urldefense.proofpoint.com/v2/url?u=http-3A__lists.xymon.com_m ailman_listinfo_xymon&d=DwIDaQ&c=eIGjsITfXP_y-DLLX0uEHXJvU8nOHrUK8Irw NKOtkVU&r=u6KtIBCRNAeN-AbgJjdZe5zZJVFEfq04dnWD-hYNPL_fxJIIFncbL8W6k0N MJtuq&m=47_Fg2P5NnCXjeGZ91uSE0ewHpC0t5NqqX7jlLgzfCA&s=z70877tsNZQ12zd YLp9eQxmXGmHW6DlKsTHrQePbsQU&e=
▸
Dit bericht is gescand op virussen d.m.v. ClamAV @vermare.net This message is for the designated recipient only and may contain privileged, proprietary, or otherwise confidential information. If you have received it in error, please notify the sender immediately and delete the original. Any other use of the e-mail by you is prohibited. Where allowed by local law, electronic communications with Accenture and its affiliates, including e-mail and instant messaging (including content), may be scanned by our systems for the purposes of information security and assessment of internal compliance with Accenture policy. Your privacy is important to us. Accenture uses your personal data only in compliance with data protection laws. For further information on how Accenture processes your personal data, please see our privacy statement at https://www.accenture.com/us-en/privacy-policy. www.accenture.com
list Japheth Cleaver
▸
On 9/12/2019 2:58 PM, Rothlisberger, John R. wrote:
That worked for debugging - can at least see where the error is coming from: 76996 2019-09-12 22:42:29.566819 - checking if referer is OK (http_referer: https://our.domain.com/xymon-seccgi/enadis.sh, http_host: 10.20.30.40, xymonwebhost: https://our.domain.com, checkstr: /xymon-seccgi/enadis 76996 2019-09-12 22:42:29.566832 Disallowed request due to unexpected referer 'our.domain.com/xymon-seccgi/enadis.sh', wanted '10.20.30.40/xymon-seccgi/enadis' (originally '/xymon-seccgi/enadis') http_host is the IP of the Xymon server - but not the same as the URL used for our system (we have several and use a reverse proxy to get to all of them). Without taking too many wild guesses at which setting defines http_host (can't find it in man pages) - how do I change that?
HTTP_HOST is actually going to be set by the client. However the check can be overridden by setting $XYMONSERVERWWWNAME (technically $XYMONWEBHOST is what's used) in xymonserver.cfg to what you're expecting the client to be using. Depending on current .cfg settings, something may be specifying the basic IP there. HTH, -jc
list Japheth Cleaver
▸
On 9/12/2019 3:45 PM, Japheth Cleaver wrote:
HTTP_HOST is actually going to be set by the client. However the check can be overridden by setting $XYMONSERVERWWWNAME (technically $XYMONWEBHOST is what's used) in xymonserver.cfg to what you're expecting the client to be using.
To clarify, HTTP_HOST is part of the CGI spec based on the incoming request. -jc
list Zak Beck
Hi JC
Maybe I'm misreading it, but to me it looks like XYMONWEBHOST is only used if HTTP_HOST is not available, and in John's case, HTTP_HOST is available...
lib/cgi.c:305
httphost = getenv("HTTP_HOST");
if (!httphost) {
if (strcmp(xgetenv("XYMONWEBHOST"), "http://localhost";) != 0) {
Cheers
Zak
▸
-----Original Message-----
From: Xymon <xymon-bounces at xymon.com> On Behalf Of Japheth Cleaver
Sent: Thursday, 12 September 2019 23:48
To: Rothlisberger, John R. <user-7adce57665bb@xymon.invalid>; user-7b955ca225e6@xymon.invalid
Cc: xymon at xymon.com
Subject: Re: [Xymon] [External] Re: can I put enadis into debug mode?
This message is from an EXTERNAL SENDER - be CAUTIOUS, particularly with links and attachments.
On 9/12/2019 3:45 PM, Japheth Cleaver wrote:
HTTP_HOST is actually going to be set by the client. However the check
can be overridden by setting $XYMONSERVERWWWNAME (technically
$XYMONWEBHOST is what's used) in xymonserver.cfg to what you're
expecting the client to be using.
To clarify, HTTP_HOST is part of the CGI spec based on the incoming request. -jc
https://urldefense.proofpoint.com/v2/url?u=http-3A__lists.xymon.com_mailman_listinfo_xymon&d=DwICAg&c=eIGjsITfXP_y-DLLX0uEHXJvU8nOHrUK8IrwNKOtkVU&r=S-aLwpx-PHBTBMIG_c2JczRC0SfuZCmsiH9Iams25FI&m=1jQAktCJg1hdVChOROme2Tdf3B5SNZoebvwHQ9Gd2To&s=Rsj3hEj1HOOd7vkozOHwP4WnRtpWQ9QHXHRiWcdtjeg&e=
▸
This message is for the designated recipient only and may contain privileged, proprietary, or otherwise confidential information. If you have received it in error, please notify the sender immediately and delete the original. Any other use of the e-mail by you is prohibited. Where allowed by local law, electronic communications with Accenture and its affiliates, including e-mail and instant messaging (including content), may be scanned by our systems for the purposes of information security and assessment of internal compliance with Accenture policy. Your privacy is important to us. Accenture uses your personal data only in compliance with data protection laws. For further information on how Accenture processes your personal data, please see our privacy statement at https://www.accenture.com/us-en/privacy-policy. www.accenture.com
list John Rothlisberger
These are actually set already: XYMONSERVERWWWNAME="our.domain.com" XYMONWEBHOST="https://our.domain.com"; XYMONWEBHOSTURL="https://our.domain.com/xymon";
▸
Thanks,
John
-----Original Message-----
From: Japheth Cleaver <user-87556346d4af@xymon.invalid>
Sent: Thursday, September 12, 2019 5:45 PM
To: Rothlisberger, John R. <user-7adce57665bb@xymon.invalid>; user-7b955ca225e6@xymon.invalid
Cc: xymon at xymon.com
Subject: Re: [External] Re: [Xymon] can I put enadis into debug mode?
This message is from an EXTERNAL SENDER - be CAUTIOUS, particularly with links and attachments.
On 9/12/2019 2:58 PM, Rothlisberger, John R. wrote:
That worked for debugging - can at least see where the error is coming from:
76996 2019-09-12 22:42:29.566819 - checking if referer is OK (http_referer: https://urldefense.proofpoint.com/v2/url?u=https-3A__our.domain.com_xymon-2Dseccgi_enadis.sh&d=DwICaQ&c=eIGjsITfXP_y-DLLX0uEHXJvU8nOHrUK8IrwNKOtkVU&r=u6KtIBCRNAeN-AbgJjdZe5zZJVFEfq04dnWD-hYNPL_fxJIIFncbL8W6k0NMJtuq&m=bRahvPMUFYb204VPoQl7be5NB_ddal_nzGb2JBHaABg&s=HpwRnnzanaIWULrjFb04HysWuBn92I2_d7Ms7pmSiK8&e= , http_host: 10.20.30.40, xymonwebhost: https://urldefense.proofpoint.com/v2/url?u=https-3A__our.domain.com&d=DwICaQ&c=eIGjsITfXP_y-DLLX0uEHXJvU8nOHrUK8IrwNKOtkVU&r=u6KtIBCRNAeN-AbgJjdZe5zZJVFEfq04dnWD-hYNPL_fxJIIFncbL8W6k0NMJtuq&m=bRahvPMUFYb204VPoQl7be5NB_ddal_nzGb2JBHaABg&s=ik1nvxSgFr0cOhbiWRUQbpQ8u_Vq7hDK4hnkeaMqQsE&e= , checkstr: /xymon-seccgi/enadis
▸
76996 2019-09-12 22:42:29.566832 Disallowed request due to unexpected referer 'our.domain.com/xymon-seccgi/enadis.sh', wanted '10.20.30.40/xymon-seccgi/enadis' (originally '/xymon-seccgi/enadis')
http_host is the IP of the Xymon server - but not the same as the URL used for our system (we have several and use a reverse proxy to get to all of them).
Without taking too many wild guesses at which setting defines http_host (can't find it in man pages) - how do I change that?
HTTP_HOST is actually going to be set by the client. However the check can be overridden by setting $XYMONSERVERWWWNAME (technically $XYMONWEBHOST is what's used) in xymonserver.cfg to what you're expecting the client to be using. Depending on current .cfg settings, something may be specifying the basic IP there. HTH, -jc This message is for the designated recipient only and may contain privileged, proprietary, or otherwise confidential information. If you have received it in error, please notify the sender immediately and delete the original. Any other use of the e-mail by you is prohibited. Where allowed by local law, electronic communications with Accenture and its affiliates, including e-mail and instant messaging (including content), may be scanned by our systems for the purposes of information security and assessment of internal compliance with Accenture policy. Your privacy is important to us. Accenture uses your personal data only in compliance with data protection laws. For further information on how Accenture processes your personal data, please see our privacy statement at https://www.accenture.com/us-en/privacy-policy. www.accenture.com
list John Rothlisberger
I was able to set HTTP_HOST within cgioptions.cfg: And now, it appears as though enadis works - but its not disabling the test... Cgioptions.cfg: HTTP_HOST=aoc.accenture.com 11428 2019-09-13 22:43:31.789838 Opening file /home/xymon/server/etc/xymonmenu.cfg 11428 2019-09-13 22:43:31.793320 Trying header/footer file '/home/xymon/server/web/maint_footer' 11479 2019-09-13 22:43:45.424949 CGI: Request method='POST', data='hostname=serverA&disabletest=lupdate&hostpattern=serverA&pagepattern=&ippattern=&classpattern=&cause=test+disable&go2=Disable+for&duration=4&scale=60&endmonth=9&endday=13&endyear=2019&endhour=22&endminute=43&go=Disable+now&month=9&day=13&year=2019&hour=22&minute=43' 11479 2019-09-13 22:43:45.425092 CSP return is Content-Security-Policy: script-src 'self' 'unsafe-inline'; connect-src 'self'; form-action 'self'; sandbox allow-forms allow-scripts allow-same-origin allow-modals allow-popups; X-Content-Security-Policy: script-src 'self' 'unsafe-inline'; connect-src 'self'; form-action 'self'; sandbox allow-forms allow-scripts allow-same-origin allow-modals allow-popups; X-Webkit-CSP: script-src 'self' 'unsafe-inline'; connect-src 'self'; form-action 'self'; sandbox allow-forms allow-scripts allow-same-origin allow-modals allow-popups; 11479 2019-09-13 22:43:45.425124 - checking if referer is OK (http_referer: https://our.domain.com/xymon-seccgi/enadis.sh, http_host: our.domain.com, xymonwebhost: https://our.domain.com, checkstr: /xymon-seccgi/enadis 11479 2019-09-13 22:43:45.425212 Trying header/footer file '/home/xymon/server/web/maintact_header' 11479 2019-09-13 22:43:45.425354 Opening file /home/xymon/server/etc/xymonmenu.cfg 11479 2019-09-13 22:43:45.425549 Action = disable 11479 2019-09-13 22:43:45.425564 Tests = 11479 2019-09-13 22:43:45.425574 Duration = 4, scale = 60 11479 2019-09-13 22:43:45.425582 Cause = test disable 11479 2019-09-13 22:43:45.425608 Trying header/footer file '/home/xymon/server/web/maintact_footer' 11482 2019-09-13 22:43:49.112970 CGI: Request method='GET', data='' 11482 2019-09-13 22:43:49.113120 Transport setup is: 11482 2019-09-13 22:43:49.113138 xymondportnumber = 1984 11482 2019-09-13 22:43:49.113147 xymonproxyhost = NONE 11482 2019-09-13 22:43:49.113156 xymonproxyport = 0 11482 2019-09-13 22:43:49.113164 Recipient listed as '127.0.0.1' 11482 2019-09-13 22:43:49.113173 Standard protocol on port 1984 11482 2019-09-13 22:43:49.113194 Will connect to address 127.0.0.1 port 1984 11482 2019-09-13 22:43:49.113328 Connect status is 0 11482 2019-09-13 22:43:49.113373 Sent 16 bytes Unbuntu 16.04LTS Xymon 4.3.30
▸
Thanks,
John
-----Original Message-----
From: Japheth Cleaver <user-87556346d4af@xymon.invalid>
Sent: Thursday, September 12, 2019 5:45 PM
To: Rothlisberger, John R. <user-7adce57665bb@xymon.invalid>; user-7b955ca225e6@xymon.invalid
Cc: xymon at xymon.com
Subject: Re: [External] Re: [Xymon] can I put enadis into debug mode?
This message is from an EXTERNAL SENDER - be CAUTIOUS, particularly with links and attachments.
On 9/12/2019 2:58 PM, Rothlisberger, John R. wrote:
That worked for debugging - can at least see where the error is coming from:
76996 2019-09-12 22:42:29.566819 - checking if referer is OK (http_referer: https://urldefense.proofpoint.com/v2/url?u=https-3A__our.domain.com_xymon-2Dseccgi_enadis.sh&d=DwICaQ&c=eIGjsITfXP_y-DLLX0uEHXJvU8nOHrUK8IrwNKOtkVU&r=u6KtIBCRNAeN-AbgJjdZe5zZJVFEfq04dnWD-hYNPL_fxJIIFncbL8W6k0NMJtuq&m=bRahvPMUFYb204VPoQl7be5NB_ddal_nzGb2JBHaABg&s=HpwRnnzanaIWULrjFb04HysWuBn92I2_d7Ms7pmSiK8&e= , http_host: 10.20.30.40, xymonwebhost: https://urldefense.proofpoint.com/v2/url?u=https-3A__our.domain.com&d=DwICaQ&c=eIGjsITfXP_y-DLLX0uEHXJvU8nOHrUK8IrwNKOtkVU&r=u6KtIBCRNAeN-AbgJjdZe5zZJVFEfq04dnWD-hYNPL_fxJIIFncbL8W6k0NMJtuq&m=bRahvPMUFYb204VPoQl7be5NB_ddal_nzGb2JBHaABg&s=ik1nvxSgFr0cOhbiWRUQbpQ8u_Vq7hDK4hnkeaMqQsE&e= , checkstr: /xymon-seccgi/enadis
76996 2019-09-12 22:42:29.566832 Disallowed request due to unexpected referer 'our.domain.com/xymon-seccgi/enadis.sh', wanted '10.20.30.40/xymon-seccgi/enadis' (originally '/xymon-seccgi/enadis')
http_host is the IP of the Xymon server - but not the same as the URL used for our system (we have several and use a reverse proxy to get to all of them).
Without taking too many wild guesses at which setting defines http_host (can't find it in man pages) - how do I change that?
HTTP_HOST is actually going to be set by the client. However the check can be overridden by setting $XYMONSERVERWWWNAME (technically $XYMONWEBHOST is what's used) in xymonserver.cfg to what you're expecting the client to be using. Depending on current .cfg settings, something may be specifying the basic IP there. HTH, -jc This message is for the designated recipient only and may contain privileged, proprietary, or otherwise confidential information. If you have received it in error, please notify the sender immediately and delete the original. Any other use of the e-mail by you is prohibited. Where allowed by local law, electronic communications with Accenture and its affiliates, including e-mail and instant messaging (including content), may be scanned by our systems for the purposes of information security and assessment of internal compliance with Accenture policy. Your privacy is important to us. Accenture uses your personal data only in compliance with data protection laws. For further information on how Accenture processes your personal data, please see our privacy statement at https://www.accenture.com/us-en/privacy-policy. www.accenture.com
list Japheth Cleaver
▸
On 9/13/2019 3:55 AM, Beck, Zak wrote:
Hi JC
Maybe I'm misreading it, but to me it looks like XYMONWEBHOST is only used if HTTP_HOST is not available, and in John's case, HTTP_HOST is available...
lib/cgi.c:305
httphost = getenv("HTTP_HOST");
if (!httphost) {
if (strcmp(xgetenv("XYMONWEBHOST"), "http://localhost";) != 0) {Ahh... Yes, my mistake, indeed I did misread this. I suppose this covers the situation where the CGI is tested on the command line without a full CGI call, but it does feel a bit odd here. John: Is the load balancer making an HTTP call directly to the backend by IP or is it still sending the original Host: header in the traffic? -jc
list John Rothlisberger
Any ideas? This causing us issues because we are unable to acknowledge or disable alerts from the webpapge. Thanks, John
▸
-----Original Message-----
From: Rothlisberger, John R. <user-7adce57665bb@xymon.invalid>
Sent: Friday, September 13, 2019 4:54 PM
To: Japheth Cleaver <user-87556346d4af@xymon.invalid>; user-7b955ca225e6@xymon.invalid; xymon at xymon.com
Subject: RE: [External] Re: [Xymon] can I put enadis into debug mode?
I was able to set HTTP_HOST within cgioptions.cfg:
And now, it appears as though enadis works - but its not disabling the test...
Cgioptions.cfg:
HTTP_HOST=aoc.accenture.com
11428 2019-09-13 22:43:31.789838 Opening file /home/xymon/server/etc/xymonmenu.cfg
11428 2019-09-13 22:43:31.793320 Trying header/footer file '/home/xymon/server/web/maint_footer'
11479 2019-09-13 22:43:45.424949 CGI: Request method='POST', data='hostname=serverA&disabletest=lupdate&hostpattern=serverA&pagepattern=&ippattern=&classpattern=&cause=test+disable&go2=Disable+for&duration=4&scale=60&endmonth=9&endday=13&endyear=2019&endhour=22&endminute=43&go=Disable+now&month=9&day=13&year=2019&hour=22&minute=43'
11479 2019-09-13 22:43:45.425092 CSP return is Content-Security-Policy: script-src 'self' 'unsafe-inline'; connect-src 'self'; form-action 'self'; sandbox allow-forms allow-scripts allow-same-origin allow-modals allow-popups;
X-Content-Security-Policy: script-src 'self' 'unsafe-inline'; connect-src 'self'; form-action 'self'; sandbox allow-forms allow-scripts allow-same-origin allow-modals allow-popups;
X-Webkit-CSP: script-src 'self' 'unsafe-inline'; connect-src 'self'; form-action 'self'; sandbox allow-forms allow-scripts allow-same-origin allow-modals allow-popups;11479 2019-09-13 22:43:45.425124 - checking if referer is OK (http_referer: https://urldefense.proofpoint.com/v2/url?u=https-3A__our.domain.com_xymon-2Dseccgi_enadis.sh&d=DwIGaQ&c=eIGjsITfXP_y-DLLX0uEHXJvU8nOHrUK8IrwNKOtkVU&r=u6KtIBCRNAeN-AbgJjdZe5zZJVFEfq04dnWD-hYNPL_fxJIIFncbL8W6k0NMJtuq&m=hUp7xV6fRA2n12I55P6JyeCMauvA190vp8c5SkV-sNE&s=d4ROtciks3XZkuyjqLv1pL1srjNjhp2WASy5jFUDRJo&e= , http_host: our.domain.com, xymonwebhost: https://urldefense.proofpoint.com/v2/url?u=https-3A__our.domain.com&d=DwIGaQ&c=eIGjsITfXP_y-DLLX0uEHXJvU8nOHrUK8IrwNKOtkVU&r=u6KtIBCRNAeN-AbgJjdZe5zZJVFEfq04dnWD-hYNPL_fxJIIFncbL8W6k0NMJtuq&m=hUp7xV6fRA2n12I55P6JyeCMauvA190vp8c5SkV-sNE&s=1dukM_LrvEB24reV8YMIm6JDvfrBojPwjn3kI6zoHTo&e= , checkstr: /xymon-seccgi/enadis
▸
11479 2019-09-13 22:43:45.425212 Trying header/footer file '/home/xymon/server/web/maintact_header'
11479 2019-09-13 22:43:45.425354 Opening file /home/xymon/server/etc/xymonmenu.cfg
11479 2019-09-13 22:43:45.425549 Action = disable
11479 2019-09-13 22:43:45.425564 Tests = 11479 2019-09-13 22:43:45.425574 Duration = 4, scale = 60
11479 2019-09-13 22:43:45.425582 Cause = test disable
11479 2019-09-13 22:43:45.425608 Trying header/footer file '/home/xymon/server/web/maintact_footer'
11482 2019-09-13 22:43:49.112970 CGI: Request method='GET', data=''
11482 2019-09-13 22:43:49.113120 Transport setup is:
11482 2019-09-13 22:43:49.113138 xymondportnumber = 1984
11482 2019-09-13 22:43:49.113147 xymonproxyhost = NONE
11482 2019-09-13 22:43:49.113156 xymonproxyport = 0
11482 2019-09-13 22:43:49.113164 Recipient listed as '127.0.0.1'
11482 2019-09-13 22:43:49.113173 Standard protocol on port 1984
11482 2019-09-13 22:43:49.113194 Will connect to address 127.0.0.1 port 1984
11482 2019-09-13 22:43:49.113328 Connect status is 0
11482 2019-09-13 22:43:49.113373 Sent 16 bytes
Unbuntu 16.04LTS
Xymon 4.3.30
Thanks,
John
-----Original Message-----
From: Japheth Cleaver <user-87556346d4af@xymon.invalid>
Sent: Thursday, September 12, 2019 5:45 PM
To: Rothlisberger, John R. <user-7adce57665bb@xymon.invalid>; user-7b955ca225e6@xymon.invalid
Cc: xymon at xymon.com
Subject: Re: [External] Re: [Xymon] can I put enadis into debug mode?
This message is from an EXTERNAL SENDER - be CAUTIOUS, particularly with links and attachments.
On 9/12/2019 2:58 PM, Rothlisberger, John R. wrote:
That worked for debugging - can at least see where the error is coming from:
76996 2019-09-12 22:42:29.566819 - checking if referer is OK (http_referer: https://urldefense.proofpoint.com/v2/url?u=https-3A__our.domain.com_xymon-2Dseccgi_enadis.sh&d=DwICaQ&c=eIGjsITfXP_y-DLLX0uEHXJvU8nOHrUK8IrwNKOtkVU&r=u6KtIBCRNAeN-AbgJjdZe5zZJVFEfq04dnWD-hYNPL_fxJIIFncbL8W6k0NMJtuq&m=bRahvPMUFYb204VPoQl7be5NB_ddal_nzGb2JBHaABg&s=HpwRnnzanaIWULrjFb04HysWuBn92I2_d7Ms7pmSiK8&e= , http_host: 10.20.30.40, xymonwebhost: https://urldefense.proofpoint.com/v2/url?u=https-3A__our.domain.com&d=DwICaQ&c=eIGjsITfXP_y-DLLX0uEHXJvU8nOHrUK8IrwNKOtkVU&r=u6KtIBCRNAeN-AbgJjdZe5zZJVFEfq04dnWD-hYNPL_fxJIIFncbL8W6k0NMJtuq&m=bRahvPMUFYb204VPoQl7be5NB_ddal_nzGb2JBHaABg&s=ik1nvxSgFr0cOhbiWRUQbpQ8u_Vq7hDK4hnkeaMqQsE&e= , checkstr: /xymon-seccgi/enadis
76996 2019-09-12 22:42:29.566832 Disallowed request due to unexpected referer 'our.domain.com/xymon-seccgi/enadis.sh', wanted '10.20.30.40/xymon-seccgi/enadis' (originally '/xymon-seccgi/enadis')
http_host is the IP of the Xymon server - but not the same as the URL used for our system (we have several and use a reverse proxy to get to all of them).
Without taking too many wild guesses at which setting defines http_host (can't find it in man pages) - how do I change that?
HTTP_HOST is actually going to be set by the client. However the check can be overridden by setting $XYMONSERVERWWWNAME (technically $XYMONWEBHOST is what's used) in xymonserver.cfg to what you're expecting the client to be using. Depending on current .cfg settings, something may be specifying the basic IP there. HTH, -jc This message is for the designated recipient only and may contain privileged, proprietary, or otherwise confidential information. If you have received it in error, please notify the sender immediately and delete the original. Any other use of the e-mail by you is prohibited. Where allowed by local law, electronic communications with Accenture and its affiliates, including e-mail and instant messaging (including content), may be scanned by our systems for the purposes of information security and assessment of internal compliance with Accenture policy. Your privacy is important to us. Accenture uses your personal data only in compliance with data protection laws. For further information on how Accenture processes your personal data, please see our privacy statement at https://www.accenture.com/us-en/privacy-policy.
http://www.accenture.com
list Japheth Cleaver
Based on the connectivity information below, it looks like the message (or at least A message) is making back into xymond OK. Can you send -USR2 to xymond and hit it again? Were there any changes to your '--admin-senders' option concurrently? -jc
▸
On 9/16/2019 5:31 PM, Rothlisberger, John R. wrote:Any ideas? This causing us issues because we are unable to acknowledge or disable alerts from the webpapge. Thanks, John -----Original Message----- From: Rothlisberger, John R. <user-7adce57665bb@xymon.invalid> Sent: Friday, September 13, 2019 4:54 PM To: Japheth Cleaver <user-87556346d4af@xymon.invalid>; user-7b955ca225e6@xymon.invalid; xymon at xymon.com Subject: RE: [External] Re: [Xymon] can I put enadis into debug mode? I was able to set HTTP_HOST within cgioptions.cfg: And now, it appears as though enadis works - but its not disabling the test... Cgioptions.cfg: HTTP_HOST=aoc.accenture.com 11428 2019-09-13 22:43:31.789838 Opening file /home/xymon/server/etc/xymonmenu.cfg 11428 2019-09-13 22:43:31.793320 Trying header/footer file '/home/xymon/server/web/maint_footer' 11479 2019-09-13 22:43:45.424949 CGI: Request method='POST', data='hostname=serverA&disabletest=lupdate&hostpattern=serverA&pagepattern=&ippattern=&classpattern=&cause=test+disable&go2=Disable+for&duration=4&scale=60&endmonth=9&endday=13&endyear=2019&endhour=22&endminute=43&go=Disable+now&month=9&day=13&year=2019&hour=22&minute=43' 11479 2019-09-13 22:43:45.425092 CSP return is Content-Security-Policy: script-src 'self' 'unsafe-inline'; connect-src 'self'; form-action 'self'; sandbox allow-forms allow-scripts allow-same-origin allow-modals allow-popups; X-Content-Security-Policy: script-src 'self' 'unsafe-inline'; connect-src 'self'; form-action 'self'; sandbox allow-forms allow-scripts allow-same-origin allow-modals allow-popups; X-Webkit-CSP: script-src 'self' 'unsafe-inline'; connect-src 'self'; form-action 'self'; sandbox allow-forms allow-scripts allow-same-origin allow-modals allow-popups; 11479 2019-09-13 22:43:45.425124 - checking if referer is OK (http_referer: https://urldefense.proofpoint.com/v2/url?u=https-3A__our.domain.com_xymon-2Dseccgi_enadis.sh&d=DwIGaQ&c=eIGjsITfXP_y-DLLX0uEHXJvU8nOHrUK8IrwNKOtkVU&r=u6KtIBCRNAeN-AbgJjdZe5zZJVFEfq04dnWD-hYNPL_fxJIIFncbL8W6k0NMJtuq&m=hUp7xV6fRA2n12I55P6JyeCMauvA190vp8c5SkV-sNE&s=d4ROtciks3XZkuyjqLv1pL1srjNjhp2WASy5jFUDRJo&e= , http_host: our.domain.com, xymonwebhost: https://urldefense.proofpoint.com/v2/url?u=https-3A__our.domain.com&d=DwIGaQ&c=eIGjsITfXP_y-DLLX0uEHXJvU8nOHrUK8IrwNKOtkVU&r=u6KtIBCRNAeN-AbgJjdZe5zZJVFEfq04dnWD-hYNPL_fxJIIFncbL8W6k0NMJtuq&m=hUp7xV6fRA2n12I55P6JyeCMauvA190vp8c5SkV-sNE&s=1dukM_LrvEB24reV8YMIm6JDvfrBojPwjn3kI6zoHTo&e= , checkstr: /xymon-seccgi/enadis 11479 2019-09-13 22:43:45.425212 Trying header/footer file '/home/xymon/server/web/maintact_header' 11479 2019-09-13 22:43:45.425354 Opening file /home/xymon/server/etc/xymonmenu.cfg 11479 2019-09-13 22:43:45.425549 Action = disable 11479 2019-09-13 22:43:45.425564 Tests = 11479 2019-09-13 22:43:45.425574 Duration = 4, scale = 60 11479 2019-09-13 22:43:45.425582 Cause = test disable 11479 2019-09-13 22:43:45.425608 Trying header/footer file '/home/xymon/server/web/maintact_footer' 11482 2019-09-13 22:43:49.112970 CGI: Request method='GET', data='' 11482 2019-09-13 22:43:49.113120 Transport setup is: 11482 2019-09-13 22:43:49.113138 xymondportnumber = 1984 11482 2019-09-13 22:43:49.113147 xymonproxyhost = NONE 11482 2019-09-13 22:43:49.113156 xymonproxyport = 0 11482 2019-09-13 22:43:49.113164 Recipient listed as '127.0.0.1' 11482 2019-09-13 22:43:49.113173 Standard protocol on port 1984 11482 2019-09-13 22:43:49.113194 Will connect to address 127.0.0.1 port 1984 11482 2019-09-13 22:43:49.113328 Connect status is 0 11482 2019-09-13 22:43:49.113373 Sent 16 bytes Unbuntu 16.04LTS Xymon 4.3.30 Thanks, John -----Original Message----- From: Japheth Cleaver <user-87556346d4af@xymon.invalid> Sent: Thursday, September 12, 2019 5:45 PM To: Rothlisberger, John R. <user-7adce57665bb@xymon.invalid>; user-7b955ca225e6@xymon.invalid Cc: xymon at xymon.com Subject: Re: [External] Re: [Xymon] can I put enadis into debug mode? This message is from an EXTERNAL SENDER - be CAUTIOUS, particularly with links and attachments. On 9/12/2019 2:58 PM, Rothlisberger, John R. wrote:That worked for debugging - can at least see where the error is coming from: 76996 2019-09-12 22:42:29.566819 - checking if referer is OK (http_referer: https://urldefense.proofpoint.com/v2/url?u=https-3A__our.domain.com_xymon-2Dseccgi_enadis.sh&d=DwICaQ&c=eIGjsITfXP_y-DLLX0uEHXJvU8nOHrUK8IrwNKOtkVU&r=u6KtIBCRNAeN-AbgJjdZe5zZJVFEfq04dnWD-hYNPL_fxJIIFncbL8W6k0NMJtuq&m=bRahvPMUFYb204VPoQl7be5NB_ddal_nzGb2JBHaABg&s=HpwRnnzanaIWULrjFb04HysWuBn92I2_d7Ms7pmSiK8&e= , http_host: 10.20.30.40, xymonwebhost: https://urldefense.proofpoint.com/v2/url?u=https-3A__our.domain.com&d=DwICaQ&c=eIGjsITfXP_y-DLLX0uEHXJvU8nOHrUK8IrwNKOtkVU&r=u6KtIBCRNAeN-AbgJjdZe5zZJVFEfq04dnWD-hYNPL_fxJIIFncbL8W6k0NMJtuq&m=bRahvPMUFYb204VPoQl7be5NB_ddal_nzGb2JBHaABg&s=ik1nvxSgFr0cOhbiWRUQbpQ8u_Vq7hDK4hnkeaMqQsE&e= , checkstr: /xymon-seccgi/enadis 76996 2019-09-12 22:42:29.566832 Disallowed request due to unexpected referer 'our.domain.com/xymon-seccgi/enadis.sh', wanted '10.20.30.40/xymon-seccgi/enadis' (originally '/xymon-seccgi/enadis') http_host is the IP of the Xymon server - but not the same as the URL used for our system (we have several and use a reverse proxy to get to all of them). Without taking too many wild guesses at which setting defines http_host (can't find it in man pages) - how do I change that?HTTP_HOST is actually going to be set by the client. However the check can be overridden by setting $XYMONSERVERWWWNAME (technically $XYMONWEBHOST is what's used) in xymonserver.cfg to what you're expecting the client to be using. Depending on current .cfg settings, something may be specifying the basic IP there. HTH, -jc This message is for the designated recipient only and may contain privileged, proprietary, or otherwise confidential information. If you have received it in error, please notify the sender immediately and delete the original. Any other use of the e-mail by you is prohibited. Where allowed by local law, electronic communications with Accenture and its affiliates, including e-mail and instant messaging (including content), may be scanned by our systems for the purposes of information security and assessment of internal compliance with Accenture policy. Your privacy is important to us. Accenture uses your personal data only in compliance with data protection laws. For further information on how Accenture processes your personal data, please see our privacy statement at https://www.accenture.com/us-en/privacy-policy. http://www.accenture.com
list John Rothlisberger
I have made changes to --admin-senders but only in an attempt to fix the issues at hand. That being said, it was either set to it's own IP or 127.0.0.1,$XYMONSERVERIP I am unsure how or where you want me to use -USR2 (sorry brain fade) Here is with debug enabled and captured in enadis.log: 99801 2019-09-17 21:13:15.091517 CGI: Request method='GET', data='' 99801 2019-09-17 21:13:15.091663 Transport setup is: 99801 2019-09-17 21:13:15.091674 xymondportnumber = 1984 99801 2019-09-17 21:13:15.091683 xymonproxyhost = NONE 99801 2019-09-17 21:13:15.091691 xymonproxyport = 0 99801 2019-09-17 21:13:15.091699 Recipient listed as '127.0.0.1' 99801 2019-09-17 21:13:15.091708 Standard protocol on port 1984 99801 2019-09-17 21:13:15.091727 Will connect to address 127.0.0.1 port 1984 99801 2019-09-17 21:13:15.091871 Connect status is 0 99801 2019-09-17 21:13:15.091912 Sent 16 bytes 99801 2019-09-17 21:13:15.150989 Read 32767 bytes 99801 2019-09-17 21:13:15.151183 Read 32767 bytes 99801 2019-09-17 21:13:15.151311 Read 32767 bytes 99801 2019-09-17 21:13:15.151537 Read 32767 bytes 99801 2019-09-17 21:13:15.151608 Read 32767 bytes 99801 2019-09-17 21:13:15.151708 Read 32767 bytes 99801 2019-09-17 21:13:15.151775 Read 32767 bytes 99801 2019-09-17 21:13:15.151849 Read 32767 bytes 99801 2019-09-17 21:13:15.151916 Read 32767 bytes 99801 2019-09-17 21:13:15.151984 Read 32767 bytes 99801 2019-09-17 21:13:15.152057 Read 32767 bytes 99801 2019-09-17 21:13:15.152138 Read 32767 bytes 99801 2019-09-17 21:13:15.152206 Read 32767 bytes 99801 2019-09-17 21:13:15.152290 Read 32767 bytes 99801 2019-09-17 21:13:15.152470 Read 32767 bytes 99801 2019-09-17 21:13:15.152594 Read 32767 bytes 99801 2019-09-17 21:13:15.152668 Read 32767 bytes 99801 2019-09-17 21:13:15.152737 Read 32767 bytes 99801 2019-09-17 21:13:15.152823 Read 32767 bytes 99801 2019-09-17 21:13:15.152898 Read 32767 bytes 99801 2019-09-17 21:13:15.152968 Read 32767 bytes 99801 2019-09-17 21:13:15.153042 Read 32767 bytes 99801 2019-09-17 21:13:15.153109 Read 672 bytes 99801 2019-09-17 21:13:15.153157 Closing connection 99801 2019-09-17 21:13:15.165423 Trying header/footer file '/home/xymon/server/web/maint_header' 99801 2019-09-17 21:13:15.165475 Recipient listed as '127.0.0.1' 99801 2019-09-17 21:13:15.165485 Standard protocol on port 1984 99801 2019-09-17 21:13:15.165489 Will connect to address 127.0.0.1 port 1984 99801 2019-09-17 21:13:15.165543 Connect status is 0 99801 2019-09-17 21:13:15.165561 Sent 55 bytes 99801 2019-09-17 21:13:15.182312 Read 32767 bytes 99801 2019-09-17 21:13:15.182391 Read 11009 bytes 99801 2019-09-17 21:13:15.182851 Read 32767 bytes 99801 2019-09-17 21:13:15.183039 Read 32767 bytes 99801 2019-09-17 21:13:15.183149 Read 32767 bytes 99801 2019-09-17 21:13:15.183241 Read 32767 bytes 99801 2019-09-17 21:13:15.183317 Read 32767 bytes 99801 2019-09-17 21:13:15.183395 Read 32767 bytes 99801 2019-09-17 21:13:15.183470 Read 32767 bytes 99801 2019-09-17 21:13:15.183551 Read 32767 bytes 99801 2019-09-17 21:13:15.183627 Read 32767 bytes 99801 2019-09-17 21:13:15.183716 Read 32767 bytes 99801 2019-09-17 21:13:15.183799 Read 32767 bytes 99801 2019-09-17 21:13:15.183873 Read 32767 bytes 99801 2019-09-17 21:13:15.183950 Read 32767 bytes 99801 2019-09-17 21:13:15.184053 Read 32767 bytes 99801 2019-09-17 21:13:15.184135 Read 32767 bytes 99801 2019-09-17 21:13:15.184210 Read 32767 bytes 99801 2019-09-17 21:13:15.184284 Read 32767 bytes 99801 2019-09-17 21:13:15.184359 Read 32767 bytes 99801 2019-09-17 21:13:15.184458 Read 32767 bytes 99801 2019-09-17 21:13:15.184578 Read 32767 bytes 99801 2019-09-17 21:13:15.184657 Read 32767 bytes 99801 2019-09-17 21:13:15.184734 Read 32767 bytes 99801 2019-09-17 21:13:15.184826 Read 32767 bytes 99801 2019-09-17 21:13:15.184903 Read 32767 bytes 99801 2019-09-17 21:13:15.185013 Read 32767 bytes 99801 2019-09-17 21:13:15.186451 Read 32767 bytes 99801 2019-09-17 21:13:15.186535 Read 32767 bytes 99801 2019-09-17 21:13:15.186645 Read 32767 bytes 99801 2019-09-17 21:13:15.186727 Read 32767 bytes 99801 2019-09-17 21:13:15.186805 Read 32767 bytes 99801 2019-09-17 21:13:15.186882 Read 32767 bytes 99801 2019-09-17 21:13:15.186959 Read 32767 bytes 99801 2019-09-17 21:13:15.187033 Read 491 bytes 99801 2019-09-17 21:13:15.187062 Closing connection 99801 2019-09-17 21:13:15.205359 Recipient listed as '127.0.0.1' 99801 2019-09-17 21:13:15.205376 Standard protocol on port 1984 99801 2019-09-17 21:13:15.205380 Will connect to address 127.0.0.1 port 1984 99801 2019-09-17 21:13:15.205438 Connect status is 0 99801 2019-09-17 21:13:15.205456 Sent 8 bytes 99801 2019-09-17 21:13:15.205607 Closing connection 99801 2019-09-17 21:13:15.309349 Opening file /home/xymon/server/etc/xymonmenu.cfg 99801 2019-09-17 21:13:15.313554 Trying header/footer file '/home/xymon/server/web/maint_footer' 99879 2019-09-17 21:13:44.381310 CGI: Request method='POST', data='hostname=servera&disabletest=disk&hostpattern=&pagepattern=&ippattern=&classpattern=&cause=test+disable&go2=Disable+for&duration=1&scale=60&endmonth=9&endday=17&endyear=2019&endhour=21&endminute=13&go=Disable+now&month=9&day=17&year=2019&hour=21&minute=13' 99879 2019-09-17 21:13:44.381480 CSP return is Content-Security-Policy: script-src 'self' 'unsafe-inline'; connect-src 'self'; form-action 'self'; sandbox allow-forms allow-scripts allow-same-origin allow-modals allow-popups;
▸
X-Content-Security-Policy: script-src 'self' 'unsafe-inline'; connect-src 'self'; form-action 'self'; sandbox allow-forms allow-scripts allow-same-origin allow-modals allow-popups;
X-Webkit-CSP: script-src 'self' 'unsafe-inline'; connect-src 'self'; form-action 'self'; sandbox allow-forms allow-scripts allow-same-origin allow-modals allow-popups;99879 2019-09-17 21:13:44.381511 - checking if referer is OK (http_referer: https://our.domain.com/xymon-seccgi/enadis.sh, http_host: our.domain.com, xymonwebhost: https://our.domain.com, checkstr: /xymon-seccgi/enadis 99879 2019-09-17 21:13:44.381597 Trying header/footer file '/home/xymon/server/web/maintact_header' 99879 2019-09-17 21:13:44.381724 Opening file /home/xymon/server/etc/xymonmenu.cfg 99879 2019-09-17 21:13:44.381891 Action = disable 99879 2019-09-17 21:13:44.381902 Tests = 99879 2019-09-17 21:13:44.381911 Duration = 1, scale = 60 99879 2019-09-17 21:13:44.381919 Cause = test disable 99879 2019-09-17 21:13:44.381939 Trying header/footer file '/home/xymon/server/web/maintact_footer'
▸
Thanks,
John
-----Original Message-----
From: Japheth Cleaver <user-87556346d4af@xymon.invalid>
Sent: Tuesday, September 17, 2019 12:41 PM
To: Rothlisberger, John R. <user-7adce57665bb@xymon.invalid>; xymon at xymon.com
Subject: Re: [External] Re: [Xymon] can I put enadis into debug mode?
Based on the connectivity information below, it looks like the message (or at least A message) is making back into xymond OK.
Can you send -USR2 to xymond and hit it again? Were there any changes to your '--admin-senders' option concurrently?
-jc
On 9/16/2019 5:31 PM, Rothlisberger, John R. wrote:Any ideas? This causing us issues because we are unable to acknowledge or disable alerts from the webpapge. Thanks, John -----Original Message----- From: Rothlisberger, John R. <user-7adce57665bb@xymon.invalid> Sent: Friday, September 13, 2019 4:54 PM To: Japheth Cleaver <user-87556346d4af@xymon.invalid>; user-7b955ca225e6@xymon.invalid; Subject: RE: [External] Re: [Xymon] can I put enadis into debug mode? I was able to set HTTP_HOST within cgioptions.cfg: And now, it appears as though enadis works - but its not disabling the test... Cgioptions.cfg: HTTP_HOST=aoc.accenture.com 11428 2019-09-13 22:43:31.789838 Opening file /home/xymon/server/etc/xymonmenu.cfg 11428 2019-09-13 22:43:31.793320 Trying header/footer file '/home/xymon/server/web/maint_footer' 11479 2019-09-13 22:43:45.424949 CGI: Request method='POST', data='hostname=serverA&disabletest=lupdate&hostpattern=serverA&pagepattern=&ippattern=&classpattern=&cause=test+disable&go2=Disable+for&duration=4&scale=60&endmonth=9&endday=13&endyear=2019&endhour=22&endminute=43&go=Disable+now&month=9&day=13&year=2019&hour=22&minute=43' 11479 2019-09-13 22:43:45.425092 CSP return is Content-Security-Policy: script-src 'self' 'unsafe-inline'; connect-src 'self'; form-action 'self'; sandbox allow-forms allow-scripts allow-same-origin allow-modals allow-popups; X-Content-Security-Policy: script-src 'self' 'unsafe-inline'; connect-src 'self'; form-action 'self'; sandbox allow-forms allow-scripts allow-same-origin allow-modals allow-popups; X-Webkit-CSP: script-src 'self' 'unsafe-inline'; connect-src 'self'; form-action 'self'; sandbox allow-forms allow-scripts allow-same-origin allow-modals allow-popups; 11479 2019-09-13 22:43:45.425124 - checking if referer is OK (http_referer:
https://urldefense.proofpoint.com/v2/url?u=https-3A__our.domain.com_xy mon-2Dseccgi_enadis.sh&d=DwIGaQ&c=eIGjsITfXP_y-DLLX0uEHXJvU8nOHrUK8Irw NKOtkVU&r=u6KtIBCRNAeN-AbgJjdZe5zZJVFEfq04dnWD-hYNPL_fxJIIFncbL8W6k0NM Jtuq&m=hUp7xV6fRA2n12I55P6JyeCMauvA190vp8c5SkV-sNE&s=d4ROtciks3XZkuyjq Lv1pL1srjNjhp2WASy5jFUDRJo&e= , http_host: our.domain.com, xymonwebhost: https://urldefense.proofpoint.com/v2/url?u=https-3A__our.domain.com&d= DwIGaQ&c=eIGjsITfXP_y-DLLX0uEHXJvU8nOHrUK8IrwNKOtkVU&r=u6KtIBCRNAeN-Ab gJjdZe5zZJVFEfq04dnWD-hYNPL_fxJIIFncbL8W6k0NMJtuq&m=hUp7xV6fRA2n12I55P 6JyeCMauvA190vp8c5SkV-sNE&s=1dukM_LrvEB24reV8YMIm6JDvfrBojPwjn3kI6zoHT o&e= , checkstr: /xymon-seccgi/enadis
▸
11479 2019-09-13 22:43:45.425212 Trying header/footer file '/home/xymon/server/web/maintact_header' 11479 2019-09-13 22:43:45.425354 Opening file /home/xymon/server/etc/xymonmenu.cfg 11479 2019-09-13 22:43:45.425549 Action = disable 11479 2019-09-13 22:43:45.425564 Tests = 11479 2019-09-13 22:43:45.425574 Duration = 4, scale = 60 11479 2019-09-13 22:43:45.425582 Cause = test disable 11479 2019-09-13 22:43:45.425608 Trying header/footer file '/home/xymon/server/web/maintact_footer' 11482 2019-09-13 22:43:49.112970 CGI: Request method='GET', data='' 11482 2019-09-13 22:43:49.113120 Transport setup is: 11482 2019-09-13 22:43:49.113138 xymondportnumber = 1984 11482 2019-09-13 22:43:49.113147 xymonproxyhost = NONE 11482 2019-09-13 22:43:49.113156 xymonproxyport = 0 11482 2019-09-13 22:43:49.113164 Recipient listed as '127.0.0.1' 11482 2019-09-13 22:43:49.113173 Standard protocol on port 1984 11482 2019-09-13 22:43:49.113194 Will connect to address 127.0.0.1 port 1984 11482 2019-09-13 22:43:49.113328 Connect status is 0 11482 2019-09-13 22:43:49.113373 Sent 16 bytes Unbuntu 16.04LTS Xymon 4.3.30 Thanks, John -----Original Message----- From: Japheth Cleaver <user-87556346d4af@xymon.invalid> Sent: Thursday, September 12, 2019 5:45 PM To: Rothlisberger, John R. <user-7adce57665bb@xymon.invalid>; user-7b955ca225e6@xymon.invalid Cc: xymon at xymon.com Subject: Re: [External] Re: [Xymon] can I put enadis into debug mode? This message is from an EXTERNAL SENDER - be CAUTIOUS, particularly with links and attachments. On 9/12/2019 2:58 PM, Rothlisberger, John R. wrote:That worked for debugging - can at least see where the error is coming from: 76996 2019-09-12 22:42:29.566819 - checking if referer is OK (http_referer:
https://urldefense.proofpoint.com/v2/url?u=https-3A__our.domain.com_x ymon-2Dseccgi_enadis.sh&d=DwICaQ&c=eIGjsITfXP_y-DLLX0uEHXJvU8nOHrUK8I rwNKOtkVU&r=u6KtIBCRNAeN-AbgJjdZe5zZJVFEfq04dnWD-hYNPL_fxJIIFncbL8W6k 0NMJtuq&m=bRahvPMUFYb204VPoQl7be5NB_ddal_nzGb2JBHaABg&s=HpwRnnzanaIWU LrjFb04HysWuBn92I2_d7Ms7pmSiK8&e= , http_host: 10.20.30.40, xymonwebhost: https://urldefense.proofpoint.com/v2/url?u=https-3A__our.domain.com&d =DwICaQ&c=eIGjsITfXP_y-DLLX0uEHXJvU8nOHrUK8IrwNKOtkVU&r=u6KtIBCRNAeN- AbgJjdZe5zZJVFEfq04dnWD-hYNPL_fxJIIFncbL8W6k0NMJtuq&m=bRahvPMUFYb204V PoQl7be5NB_ddal_nzGb2JBHaABg&s=ik1nvxSgFr0cOhbiWRUQbpQ8u_Vq7hDK4hnkea MqQsE&e= , checkstr: /xymon-seccgi/enadis
▸
76996 2019-09-12 22:42:29.566832 Disallowed request due to unexpected referer 'our.domain.com/xymon-seccgi/enadis.sh', wanted '10.20.30.40/xymon-seccgi/enadis' (originally '/xymon-seccgi/enadis') http_host is the IP of the Xymon server - but not the same as the URL used for our system (we have several and use a reverse proxy to get to all of them). Without taking too many wild guesses at which setting defines http_host (can't find it in man pages) - how do I change that?HTTP_HOST is actually going to be set by the client. However the check can be overridden by setting $XYMONSERVERWWWNAME (technically $XYMONWEBHOST is what's used) in xymonserver.cfg to what you're expecting the client to be using. Depending on current .cfg settings, something may be specifying the basic IP there. HTH, -jc This message is for the designated recipient only and may contain privileged, proprietary, or otherwise confidential information. If you have received it in error, please notify the sender immediately and delete the original. Any other use of the e-mail by you is prohibited. Where allowed by local law, electronic communications with Accenture and its affiliates, including e-mail and instant messaging (including content), may be scanned by our systems for the purposes of information security and assessment of internal compliance with Accenture policy. Your privacy is important to us. Accenture uses your personal data only in compliance with data protection laws. For further information on how Accenture processes your personal data, please see our privacy statement at https://www.accenture.com/us-en/privacy-policy. http://www.accenture.com
list Japheth Cleaver
killall -USR2 xymond, to enable debugging on the fly. At that point, go ahead and use enadis.sh to submit the request. You should see a disable (or enable) message in /var/log/xymon/xymond.log for the host in question -- either correctly or incorrectly. We should be able to see what's happening from there. If it does make it through textually correct, then we've verified that it's no longer being blocked by the original problem. HTH, -jc
▸
On 9/17/2019 1:19 PM, Rothlisberger, John R. wrote:I have made changes to --admin-senders but only in an attempt to fix the issues at hand. That being said, it was either set to it's own IP or 127.0.0.1,$XYMONSERVERIP I am unsure how or where you want me to use -USR2 (sorry brain fade) Here is with debug enabled and captured in enadis.log: 99801 2019-09-17 21:13:15.091517 CGI: Request method='GET', data='' 99801 2019-09-17 21:13:15.091663 Transport setup is: 99801 2019-09-17 21:13:15.091674 xymondportnumber = 1984 99801 2019-09-17 21:13:15.091683 xymonproxyhost = NONE 99801 2019-09-17 21:13:15.091691 xymonproxyport = 0 99801 2019-09-17 21:13:15.091699 Recipient listed as '127.0.0.1' 99801 2019-09-17 21:13:15.091708 Standard protocol on port 1984 99801 2019-09-17 21:13:15.091727 Will connect to address 127.0.0.1 port 1984 99801 2019-09-17 21:13:15.091871 Connect status is 0 99801 2019-09-17 21:13:15.091912 Sent 16 bytes 99801 2019-09-17 21:13:15.150989 Read 32767 bytes 99801 2019-09-17 21:13:15.151183 Read 32767 bytes 99801 2019-09-17 21:13:15.151311 Read 32767 bytes 99801 2019-09-17 21:13:15.151537 Read 32767 bytes 99801 2019-09-17 21:13:15.151608 Read 32767 bytes 99801 2019-09-17 21:13:15.151708 Read 32767 bytes 99801 2019-09-17 21:13:15.151775 Read 32767 bytes 99801 2019-09-17 21:13:15.151849 Read 32767 bytes 99801 2019-09-17 21:13:15.151916 Read 32767 bytes 99801 2019-09-17 21:13:15.151984 Read 32767 bytes 99801 2019-09-17 21:13:15.152057 Read 32767 bytes 99801 2019-09-17 21:13:15.152138 Read 32767 bytes 99801 2019-09-17 21:13:15.152206 Read 32767 bytes 99801 2019-09-17 21:13:15.152290 Read 32767 bytes 99801 2019-09-17 21:13:15.152470 Read 32767 bytes 99801 2019-09-17 21:13:15.152594 Read 32767 bytes 99801 2019-09-17 21:13:15.152668 Read 32767 bytes 99801 2019-09-17 21:13:15.152737 Read 32767 bytes 99801 2019-09-17 21:13:15.152823 Read 32767 bytes 99801 2019-09-17 21:13:15.152898 Read 32767 bytes 99801 2019-09-17 21:13:15.152968 Read 32767 bytes 99801 2019-09-17 21:13:15.153042 Read 32767 bytes 99801 2019-09-17 21:13:15.153109 Read 672 bytes 99801 2019-09-17 21:13:15.153157 Closing connection 99801 2019-09-17 21:13:15.165423 Trying header/footer file '/home/xymon/server/web/maint_header' 99801 2019-09-17 21:13:15.165475 Recipient listed as '127.0.0.1' 99801 2019-09-17 21:13:15.165485 Standard protocol on port 1984 99801 2019-09-17 21:13:15.165489 Will connect to address 127.0.0.1 port 1984 99801 2019-09-17 21:13:15.165543 Connect status is 0 99801 2019-09-17 21:13:15.165561 Sent 55 bytes 99801 2019-09-17 21:13:15.182312 Read 32767 bytes 99801 2019-09-17 21:13:15.182391 Read 11009 bytes 99801 2019-09-17 21:13:15.182851 Read 32767 bytes 99801 2019-09-17 21:13:15.183039 Read 32767 bytes 99801 2019-09-17 21:13:15.183149 Read 32767 bytes 99801 2019-09-17 21:13:15.183241 Read 32767 bytes 99801 2019-09-17 21:13:15.183317 Read 32767 bytes 99801 2019-09-17 21:13:15.183395 Read 32767 bytes 99801 2019-09-17 21:13:15.183470 Read 32767 bytes 99801 2019-09-17 21:13:15.183551 Read 32767 bytes 99801 2019-09-17 21:13:15.183627 Read 32767 bytes 99801 2019-09-17 21:13:15.183716 Read 32767 bytes 99801 2019-09-17 21:13:15.183799 Read 32767 bytes 99801 2019-09-17 21:13:15.183873 Read 32767 bytes 99801 2019-09-17 21:13:15.183950 Read 32767 bytes 99801 2019-09-17 21:13:15.184053 Read 32767 bytes 99801 2019-09-17 21:13:15.184135 Read 32767 bytes 99801 2019-09-17 21:13:15.184210 Read 32767 bytes 99801 2019-09-17 21:13:15.184284 Read 32767 bytes 99801 2019-09-17 21:13:15.184359 Read 32767 bytes 99801 2019-09-17 21:13:15.184458 Read 32767 bytes 99801 2019-09-17 21:13:15.184578 Read 32767 bytes 99801 2019-09-17 21:13:15.184657 Read 32767 bytes 99801 2019-09-17 21:13:15.184734 Read 32767 bytes 99801 2019-09-17 21:13:15.184826 Read 32767 bytes 99801 2019-09-17 21:13:15.184903 Read 32767 bytes 99801 2019-09-17 21:13:15.185013 Read 32767 bytes 99801 2019-09-17 21:13:15.186451 Read 32767 bytes 99801 2019-09-17 21:13:15.186535 Read 32767 bytes 99801 2019-09-17 21:13:15.186645 Read 32767 bytes 99801 2019-09-17 21:13:15.186727 Read 32767 bytes 99801 2019-09-17 21:13:15.186805 Read 32767 bytes 99801 2019-09-17 21:13:15.186882 Read 32767 bytes 99801 2019-09-17 21:13:15.186959 Read 32767 bytes 99801 2019-09-17 21:13:15.187033 Read 491 bytes 99801 2019-09-17 21:13:15.187062 Closing connection 99801 2019-09-17 21:13:15.205359 Recipient listed as '127.0.0.1' 99801 2019-09-17 21:13:15.205376 Standard protocol on port 1984 99801 2019-09-17 21:13:15.205380 Will connect to address 127.0.0.1 port 1984 99801 2019-09-17 21:13:15.205438 Connect status is 0 99801 2019-09-17 21:13:15.205456 Sent 8 bytes 99801 2019-09-17 21:13:15.205607 Closing connection 99801 2019-09-17 21:13:15.309349 Opening file /home/xymon/server/etc/xymonmenu.cfg 99801 2019-09-17 21:13:15.313554 Trying header/footer file '/home/xymon/server/web/maint_footer' 99879 2019-09-17 21:13:44.381310 CGI: Request method='POST', data='hostname=servera&disabletest=disk&hostpattern=&pagepattern=&ippattern=&classpattern=&cause=test+disable&go2=Disable+for&duration=1&scale=60&endmonth=9&endday=17&endyear=2019&endhour=21&endminute=13&go=Disable+now&month=9&day=17&year=2019&hour=21&minute=13' 99879 2019-09-17 21:13:44.381480 CSP return is Content-Security-Policy: script-src 'self' 'unsafe-inline'; connect-src 'self'; form-action 'self'; sandbox allow-forms allow-scripts allow-same-origin allow-modals allow-popups; X-Content-Security-Policy: script-src 'self' 'unsafe-inline'; connect-src 'self'; form-action 'self'; sandbox allow-forms allow-scripts allow-same-origin allow-modals allow-popups; X-Webkit-CSP: script-src 'self' 'unsafe-inline'; connect-src 'self'; form-action 'self'; sandbox allow-forms allow-scripts allow-same-origin allow-modals allow-popups; 99879 2019-09-17 21:13:44.381511 - checking if referer is OK (http_referer: https://our.domain.com/xymon-seccgi/enadis.sh, http_host: our.domain.com, xymonwebhost: https://our.domain.com, checkstr: /xymon-seccgi/enadis 99879 2019-09-17 21:13:44.381597 Trying header/footer file '/home/xymon/server/web/maintact_header' 99879 2019-09-17 21:13:44.381724 Opening file /home/xymon/server/etc/xymonmenu.cfg 99879 2019-09-17 21:13:44.381891 Action = disable 99879 2019-09-17 21:13:44.381902 Tests = 99879 2019-09-17 21:13:44.381911 Duration = 1, scale = 60 99879 2019-09-17 21:13:44.381919 Cause = test disable 99879 2019-09-17 21:13:44.381939 Trying header/footer file '/home/xymon/server/web/maintact_footer' Thanks, John -----Original Message----- From: Japheth Cleaver <user-87556346d4af@xymon.invalid> Sent: Tuesday, September 17, 2019 12:41 PM To: Rothlisberger, John R. <user-7adce57665bb@xymon.invalid>; xymon at xymon.com Subject: Re: [External] Re: [Xymon] can I put enadis into debug mode? Based on the connectivity information below, it looks like the message (or at least A message) is making back into xymond OK. Can you send -USR2 to xymond and hit it again? Were there any changes to your '--admin-senders' option concurrently? -jc On 9/16/2019 5:31 PM, Rothlisberger, John R. wrote:Any ideas? This causing us issues because we are unable to acknowledge or disable alerts from the webpapge. Thanks, John -----Original Message----- From: Rothlisberger, John R. <user-7adce57665bb@xymon.invalid> Sent: Friday, September 13, 2019 4:54 PM To: Japheth Cleaver <user-87556346d4af@xymon.invalid>; user-7b955ca225e6@xymon.invalid; Subject: RE: [External] Re: [Xymon] can I put enadis into debug mode? I was able to set HTTP_HOST within cgioptions.cfg: And now, it appears as though enadis works - but its not disabling the test... Cgioptions.cfg: HTTP_HOST=aoc.accenture.com 11428 2019-09-13 22:43:31.789838 Opening file /home/xymon/server/etc/xymonmenu.cfg 11428 2019-09-13 22:43:31.793320 Trying header/footer file '/home/xymon/server/web/maint_footer' 11479 2019-09-13 22:43:45.424949 CGI: Request method='POST', data='hostname=serverA&disabletest=lupdate&hostpattern=serverA&pagepattern=&ippattern=&classpattern=&cause=test+disable&go2=Disable+for&duration=4&scale=60&endmonth=9&endday=13&endyear=2019&endhour=22&endminute=43&go=Disable+now&month=9&day=13&year=2019&hour=22&minute=43' 11479 2019-09-13 22:43:45.425092 CSP return is Content-Security-Policy: script-src 'self' 'unsafe-inline'; connect-src 'self'; form-action 'self'; sandbox allow-forms allow-scripts allow-same-origin allow-modals allow-popups; X-Content-Security-Policy: script-src 'self' 'unsafe-inline'; connect-src 'self'; form-action 'self'; sandbox allow-forms allow-scripts allow-same-origin allow-modals allow-popups; X-Webkit-CSP: script-src 'self' 'unsafe-inline'; connect-src 'self'; form-action 'self'; sandbox allow-forms allow-scripts allow-same-origin allow-modals allow-popups; 11479 2019-09-13 22:43:45.425124 - checking if referer is OK (http_referer: https://urldefense.proofpoint.com/v2/url?u=https-3A__our.domain.com_xy mon-2Dseccgi_enadis.sh&d=DwIGaQ&c=eIGjsITfXP_y-DLLX0uEHXJvU8nOHrUK8Irw NKOtkVU&r=u6KtIBCRNAeN-AbgJjdZe5zZJVFEfq04dnWD-hYNPL_fxJIIFncbL8W6k0NM Jtuq&m=hUp7xV6fRA2n12I55P6JyeCMauvA190vp8c5SkV-sNE&s=d4ROtciks3XZkuyjq Lv1pL1srjNjhp2WASy5jFUDRJo&e= , http_host: our.domain.com, xymonwebhost: https://urldefense.proofpoint.com/v2/url?u=https-3A__our.domain.com&d= DwIGaQ&c=eIGjsITfXP_y-DLLX0uEHXJvU8nOHrUK8IrwNKOtkVU&r=u6KtIBCRNAeN-Ab gJjdZe5zZJVFEfq04dnWD-hYNPL_fxJIIFncbL8W6k0NMJtuq&m=hUp7xV6fRA2n12I55P 6JyeCMauvA190vp8c5SkV-sNE&s=1dukM_LrvEB24reV8YMIm6JDvfrBojPwjn3kI6zoHT o&e= , checkstr: /xymon-seccgi/enadis 11479 2019-09-13 22:43:45.425212 Trying header/footer file '/home/xymon/server/web/maintact_header' 11479 2019-09-13 22:43:45.425354 Opening file /home/xymon/server/etc/xymonmenu.cfg 11479 2019-09-13 22:43:45.425549 Action = disable 11479 2019-09-13 22:43:45.425564 Tests = 11479 2019-09-13 22:43:45.425574 Duration = 4, scale = 60 11479 2019-09-13 22:43:45.425582 Cause = test disable 11479 2019-09-13 22:43:45.425608 Trying header/footer file '/home/xymon/server/web/maintact_footer' 11482 2019-09-13 22:43:49.112970 CGI: Request method='GET', data='' 11482 2019-09-13 22:43:49.113120 Transport setup is: 11482 2019-09-13 22:43:49.113138 xymondportnumber = 1984 11482 2019-09-13 22:43:49.113147 xymonproxyhost = NONE 11482 2019-09-13 22:43:49.113156 xymonproxyport = 0 11482 2019-09-13 22:43:49.113164 Recipient listed as '127.0.0.1' 11482 2019-09-13 22:43:49.113173 Standard protocol on port 1984 11482 2019-09-13 22:43:49.113194 Will connect to address 127.0.0.1 port 1984 11482 2019-09-13 22:43:49.113328 Connect status is 0 11482 2019-09-13 22:43:49.113373 Sent 16 bytes Unbuntu 16.04LTS Xymon 4.3.30 Thanks, John -----Original Message----- From: Japheth Cleaver <user-87556346d4af@xymon.invalid> Sent: Thursday, September 12, 2019 5:45 PM To: Rothlisberger, John R. <user-7adce57665bb@xymon.invalid>; user-7b955ca225e6@xymon.invalid Cc: xymon at xymon.com Subject: Re: [External] Re: [Xymon] can I put enadis into debug mode? This message is from an EXTERNAL SENDER - be CAUTIOUS, particularly with links and attachments. On 9/12/2019 2:58 PM, Rothlisberger, John R. wrote:That worked for debugging - can at least see where the error is coming from: 76996 2019-09-12 22:42:29.566819 - checking if referer is OK (http_referer: https://urldefense.proofpoint.com/v2/url?u=https-3A__our.domain.com_x ymon-2Dseccgi_enadis.sh&d=DwICaQ&c=eIGjsITfXP_y-DLLX0uEHXJvU8nOHrUK8I rwNKOtkVU&r=u6KtIBCRNAeN-AbgJjdZe5zZJVFEfq04dnWD-hYNPL_fxJIIFncbL8W6k 0NMJtuq&m=bRahvPMUFYb204VPoQl7be5NB_ddal_nzGb2JBHaABg&s=HpwRnnzanaIWU LrjFb04HysWuBn92I2_d7Ms7pmSiK8&e= , http_host: 10.20.30.40, xymonwebhost: https://urldefense.proofpoint.com/v2/url?u=https-3A__our.domain.com&d =DwICaQ&c=eIGjsITfXP_y-DLLX0uEHXJvU8nOHrUK8IrwNKOtkVU&r=u6KtIBCRNAeN- AbgJjdZe5zZJVFEfq04dnWD-hYNPL_fxJIIFncbL8W6k0NMJtuq&m=bRahvPMUFYb204V PoQl7be5NB_ddal_nzGb2JBHaABg&s=ik1nvxSgFr0cOhbiWRUQbpQ8u_Vq7hDK4hnkea MqQsE&e= , checkstr: /xymon-seccgi/enadis 76996 2019-09-12 22:42:29.566832 Disallowed request due to unexpected referer 'our.domain.com/xymon-seccgi/enadis.sh', wanted '10.20.30.40/xymon-seccgi/enadis' (originally '/xymon-seccgi/enadis') http_host is the IP of the Xymon server - but not the same as the URL used for our system (we have several and use a reverse proxy to get to all of them). Without taking too many wild guesses at which setting defines http_host (can't find it in man pages) - how do I change that?HTTP_HOST is actually going to be set by the client. However the check can be overridden by setting $XYMONSERVERWWWNAME (technically $XYMONWEBHOST is what's used) in xymonserver.cfg to what you're expecting the client to be using. Depending on current .cfg settings, something may be specifying the basic IP there. HTH, -jc This message is for the designated recipient only and may contain privileged, proprietary, or otherwise confidential information. If you have received it in error, please notify the sender immediately and delete the original. Any other use of the e-mail by you is prohibited. Where allowed by local law, electronic communications with Accenture and its affiliates, including e-mail and instant messaging (including content), may be scanned by our systems for the purposes of information security and assessment of internal compliance with Accenture policy. Your privacy is important to us. Accenture uses your personal data only in compliance with data protection laws. For further information on how Accenture processes your personal data, please see our privacy statement at https://www.accenture.com/us-en/privacy-policy. http://www.accenture.com
list John Rothlisberger
There is nothing that shows up in xymond.log for enadis.sh - the debug is running also.
▸
Thanks,
John
-----Original Message-----
From: Japheth Cleaver <user-87556346d4af@xymon.invalid>
Sent: Tuesday, September 17, 2019 4:45 PM
To: Rothlisberger, John R. <user-7adce57665bb@xymon.invalid>; xymon at xymon.com
Subject: Re: [External] Re: [Xymon] can I put enadis into debug mode?
killall -USR2 xymond, to enable debugging on the fly.
At that point, go ahead and use enadis.sh to submit the request. You should see a disable (or enable) message in /var/log/xymon/xymond.log for the host in question -- either correctly or incorrectly. We should be able to see what's happening from there.
If it does make it through textually correct, then we've verified that it's no longer being blocked by the original problem.
HTH,
-jc
On 9/17/2019 1:19 PM, Rothlisberger, John R. wrote:I have made changes to --admin-senders but only in an attempt to fix the issues at hand. That being said, it was either set to it's own IP or 127.0.0.1,$XYMONSERVERIP I am unsure how or where you want me to use -USR2 (sorry brain fade) Here is with debug enabled and captured in enadis.log: 99801 2019-09-17 21:13:15.091517 CGI: Request method='GET', data='' 99801 2019-09-17 21:13:15.091663 Transport setup is: 99801 2019-09-17 21:13:15.091674 xymondportnumber = 1984 99801 2019-09-17 21:13:15.091683 xymonproxyhost = NONE 99801 2019-09-17 21:13:15.091691 xymonproxyport = 0 99801 2019-09-17 21:13:15.091699 Recipient listed as '127.0.0.1' 99801 2019-09-17 21:13:15.091708 Standard protocol on port 1984 99801 2019-09-17 21:13:15.091727 Will connect to address 127.0.0.1 port 1984 99801 2019-09-17 21:13:15.091871 Connect status is 0 99801 2019-09-17 21:13:15.091912 Sent 16 bytes 99801 2019-09-17 21:13:15.150989 Read 32767 bytes 99801 2019-09-17 21:13:15.151183 Read 32767 bytes 99801 2019-09-17 21:13:15.151311 Read 32767 bytes 99801 2019-09-17 21:13:15.151537 Read 32767 bytes 99801 2019-09-17 21:13:15.151608 Read 32767 bytes 99801 2019-09-17 21:13:15.151708 Read 32767 bytes 99801 2019-09-17 21:13:15.151775 Read 32767 bytes 99801 2019-09-17 21:13:15.151849 Read 32767 bytes 99801 2019-09-17 21:13:15.151916 Read 32767 bytes 99801 2019-09-17 21:13:15.151984 Read 32767 bytes 99801 2019-09-17 21:13:15.152057 Read 32767 bytes 99801 2019-09-17 21:13:15.152138 Read 32767 bytes 99801 2019-09-17 21:13:15.152206 Read 32767 bytes 99801 2019-09-17 21:13:15.152290 Read 32767 bytes 99801 2019-09-17 21:13:15.152470 Read 32767 bytes 99801 2019-09-17 21:13:15.152594 Read 32767 bytes 99801 2019-09-17 21:13:15.152668 Read 32767 bytes 99801 2019-09-17 21:13:15.152737 Read 32767 bytes 99801 2019-09-17 21:13:15.152823 Read 32767 bytes 99801 2019-09-17 21:13:15.152898 Read 32767 bytes 99801 2019-09-17 21:13:15.152968 Read 32767 bytes 99801 2019-09-17 21:13:15.153042 Read 32767 bytes 99801 2019-09-17 21:13:15.153109 Read 672 bytes 99801 2019-09-17 21:13:15.153157 Closing connection 99801 2019-09-17 21:13:15.165423 Trying header/footer file '/home/xymon/server/web/maint_header' 99801 2019-09-17 21:13:15.165475 Recipient listed as '127.0.0.1' 99801 2019-09-17 21:13:15.165485 Standard protocol on port 1984 99801 2019-09-17 21:13:15.165489 Will connect to address 127.0.0.1 port 1984 99801 2019-09-17 21:13:15.165543 Connect status is 0 99801 2019-09-17 21:13:15.165561 Sent 55 bytes 99801 2019-09-17 21:13:15.182312 Read 32767 bytes 99801 2019-09-17 21:13:15.182391 Read 11009 bytes 99801 2019-09-17 21:13:15.182851 Read 32767 bytes 99801 2019-09-17 21:13:15.183039 Read 32767 bytes 99801 2019-09-17 21:13:15.183149 Read 32767 bytes 99801 2019-09-17 21:13:15.183241 Read 32767 bytes 99801 2019-09-17 21:13:15.183317 Read 32767 bytes 99801 2019-09-17 21:13:15.183395 Read 32767 bytes 99801 2019-09-17 21:13:15.183470 Read 32767 bytes 99801 2019-09-17 21:13:15.183551 Read 32767 bytes 99801 2019-09-17 21:13:15.183627 Read 32767 bytes 99801 2019-09-17 21:13:15.183716 Read 32767 bytes 99801 2019-09-17 21:13:15.183799 Read 32767 bytes 99801 2019-09-17 21:13:15.183873 Read 32767 bytes 99801 2019-09-17 21:13:15.183950 Read 32767 bytes 99801 2019-09-17 21:13:15.184053 Read 32767 bytes 99801 2019-09-17 21:13:15.184135 Read 32767 bytes 99801 2019-09-17 21:13:15.184210 Read 32767 bytes 99801 2019-09-17 21:13:15.184284 Read 32767 bytes 99801 2019-09-17 21:13:15.184359 Read 32767 bytes 99801 2019-09-17 21:13:15.184458 Read 32767 bytes 99801 2019-09-17 21:13:15.184578 Read 32767 bytes 99801 2019-09-17 21:13:15.184657 Read 32767 bytes 99801 2019-09-17 21:13:15.184734 Read 32767 bytes 99801 2019-09-17 21:13:15.184826 Read 32767 bytes 99801 2019-09-17 21:13:15.184903 Read 32767 bytes 99801 2019-09-17 21:13:15.185013 Read 32767 bytes 99801 2019-09-17 21:13:15.186451 Read 32767 bytes 99801 2019-09-17 21:13:15.186535 Read 32767 bytes 99801 2019-09-17 21:13:15.186645 Read 32767 bytes 99801 2019-09-17 21:13:15.186727 Read 32767 bytes 99801 2019-09-17 21:13:15.186805 Read 32767 bytes 99801 2019-09-17 21:13:15.186882 Read 32767 bytes 99801 2019-09-17 21:13:15.186959 Read 32767 bytes 99801 2019-09-17 21:13:15.187033 Read 491 bytes 99801 2019-09-17 21:13:15.187062 Closing connection 99801 2019-09-17 21:13:15.205359 Recipient listed as '127.0.0.1' 99801 2019-09-17 21:13:15.205376 Standard protocol on port 1984 99801 2019-09-17 21:13:15.205380 Will connect to address 127.0.0.1 port 1984 99801 2019-09-17 21:13:15.205438 Connect status is 0 99801 2019-09-17 21:13:15.205456 Sent 8 bytes 99801 2019-09-17 21:13:15.205607 Closing connection 99801 2019-09-17 21:13:15.309349 Opening file /home/xymon/server/etc/xymonmenu.cfg 99801 2019-09-17 21:13:15.313554 Trying header/footer file '/home/xymon/server/web/maint_footer' 99879 2019-09-17 21:13:44.381310 CGI: Request method='POST', data='hostname=servera&disabletest=disk&hostpattern=&pagepattern=&ippattern=&classpattern=&cause=test+disable&go2=Disable+for&duration=1&scale=60&endmonth=9&endday=17&endyear=2019&endhour=21&endminute=13&go=Disable+now&month=9&day=17&year=2019&hour=21&minute=13' 99879 2019-09-17 21:13:44.381480 CSP return is Content-Security-Policy: script-src 'self' 'unsafe-inline'; connect-src 'self'; form-action 'self'; sandbox allow-forms allow-scripts allow-same-origin allow-modals allow-popups; X-Content-Security-Policy: script-src 'self' 'unsafe-inline'; connect-src 'self'; form-action 'self'; sandbox allow-forms allow-scripts allow-same-origin allow-modals allow-popups; X-Webkit-CSP: script-src 'self' 'unsafe-inline'; connect-src 'self'; form-action 'self'; sandbox allow-forms allow-scripts allow-same-origin allow-modals allow-popups; 99879 2019-09-17 21:13:44.381511 - checking if referer is OK (http_referer: https://urldefense.proofpoint.com/v2/url?u=https-3A__our.domain.com_xy
mon-2Dseccgi_enadis.sh&d=DwICaQ&c=eIGjsITfXP_y-DLLX0uEHXJvU8nOHrUK8Irw NKOtkVU&r=u6KtIBCRNAeN-AbgJjdZe5zZJVFEfq04dnWD-hYNPL_fxJIIFncbL8W6k0NM Jtuq&m=ZUUgPRbrRXrf6v9iK_IYMgdM6skatcaFWp9MfwwoR6A&s=Ca_BDatt9fV_6-hnE rKzruPVe3Arga8WJdTolYDibMU&e= , http_host: our.domain.com, xymonwebhost: https://urldefense.proofpoint.com/v2/url?u=https-3A__our.domain.com&d= DwICaQ&c=eIGjsITfXP_y-DLLX0uEHXJvU8nOHrUK8IrwNKOtkVU&r=u6KtIBCRNAeN-Ab gJjdZe5zZJVFEfq04dnWD-hYNPL_fxJIIFncbL8W6k0NMJtuq&m=ZUUgPRbrRXrf6v9iK_ IYMgdM6skatcaFWp9MfwwoR6A&s=1PkWq1uFfsXaAP-oHT24OhAovO3g-jsYt3IfNjPfJB o&e= , checkstr: /xymon-seccgi/enadis
▸
99879 2019-09-17 21:13:44.381597 Trying header/footer file '/home/xymon/server/web/maintact_header' 99879 2019-09-17 21:13:44.381724 Opening file /home/xymon/server/etc/xymonmenu.cfg 99879 2019-09-17 21:13:44.381891 Action = disable 99879 2019-09-17 21:13:44.381902 Tests = 99879 2019-09-17 21:13:44.381911 Duration = 1, scale = 60 99879 2019-09-17 21:13:44.381919 Cause = test disable 99879 2019-09-17 21:13:44.381939 Trying header/footer file '/home/xymon/server/web/maintact_footer' Thanks, John -----Original Message----- From: Japheth Cleaver <user-87556346d4af@xymon.invalid> Sent: Tuesday, September 17, 2019 12:41 PM To: Rothlisberger, John R. <user-7adce57665bb@xymon.invalid>; Subject: Re: [External] Re: [Xymon] can I put enadis into debug mode? Based on the connectivity information below, it looks like the message (or at least A message) is making back into xymond OK. Can you send -USR2 to xymond and hit it again? Were there any changes to your '--admin-senders' option concurrently? -jc On 9/16/2019 5:31 PM, Rothlisberger, John R. wrote:Any ideas? This causing us issues because we are unable to acknowledge or disable alerts from the webpapge. Thanks, John -----Original Message----- From: Rothlisberger, John R. <user-7adce57665bb@xymon.invalid> Sent: Friday, September 13, 2019 4:54 PM To: Japheth Cleaver <user-87556346d4af@xymon.invalid>; user-7b955ca225e6@xymon.invalid; Subject: RE: [External] Re: [Xymon] can I put enadis into debug mode? I was able to set HTTP_HOST within cgioptions.cfg: And now, it appears as though enadis works - but its not disabling the test... Cgioptions.cfg: HTTP_HOST=aoc.accenture.com 11428 2019-09-13 22:43:31.789838 Opening file /home/xymon/server/etc/xymonmenu.cfg 11428 2019-09-13 22:43:31.793320 Trying header/footer file '/home/xymon/server/web/maint_footer' 11479 2019-09-13 22:43:45.424949 CGI: Request method='POST', data='hostname=serverA&disabletest=lupdate&hostpattern=serverA&pagepattern=&ippattern=&classpattern=&cause=test+disable&go2=Disable+for&duration=4&scale=60&endmonth=9&endday=13&endyear=2019&endhour=22&endminute=43&go=Disable+now&month=9&day=13&year=2019&hour=22&minute=43' 11479 2019-09-13 22:43:45.425092 CSP return is Content-Security-Policy: script-src 'self' 'unsafe-inline'; connect-src 'self'; form-action 'self'; sandbox allow-forms allow-scripts allow-same-origin allow-modals allow-popups; X-Content-Security-Policy: script-src 'self' 'unsafe-inline'; connect-src 'self'; form-action 'self'; sandbox allow-forms allow-scripts allow-same-origin allow-modals allow-popups; X-Webkit-CSP: script-src 'self' 'unsafe-inline'; connect-src 'self'; form-action 'self'; sandbox allow-forms allow-scripts allow-same-origin allow-modals allow-popups; 11479 2019-09-13 22:43:45.425124 - checking if referer is OK (http_referer: https://urldefense.proofpoint.com/v2/url?u=https-3A__our.domain.com_x
y mon-2Dseccgi_enadis.sh&d=DwIGaQ&c=eIGjsITfXP_y-DLLX0uEHXJvU8nOHrUK8Ir w NKOtkVU&r=u6KtIBCRNAeN-AbgJjdZe5zZJVFEfq04dnWD-hYNPL_fxJIIFncbL8W6k0N M Jtuq&m=hUp7xV6fRA2n12I55P6JyeCMauvA190vp8c5SkV-sNE&s=d4ROtciks3XZkuyj q Lv1pL1srjNjhp2WASy5jFUDRJo&e= , http_host: our.domain.com, xymonwebhost: https://urldefense.proofpoint.com/v2/url?u=https-3A__our.domain.com&d = DwIGaQ&c=eIGjsITfXP_y-DLLX0uEHXJvU8nOHrUK8IrwNKOtkVU&r=u6KtIBCRNAeN-A b gJjdZe5zZJVFEfq04dnWD-hYNPL_fxJIIFncbL8W6k0NMJtuq&m=hUp7xV6fRA2n12I55 P 6JyeCMauvA190vp8c5SkV-sNE&s=1dukM_LrvEB24reV8YMIm6JDvfrBojPwjn3kI6zoH T o&e= , checkstr: /xymon-seccgi/enadis
▸
11479 2019-09-13 22:43:45.425212 Trying header/footer file '/home/xymon/server/web/maintact_header' 11479 2019-09-13 22:43:45.425354 Opening file /home/xymon/server/etc/xymonmenu.cfg 11479 2019-09-13 22:43:45.425549 Action = disable 11479 2019-09-13 22:43:45.425564 Tests = 11479 2019-09-13 22:43:45.425574 Duration = 4, scale = 60 11479 2019-09-13 22:43:45.425582 Cause = test disable 11479 2019-09-13 22:43:45.425608 Trying header/footer file '/home/xymon/server/web/maintact_footer' 11482 2019-09-13 22:43:49.112970 CGI: Request method='GET', data='' 11482 2019-09-13 22:43:49.113120 Transport setup is: 11482 2019-09-13 22:43:49.113138 xymondportnumber = 1984 11482 2019-09-13 22:43:49.113147 xymonproxyhost = NONE 11482 2019-09-13 22:43:49.113156 xymonproxyport = 0 11482 2019-09-13 22:43:49.113164 Recipient listed as '127.0.0.1' 11482 2019-09-13 22:43:49.113173 Standard protocol on port 1984 11482 2019-09-13 22:43:49.113194 Will connect to address 127.0.0.1 port 1984 11482 2019-09-13 22:43:49.113328 Connect status is 0 11482 2019-09-13 22:43:49.113373 Sent 16 bytes Unbuntu 16.04LTS Xymon 4.3.30 Thanks, John -----Original Message----- From: Japheth Cleaver <user-87556346d4af@xymon.invalid> Sent: Thursday, September 12, 2019 5:45 PM To: Rothlisberger, John R. <user-7adce57665bb@xymon.invalid>; user-7b955ca225e6@xymon.invalid Cc: xymon at xymon.com Subject: Re: [External] Re: [Xymon] can I put enadis into debug mode? This message is from an EXTERNAL SENDER - be CAUTIOUS, particularly with links and attachments. On 9/12/2019 2:58 PM, Rothlisberger, John R. wrote:That worked for debugging - can at least see where the error is coming from: 76996 2019-09-12 22:42:29.566819 - checking if referer is OK (http_referer:
https://urldefense.proofpoint.com/v2/url?u=https-3A__our.domain.com_ x ymon-2Dseccgi_enadis.sh&d=DwICaQ&c=eIGjsITfXP_y-DLLX0uEHXJvU8nOHrUK8 I rwNKOtkVU&r=u6KtIBCRNAeN-AbgJjdZe5zZJVFEfq04dnWD-hYNPL_fxJIIFncbL8W6 k 0NMJtuq&m=bRahvPMUFYb204VPoQl7be5NB_ddal_nzGb2JBHaABg&s=HpwRnnzanaIW U LrjFb04HysWuBn92I2_d7Ms7pmSiK8&e= , http_host: 10.20.30.40, xymonwebhost: https://urldefense.proofpoint.com/v2/url?u=https-3A__our.domain.com&; d =DwICaQ&c=eIGjsITfXP_y-DLLX0uEHXJvU8nOHrUK8IrwNKOtkVU&r=u6KtIBCRNAeN • AbgJjdZe5zZJVFEfq04dnWD-hYNPL_fxJIIFncbL8W6k0NMJtuq&m=bRahvPMUFYb204 V PoQl7be5NB_ddal_nzGb2JBHaABg&s=ik1nvxSgFr0cOhbiWRUQbpQ8u_Vq7hDK4hnke a MqQsE&e= , checkstr: /xymon-seccgi/enadis
▸
76996 2019-09-12 22:42:29.566832 Disallowed request due to unexpected referer 'our.domain.com/xymon-seccgi/enadis.sh', wanted '10.20.30.40/xymon-seccgi/enadis' (originally '/xymon-seccgi/enadis') http_host is the IP of the Xymon server - but not the same as the URL used for our system (we have several and use a reverse proxy to get to all of them). Without taking too many wild guesses at which setting defines http_host (can't find it in man pages) - how do I change that?HTTP_HOST is actually going to be set by the client. However the check can be overridden by setting $XYMONSERVERWWWNAME (technically $XYMONWEBHOST is what's used) in xymonserver.cfg to what you're expecting the client to be using. Depending on current .cfg settings, something may be specifying the basic IP there. HTH, -jc This message is for the designated recipient only and may contain privileged, proprietary, or otherwise confidential information. If you have received it in error, please notify the sender immediately and delete the original. Any other use of the e-mail by you is prohibited. Where allowed by local law, electronic communications with Accenture and its affiliates, including e-mail and instant messaging (including content), may be scanned by our systems for the purposes of information security and assessment of internal compliance with Accenture policy. Your privacy is important to us. Accenture uses your personal data only in compliance with data protection laws. For further information on how Accenture processes your personal data, please see our privacy statement at https://www.accenture.com/us-en/privacy-policy. _ http://www.accenture.com
list Japheth Cleaver
*sigh* This was a bit tricky to track down, but it turns out --debug enables "Preview mode" in enadis.sh, so the adding of "--debug" to $CGI_ENADIS_OPTS in /etc/xymon/cgioptions.cfg would keep the message from actually being transmitted back. I'm not entirely sure if this is a feature, but it does point to a need for a more verbose logging option here that still performs a real execution of the command. Remove that and re-submit, and you should see a "disable" message of some type in the xymond log. It would look something like this:
1503 2019-09-18 16:28:40.424777 -> do_message/2 (can respond) (98 bytes): disable rhel6-x86-64,build.ftps 240
HTH -jc
▸
On 9/18/2019 5:37 AM, Rothlisberger, John R. wrote:There is nothing that shows up in xymond.log for enadis.sh - the debug is running also. Thanks, John -----Original Message----- From: Japheth Cleaver <user-87556346d4af@xymon.invalid> Sent: Tuesday, September 17, 2019 4:45 PM To: Rothlisberger, John R. <user-7adce57665bb@xymon.invalid>; xymon at xymon.com Subject: Re: [External] Re: [Xymon] can I put enadis into debug mode? killall -USR2 xymond, to enable debugging on the fly. At that point, go ahead and use enadis.sh to submit the request. You should see a disable (or enable) message in /var/log/xymon/xymond.log for the host in question -- either correctly or incorrectly. We should be able to see what's happening from there. If it does make it through textually correct, then we've verified that it's no longer being blocked by the original problem. HTH, -jc On 9/17/2019 1:19 PM, Rothlisberger, John R. wrote:I have made changes to --admin-senders but only in an attempt to fix the issues at hand. That being said, it was either set to it's own IP or 127.0.0.1,$XYMONSERVERIP I am unsure how or where you want me to use -USR2 (sorry brain fade) Here is with debug enabled and captured in enadis.log: 99801 2019-09-17 21:13:15.091517 CGI: Request method='GET', data='' 99801 2019-09-17 21:13:15.091663 Transport setup is: 99801 2019-09-17 21:13:15.091674 xymondportnumber = 1984 99801 2019-09-17 21:13:15.091683 xymonproxyhost = NONE 99801 2019-09-17 21:13:15.091691 xymonproxyport = 0 99801 2019-09-17 21:13:15.091699 Recipient listed as '127.0.0.1' 99801 2019-09-17 21:13:15.091708 Standard protocol on port 1984 99801 2019-09-17 21:13:15.091727 Will connect to address 127.0.0.1 port 1984 99801 2019-09-17 21:13:15.091871 Connect status is 0 99801 2019-09-17 21:13:15.091912 Sent 16 bytes 99801 2019-09-17 21:13:15.150989 Read 32767 bytes 99801 2019-09-17 21:13:15.151183 Read 32767 bytes 99801 2019-09-17 21:13:15.151311 Read 32767 bytes 99801 2019-09-17 21:13:15.151537 Read 32767 bytes 99801 2019-09-17 21:13:15.151608 Read 32767 bytes 99801 2019-09-17 21:13:15.151708 Read 32767 bytes 99801 2019-09-17 21:13:15.151775 Read 32767 bytes 99801 2019-09-17 21:13:15.151849 Read 32767 bytes 99801 2019-09-17 21:13:15.151916 Read 32767 bytes 99801 2019-09-17 21:13:15.151984 Read 32767 bytes 99801 2019-09-17 21:13:15.152057 Read 32767 bytes 99801 2019-09-17 21:13:15.152138 Read 32767 bytes 99801 2019-09-17 21:13:15.152206 Read 32767 bytes 99801 2019-09-17 21:13:15.152290 Read 32767 bytes 99801 2019-09-17 21:13:15.152470 Read 32767 bytes 99801 2019-09-17 21:13:15.152594 Read 32767 bytes 99801 2019-09-17 21:13:15.152668 Read 32767 bytes 99801 2019-09-17 21:13:15.152737 Read 32767 bytes 99801 2019-09-17 21:13:15.152823 Read 32767 bytes 99801 2019-09-17 21:13:15.152898 Read 32767 bytes 99801 2019-09-17 21:13:15.152968 Read 32767 bytes 99801 2019-09-17 21:13:15.153042 Read 32767 bytes 99801 2019-09-17 21:13:15.153109 Read 672 bytes 99801 2019-09-17 21:13:15.153157 Closing connection 99801 2019-09-17 21:13:15.165423 Trying header/footer file '/home/xymon/server/web/maint_header' 99801 2019-09-17 21:13:15.165475 Recipient listed as '127.0.0.1' 99801 2019-09-17 21:13:15.165485 Standard protocol on port 1984 99801 2019-09-17 21:13:15.165489 Will connect to address 127.0.0.1 port 1984 99801 2019-09-17 21:13:15.165543 Connect status is 0 99801 2019-09-17 21:13:15.165561 Sent 55 bytes 99801 2019-09-17 21:13:15.182312 Read 32767 bytes 99801 2019-09-17 21:13:15.182391 Read 11009 bytes 99801 2019-09-17 21:13:15.182851 Read 32767 bytes 99801 2019-09-17 21:13:15.183039 Read 32767 bytes 99801 2019-09-17 21:13:15.183149 Read 32767 bytes 99801 2019-09-17 21:13:15.183241 Read 32767 bytes 99801 2019-09-17 21:13:15.183317 Read 32767 bytes 99801 2019-09-17 21:13:15.183395 Read 32767 bytes 99801 2019-09-17 21:13:15.183470 Read 32767 bytes 99801 2019-09-17 21:13:15.183551 Read 32767 bytes 99801 2019-09-17 21:13:15.183627 Read 32767 bytes 99801 2019-09-17 21:13:15.183716 Read 32767 bytes 99801 2019-09-17 21:13:15.183799 Read 32767 bytes 99801 2019-09-17 21:13:15.183873 Read 32767 bytes 99801 2019-09-17 21:13:15.183950 Read 32767 bytes 99801 2019-09-17 21:13:15.184053 Read 32767 bytes 99801 2019-09-17 21:13:15.184135 Read 32767 bytes 99801 2019-09-17 21:13:15.184210 Read 32767 bytes 99801 2019-09-17 21:13:15.184284 Read 32767 bytes 99801 2019-09-17 21:13:15.184359 Read 32767 bytes 99801 2019-09-17 21:13:15.184458 Read 32767 bytes 99801 2019-09-17 21:13:15.184578 Read 32767 bytes 99801 2019-09-17 21:13:15.184657 Read 32767 bytes 99801 2019-09-17 21:13:15.184734 Read 32767 bytes 99801 2019-09-17 21:13:15.184826 Read 32767 bytes 99801 2019-09-17 21:13:15.184903 Read 32767 bytes 99801 2019-09-17 21:13:15.185013 Read 32767 bytes 99801 2019-09-17 21:13:15.186451 Read 32767 bytes 99801 2019-09-17 21:13:15.186535 Read 32767 bytes 99801 2019-09-17 21:13:15.186645 Read 32767 bytes 99801 2019-09-17 21:13:15.186727 Read 32767 bytes 99801 2019-09-17 21:13:15.186805 Read 32767 bytes 99801 2019-09-17 21:13:15.186882 Read 32767 bytes 99801 2019-09-17 21:13:15.186959 Read 32767 bytes 99801 2019-09-17 21:13:15.187033 Read 491 bytes 99801 2019-09-17 21:13:15.187062 Closing connection 99801 2019-09-17 21:13:15.205359 Recipient listed as '127.0.0.1' 99801 2019-09-17 21:13:15.205376 Standard protocol on port 1984 99801 2019-09-17 21:13:15.205380 Will connect to address 127.0.0.1 port 1984 99801 2019-09-17 21:13:15.205438 Connect status is 0 99801 2019-09-17 21:13:15.205456 Sent 8 bytes 99801 2019-09-17 21:13:15.205607 Closing connection 99801 2019-09-17 21:13:15.309349 Opening file /home/xymon/server/etc/xymonmenu.cfg 99801 2019-09-17 21:13:15.313554 Trying header/footer file '/home/xymon/server/web/maint_footer' 99879 2019-09-17 21:13:44.381310 CGI: Request method='POST', data='hostname=servera&disabletest=disk&hostpattern=&pagepattern=&ippattern=&classpattern=&cause=test+disable&go2=Disable+for&duration=1&scale=60&endmonth=9&endday=17&endyear=2019&endhour=21&endminute=13&go=Disable+now&month=9&day=17&year=2019&hour=21&minute=13' 99879 2019-09-17 21:13:44.381480 CSP return is Content-Security-Policy: script-src 'self' 'unsafe-inline'; connect-src 'self'; form-action 'self'; sandbox allow-forms allow-scripts allow-same-origin allow-modals allow-popups; X-Content-Security-Policy: script-src 'self' 'unsafe-inline'; connect-src 'self'; form-action 'self'; sandbox allow-forms allow-scripts allow-same-origin allow-modals allow-popups; X-Webkit-CSP: script-src 'self' 'unsafe-inline'; connect-src 'self'; form-action 'self'; sandbox allow-forms allow-scripts allow-same-origin allow-modals allow-popups; 99879 2019-09-17 21:13:44.381511 - checking if referer is OK (http_referer: https://urldefense.proofpoint.com/v2/url?u=https-3A__our.domain.com_xy mon-2Dseccgi_enadis.sh&d=DwICaQ&c=eIGjsITfXP_y-DLLX0uEHXJvU8nOHrUK8Irw NKOtkVU&r=u6KtIBCRNAeN-AbgJjdZe5zZJVFEfq04dnWD-hYNPL_fxJIIFncbL8W6k0NM Jtuq&m=ZUUgPRbrRXrf6v9iK_IYMgdM6skatcaFWp9MfwwoR6A&s=Ca_BDatt9fV_6-hnE rKzruPVe3Arga8WJdTolYDibMU&e= , http_host: our.domain.com, xymonwebhost: https://urldefense.proofpoint.com/v2/url?u=https-3A__our.domain.com&d= DwICaQ&c=eIGjsITfXP_y-DLLX0uEHXJvU8nOHrUK8IrwNKOtkVU&r=u6KtIBCRNAeN-Ab gJjdZe5zZJVFEfq04dnWD-hYNPL_fxJIIFncbL8W6k0NMJtuq&m=ZUUgPRbrRXrf6v9iK_ IYMgdM6skatcaFWp9MfwwoR6A&s=1PkWq1uFfsXaAP-oHT24OhAovO3g-jsYt3IfNjPfJB o&e= , checkstr: /xymon-seccgi/enadis 99879 2019-09-17 21:13:44.381597 Trying header/footer file '/home/xymon/server/web/maintact_header' 99879 2019-09-17 21:13:44.381724 Opening file /home/xymon/server/etc/xymonmenu.cfg 99879 2019-09-17 21:13:44.381891 Action = disable 99879 2019-09-17 21:13:44.381902 Tests = 99879 2019-09-17 21:13:44.381911 Duration = 1, scale = 60 99879 2019-09-17 21:13:44.381919 Cause = test disable 99879 2019-09-17 21:13:44.381939 Trying header/footer file '/home/xymon/server/web/maintact_footer' Thanks, John -----Original Message----- From: Japheth Cleaver <user-87556346d4af@xymon.invalid> Sent: Tuesday, September 17, 2019 12:41 PM To: Rothlisberger, John R. <user-7adce57665bb@xymon.invalid>; Subject: Re: [External] Re: [Xymon] can I put enadis into debug mode? Based on the connectivity information below, it looks like the message (or at least A message) is making back into xymond OK. Can you send -USR2 to xymond and hit it again? Were there any changes to your '--admin-senders' option concurrently? -jc On 9/16/2019 5:31 PM, Rothlisberger, John R. wrote:Any ideas? This causing us issues because we are unable to acknowledge or disable alerts from the webpapge. Thanks, John -----Original Message----- From: Rothlisberger, John R. <user-7adce57665bb@xymon.invalid> Sent: Friday, September 13, 2019 4:54 PM To: Japheth Cleaver <user-87556346d4af@xymon.invalid>; user-7b955ca225e6@xymon.invalid; Subject: RE: [External] Re: [Xymon] can I put enadis into debug mode? I was able to set HTTP_HOST within cgioptions.cfg: And now, it appears as though enadis works - but its not disabling the test... Cgioptions.cfg: HTTP_HOST=aoc.accenture.com 11428 2019-09-13 22:43:31.789838 Opening file /home/xymon/server/etc/xymonmenu.cfg 11428 2019-09-13 22:43:31.793320 Trying header/footer file '/home/xymon/server/web/maint_footer' 11479 2019-09-13 22:43:45.424949 CGI: Request method='POST', data='hostname=serverA&disabletest=lupdate&hostpattern=serverA&pagepattern=&ippattern=&classpattern=&cause=test+disable&go2=Disable+for&duration=4&scale=60&endmonth=9&endday=13&endyear=2019&endhour=22&endminute=43&go=Disable+now&month=9&day=13&year=2019&hour=22&minute=43' 11479 2019-09-13 22:43:45.425092 CSP return is Content-Security-Policy: script-src 'self' 'unsafe-inline'; connect-src 'self'; form-action 'self'; sandbox allow-forms allow-scripts allow-same-origin allow-modals allow-popups; X-Content-Security-Policy: script-src 'self' 'unsafe-inline'; connect-src 'self'; form-action 'self'; sandbox allow-forms allow-scripts allow-same-origin allow-modals allow-popups; X-Webkit-CSP: script-src 'self' 'unsafe-inline'; connect-src 'self'; form-action 'self'; sandbox allow-forms allow-scripts allow-same-origin allow-modals allow-popups; 11479 2019-09-13 22:43:45.425124 - checking if referer is OK (http_referer: https://urldefense.proofpoint.com/v2/url?u=https-3A__our.domain.com_x y mon-2Dseccgi_enadis.sh&d=DwIGaQ&c=eIGjsITfXP_y-DLLX0uEHXJvU8nOHrUK8Ir w NKOtkVU&r=u6KtIBCRNAeN-AbgJjdZe5zZJVFEfq04dnWD-hYNPL_fxJIIFncbL8W6k0N M Jtuq&m=hUp7xV6fRA2n12I55P6JyeCMauvA190vp8c5SkV-sNE&s=d4ROtciks3XZkuyj q Lv1pL1srjNjhp2WASy5jFUDRJo&e= , http_host: our.domain.com, xymonwebhost: https://urldefense.proofpoint.com/v2/url?u=https-3A__our.domain.com&d = DwIGaQ&c=eIGjsITfXP_y-DLLX0uEHXJvU8nOHrUK8IrwNKOtkVU&r=u6KtIBCRNAeN-A b gJjdZe5zZJVFEfq04dnWD-hYNPL_fxJIIFncbL8W6k0NMJtuq&m=hUp7xV6fRA2n12I55 P 6JyeCMauvA190vp8c5SkV-sNE&s=1dukM_LrvEB24reV8YMIm6JDvfrBojPwjn3kI6zoH T o&e= , checkstr: /xymon-seccgi/enadis 11479 2019-09-13 22:43:45.425212 Trying header/footer file '/home/xymon/server/web/maintact_header' 11479 2019-09-13 22:43:45.425354 Opening file /home/xymon/server/etc/xymonmenu.cfg 11479 2019-09-13 22:43:45.425549 Action = disable 11479 2019-09-13 22:43:45.425564 Tests = 11479 2019-09-13 22:43:45.425574 Duration = 4, scale = 60 11479 2019-09-13 22:43:45.425582 Cause = test disable 11479 2019-09-13 22:43:45.425608 Trying header/footer file '/home/xymon/server/web/maintact_footer' 11482 2019-09-13 22:43:49.112970 CGI: Request method='GET', data='' 11482 2019-09-13 22:43:49.113120 Transport setup is: 11482 2019-09-13 22:43:49.113138 xymondportnumber = 1984 11482 2019-09-13 22:43:49.113147 xymonproxyhost = NONE 11482 2019-09-13 22:43:49.113156 xymonproxyport = 0 11482 2019-09-13 22:43:49.113164 Recipient listed as '127.0.0.1' 11482 2019-09-13 22:43:49.113173 Standard protocol on port 1984 11482 2019-09-13 22:43:49.113194 Will connect to address 127.0.0.1 port 1984 11482 2019-09-13 22:43:49.113328 Connect status is 0 11482 2019-09-13 22:43:49.113373 Sent 16 bytes Unbuntu 16.04LTS Xymon 4.3.30 Thanks, John -----Original Message----- From: Japheth Cleaver <user-87556346d4af@xymon.invalid> Sent: Thursday, September 12, 2019 5:45 PM To: Rothlisberger, John R. <user-7adce57665bb@xymon.invalid>; user-7b955ca225e6@xymon.invalid Cc: xymon at xymon.com Subject: Re: [External] Re: [Xymon] can I put enadis into debug mode? This message is from an EXTERNAL SENDER - be CAUTIOUS, particularly with links and attachments. On 9/12/2019 2:58 PM, Rothlisberger, John R. wrote:That worked for debugging - can at least see where the error is coming from: 76996 2019-09-12 22:42:29.566819 - checking if referer is OK (http_referer: https://urldefense.proofpoint.com/v2/url?u=https-3A__our.domain.com_ x ymon-2Dseccgi_enadis.sh&d=DwICaQ&c=eIGjsITfXP_y-DLLX0uEHXJvU8nOHrUK8 I rwNKOtkVU&r=u6KtIBCRNAeN-AbgJjdZe5zZJVFEfq04dnWD-hYNPL_fxJIIFncbL8W6 k 0NMJtuq&m=bRahvPMUFYb204VPoQl7be5NB_ddal_nzGb2JBHaABg&s=HpwRnnzanaIW U LrjFb04HysWuBn92I2_d7Ms7pmSiK8&e= , http_host: 10.20.30.40, xymonwebhost: https://urldefense.proofpoint.com/v2/url?u=https-3A__our.domain.com&; d =DwICaQ&c=eIGjsITfXP_y-DLLX0uEHXJvU8nOHrUK8IrwNKOtkVU&r=u6KtIBCRNAeN • AbgJjdZe5zZJVFEfq04dnWD-hYNPL_fxJIIFncbL8W6k0NMJtuq&m=bRahvPMUFYb204 V PoQl7be5NB_ddal_nzGb2JBHaABg&s=ik1nvxSgFr0cOhbiWRUQbpQ8u_Vq7hDK4hnke a MqQsE&e= , checkstr: /xymon-seccgi/enadis 76996 2019-09-12 22:42:29.566832 Disallowed request due to unexpected referer 'our.domain.com/xymon-seccgi/enadis.sh', wanted '10.20.30.40/xymon-seccgi/enadis' (originally '/xymon-seccgi/enadis') http_host is the IP of the Xymon server - but not the same as the URL used for our system (we have several and use a reverse proxy to get to all of them). Without taking too many wild guesses at which setting defines http_host (can't find it in man pages) - how do I change that?HTTP_HOST is actually going to be set by the client. However the check can be overridden by setting $XYMONSERVERWWWNAME (technically $XYMONWEBHOST is what's used) in xymonserver.cfg to what you're expecting the client to be using. Depending on current .cfg settings, something may be specifying the basic IP there. HTH, -jc This message is for the designated recipient only and may contain privileged, proprietary, or otherwise confidential information. If you have received it in error, please notify the sender immediately and delete the original. Any other use of the e-mail by you is prohibited. Where allowed by local law, electronic communications with Accenture and its affiliates, including e-mail and instant messaging (including content), may be scanned by our systems for the purposes of information security and assessment of internal compliance with Accenture policy. Your privacy is important to us. Accenture uses your personal data only in compliance with data protection laws. For further information on how Accenture processes your personal data, please see our privacy statement at https://www.accenture.com/us-en/privacy-policy. _ http://www.accenture.com
list John Rothlisberger
I removed "--debug" from cgioptions.cfg. Ok, so here is where I am at - acknowledges started working yesterday (not sure why) and now enadis is working as expected. I wish I could even guess what went wrong - fingers crossed that is the last time it happens. Thank you for all of your help!
▸
Thanks,
John
-----Original Message-----
From: Japheth Cleaver <user-87556346d4af@xymon.invalid>
Sent: Wednesday, September 18, 2019 6:47 PM
To: Rothlisberger, John R. <user-7adce57665bb@xymon.invalid>; xymon at xymon.com
Subject: Re: [External] Re: [Xymon] can I put enadis into debug mode?
*sigh*
This was a bit tricky to track down, but it turns out --debug enables "Preview mode" in enadis.sh, so the adding of "--debug" to $CGI_ENADIS_OPTS in /etc/xymon/cgioptions.cfg would keep the message from actually being transmitted back. I'm not entirely sure if this is a feature, but it does point to a need for a more verbose logging option here that still performs a real execution of the command.
Remove that and re-submit, and you should see a "disable" message of some type in the xymond log. It would look something like this:
1503 2019-09-18 16:28:40.424777 -> do_message/2 (can respond) (98 bytes): disable rhel6-x86-64,build.ftps 240
HTH -jc On 9/18/2019 5:37 AM, Rothlisberger, John R. wrote:
There is nothing that shows up in xymond.log for enadis.sh - the debug is running also. Thanks, John -----Original Message----- From: Japheth Cleaver <user-87556346d4af@xymon.invalid> Sent: Tuesday, September 17, 2019 4:45 PM To: Rothlisberger, John R. <user-7adce57665bb@xymon.invalid>; Subject: Re: [External] Re: [Xymon] can I put enadis into debug mode? killall -USR2 xymond, to enable debugging on the fly. At that point, go ahead and use enadis.sh to submit the request. You should see a disable (or enable) message in /var/log/xymon/xymond.log for the host in question -- either correctly or incorrectly. We should be able to see what's happening from there. If it does make it through textually correct, then we've verified that it's no longer being blocked by the original problem. HTH, -jc On 9/17/2019 1:19 PM, Rothlisberger, John R. wrote:I have made changes to --admin-senders but only in an attempt to fix the issues at hand. That being said, it was either set to it's own IP or 127.0.0.1,$XYMONSERVERIP I am unsure how or where you want me to use -USR2 (sorry brain fade) Here is with debug enabled and captured in enadis.log: 99801 2019-09-17 21:13:15.091517 CGI: Request method='GET', data='' 99801 2019-09-17 21:13:15.091663 Transport setup is: 99801 2019-09-17 21:13:15.091674 xymondportnumber = 1984 99801 2019-09-17 21:13:15.091683 xymonproxyhost = NONE 99801 2019-09-17 21:13:15.091691 xymonproxyport = 0 99801 2019-09-17 21:13:15.091699 Recipient listed as '127.0.0.1' 99801 2019-09-17 21:13:15.091708 Standard protocol on port 1984 99801 2019-09-17 21:13:15.091727 Will connect to address 127.0.0.1 port 1984 99801 2019-09-17 21:13:15.091871 Connect status is 0 99801 2019-09-17 21:13:15.091912 Sent 16 bytes 99801 2019-09-17 21:13:15.150989 Read 32767 bytes 99801 2019-09-17 21:13:15.151183 Read 32767 bytes 99801 2019-09-17 21:13:15.151311 Read 32767 bytes 99801 2019-09-17 21:13:15.151537 Read 32767 bytes 99801 2019-09-17 21:13:15.151608 Read 32767 bytes 99801 2019-09-17 21:13:15.151708 Read 32767 bytes 99801 2019-09-17 21:13:15.151775 Read 32767 bytes 99801 2019-09-17 21:13:15.151849 Read 32767 bytes 99801 2019-09-17 21:13:15.151916 Read 32767 bytes 99801 2019-09-17 21:13:15.151984 Read 32767 bytes 99801 2019-09-17 21:13:15.152057 Read 32767 bytes 99801 2019-09-17 21:13:15.152138 Read 32767 bytes 99801 2019-09-17 21:13:15.152206 Read 32767 bytes 99801 2019-09-17 21:13:15.152290 Read 32767 bytes 99801 2019-09-17 21:13:15.152470 Read 32767 bytes 99801 2019-09-17 21:13:15.152594 Read 32767 bytes 99801 2019-09-17 21:13:15.152668 Read 32767 bytes 99801 2019-09-17 21:13:15.152737 Read 32767 bytes 99801 2019-09-17 21:13:15.152823 Read 32767 bytes 99801 2019-09-17 21:13:15.152898 Read 32767 bytes 99801 2019-09-17 21:13:15.152968 Read 32767 bytes 99801 2019-09-17 21:13:15.153042 Read 32767 bytes 99801 2019-09-17 21:13:15.153109 Read 672 bytes 99801 2019-09-17 21:13:15.153157 Closing connection 99801 2019-09-17 21:13:15.165423 Trying header/footer file '/home/xymon/server/web/maint_header' 99801 2019-09-17 21:13:15.165475 Recipient listed as '127.0.0.1' 99801 2019-09-17 21:13:15.165485 Standard protocol on port 1984 99801 2019-09-17 21:13:15.165489 Will connect to address 127.0.0.1 port 1984 99801 2019-09-17 21:13:15.165543 Connect status is 0 99801 2019-09-17 21:13:15.165561 Sent 55 bytes 99801 2019-09-17 21:13:15.182312 Read 32767 bytes 99801 2019-09-17 21:13:15.182391 Read 11009 bytes 99801 2019-09-17 21:13:15.182851 Read 32767 bytes 99801 2019-09-17 21:13:15.183039 Read 32767 bytes 99801 2019-09-17 21:13:15.183149 Read 32767 bytes 99801 2019-09-17 21:13:15.183241 Read 32767 bytes 99801 2019-09-17 21:13:15.183317 Read 32767 bytes 99801 2019-09-17 21:13:15.183395 Read 32767 bytes 99801 2019-09-17 21:13:15.183470 Read 32767 bytes 99801 2019-09-17 21:13:15.183551 Read 32767 bytes 99801 2019-09-17 21:13:15.183627 Read 32767 bytes 99801 2019-09-17 21:13:15.183716 Read 32767 bytes 99801 2019-09-17 21:13:15.183799 Read 32767 bytes 99801 2019-09-17 21:13:15.183873 Read 32767 bytes 99801 2019-09-17 21:13:15.183950 Read 32767 bytes 99801 2019-09-17 21:13:15.184053 Read 32767 bytes 99801 2019-09-17 21:13:15.184135 Read 32767 bytes 99801 2019-09-17 21:13:15.184210 Read 32767 bytes 99801 2019-09-17 21:13:15.184284 Read 32767 bytes 99801 2019-09-17 21:13:15.184359 Read 32767 bytes 99801 2019-09-17 21:13:15.184458 Read 32767 bytes 99801 2019-09-17 21:13:15.184578 Read 32767 bytes 99801 2019-09-17 21:13:15.184657 Read 32767 bytes 99801 2019-09-17 21:13:15.184734 Read 32767 bytes 99801 2019-09-17 21:13:15.184826 Read 32767 bytes 99801 2019-09-17 21:13:15.184903 Read 32767 bytes 99801 2019-09-17 21:13:15.185013 Read 32767 bytes 99801 2019-09-17 21:13:15.186451 Read 32767 bytes 99801 2019-09-17 21:13:15.186535 Read 32767 bytes 99801 2019-09-17 21:13:15.186645 Read 32767 bytes 99801 2019-09-17 21:13:15.186727 Read 32767 bytes 99801 2019-09-17 21:13:15.186805 Read 32767 bytes 99801 2019-09-17 21:13:15.186882 Read 32767 bytes 99801 2019-09-17 21:13:15.186959 Read 32767 bytes 99801 2019-09-17 21:13:15.187033 Read 491 bytes 99801 2019-09-17 21:13:15.187062 Closing connection 99801 2019-09-17 21:13:15.205359 Recipient listed as '127.0.0.1' 99801 2019-09-17 21:13:15.205376 Standard protocol on port 1984 99801 2019-09-17 21:13:15.205380 Will connect to address 127.0.0.1 port 1984 99801 2019-09-17 21:13:15.205438 Connect status is 0 99801 2019-09-17 21:13:15.205456 Sent 8 bytes 99801 2019-09-17 21:13:15.205607 Closing connection 99801 2019-09-17 21:13:15.309349 Opening file /home/xymon/server/etc/xymonmenu.cfg 99801 2019-09-17 21:13:15.313554 Trying header/footer file '/home/xymon/server/web/maint_footer' 99879 2019-09-17 21:13:44.381310 CGI: Request method='POST', data='hostname=servera&disabletest=disk&hostpattern=&pagepattern=&ippattern=&classpattern=&cause=test+disable&go2=Disable+for&duration=1&scale=60&endmonth=9&endday=17&endyear=2019&endhour=21&endminute=13&go=Disable+now&month=9&day=17&year=2019&hour=21&minute=13' 99879 2019-09-17 21:13:44.381480 CSP return is Content-Security-Policy: script-src 'self' 'unsafe-inline'; connect-src 'self'; form-action 'self'; sandbox allow-forms allow-scripts allow-same-origin allow-modals allow-popups; X-Content-Security-Policy: script-src 'self' 'unsafe-inline'; connect-src 'self'; form-action 'self'; sandbox allow-forms allow-scripts allow-same-origin allow-modals allow-popups; X-Webkit-CSP: script-src 'self' 'unsafe-inline'; connect-src 'self'; form-action 'self'; sandbox allow-forms allow-scripts allow-same-origin allow-modals allow-popups; 99879 2019-09-17 21:13:44.381511 - checking if referer is OK (http_referer: https://urldefense.proofpoint.com/v2/url?u=https-3A__our.domain.com_x y
mon-2Dseccgi_enadis.sh&d=DwICaQ&c=eIGjsITfXP_y-DLLX0uEHXJvU8nOHrUK8Ir w NKOtkVU&r=u6KtIBCRNAeN-AbgJjdZe5zZJVFEfq04dnWD-hYNPL_fxJIIFncbL8W6k0N M Jtuq&m=ZUUgPRbrRXrf6v9iK_IYMgdM6skatcaFWp9MfwwoR6A&s=Ca_BDatt9fV_6-hn E rKzruPVe3Arga8WJdTolYDibMU&e= , http_host: our.domain.com, xymonwebhost: https://urldefense.proofpoint.com/v2/url?u=https-3A__our.domain.com&d = DwICaQ&c=eIGjsITfXP_y-DLLX0uEHXJvU8nOHrUK8IrwNKOtkVU&r=u6KtIBCRNAeN-A b gJjdZe5zZJVFEfq04dnWD-hYNPL_fxJIIFncbL8W6k0NMJtuq&m=ZUUgPRbrRXrf6v9iK _ IYMgdM6skatcaFWp9MfwwoR6A&s=1PkWq1uFfsXaAP-oHT24OhAovO3g-jsYt3IfNjPfJ B o&e= , checkstr: /xymon-seccgi/enadis
▸
99879 2019-09-17 21:13:44.381597 Trying header/footer file '/home/xymon/server/web/maintact_header' 99879 2019-09-17 21:13:44.381724 Opening file /home/xymon/server/etc/xymonmenu.cfg 99879 2019-09-17 21:13:44.381891 Action = disable 99879 2019-09-17 21:13:44.381902 Tests = 99879 2019-09-17 21:13:44.381911 Duration = 1, scale = 60 99879 2019-09-17 21:13:44.381919 Cause = test disable 99879 2019-09-17 21:13:44.381939 Trying header/footer file '/home/xymon/server/web/maintact_footer' Thanks, John -----Original Message----- From: Japheth Cleaver <user-87556346d4af@xymon.invalid> Sent: Tuesday, September 17, 2019 12:41 PM To: Rothlisberger, John R. <user-7adce57665bb@xymon.invalid>; Subject: Re: [External] Re: [Xymon] can I put enadis into debug mode? Based on the connectivity information below, it looks like the message (or at least A message) is making back into xymond OK. Can you send -USR2 to xymond and hit it again? Were there any changes to your '--admin-senders' option concurrently? -jc On 9/16/2019 5:31 PM, Rothlisberger, John R. wrote:Any ideas? This causing us issues because we are unable to acknowledge or disable alerts from the webpapge. Thanks, John -----Original Message----- From: Rothlisberger, John R. <user-7adce57665bb@xymon.invalid> Sent: Friday, September 13, 2019 4:54 PM To: Japheth Cleaver <user-87556346d4af@xymon.invalid>; user-7b955ca225e6@xymon.invalid; Subject: RE: [External] Re: [Xymon] can I put enadis into debug mode? I was able to set HTTP_HOST within cgioptions.cfg: And now, it appears as though enadis works - but its not disabling the test... Cgioptions.cfg: HTTP_HOST=aoc.accenture.com 11428 2019-09-13 22:43:31.789838 Opening file /home/xymon/server/etc/xymonmenu.cfg 11428 2019-09-13 22:43:31.793320 Trying header/footer file '/home/xymon/server/web/maint_footer' 11479 2019-09-13 22:43:45.424949 CGI: Request method='POST', data='hostname=serverA&disabletest=lupdate&hostpattern=serverA&pagepattern=&ippattern=&classpattern=&cause=test+disable&go2=Disable+for&duration=4&scale=60&endmonth=9&endday=13&endyear=2019&endhour=22&endminute=43&go=Disable+now&month=9&day=13&year=2019&hour=22&minute=43' 11479 2019-09-13 22:43:45.425092 CSP return is Content-Security-Policy: script-src 'self' 'unsafe-inline'; connect-src 'self'; form-action 'self'; sandbox allow-forms allow-scripts allow-same-origin allow-modals allow-popups; X-Content-Security-Policy: script-src 'self' 'unsafe-inline'; connect-src 'self'; form-action 'self'; sandbox allow-forms allow-scripts allow-same-origin allow-modals allow-popups; X-Webkit-CSP: script-src 'self' 'unsafe-inline'; connect-src 'self'; form-action 'self'; sandbox allow-forms allow-scripts allow-same-origin allow-modals allow-popups; 11479 2019-09-13 22:43:45.425124 - checking if referer is OK (http_referer: https://urldefense.proofpoint.com/v2/url?u=https-3A__our.domain.com_ x
y mon-2Dseccgi_enadis.sh&d=DwIGaQ&c=eIGjsITfXP_y-DLLX0uEHXJvU8nOHrUK8I r w NKOtkVU&r=u6KtIBCRNAeN-AbgJjdZe5zZJVFEfq04dnWD-hYNPL_fxJIIFncbL8W6k0 N M Jtuq&m=hUp7xV6fRA2n12I55P6JyeCMauvA190vp8c5SkV-sNE&s=d4ROtciks3XZkuy j q Lv1pL1srjNjhp2WASy5jFUDRJo&e= , http_host: our.domain.com, xymonwebhost: https://urldefense.proofpoint.com/v2/url?u=https-3A__our.domain.com&; d = DwIGaQ&c=eIGjsITfXP_y-DLLX0uEHXJvU8nOHrUK8IrwNKOtkVU&r=u6KtIBCRNAeN- A b gJjdZe5zZJVFEfq04dnWD-hYNPL_fxJIIFncbL8W6k0NMJtuq&m=hUp7xV6fRA2n12I5 5 P 6JyeCMauvA190vp8c5SkV-sNE&s=1dukM_LrvEB24reV8YMIm6JDvfrBojPwjn3kI6zo H T o&e= , checkstr: /xymon-seccgi/enadis
▸
11479 2019-09-13 22:43:45.425212 Trying header/footer file '/home/xymon/server/web/maintact_header' 11479 2019-09-13 22:43:45.425354 Opening file /home/xymon/server/etc/xymonmenu.cfg 11479 2019-09-13 22:43:45.425549 Action = disable 11479 2019-09-13 22:43:45.425564 Tests = 11479 2019-09-13 22:43:45.425574 Duration = 4, scale = 60 11479 2019-09-13 22:43:45.425582 Cause = test disable 11479 2019-09-13 22:43:45.425608 Trying header/footer file '/home/xymon/server/web/maintact_footer' 11482 2019-09-13 22:43:49.112970 CGI: Request method='GET', data='' 11482 2019-09-13 22:43:49.113120 Transport setup is: 11482 2019-09-13 22:43:49.113138 xymondportnumber = 1984 11482 2019-09-13 22:43:49.113147 xymonproxyhost = NONE 11482 2019-09-13 22:43:49.113156 xymonproxyport = 0 11482 2019-09-13 22:43:49.113164 Recipient listed as '127.0.0.1' 11482 2019-09-13 22:43:49.113173 Standard protocol on port 1984 11482 2019-09-13 22:43:49.113194 Will connect to address 127.0.0.1 port 1984 11482 2019-09-13 22:43:49.113328 Connect status is 0 11482 2019-09-13 22:43:49.113373 Sent 16 bytes Unbuntu 16.04LTS Xymon 4.3.30 Thanks, John -----Original Message----- From: Japheth Cleaver <user-87556346d4af@xymon.invalid> Sent: Thursday, September 12, 2019 5:45 PM To: Rothlisberger, John R. <user-7adce57665bb@xymon.invalid>; user-7b955ca225e6@xymon.invalid Cc: xymon at xymon.com Subject: Re: [External] Re: [Xymon] can I put enadis into debug mode? This message is from an EXTERNAL SENDER - be CAUTIOUS, particularly with links and attachments. On 9/12/2019 2:58 PM, Rothlisberger, John R. wrote:That worked for debugging - can at least see where the error is coming from: 76996 2019-09-12 22:42:29.566819 - checking if referer is OK (http_referer: https://urldefense.proofpoint.com/v2/url?u=https-3A__our.domain.com _ x
ymon-2Dseccgi_enadis.sh&d=DwICaQ&c=eIGjsITfXP_y-DLLX0uEHXJvU8nOHrUK 8 I rwNKOtkVU&r=u6KtIBCRNAeN-AbgJjdZe5zZJVFEfq04dnWD-hYNPL_fxJIIFncbL8W 6 k 0NMJtuq&m=bRahvPMUFYb204VPoQl7be5NB_ddal_nzGb2JBHaABg&s=HpwRnnzanaI W U LrjFb04HysWuBn92I2_d7Ms7pmSiK8&e= , http_host: 10.20.30.40, xymonwebhost: https://urldefense.proofpoint.com/v2/url?u=https-3A__our.domain.com & d =DwICaQ&c=eIGjsITfXP_y-DLLX0uEHXJvU8nOHrUK8IrwNKOtkVU&r=u6KtIBCRNAe N • AbgJjdZe5zZJVFEfq04dnWD-hYNPL_fxJIIFncbL8W6k0NMJtuq&m=bRahvPMUFYb20 4 V PoQl7be5NB_ddal_nzGb2JBHaABg&s=ik1nvxSgFr0cOhbiWRUQbpQ8u_Vq7hDK4hnk e a MqQsE&e= , checkstr: /xymon-seccgi/enadis
▸
76996 2019-09-12 22:42:29.566832 Disallowed request due to unexpected referer 'our.domain.com/xymon-seccgi/enadis.sh', wanted '10.20.30.40/xymon-seccgi/enadis' (originally '/xymon-seccgi/enadis') http_host is the IP of the Xymon server - but not the same as the URL used for our system (we have several and use a reverse proxy to get to all of them). Without taking too many wild guesses at which setting defines http_host (can't find it in man pages) - how do I change that?HTTP_HOST is actually going to be set by the client. However the check can be overridden by setting $XYMONSERVERWWWNAME (technically $XYMONWEBHOST is what's used) in xymonserver.cfg to what you're expecting the client to be using. Depending on current .cfg settings, something may be specifying the basic IP there. HTH, -jc This message is for the designated recipient only and may contain privileged, proprietary, or otherwise confidential information. If you have received it in error, please notify the sender immediately and delete the original. Any other use of the e-mail by you is prohibited. Where allowed by local law, electronic communications with Accenture and its affiliates, including e-mail and instant messaging (including content), may be scanned by our systems for the purposes of information security and assessment of internal compliance with Accenture policy. Your privacy is important to us. Accenture uses your personal data only in compliance with data protection laws. For further information on how Accenture processes your personal data, please see our privacy statement at https://www.accenture.com/us-en/privacy-policy. _ _ http://www.accenture.com