OSM

kernow
Junior Member
Posts: 26
Joined: 02 Apr 2010, 07:57

OSM

Post by kernow »

Couldn't find a specific forum for OSM so posting here.
Hi, you installed OSM for us as part of the cpanel services a few months ago. OSM has now sent us a mail report but does not say who the user account sending the mail is or what directory the mail script originated from. Are we missing something? Example:
WHM Report URL:
https://our-domain-name:2087/cgi/config ... 74438624_1

Report Date:

Fri Nov 22 16:03:44 2019

Report Message:

User logged 618 packet events in the last 300 seconds (Trigger Level 1 count = 100 for )


Report Actions:

Actions (email,store):

Email sent to root

Report data stored in /etc/osm/reports/report_1574438624_1


Report Settings Trigger:

default:trigger1:packet


Sample of Events (restricted to 5):
Event ID packet_1574438467_143
dst xxxxxxxxxx
src xxxxxxxxx
time Fri Nov 22 16:01:07 2019
type packet
Captain WInters
Junior Member
Posts: 4
Joined: 21 Nov 2017, 16:25

Re: OSM

Post by Captain WInters »

Hello,

This exact problem is happening to us, and considering there is no OSM section and only 10-20 OSM posts total across all boards, I thought it might be most prudent to add to the previously-existing thread on the matter.

Showing which user sent the e-mail and via what script is essentially the core feature of OSM. For that to be missing by design seems wrong, so I hope the user above and I are missing something here.

Does anyone happen to have experience with this issue and resolving it?
Sarah
Moderator
Posts: 921
Joined: 09 Dec 2006, 22:49

Re: OSM

Post by Sarah »

OSM cannot always detect the user associated with the packet activity. OSM uses pcap to detect outgoing connections with a destination port 25. OSM then looks it up in the /proc/net/tcp and /proc/net/tcp6 connection kernel files. If the connection is still active, it will get the user from that file. If the connection is no longer active, it cannot report a user for the packet/connection. When the user is not reported, it can be assumed that the connection was no longer active when OSM looked up the connection in the connection files.
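The lookup described in the reply above, sketched as an added example (not part of any post in this thread and not OSM's own code): it matches a captured source/destination pair against a /proc/net/tcp table and returns the owning UID, or nothing once the kernel has dropped the entry. The function names, the sample table and its addresses are constructed for illustration; it covers IPv4 only and assumes a little-endian host such as x86.

```python
import socket
import struct

# Constructed sample in /proc/net/tcp format (documentation addresses, not data from the thread).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0A0200C0:B26E 196433C6:0019 01 00000000:00000000 00:00000000 00000000  1001        0 67890 1 0000000000000000 20 4 30 10 -1
"""


def decode_endpoint(field):
    """Turn 'HEXIP:HEXPORT' into (dotted_ip, port). Assumes a little-endian host."""
    ip_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def find_uid(table_text, src, dst):
    """Return the UID owning the src->dst connection, or None if it is no longer listed."""
    for line in table_text.splitlines()[1:]:  # skip the header row
        cols = line.split()
        if len(cols) < 8:
            continue
        # cols[1] = local endpoint, cols[2] = remote endpoint, cols[7] = owning UID
        if decode_endpoint(cols[1]) == src and decode_endpoint(cols[2]) == dst:
            return int(cols[7])
    return None


if __name__ == "__main__":
    # A packet seen on the wire while the socket still exists resolves to a UID.
    live = find_uid(SAMPLE_PROC_NET_TCP, ("192.0.2.10", 45678), ("198.51.100.25", 25))
    print("live connection uid:", live)
    # A packet whose socket has already been closed has no table entry,
    # which is the case that produces a report with an empty user field.
    gone = find_uid(SAMPLE_PROC_NET_TCP, ("192.0.2.10", 45999), ("198.51.100.25", 25))
    print("closed connection uid:", gone)
```

To run it against a live host, pass the contents of /proc/net/tcp as the first argument; short-lived SMTP connections will often be gone by the time the file is read.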