I need a single system message on any device insertion into the system. please any one tell which system message to use for example DBT_DEVICEARRIVAL but problem is that DBT_DEVICEARRIVAL does not give message on any non media device like network device or printer connection. DBT_DEVNODES_CHANGED gives multiple messages on insertion and removal but I need a single message just on insertion.
Related
Adjusting question:
SIEM is a management system that takes syslog and other types of log messages and allows an admin to search, combine, and report on logs in ways that helps them better understand what is going on. I am working with Splunk and sending Syslog (CEF) formatted messages to Splunk. When I send two messages to splunk, that appear in the same message as seen here.
<1286>Sep 16, 2014 2:07:38 PM dbrLnxRv CEF:0|MyCompany|MyApp|2.0|Malicious|6|FileName eicar.cab dname=www.csm-testcenter.org dst=10.204.64.137 dpt=8080 prot=HTTP src=10.204.82.168 spt=49809 suser="" xAuthenticatedUser="" requestMethod=GET requestClientApplication="" reason=0-1492-EICARFile.Detection_Test.Web.RTSS request=http://www.csm-testcenter.org/download/archives/cab/eicar.cab AnalysisType="" ThreatName=EICARFile ThreatReason=0-1492-EICARFile.Detection_Test.Web.RTSS Category=128 Direction=inbound Manual=1 TicketNumber=0 FileType=unknown FileHash=654ec5ae29c1718501af794822663da40aec51fc FileSize=168 Status=completed SessionId=79421 TransactionId=5
<1286>Sep 16, 2014 2:07:39 PM dbrLnxRv CEF:0|MyCompany|MyApp|2.0|Malicious|6|FileName eicar.cab dname=www.csm-testcenter.org dst=85.214.28.69 dpt=80 prot=HTTP src=10.204.64.137 spt=40378 suser="" xAuthenticatedUser="" requestMethod=GET requestClientApplication="" reason=0-1492-EICARFile.Detection_Test.Web.RTSS request=http://www.csm-testcenter.org/download/archives/cab/eicar.cab AnalysisType="" ThreatName=EICARFile ThreatReason=0-1492-EICARFile.Detection_Test.Web.RTSS Category=128 Direction=inbound Manual=1 TicketNumber=0 FileType=unknown FileHash=654ec5ae29c1718501af794822663da40aec51fc FileSize=168 Status=completed SessionId=79432 TransactionId=3
My questions is, how can I make them appear in separate blocks.
Currently have CR/LF between each message (verified by looking at the TCP transaction using Wireshark). Tried adding a NULL too, did not make a difference.
I know I am not down to the MS in the date/Time field, is that an issue?
Is there a message ID I am missing that will force Splunk to separate the messages?
Other ideas?
(When sending via UDP, the each event appears in it's own message)
Also tried disabling the nagle algo. and still same issue.
I created a custom C++ app to send SIEM messages from my data source to Splunk. If I send 6 SIEM messages over a socket at one time with each message is separated by a CR/LF (I also tried adding a NULL between the messages), Splunk puts them into one single event. What should I send to cause the messages to be in unique events? I've look everywhere for the spec on the SIEM protocol and have not found and binary base documents on the actual protocol.
TCP is 'stream' protocol and not message oriented. It does not maintain message boundaries. What one sends is not guaranteed to be read in the same way. It is upto the applications above TCP to interpret the bytes and form 'messages'
UDP on the hand maintains message boundaries. One sendto of X bytes will translate to recvfrom of X bytes. Though UDP will not gurantee that the message will reach the receiver.
The above stated reason is what you are witnessing. Multiple sends translating to single recv and in UDP the opposite.
Got it working
The protocol uses a basic /r/n to terminate the stream, which I had tried in the past. The real trick lies with the Splunk configuration. One needs to create a config files called props.conf and included the following line
SHOULD_LINEMERGE=false
Then everything works fine.
Is there a way to trigger the USB Device Discovery of Windows, such that removed devices are detected faster?
I have a USB Serial modem that I unplug (the USB plug, not the serial one). I want to detect the DBT_DEVICEREMOVECOMPLETE event which is sent as soon as the unplugging is detected (That's what I assume). The detection of the Event works as desired, it is sent sometimes 1s after removal, sometimes several minutes after removal.
Is there a way to decrease the refresh interval, or another way to make this event getting sent faster?
Well, the problem here is that DBT_DEVICEREMOVECOMPLETE is sent after Windows decides it has detected the removal, and you can't influence that, at least not in the general case. There are various things that make Windows do this faster or slower (type of device, current "data flow" with the device, the device itself), and it also varies between OS versions. What I found helps to some degree in some of cases is to remove, from the Registry, references to USB devices that were plugged into that USB port before (there are various utilities for this).
At the extreme, since this is a Windows Broadcast message (non-queued), there will not be another one sent in until the previous is processed. Thus, you may not receive it at all! To solve that, keep message handling fast and simple and don't set a breakpoint there while debugging.
Also, having a separate Windows and Thread for the specific purpose of handling USB device arrival/removal notifications may help.
But, from my experience, polling will not help, as the main problems seems to be in the criteria Windows uses to detect the removal. The time from that event until you receive the message is small. Of course, in your case this may not be true - to find out, use a tool like SysInternals Process Monitor. Depending on what you see going on there, there may be something you can do to make it faster.
I need a broker-less pattern for reading and writing messages between nodes without remove any message from queues until some monitor system accept removing message.
Can i do this with zeromq?, in zmq if one publisher node die the message queued on network is gone too? how can i save this queue in network!!!
(
i want send a message with publisher and subscribers read message but don't delete that from queue until my Qos monitor remove that from array. and if my publisher die message queue created with it should not be deleted.
Can i implement these functionality with current patterns in zmq?
)
You'll have to build that level of redundancy/reliability into your app, rather than rely on ZMQ to provide it.
What this means is that you'll have to keep track of all your messages at the publisher node, and then a subscriber node should be able to communicate back that it has received the message, allowing the publisher node to delete it's cache. This means multiple sockets, most likely, unless you really want to try and get XPUB/XSUB to communicate in this way, but it seems probably not the ideal choice.
If you need something more directly supported in your communication library, then ZMQ isn't going to cut it for you... but I doubt you'll find anything else that will, either.
I've got a two controllers one with uclinux, second without any os. They are connected by serial port. I check that new message received with select function. Message length might be different and controller without os sends message per bytes. So, there is a possibility that one controller does not send whole message and select function returns that new message is available. After that I will receive incorrect message.
How I can prevent this situation?
The select function will only tell you that you can read at least one byte without blocking. The message sent on the serial port needs to either have a predefined header that contains the total length of the message, or a special end-of-message marker.
When select says you can read, you read as many bytes as you can and put them in a buffer. If the message is not complete you go back to wait for more data with select. When more data arrives you continue append to the buffer. When a complete message is received you process it.
I'm searching for different options for implementing communication between a service and other services/applications.
What I would like to do:
I have a service that is constantly running, polling a device connected to a serial port. At certain points, this service should send a message to interested clients containing data retrieved from the device. Data is uncomplicated, most likely just a single string.
Ideally, the clients would not have to subscribe to receive these messages, which leads me to some sort of event 'broadcast' setup (similar to Windows events). The message sending process should not block, and does not need a response from any clients (or that there even are any clients for that matter).
I've been reading about IPC (COM in particular) and windows events, but am yet to come across something that really fits with what I want to do.
So is this possible? If so, what technologies should I be using? If not, what are some viable communication alternatives?
Here's the particulars of the setup:
Windows 2000/XP environments
'Server' service is a windows service, using VC++2005
Clients would vary, but always be in the windows environment (usual clients would be VC++6 windows services, VB6 applications)
Any help would be appreciated!
Windows supports broadcasting messages, check here. You can SendMessage to HWND_BROADCAST from the service, and receive it in each client.
There are a number of ways to do a broadcast system, but you'll have to either give up reliability (ie, some messages must be lost) or use a proper subscription system.
If you're willing to give up reliability, you can create a shared memory segment and named manual-reset event object. When a new message arrives, write it to the shared memory segment, signal the event object, then close the event object and create a new one with a different name (the name should be in the shmem segment somewhere). Clients open the shmem segment, find the current event object, wait for it to be signaled, then read off the message and new event segment.
In this option, you must be careful to deal with the case of a client reading at the same time as the shmem segment is updated properly. One way to do this is to have two sequence number fields in the shmem segment - one is updated before the new message is written, one after. Clients read the second sequence number prior to reading the message, then re-read both sequence numbers after, and check that they are all equal (and discard the message and retry after a delay if they are not). Be sure to place memory barriers around accesses to these sequence numbers to ensure the compiler does not reorder them!
Of course, this is all a bit hairy. Named pipes are a lot simpler, but a subscription (of a sort) is required. The server calls CreateNamedPipe, then accepts connections with ConnectNamedPipe. Clients use CreateFile to connect to the server's pipe. The server then just loops to send data (using WriteFile) to all of its clients. Note that you will need to create addititonal instance of the pipe using CreateNamedPipe each time you accept a connection. An example of a named pipe server can be found here: http://msdn.microsoft.com/en-us/library/aa365588(v=vs.85).aspx