[IntelMQ-users] where can I see data gathered by intelmq?

Jonathan SCOUPREMAN jscoupreman at excellium-services.lu
Thu Mar 11 09:43:14 CET 2021


Greetings Moto,

In order to check "what is going on" inside your IntelMQ botnet, you could use the following commands:
"sudo -u <intelmq_user_account> intelmqctl status" -> this one checks which bots are running, which are stopped and which are disabled.
"sudo -u <intelmq_user_account> intelmqctl list queues" -> this one displays the current number of messages stored in the internal or external bot queues. (use "-q" at the end if you want to hide queues with 0 messages)
"cat /var/log/intelmq/<bot_name>.log" will display the bot output (by default only info and error messages are shown, debug messages are hidden -> am I right?)
Finally, you can check the output of the botnet (your DB, a MISP instance, whatever you have) to make sure that what your bots have collected has been processed properly.

You could also manually run your bots with "sudo -u <intelmq_user_account> intelmqctl run <bot_name> -l DEBUG" so you can check what the bot is doing in real time.

Best regards,
Jonathan

--
Jonathan SCOUPREMAN | jscoupreman at excellium-services.lu | PGP Key ID: 0xAD971C07
CERT-XLM | cert at excellium-services.com | PGP Key ID: 0xD74E5AC0
CERT-XLM Incident Handler @ excellium-services.com
Excellium Services S.A. | 5 rue Goell L-5326 Contern
Mobile: +352 691 982 790
Emergency: +352 262 039 64 708 | emergency at excellium-services.com | PGP Key ID: 0x42662EFE
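
A small log triage script as an added example (my own, not IntelMQ's tooling and not code from the poster): it reads the per-bot log files the reply points at, counts entries per level and surfaces the last ERROR together with its traceback, which is what you usually want before running a bot by hand with "-l DEBUG". It assumes IntelMQ's default log line layout "<timestamp> - <bot_id> - <LEVEL> - <message>" and the /var/log/intelmq/<bot_id>.log path from the reply; the sample lines embedded in it are constructed, not real feed output.

```python
"""Summarise IntelMQ bot logs by level and show the last error.

Added example, not IntelMQ's own tooling. Assumption: the default IntelMQ
log line format is '<date> <time>,<ms> - <bot_id> - <LEVEL> - <message>'
and each bot logs to /var/log/intelmq/<bot_id>.log.
"""
import re
import sys
from collections import Counter
from pathlib import Path

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) - "
    r"(?P<bot>\S+) - (?P<level>[A-Z]+) - (?P<msg>.*)$"
)

# Constructed sample log (not real output) so the script runs stand-alone.
SAMPLE_LOG = """\
2021-03-11 09:26:00,101 - feodo-tracker-collector - INFO - Bot initialization completed.
2021-03-11 09:26:01,205 - feodo-tracker-collector - INFO - Downloading report from 'https://example.invalid/feed.csv'.
2021-03-11 09:26:02,310 - feodo-tracker-collector - ERROR - Bot has found a problem.
Traceback (most recent call last):
  File "bot.py", line 1, in <module>
ConnectionError: name resolution failed
2021-03-11 09:26:02,311 - feodo-tracker-collector - INFO - Processed 1 messages since last logging.
"""


def parse_log(text):
    """Return a list of {ts, bot, level, msg} records.

    Traceback lines do not carry a timestamp, so they are appended to the
    preceding record's message; an ERROR therefore keeps its stack trace.
    """
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            records.append(dict(m.groupdict()))
        elif records:
            records[-1]["msg"] += "\n" + line
    return records


def summarize(records):
    """Return per-level counts and the last ERROR/CRITICAL record (or None)."""
    counts = Counter(r["level"] for r in records)
    errors = [r for r in records if r["level"] in ("ERROR", "CRITICAL")]
    return {"counts": dict(counts), "last_error": errors[-1] if errors else None}


def report(logdir="/var/log/intelmq"):
    """Summarise every <bot_id>.log under logdir; returns {bot_id: summary}."""
    out = {}
    for path in sorted(Path(logdir).glob("*.log")):
        out[path.stem] = summarize(parse_log(path.read_text(errors="replace")))
    return out


if __name__ == "__main__":
    logdir = sys.argv[1] if len(sys.argv) > 1 else "/var/log/intelmq"
    if Path(logdir).is_dir():
        results = report(logdir)
    else:  # no IntelMQ installation here: fall back to the constructed sample
        results = {"sample": summarize(parse_log(SAMPLE_LOG))}
    for bot, s in results.items():
        line = f"{bot}: {s['counts']}"
        if s["last_error"]:
            line += f"\n  last error: {s['last_error']['msg'].splitlines()[0]}"
        print(line)
```

Run it as the intelmq user so it can read the log directory (sudo -u <intelmq_user_account> python3 intelmq_logsummary.py); a bot with zero INFO lines since the last restart and a non-empty queue in "intelmqctl list queues" is the usual sign that it is stuck rather than idle.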

-----Original Message-----
From: IntelMQ-users <intelmq-users-bounces at lists.cert.at> On Behalf Of moto kawasaki
Sent: jeudi 11 mars 2021 09:26
To: intelmq-users at lists.cert.at
Subject: [IntelMQ-users] where can I see data gathered by intelmq?


Dear intelmq-users list,

I've just installed intelmq 2.3.0 via pypi and run it via `intelmqctl
start`, and I can see several python processes are running with
intelmq user in top command.

Can I see some data that is collected by intelmq bots at this stage?
If yes, where should I find it?

Now I reckon intelmq-manager is the answer to the above question, and
I am trying to figure out how to use the intelmq-manager web
interface. (pypi installation has been done)

Any suggestions will be appreciated.
Thank you!



Best Regards.



--
moto kawasaki <moto at kawasaki3.org> +81-90-2464-8454
--
List settings:
 https://lists.cert.at/cgi-bin/mailman/listinfo/intelmq-users
IntelMQ Documentation: https://intelmq.readthedocs.io/