Tuesday, October 15, 2013

Catching TrendNet "End-Of-Motion" Signals

Anyone using a CGI to grab notifications from a TrendNet IP camera will know that the TrendNet doesn't send a signal when all is clear - it simply sends repetitive "motion" signals.  That makes it difficult to receive an "all clear" without doing some fancy "touches", and even then you won't get it in any sort of real-time status.  So, how can you grab an "All Clear", and have it happen when the camera stops recording (meaning that you can configure a camera to record an extra 30 seconds, then get the "all clear" when the recording stops)?  Well, it turns out it's simple, if you are using Samba.  Here's how I did it.

Configure Samba :

The later versions of Samba (e.g. 3.x) include "VFS" modules - or "Virtual File System" modules - which allow Samba to handle virtual tasks such as translating new lines on-the-fly, or checking new files for viruses or malware.  There are two included VFS modules for auditing, and one will log messages when a file is closed.  The full_audit.so VFS module is the one we need.  It's included, so we simply need to enable it.  Open your /etc/samba/smb.conf, and add the following in the [global] section :
    vfs objects = full_audit
    full_audit:prefix = %u|%I|%m|%S
    full_audit:success = close
    full_audit:failure = none
    full_audit:facility = local6
    full_audit:priority = DEBUG
    
If the priority is NOTICE, you will get the messages into /var/log/messages, so beware of your config.  I went with DEBUG, so that I can then restrict that to one destination (I'll talk about that later).

The secret is in the "full_audit:success" and "full_audit:failure" parameters.  These allow you to configure which operations you want logged, either on failure or on success.  In the above configuration, I log nothing on failures, and I log "close" on successes.  This means that syslog will get a log message every time a file is closed (whether it was being written to or just read from).  The log messages look like :
    Oct 15 22:44:01 localhost smbd[20487]: anne|10.0.0.73|mediacenter|movies|close|ok|disney/the_little_mermaid.mp4
    Oct 15 22:44:02 localhost smbd[20487]: secuser|10.0.0.41|tv-ip322p-0015f|camerashares|close|ok|path_to_storage/20131015/22/224315.mp4
    
So, since we will end up with all closings, you want to ensure that either the username ("secuser" in the above messages) doing the writing or the hostname (tv-ip322p-0015f) that is writing to the Samba share is unique, so you can filter out the rest of the stuff.  In my case, the host is "tv-ip322p-0015f", so I can easily just watch for closings from the camera(s) in question through logcheck, and have an instantaneous notification via e-mail when each camera clears itself and stops recording.  However, we want the notification to enter our event server (e.g. Nagios), and since full_audit already runs through syslog, it's simply a matter of setting up a named-pipe.

Named Pipe Creation :
  1. Create the named-pipe :

    mkdir /etc/syslog.pipes
    mknod /etc/syslog.pipes/sambaEvents p
    chmod 600 /etc/syslog.pipes/sambaEvents
    
    
  2. Next, configure syslog to write to that named pipe.  In your syslog config (e.g. /etc/rsyslog.conf), add a line such as (make sure it matches your customizations) :

    local6.* |/etc/syslog.pipes/sambaEvents
  3. Then, restart syslog :

    /etc/init.d/rsyslog restart
  4. Finally, you will have to write a tool that reads from your named-pipe.  In my case, I'm setting up an eventserver, and I'm using a plugin for that one.  For anyone else, you can do a cron (example http://svn.silverhawk.net/files/syslogSambaEvent.sh) such as :

    * * * * * /usr/local/bin/syslogSambaEvent.sh < /etc/syslog.pipes/sambaEvents

    That will run the job once a second looking for messages from the queue, and then e-mail them out if they match my tv-ip322p.
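
One way to write the pipe reader from step 4, as an added example (it is not the author's syslogSambaEvent.sh): it parses the full_audit record layout shown above and keeps only the camera's successful closes. The host and IP constants are taken from the sample log; requiring both is a choice made for this example, and the third input line is constructed.

```shell
#!/bin/sh
# Added example: pick the camera's "end of motion" events out of the
# full_audit stream. Field order follows the prefix configured above
# (%u|%I|%m|%S), then operation|result|path.
CAMERA_HOST="tv-ip322p-0015f"   # %m of the camera, from the sample log
CAMERA_IP="10.0.0.41"           # %I of the camera, from the sample log

# Reads syslog lines on stdin and prints "share<TAB>path" for every
# successful close made by the camera; all other lines are dropped.
camera_closes() {
    while IFS= read -r line; do
        # Strip the syslog header ("Oct 15 ... smbd[pid]: ").
        case "$line" in
            *"]: "*) rec=${line#*"]: "} ;;
            *) continue ;;
        esac
        # The last variable takes the remainder, so a "|" inside the
        # file name stays part of the path.
        IFS='|' read -r user ip host share op result path <<EOF
$rec
EOF
        [ "$op" = "close" ] && [ "$result" = "ok" ] || continue
        # %m is the name the client announces, so also require the IP.
        [ "$host" = "$CAMERA_HOST" ] && [ "$ip" = "$CAMERA_IP" ] || continue
        [ -n "$path" ] || continue
        printf '%s\t%s\n' "$share" "$path"
    done
}

# Constructed input: the two lines from the post plus one line where
# another address uses the camera's name.
camera_closes <<'SAMPLE'
Oct 15 22:44:01 localhost smbd[20487]: anne|10.0.0.73|mediacenter|movies|close|ok|disney/the_little_mermaid.mp4
Oct 15 22:44:02 localhost smbd[20487]: secuser|10.0.0.41|tv-ip322p-0015f|camerashares|close|ok|path_to_storage/20131015/22/224315.mp4
Oct 15 22:44:03 localhost smbd[20487]: secuser|10.0.0.99|tv-ip322p-0015f|camerashares|close|ok|path_to_storage/other.mp4
SAMPLE
```
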
SELinux note :
    Oct 16 08:30:21 cottonwoodheights rsyslogd-2039: Could not open output pipe '/etc/syslog.pipes/sambaEvents' [try http://www.rsyslog.com/e/2039 ]
    Oct 16 08:30:24 cottonwoodheights setroubleshoot: SELinux is preventing /sbin/rsyslogd from 'read, write' accesses on the fifo_file sambaEvents. For complete SELinux messages. run sealert -l 0f6ad628-c737-452f-a4a2-fbf240519594
If you are running SELinux, you will probably see something like the above.  Simply run the sealert command it names, and follow the directions the command provides.  You may also find more messages in there for the script that reads from the named pipe.

Added Notifications :

Just a note, if you want other functions, you can add them to the full_audit:success line.  For example, if the camera you are using doesn't have a "motion detected" notification method but does capture only the motion video, you can add "open", such as "full_audit:success = open,close".  I grabbed a list from the vfs_full_audit.c source, so these are things you can monitor if you really want, but beware that things like "pwrite" are called multiple times in a file write, not just once for the entire file, so you could have a log inundated with verbose messages.
    aio_error
    aio_force
    aio_fsync
    aio_is_offline
    aio_read
    aio_set_offline
    aio_write
    brl_cancel_windows
    brl_lock_windows
    brl_unlock_windows
    chdir
    chflags
    chmod
    chmod_acl
    chown
    close
    closedir
    connect
    connectpath
    create_file
    disconnect
    disk_free
    fchmod
    fchmod_acl
    fchown
    fget_nt_acl
    fgetxattr
    file_id_create
    flistxattr
    fremovexattr
    fs_capabilities
    fset_nt_acl
    fsetxattr
    fstat
    fsync
    ftruncate
    get_alloc_size
    getlock
    get_nt_acl
    get_quota
    get_real_filename
    get_shadow_copy_data
    getwd
    getxattr
    init_search_op
    kernel_flock
    lchown
    lgetxattr
    link
    linux_setlease
    listxattr
    llistxattr
    lock
    lremovexattr
    lseek
    lsetxattr
    lstat
    mkdir
    mknod
    notify_watch
    ntimes
    open
    opendir
    pread
    pwrite
    read
    readdir
    readlink
    realpath
    recvfile
    removexattr
    rename
    rewinddir
    rmdir
    seekdir
    sendfile
    set_quota
    setxattr
    stat
    statvfs
    streaminfo
    strict_lock
    strict_unlock
    symlink
    sys_acl_add_perm
    sys_acl_clear_perms
    sys_acl_create_entry
    sys_acl_delete_def_file
    sys_acl_free_acl
    sys_acl_free_qualifier
    sys_acl_free_text
    sys_acl_get_entry
    sys_acl_get_fd
    sys_acl_get_file
    sys_acl_get_perm
    sys_acl_get_permset
    sys_acl_get_qualifier
    sys_acl_get_tag_type
    sys_acl_init
    sys_acl_set_fd
    sys_acl_set_file
    sys_acl_set_permset
    sys_acl_set_qualifier
    sys_acl_set_tag_type
    sys_acl_to_text
    sys_acl_valid
    telldir
    translate_name
    unlink
    write
    
