
RE: [cobalt-security] Logcheck & Crontab



Hmmm...no idea.  One thing in common is they all contain 127.0.0.1.  I
know you said none of the files were modified, just check to be sure.
One thing I did when trying to solve a LogCheck problem is make empty
versions of the LogCheck files (logcheck.ignore,
logcheck.violations.ignore, logcheck.violations) and see if what you're
looking for comes through.

Are the entries you're looking for showing up in the logs themselves?
Not just the LogCheck version of them?  Check the logfiles directly to
see if your missing entries are in there.

I don't know much about cron itself.  Try running the cron job directly
from the /etc/cron.hourly directory.  Maybe it has been corrupted
somehow.  If the permissions are not correct or there's a glitch in the
file, it may not run.  Also, I'm not familiar with the swatch command
you're running first, but if it has to run before logcheck, be sure that
that is happening as well.

Good to talk w/you again Chae.  I'm excited to visit NZ, even though
it's a ways in the future! (We emailed once before)

~Spanky
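Spanky's two checks above, emptying the ignore files and making sure the hourly job is something cron can execute, as an added shell example that is not part of this thread. The pipeline only approximates what the classic logcheck.sh does (egrep the violations keywords, then egrep -v the ignore keywords); the log lines, keyword files and script paths are all constructed here.

```shell
#!/bin/sh
# Added example, not from the thread: emulate logcheck.sh's filtering on
# constructed log lines to see which entries the ignore files swallow, and
# check whether a cron.hourly script is in a state cron will actually run.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample lines, modelled on the adm.log entries quoted in the thread.
cat > "$WORK/sample.log" <<'EOF'
Oct 17 04:55:49 ns in.proftpd[12848]: connect from 127.0.0.1
Oct 17 04:55:51 ns imapd[12849]: Login failure user=Active_Monitor_69 host=localhost [127.0.0.1]
Oct 17 04:55:54 ns sendmail[12852]: NOQUEUE: Null connection from localhost [127.0.0.1]
Oct 17 05:01:12 ns imapd[12903]: Login failure user=bob host=203.0.113.7 [203.0.113.7]
EOF

# Constructed keyword files. One broad ignore pattern hides every loopback
# entry, which would explain why the missing lines "all contain 127.0.0.1".
printf 'Login failure\n' > "$WORK/logcheck.violations"
printf '127\\.0\\.0\\.1\n' > "$WORK/logcheck.violations.ignore"
: > "$WORK/empty.ignore"   # an empty ignore file matches nothing, so everything passes

# Approximation of logcheck.sh: keep violation matches, then drop ignored ones.
violations() {   # $1 log file, $2 violations patterns, $3 ignore patterns
    grep -i -E -f "$2" "$1" | grep -i -v -E -f "$3"
}

count_violations() {   # $1 ignore file; prints how many lines would be reported
    violations "$WORK/sample.log" "$WORK/logcheck.violations" "$1" | wc -l | tr -d ' '
}

# Cron side: a cron.hourly script only runs if it is a regular, executable file
# with an interpreter line; a lost execute bit makes cron skip it silently.
job_runnable() {   # $1 script path; exit status 0 when cron can execute it
    [ -f "$1" ] && [ -x "$1" ] && head -n 1 "$1" | grep -q '^#!'
}

echo "reported with the live ignore file:"
violations "$WORK/sample.log" "$WORK/logcheck.violations" "$WORK/logcheck.violations.ignore"
echo "reported with an empty ignore file:"
violations "$WORK/sample.log" "$WORK/logcheck.violations" "$WORK/empty.ignore"

# Constructed stand-ins for /etc/cron.hourly/logcheck: one runnable, one with
# the execute bit missing.
printf '#!/bin/sh\nexit 0\n' > "$WORK/logcheck.ok";     chmod 755 "$WORK/logcheck.ok"
printf '#!/bin/sh\nexit 0\n' > "$WORK/logcheck.noexec"; chmod 644 "$WORK/logcheck.noexec"
job_runnable "$WORK/logcheck.ok"     && echo "logcheck.ok: cron can run it"
job_runnable "$WORK/logcheck.noexec" || echo "logcheck.noexec: not executable, cron will skip it"
```

Point the three path variables at the real adm.log and logcheck keyword files to repeat the test on a live Cobalt box.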

> -----Original Message-----
> From: cobalt-security-admin@xxxxxxxxxxxxxxx
> [mailto:cobalt-security-admin@xxxxxxxxxxxxxxx]On Behalf Of Render-Vue
> Sent: Wednesday, October 17, 2001 4:03 AM
> To: cobalt-security@xxxxxxxxxxxxxxx
> Subject: RE: [cobalt-security] Logcheck & Crontab
>
>
> ~Spanky
>
> >>Did you (or someone) add "Active_Monitor_69" to violations.ignore?
> Send a bit of what your LogCheck used to show.<<
> -------------------------------------------------------------------
>
> Answer No...
>
> Here's a typical entry that we used to see from logcheck...
>
> Security Violations
> =-=-=-=-=-=-=-=-=-=
> Oct 17 04:55:51 ns imapd[12849]: Login failure user=Active_Monitor_69 host=localhost [127.0.0.1]
> (as the check is done hourly then there was usually another 3 similar
> readings)
>
> Unusual System Events
> =-=-=-=-=-=-=-=-=-=-=
> Oct 17 04:55:49 ns proftpd[12848]: ns.xxxxxxx.com (localhost[127.0.0.1]) - FTP session closed.
> Oct 17 04:55:49 ns in.proftpd[12848]: connect from 127.0.0.1
> Oct 17 04:55:50 ns imapd[12849]: connect from 127.0.0.1
> Oct 17 04:55:51 ns imapd[12849]: imap service init from 127.0.0.1
> Oct 17 04:55:51 ns imapd[12849]: Login failure user=Active_Monitor_69 host=localhost [127.0.0.1]
> Oct 17 04:55:54 ns imapd[12849]: Command stream end of file, while reading line user=Active_Monitor_69 host=localhost [127.0.0.1]
> Oct 17 04:55:54 ns sendmail[12852]: NOQUEUE: Null connection from localhost [127.0.0.1]
> ---------------------------------------------------------------
>
> As I mentioned, nothing has been changed in any of the logcheck files.
> This reading was done by calling /usr/local/sbin/swatch >>/var/cobalt/adm.log 2>&1
> from the root as SU, then invoking the logcheck script /usr/local/etc/logcheck.sh.
>
> Yet if logcheck runs in the cron.hourly all I get is the "Unusual System
> Events" readings, and this doesn't include any of the above in it. SPOOKY:
> it worked before but just stopped.
>
> Is there any way of checking that the crontab is activating the monitoring
> service, and that it is running as it should be? I think that the problem
> may be with crontab rather than logcheck - don't know.
>
> Regards from Auckland
>
> Chae
>
> _______________________________________________
> cobalt-security mailing list
> cobalt-security@xxxxxxxxxxxxxxx
> http://list.cobalt.com/mailman/listinfo/cobalt-security