Re: [cobalt-security] [RaQ4] Good logchecker.ignore file for RaQ4i
- Subject: Re: [cobalt-security] [RaQ4] Good logchecker.ignore file for RaQ4i
- From: "Jelmer Jellema" <cobalt@xxxxxxxxxxxxxxx>
- Date: Wed, 30 Jan 2002 14:08:14 +0100
- Organization: Spin in het Web (www.spininhetweb.nl)
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
>From: Chris Williams
>This is just a sample. This happened every 15 min. 127.0.0.1 is my loopback
>address. I found an entry in my crontab file that called SWATCH every 15
>min. I basically put a # in front of it, restarted crond and everything
>stopped.
>Can anyone shed any light on this? Other than my log files are now quiet I
>have noticed no difference since I remarked out the command
Well, I guess Swatch is the program that warns you when a service crashes,
sending an e-mail to the address mentioned in the administrator interface. So
I think it's a good idea to let that one run. I put this in my
logcheck.ignore to stop those lines from being mentioned:
..:00:0.*proftpd.* \(localhost\[127.0.0.1\]\) - FTP session opened
..:00:0.*proftpd.* \(localhost\[127.0.0.1\]\) - FTP session closed
..:15:0.*proftpd.* \(localhost\[127.0.0.1\]\) - FTP session opened
..:15:0.*proftpd.* \(localhost\[127.0.0.1\]\) - FTP session closed
..:30:0.*proftpd.* \(localhost\[127.0.0.1\]\) - FTP session opened
..:30:0.*proftpd.* \(localhost\[127.0.0.1\]\) - FTP session closed
..:45:0.*proftpd.* \(localhost\[127.0.0.1\]\) - FTP session opened
..:45:0.*proftpd.* \(localhost\[127.0.0.1\]\) - FTP session closed
sendmail.*NOQUEUE\: localhost \[127\.0\.0\.1\] did not issue MAIL\/EXPN\/VRFY\/ETRN during connection to MTA
in.qpopper.* connect from [^[:space:]]+$
etc. etc.
My problem is to find a set of such rules that makes sure I don't get a mail
every x minutes, but I do get it when there's really something going on.
Jelmer
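
Added example, not part of the original message: a dry run of the proftpd ignore patterns above against sample log lines, to see which lines would still be reported. It assumes logcheck applies the ignore file as egrep patterns (emulated here with grep -E -v -f); the log lines, hostnames, PIDs and addresses are constructed.

```shell
#!/bin/sh
# Dry-run ignore patterns before trusting them to hide log lines.

# proftpd patterns copied from the message above.
ignore_patterns() {
cat <<'EOF'
..:00:0.*proftpd.* \(localhost\[127.0.0.1\]\) - FTP session opened
..:00:0.*proftpd.* \(localhost\[127.0.0.1\]\) - FTP session closed
..:15:0.*proftpd.* \(localhost\[127.0.0.1\]\) - FTP session opened
..:15:0.*proftpd.* \(localhost\[127.0.0.1\]\) - FTP session closed
..:30:0.*proftpd.* \(localhost\[127.0.0.1\]\) - FTP session opened
..:30:0.*proftpd.* \(localhost\[127.0.0.1\]\) - FTP session closed
..:45:0.*proftpd.* \(localhost\[127.0.0.1\]\) - FTP session opened
..:45:0.*proftpd.* \(localhost\[127.0.0.1\]\) - FTP session closed
EOF
}

# Constructed syslog lines: scheduled loopback checks, a loopback session
# off the schedule, a remote session, and a check that ran 12 seconds late.
sample_log() {
cat <<'EOF'
Jan 30 14:00:02 www proftpd[2101]: www (localhost[127.0.0.1]) - FTP session opened.
Jan 30 14:00:02 www proftpd[2101]: www (localhost[127.0.0.1]) - FTP session closed.
Jan 30 14:07:41 www proftpd[2150]: www (localhost[127.0.0.1]) - FTP session opened.
Jan 30 14:15:03 www proftpd[2188]: www (host.example.net[192.0.2.10]) - FTP session opened.
Jan 30 14:15:04 www proftpd[2190]: www (localhost[127.0.0.1]) - FTP session closed.
Jan 30 14:30:12 www proftpd[2201]: www (localhost[127.0.0.1]) - FTP session opened.
EOF
}

# Print the lines that survive the ignore pass, i.e. would still be mailed.
reported() {
    pat=$(mktemp) || return 1
    ignore_patterns > "$pat"
    sample_log | grep -E -v -f "$pat"
    rm -f "$pat"
}

reported
```

The three lines printed are the off-schedule loopback session, the remote session, and the check that started at second 12, which falls outside the `:30:0.` window and so is still reported.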