Xymon Mailing List Archive

Flooding hobbit

list Vernon Everett
Mon, 28 Apr 2008 11:34:02 +0800
Message-Id: <user-08c47ae43d48@xymon.invalid>

Hi Ettienne

This sounds like a good plan.
I think my knowledge of Windoze and BBWin is too lacking for me to think
of this sort of thing on my own.

The bulk of the noise is coming through in the "Full log
eventlog_security" section.
Most of them are lines like this one
success - 2008/04/28 10:41:34 - Security (680) - Logon attempt by:
MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon account: xxxxxx Source
Workstation: ABCDEFG Error Code: 0x0

The lines start with "success", and appear to end with "Error Code: 0x0"

I tried both these entries in client-local.cfg:
[win32]
eventlog:security
ignore success

It gave me no joy, but according to the comments in client-local.cfg, I
would have expected it to.

Or should it look like this
[win32]
eventlog:security
ignore 0

This did the trick.
Can you confirm that it would only remove the return code 0x0, and not
remove all lines containing a 0?

Thanks
    Vernon


-----Original Message-----
From: Etienne Grignon [mailto:user-87c74c1037a4@xymon.invalid]
Sent: Thursday, 24 April 2008 4:51 PM
To: user-ae9b8668bcde@xymon.invalid
Subject: Re: [hobbit] Flooding hobbit

Hello Vernon,

2008/4/18, Everett, Vernon <user-9da1a1882f49@xymon.invalid>:
Hoping somebody has encountered this before.
We have put BBWin on a few Windoze servers, but one of them, a DC, has a HUGE event log.
So large, that hobbit is freaking out, and doing the "Data flooding from 1.2.3.4, closing connection" thing.

I know this is hobbit protecting itself from a DOS attack, but is there a way around this?
Can I somehow tell hobbit not to do this for that IP address?

Unfortunately, because of its function, we can't reduce the logging on
the Windoze server, so we need to either
    a) get hobbit to handle the problem (desirable solution)
    b) get bbwin to truncate the event log (less desirable)
Do you use the central or local mode of BBWin?

Depending on the mode you use, you may add ignore rules in your BBWin.cfg
(local mode) or client-local.cfg (win32 section) on the hobbit server.

Example for local mode in BBWin.cfg:
<ignore logfile="Application" type ="Error" eventid="2001" />

Example for central mode in client-local.cfg:
[win32]
eventlog:application
ignore 2001


--
Etienne GRIGNON


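To make Vernon's question concrete (does an event-ID ignore rule drop only events with that ID, or every line containing that digit?), here is an added Python illustration. It is not BBWin or Hobbit code and does not confirm how client-local.cfg's `ignore` is actually matched; it assumes an event-ID rule compares the whole ID as a number, and contrasts that with a naive substring match over the constructed sample lines (same shape as the "Full log eventlog_security" line quoted above; account and host names are placeholders).

```python
import re
from dataclasses import dataclass

# Constructed sample lines in the shape BBWin reports them in the
# "Full log eventlog_security" section. Accounts and hosts are placeholders.
SAMPLE_LOG = """\
success - 2008/04/28 10:41:34 - Security (680) - Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon account: user1 Source Workstation: HOST1 Error Code: 0x0
failure - 2008/04/28 10:41:35 - Security (680) - Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon account: user2 Source Workstation: HOST2 Error Code: 0xC000006A
success - 2008/04/28 10:41:36 - Security (540) - Successful Network Logon: User Name: user1 Domain: EXAMPLE Logon ID: (0x0,0x1A2B3C)
error - 2008/04/28 10:42:00 - Application (2001) - Some application error text
"""

# "<status> - <date time> - <source> (<eventid>) - <message>"
LINE_RE = re.compile(
    r"^(?P<status>\w+) - (?P<ts>\S+ \S+) - (?P<source>\w+) "
    r"\((?P<eventid>\d+)\) - (?P<msg>.*)$"
)


@dataclass
class Event:
    status: str
    timestamp: str
    source: str
    eventid: int
    message: str


def parse_eventlog(text):
    """Parse BBWin-style eventlog lines; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(Event(m["status"], m["ts"], m["source"],
                                int(m["eventid"]), m["msg"]))
    return events


def format_line(e):
    """Reconstruct the original one-line form of an event."""
    return f"{e.status} - {e.timestamp} - {e.source} ({e.eventid}) - {e.message}"


def ignore_by_eventid(events, eventid):
    """Assumed semantics of an ID rule: drop events whose whole ID equals eventid."""
    return [e for e in events if e.eventid != eventid]


def ignore_by_substring(events, needle):
    """Naive alternative: drop any line that contains `needle` anywhere.
    With needle "0" this wipes out every line, because the dates contain zeros."""
    return [e for e in events if needle not in format_line(e)]


def ignore_success_with_zero_code(events):
    """Target only the noisy lines: status 'success' ending in 'Error Code: 0x0'."""
    return [e for e in events
            if not (e.status == "success" and e.message.endswith("Error Code: 0x0"))]


if __name__ == "__main__":
    evs = parse_eventlog(SAMPLE_LOG)
    print("parsed:", len(evs))
    print("ignore id 0 (whole-ID match):", len(ignore_by_eventid(evs, 0)))
    print("ignore substring '0':", len(ignore_by_substring(evs, "0")))
    print("ignore success/0x0 only:", len(ignore_success_with_zero_code(evs)))
```

Run against the constructed sample, the whole-ID rule for event 0 drops nothing (no event has ID 0), while a substring match on "0" removes every line. The last filter shows the narrow rule a defender would actually want: it keeps the failed logon (680 with a non-zero error code) and the unrelated application error, which are the lines worth seeing once the successful-logon noise is gone.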