Xymon Mailing List Archive

Monitoring MSGS issues

3 messages in this thread

list Tats Shibata · Sun, 17 Dec 2006 17:50:09 +0900 ·
Hi all,

I have two issues with MSGS. Thanks for your help.

# Environment #

  Hobbit: Hobbit 4.2.0
      OS: CentOS 4.4 (Linux 2.6.9)
Hostname: oscar (Both Hobbit server and client)

1. "ignore" clause in client-local.cfg doesn't filter it out.

I set the below in client-local.cfg on oscar, but the msgs page on Hobbit shows the below. Why doesn't it filter out "br104fmx"?

== ~hobbit/server/etc/client-local.cfg ==
[oscar]
log:/var/log/messages:10240
ignore br104fmx

== oscar - msgs ==
No entries in /var/log/messages


Full log /var/log/messages
Dec 17 16:50:43 uniform brl04fmx TCP connection dropped -  Source:xxx.xxx.xxx.xxx,6293,WAN - Destination:xxx.xxx.xxx.xxx,53131,LAN
Dec 17 16:50:43 uniform brl04fmx [2006-12-17 16:50:43] | From: [xxx.xxx.xxx.xxx] | Port:[53131] | [Blocked]
Dec 17 16:51:16 uniform brl04fmx TCP connection dropped -  Source:xxx.xxx.xxx.xxx,4689,WAN - Destination:xxx.xxx.xxx.xxx,445,LAN
Dec 17 16:51:16 uniform brl04fmx [2006-12-17 16:51:16] | From: [xxx.xxx.xxx.xxx] | Port:[445] | [Blocked]
Dec 17 16:52:22 oscar su(pam_unix)[4887]: session opened for user  root by gadget(uid=500)
Dec 17 16:55:43 uniform brl04fmx TCP connection dropped -  Source:xxx.xxx.xxx.xxx,6293,WAN - Destination:xxx.xxx.xxx.xxx,53147,LAN
(abbr)

2. I set the below in hobbit-clients.cfg on oscar, but Hobbit doesn't alert on it. The logfile sent is below. Why doesn't Hobbit alert on "failure"? PORT and PROC have no problems.

== ~hobbit/server/etc/hobbit-clients.cfg ==
HOST=oscar
     PORT 139 "TEXT=NetBIOS: 139"
     PORT 445 "TEXT=SMB: 445"
     PORT 3303 "TEXT=MySQL: 3306"
     PORT 3690 "TEXT=Subversion: 3690"
     LOG /var/log/messages failure
     PROC nfsd
     PROC mysqld 2
     PROC smbd
     PROC svnserve

== oscar - msgs ==
No entries in /var/log/messages


Full log /var/log/messages
(abbr)
Dec 17 17:28:40 uniform brl04fmx TCP connection dropped -  Source:xxx.xxx.xxx.xxx,6293,WAN - Destination:xxx.xxx.xxx.xxx,53404,LAN
Dec 17 17:28:40 uniform brl04fmx [2006-12-17 17:28:40] | From: [xxx.xxx.xxx.xxx] | Port:[53404] | [Blocked]
Dec 17 17:30:26 oscar sshd(pam_unix)[5637]: authentication failure;  logname= uid=0 euid=0 tty=ssh ruser= rhost=powermac  user=gadget
Dec 17 17:30:35 oscar sshd(pam_unix)[5637]: 2 more authentication  failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=powermac   user=gadget
Dec 17 17:33:39 uniform brl04fmx TCP connection dropped -  Source:xxx.xxx.xxx.xxx,6293,WAN - Destination:xxx.xxx.xxx.xxx,53418,LAN
Dec 17 17:33:39 uniform brl04fmx [2006-12-17 17:33:39] | From: [xxx.xxx.xxx.xxx] | Port:[53418] | [Blocked]
(abbr)


Thanks,

-- 
Tats SHIBATA
Rewse Lab.
list Lars Ebeling · Sun, 17 Dec 2006 10:03:38 +0100 ·
Your first question I don't understand, but in the second try with:

LOG /var/log/messages %failure

Lars


list Tats Shibata · Sun, 17 Dec 2006 20:36:59 +0900 ·
Hi Lars,

Thanks for your answer. I fixed the second question by %.

And the first question was resolved, too. I'm ashamed to say that I set br104fmx (BR1) but it is brl04fmx (BRL) in the log...

Yours,

-- 
Tats SHIBATA
Rewse Lab.
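
The mismatch resolved above (digit "1" typed where the log has letter "l") can be caught before deployment by checking each ignore pattern against a log sample. This is an added example, not code from the thread or from Hobbit; it assumes patterns are treated as Python regular expressions, and the function names and shortened sample lines are illustrative.

```python
import re

# Characters easily confused when retyping an identifier by eye.
CONFUSABLE = str.maketrans({"l": "1", "I": "1", "|": "1", "O": "0"})

def fold(s):
    """Collapse look-alike characters so near-identical tokens compare equal."""
    return s.translate(CONFUSABLE)

def parse_ignores(cfg_text):
    """Return {section: [ignore patterns]} from client-local.cfg-style text."""
    sections, current = {}, None
    for raw in cfg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = []
        elif current is not None and line.startswith("ignore "):
            sections[current].append(line[len("ignore "):].strip())
    return sections

def audit(patterns, log_lines):
    """Map each pattern to (hit count, look-alike tokens seen in the log)."""
    tokens = {t for l in log_lines for t in re.findall(r"[A-Za-z0-9_.-]+", l)}
    report = {}
    for p in patterns:
        hits = sum(1 for l in log_lines if re.search(p, l))
        near = []
        if hits == 0:  # a pattern that never matches filters nothing
            near = sorted(t for t in tokens if t != p and fold(t) == fold(p))
        report[p] = (hits, near)
    return report

# Config as posted in the thread.
SAMPLE_CFG = """[oscar]
log:/var/log/messages:10240
ignore br104fmx
"""

# Log lines shortened from the thread's excerpt (sample input).
SAMPLE_LOG = [
    "Dec 17 16:50:43 uniform brl04fmx TCP connection dropped - Source:xxx.xxx.xxx.xxx,6293,WAN",
    "Dec 17 16:51:16 uniform brl04fmx [2006-12-17 16:51:16] | Port:[445] | [Blocked]",
    "Dec 17 16:52:22 oscar su(pam_unix)[4887]: session opened for user root by gadget(uid=500)",
]

if __name__ == "__main__":
    for pat, (hits, near) in audit(parse_ignores(SAMPLE_CFG)["oscar"], SAMPLE_LOG).items():
        print(f"{pat}: {hits} matching lines; look-alikes in log: {near}")
```

A pattern with zero hits and a look-alike token in the log is almost always a transcription error rather than a quiet log source.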