BBWin and Hobbit msgs log question.
Robert P McGraw
HOBBIT SERVER: SunOS zorn.math.purdue.edu 5.10 Generic_120011-14 sun4u sparc SUNW,Sun-Fire-280R running Hobbit 4.2
BBWIN CLIENT: Microsoft Windows Server 2003, Standard Edition Service Pack 2 (build 3790) running BBWin V.12
On the hobbit server I have the following event logs under msgs that are coming from the BBWin server. I am not sure how I can monitor these log messages.
Full log eventlog_application
information - 2008/06/16 09:52:34 - sshd (0) - The description for Event ID ( 0 ) in Source ( sshd ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: sshd: PID 3320: Connection closed by 128.210.3.177.
information - 2008/06/16 09:47:33 - sshd (0) - The description for Event ID ( 0 ) in Source ( sshd ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: sshd: PID 3524: Connection closed by 128.210.3.177.
What would I put in the hobbit server hobbit-clients.cfg file to make the msgs icon for the bbwin client turn yellow?
I had tried
LOG event_application information color=yellow
But that did not work.
Thanks
Robert
Robert P. McGraw, Jr.
Manager, Computer System EMAIL: user-33cf07af04dd@xymon.invalid
Purdue University ROOM: MATH-807
Department of Mathematics PHONE: (XXX) XXX-XXXX
XXX N. University Street
West Lafayette, IN XXXXX-XXXX
Aaron Zink
Robert,
If you are running in centralized mode, to get message log alerting you will also need something in client-local.cfg, such as:
[win32]
eventlog:application
ignore information
ignore BigBrotherHobbitClient
eventlog:system
ignore information
Then your LOG entry in hobbit-clients.cfg *should* work after restarting hobbit and bbwin, but you probably need/want to use regexes to refine the alerts. For example, I use:
CLASS=win32
LOG %application.* "%error - .*" COLOR=red
LOG %application.* "%warning - .*" COLOR=yellow
Hope this helps.
Aaron Zink
Corporate IT Manager
eHarmony.com
XXX.XXX.XXXX
-----Original Message-----
From: McGraw, Robert P [mailto:user-33cf07af04dd@xymon.invalid]
Sent: Monday, June 16, 2008 07:09
To: user-cfc16496e024@xymon.invalid; user-ae9b8668bcde@xymon.invalid
Subject: [hobbit] BBWin and Hobbit msgs log question.
Robert P McGraw
Aaron.
A couple questions:
[mailrelay.math.purdue.edu] is my win32 client; I just use a host name.
On my server my client-local.cfg looks like the following:
[mailrelay.math.purdue.edu]
file:c:\Alligate\Digests\(user-0fe9b25bd89e@xymon.invalid).txt
eventlog:security
On the BBWin client I have
$ cat clientlocal.cfg
file:c:\Alligate\Digests\(user-0fe9b25bd89e@xymon.invalid).txt
eventlog:security
Which shows that it was read from the server correctly.
On the hobbit server in my hobbit-clients I have
HOST=mailrelay.math.purdue.edu
UP 30m 1w
LOAD 40.0 70.0
DISK * 90 95
FILE c:\Alligate\Digests\(user-0fe9b25bd89e@xymon.invalid).txt red
MTIME<43200
LOG %security "Login attempt" COLOR=yellow
1) The second parameter of the LOG entry should be the file name. What is
the file name for the event security logs?
2) It seems that when I added "eventlog:security" I get the [logfile:tlog]
error message in the msg.mailrelay.math.purdue.edu.txt file that is located
in the BBWin/tmp directory. Do you get this?
3) From the information above and the snippet of my msg. file, can you give me
the LOG entry that you think would work?
Snippet from my msg.mailrelay.math.purdue.edu.txt file on the BBWin client
mailrelay.
[logfile:tlog]
ERROR: The system cannot find the file specified.
[msgs:eventlog_application]
[msgs:eventlog_security]
success - 2008/06/16 17:53:25 - Security (576) - Special privileges assigned
to new logon: User Name: Domain: Logon ID: (0x0,0x84B6EDC) Privileges:
SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege
SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege SeImpersonatePrivilege
success - 2008/06/16 17:53:25 - Security (528) - Successful Logon: User
Name: rmcgraw Domain: MAILRELAY Logon ID: (0x0,0x84B6EDC) Logon Type: 2
Logon Process: Advapi Authentication Package: Negotiate Workstation Name:
MAILRELAY Logon GUID: - Caller User Name: sshd_server Caller Domain:
MAILRELAY Caller Logon ID: (0x0,0x10A65) Caller Process ID: 2856 Transited
Services: - Source Network Address: - Source Port: -
success - 2008/06/16 17:53:25 - Security (552) - Logon attempt using
explicit credentials: Logged on user: User Name: sshd_server Domain:
MAILRELAY Logon ID: (0x0,0x10A65) Logon GUID: - User whose credentials were
used: Target User Name: rmcgraw Target Domain: MAILRELAY Target Logon GUID:
- Target Server Name: localhost Target Server Info: localhost Caller Process
ID: 2856 Source Network Address: - Source Port: -
success - 2008/06/16 17:53:25 - Security (680) - Logon attempt by:
MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon account: rmcgraw Source
Workstation: MAILRELAY Error Code: 0x0
success - 2008/06/16 17:49:42 - Security (538) - User Logoff: User Name:
rmcgraw Domain: MAILRELAY Logon ID: (0x0,0x849D0DB) Logon Type: 7
success - 2008/06/16 17:49:42 - Security (576) - Special privileges assigned
to new logon: User Name: rmcgraw Domain: MAILRELAY Logon ID: (0x0,0x849D0DB)
Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege
SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege SeImpersonatePrivilege
success - 2008/06/16 17:49:42 - Security (528) - Successful Logon: User
Name: rmcgraw Domain: MAILRELAY Logon ID: (0x0,0x849D0DB) Logon Type: 7
Logon Process: User32 Authentication Package: Negotiate Workstation Name:
MAILRELAY Logon GUID: - Caller User Name: MAILRELAY$ Caller Domain: MATHNET
Caller Logon ID: (0x0,0x3E7) Caller Process ID: 3008 Transited Services: -
Source Network Address: 128.210.3.202 Source Port: 57339
success - 2008/06/16 17:49:42 - Security (552) - Logon attempt using
explicit credentials: Logged on user: User Name: MAILRELAY$ Domain: MATHNET
Logon ID: (0x0,0x3E7) Logon GUID: - User whose credentials were used: Target
User Name: rmcgraw Target Domain: MAILRELAY Target Logon GUID: - Target
Server Name: localhost Target Server Info: localhost Caller Process ID: 3008
Source Network Address: 128.210.3.202 Source Port: 57339
success - 2008/06/16 17:49:42 - Security (680) - Logon attempt by:
MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon account: rmcgraw Source
Workstation: MAILRELAY Error Code: 0x0
[msgs:eventlog_system]
-----Original Message-----
From: Aaron Zink [mailto:user-d721f5a4f642@xymon.invalid]
Sent: Monday, June 16, 2008 2:43 PM
To: user-ae9b8668bcde@xymon.invalid
Subject: RE: [hobbit] BBWin and Hobbit msgs log question.
Aaron Zink
I'll try to answer these:
1) Honestly I'm not sure. It shows up in the .txt file in tmp as eventlog_application but I have had more luck just using some sort of regex with application in it, like ^.*application.*$. No idea if this is a bug or not. One thing you could try to troubleshoot is just use an all-encompassing regex like .* for the file name to narrow it down.
2) Yes, I do see the [logfile:tlog] error when eventlog:Security is enabled, but I don't believe it is causing any issues.
3) I don't see any errors or failures in your security log, and nothing is in the application or system logs, so I'm not sure what to look for. Right now I'm using:
hobbit-client.cfg:
CLASS=win32
LOG %.* "%error - .*" COLOR=red
LOG %.* "%failure - .*" COLOR=red
LOG %.* "%warning - .*" COLOR=yellow
client-local.cfg
[win32]
eventlog:security
ignore Success
eventlog:application
ignore information
eventlog:system
ignore information
It can be more refined by specifying the log names, but it ensures that all errors, warnings or failures are caught no matter which log they are in. The ignore entries are an attempt to clean up the data being sent to the hobbit server, but I can't get them to work.
- Aaron Zink
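As an added illustration (not code from this thread, nor from Hobbit or BBWin), here is a small Python model of how the LOG rules in Aaron's last reply are applied to the msgs lines BBWin sends: it parses the "level - timestamp - source (id) - text" format quoted above and reports the worst colour that any rule produces. The "%-prefix means regex, otherwise literal" matching semantics, the sample lines and the constructed failure event are assumptions of the model, not verified Hobbit behaviour.

```python
import re

# Constructed sample of BBWin "msgs" eventlog lines in the format the thread
# shows: "<level> - <yyyy/mm/dd hh:mm:ss> - <source> (<event id>) - <text>".
# The first two mirror events quoted in the thread; the failure line is
# constructed (529 is the Windows 2003 "Logon Failure" audit event).
SAMPLE_MSGS = {
    "eventlog_application": [
        "information - 2008/06/16 09:52:34 - sshd (0) - sshd: PID 3320: "
        "Connection closed by 128.210.3.177.",
    ],
    "eventlog_security": [
        "success - 2008/06/16 17:53:25 - Security (528) - Successful Logon: "
        "User Name: rmcgraw Domain: MAILRELAY Logon Type: 2",
        "failure - 2008/06/16 18:02:11 - Security (529) - Logon Failure: "
        "Reason: Unknown user name or bad password User Name: rmcgraw",
    ],
    "eventlog_system": [],
}

# Rules as written in hobbit-clients.cfg: (log name, line pattern, color).
# A leading "%" marks a regex, as in Aaron's examples.
RULES_AARON = [
    ("%.*", "%error - .*", "red"),
    ("%.*", "%failure - .*", "red"),
    ("%.*", "%warning - .*", "yellow"),
]
# Robert's first attempt, for comparison (literal log name and pattern).
RULES_ROBERT = [("event_application", "information", "yellow")]

SEVERITY = {"green": 0, "yellow": 1, "red": 2}

def parse_event(line):
    """Split one BBWin eventlog line into its fields (None if not in that format)."""
    m = re.match(r"^(\w+) - (\S+ \S+) - (.+?) \((\d+)\) - (.*)$", line)
    if not m:
        return None
    level, stamp, source, event_id, text = m.groups()
    return {"level": level, "time": stamp, "source": source,
            "id": int(event_id), "text": text}

def pattern_matches(pattern, value, whole=False):
    """Model assumption: '%' = regex search; otherwise a literal match
    (whole string for log names, substring for line text)."""
    if pattern.startswith("%"):
        return re.search(pattern[1:], value) is not None
    return pattern == value if whole else pattern in value

def evaluate(rules, msgs):
    """Return (worst color, list of (log, color, line) hits); worst color wins."""
    hits = []
    for logname, lines in msgs.items():
        for line in lines:
            for name_pat, line_pat, color in rules:
                if pattern_matches(name_pat, logname, whole=True) and \
                   pattern_matches(line_pat, line):
                    hits.append((logname, color, line))
                    break  # first matching rule decides this line's color
    worst = max((h[1] for h in hits), key=SEVERITY.get, default="green")
    return worst, hits

if __name__ == "__main__":
    print(evaluate(RULES_AARON, SAMPLE_MSGS)[0])   # red: the failure line matched
    print(evaluate(RULES_ROBERT, SAMPLE_MSGS)[0])  # green: no log is named event_application
```

In this model Robert's literal log name never matches, because the log BBWin reports is named eventlog_application, which is the point Aaron makes in answer 1.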
-----Original Message-----
From: McGraw, Robert P [mailto:user-33cf07af04dd@xymon.invalid]
Sent: Monday, June 16, 2008 15:26
To: user-ae9b8668bcde@xymon.invalid
Subject: RE: [hobbit] BBWin and Hobbit msgs log question.