Xymon Mailing List Archive

port rule evaluation in hobbit-clients.cfg

4 messages in this thread

Jay Brislin · Thu, 13 Sep 2007 09:20:08 -0400
I set up a PORT rule to alert for SENDMAIL logins in the DEFAULT section of my hobbit-clients.cfg file. I wanted
to override that rule for certain hosts to allow SENDMAIL logins. My hobbit-clients.cfg looks like this:
HOST=luxuria
        PORT "LOCAL=%([.:]25)$" state=ESTABLISHED min=0 max=9 color=green "TEXT=SENDMAIL logins"
DEFAULT
        # These are the built-in defaults.
        UP      1h
        LOAD    5.0 10.0
        DISK    * 90 95
        MEMPHYS 100 101
        MEMSWAP 70 85
        MEMACT  90 97
        PROC cron
        PROC ntpd
        PORT "LOCAL=%([.:]23)$" state=ESTABLISHED min=0 max=0 color=red "TEXT=TELNET logins"
        PORT "LOCAL=%([.:]25)$" state=ESTABLISHED min=0 max=0 color=red "TEXT=SENDMAIL logins"
        PORT "LOCAL=%([.:]20)$" state=ESTABLISHED min=0 max=0 color=red "TEXT=FTP logins"

But I see this on the hobbit server display:

green SENDMAIL logins (found 1, req. at most 9)
green TELNET logins (found 0, req. at most 0)
red SENDMAIL logins (found 1, req. at most 0)
green FTP logins (found 0, req. at most 0)

Does anybody know why both rules for the SENDMAIL port are being evaluated? The man page for hobbit-clients.cfg
says:

The entire file is evaluated from the top to bottom, and the first match found is used. So you should put
the specific settings first, and the generic ones last.


-- 
Jay
Henrik Størner · Thu, 13 Sep 2007 16:22:22 +0200
On Thu, Sep 13, 2007 at 09:20:08AM -0400, Jay Brislin wrote:
> I set up a PORT rule to alert for SENDMAIL logins in the DEFAULT section of my hobbit-clients.cfg file. I wanted
> to override that rule for certain hosts to allow SENDMAIL logins. My hobbit-clients.cfg looks like this:
> HOST=luxuria
>         PORT "LOCAL=%([.:]25)$" state=ESTABLISHED min=0 max=9 color=green "TEXT=SENDMAIL logins"
> DEFAULT
>         PORT "LOCAL=%([.:]23)$" state=ESTABLISHED min=0 max=0 color=red "TEXT=TELNET logins"
>         PORT "LOCAL=%([.:]25)$" state=ESTABLISHED min=0 max=0 color=red "TEXT=SENDMAIL logins"
>         PORT "LOCAL=%([.:]20)$" state=ESTABLISHED min=0 max=0 color=red "TEXT=FTP logins"

The DEFAULT section should ONLY be used to change the defaults for cpu-,
disk- and memory-thresholds. Do NOT use it for process- or
port-monitoring.  Instead, you should use:

HOST=luxuria
        PORT "LOCAL=%([.:]25)$" state=ESTABLISHED min=0 max=9 color=green "TEXT=SENDMAIL logins"

EXHOST=luxuria
        PORT "LOCAL=%([.:]23)$" state=ESTABLISHED min=0 max=0 color=red "TEXT=TELNET logins"
        PORT "LOCAL=%([.:]25)$" state=ESTABLISHED min=0 max=0 color=red "TEXT=SENDMAIL logins"
        PORT "LOCAL=%([.:]20)$" state=ESTABLISHED min=0 max=0 color=red "TEXT=FTP logins"


Henrik
Dominique Frise · Thu, 13 Sep 2007 16:49:46 +0200
Henrik Stoerner wrote:
> On Thu, Sep 13, 2007 at 09:20:08AM -0400, Jay Brislin wrote:
>> I set up a PORT rule to alert for SENDMAIL logins in the DEFAULT section of my hobbit-clients.cfg file. I wanted
>> to override that rule for certain hosts to allow SENDMAIL logins. My hobbit-clients.cfg looks like this:
>> HOST=luxuria
>>         PORT "LOCAL=%([.:]25)$" state=ESTABLISHED min=0 max=9 color=green "TEXT=SENDMAIL logins"
>> DEFAULT
>>         PORT "LOCAL=%([.:]23)$" state=ESTABLISHED min=0 max=0 color=red "TEXT=TELNET logins"
>>         PORT "LOCAL=%([.:]25)$" state=ESTABLISHED min=0 max=0 color=red "TEXT=SENDMAIL logins"
>>         PORT "LOCAL=%([.:]20)$" state=ESTABLISHED min=0 max=0 color=red "TEXT=FTP logins"
> The DEFAULT section should ONLY be used to change the defaults for cpu-,
> disk- and memory-thresholds. Do NOT use it for process- or
> port-monitoring.  Instead, you should use:
>
> HOST=luxuria
>         PORT "LOCAL=%([.:]25)$" state=ESTABLISHED min=0 max=9 color=green "TEXT=SENDMAIL logins"
>
> EXHOST=luxuria
>         PORT "LOCAL=%([.:]23)$" state=ESTABLISHED min=0 max=0 color=red "TEXT=TELNET logins"
>         PORT "LOCAL=%([.:]25)$" state=ESTABLISHED min=0 max=0 color=red "TEXT=SENDMAIL logins"
>         PORT "LOCAL=%([.:]20)$" state=ESTABLISHED min=0 max=0 color=red "TEXT=FTP logins"
>
>
> Henrik

We use the DEFAULT section for common LOG rules.
(IGNORE rules omitted for clarity)

DEFAULT
    # These are the built-in defaults.
    UP	   1h
    LOAD	   5.0 10.0
    DISK	   %^/cdrom/.* 101 101
    DISK	   * 90 95
    MEMPHYS 100 101
    MEMSWAP 50 80
    MEMACT  90 97
    LOG /var/adm/messages %(?-i)NOTICE|kern.error
    LOG /var/adm/messages %(?-i)WARNING COLOR=yellow IGNORE=%(?-i)forceload
    LOG /var/log/messages %(?-i)Redundancy\slost|degraded|error|Error
    LOG /var/log/messages %(?-i)failed IGNORE=%(?-i)cdrom:\sopen\sfailed COLOR=yellow
    LOG /var/log/system.log %(?-i)error|Error
    LOG /var/log/system.log %(?-i)failed COLOR=yellow


Is this really wrong?

Dominique
UNIL - University of Lausanne
Henrik Størner · Thu, 13 Sep 2007 17:30:48 +0200
On Thu, Sep 13, 2007 at 04:49:46PM +0200, Dominique Frise wrote:
> Henrik Stoerner wrote:
>> The DEFAULT section should ONLY be used to change the defaults for cpu-,
>> disk- and memory-thresholds. Do NOT use it for process- or
>> port-monitoring.  Instead, you should use:
> We use the DEFAULT section for common LOG rules.
[snip]
> Is this really wrong?

It isn't really *wrong*, but it isn't *right* either ...

The thing is - it works, until you need to do something like what the
original poster wrote: Have the default rules applied to all hosts
except a few.


Regards,
Henrik
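
An added example, not part of the thread and not Xymon code: a small lint that flags PORT and PROC rules placed in DEFAULT and lists any HOST= section that repeats the same rule, which is the layout that produced the two SENDMAIL results in the first message. The parser is a simplification that recognises only the HOST=, EXHOST= and DEFAULT selectors seen in this thread, and both sample configs are constructed by trimming the ones posted above.

```python
import re

SELECTORS = ("HOST=", "EXHOST=")   # assumption: only the selectors seen in this thread
FLAGGED = {"PORT", "PROC"}         # rule types the reply says to keep out of DEFAULT

# Constructed samples, trimmed from the two layouts posted in the thread.
ORIGINAL = r'''
HOST=luxuria
        PORT "LOCAL=%([.:]25)$" state=ESTABLISHED min=0 max=9 color=green "TEXT=SENDMAIL logins"
DEFAULT
        LOAD    5.0 10.0
        PORT "LOCAL=%([.:]23)$" state=ESTABLISHED min=0 max=0 color=red "TEXT=TELNET logins"
        PORT "LOCAL=%([.:]25)$" state=ESTABLISHED min=0 max=0 color=red "TEXT=SENDMAIL logins"
'''
SUGGESTED = r'''
HOST=luxuria
        PORT "LOCAL=%([.:]25)$" state=ESTABLISHED min=0 max=9 color=green "TEXT=SENDMAIL logins"
EXHOST=luxuria
        PORT "LOCAL=%([.:]23)$" state=ESTABLISHED min=0 max=0 color=red "TEXT=TELNET logins"
        PORT "LOCAL=%([.:]25)$" state=ESTABLISHED min=0 max=0 color=red "TEXT=SENDMAIL logins"
DEFAULT
        LOAD    5.0 10.0
'''

def parse(text):
    """Split the file into (selector, [rule tokens, ...]) sections, in file order."""
    sections = []
    for raw in text.splitlines():
        tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', raw)]
        if not tokens or tokens[0].startswith("#"):
            continue
        if tokens[0] == "DEFAULT" or tokens[0].startswith(SELECTORS):
            sections.append((" ".join(tokens), []))
        elif sections:
            sections[-1][1].append(tokens)
    return sections

def lint(text):
    """Report PORT/PROC rules in DEFAULT and the HOST= sections that repeat them."""
    sections = parse(text)
    findings = []
    for selector, rules in sections:
        if selector != "DEFAULT":
            continue
        for rule in (r for r in rules if r[0] in FLAGGED):
            key = rule[:2]  # rule type plus its first argument, e.g. the LOCAL= pattern
            repeated = [s for s, rs in sections
                        if s.startswith("HOST=") and any(r[:2] == key for r in rs)]
            findings.append((key[0], key[1], repeated))
    return findings

if __name__ == "__main__":
    for kind, pattern, hosts in lint(ORIGINAL):
        print(f"{kind} {pattern} in DEFAULT; also set under: {', '.join(hosts) or 'none'}")
```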