Re: [cobalt-users] Logcheck report
- Subject: Re: [cobalt-users] Logcheck report
- From: Glen Scott <glen@xxxxxxxxxxxxxxxxxxxx>
- Date: Tue May 29 18:11:40 2001
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
Hello all,
I have installed LogCheck-1.1.1 onto my Raq4r following every instruction
from the useful guide I found at UK2Raq.
Here is the guide I followed
http://www.uk2raq.com/raqfaq/raqfaqshow.php?faq=45
Everything seemed to work out perfectly with the install of LogCheck.
Does anybody know how to read / determine if the emails sent by LogCheck are
saying my Cobalt has been compromised or not?
I get a lot of this in a typical report...
----------------------------------------------------------------------------
<logcheck report snipped!>
None of the IPs listed in this report are mine, and for obvious reasons I
have removed my host and domain names.
I have read through the archives for this list and believe the lines by
proftpd ending in '- FTP session opened/closed.' are the active monitor, how
do I learn to suppress these or any lines in the report...
I just don't know how to read my hourly report...
Any help?
Thanks in advance...
Todd,
First of all- *don't panic*! The logcheck report didn't contain
anything that even remotely resembles a security breach.
Anything that Logcheck doesn't recognise, it will report. In this
case, it is alerting you to unusual behaviour from named (part of
the DNS server software on the RaQ). In actual fact, this is quite
a common problem from named and nothing to worry about.
To ignore this, you will need to add a line to logcheck.ignore along
the lines of
named.*bad referral
or similar. You may need to add this to logcheck.violations.ignore as well.
When you get any reports from logcheck that you don't understand,
just take a few minutes to search around on the web for possible
solutions before panicking. More often than not, Logcheck will be
reporting a false alarm.
Above all *read the documentation* that came with Logcheck. If you
don't understand it, then really you should uninstall it.
Regards,
Glen
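To make the advice above concrete, here is an added example (not code from this thread or from Logcheck itself) that models how Logcheck 1.1.1 sorts log lines into its report sections: the "security violations" section is built by matching keyword patterns and then dropping anything in logcheck.violations.ignore, while the "unusual system events" section is everything left after logcheck.ignore is applied with egrep -v -f. The keyword list, ignore patterns, log lines, hostnames and addresses are all constructed for this example; the case-insensitive matching is assumed.

```shell
#!/bin/sh
# Added example, not from the thread or from Logcheck: a simplified model of
# Logcheck's report filtering. All patterns and log lines are constructed.

# Constructed stand-in for logcheck.violations (keywords that flag a line).
VIOLATION_KEYWORDS='denied
refused
failed
bad'

# Constructed stand-in for logcheck.violations.ignore.
VIOLATIONS_IGNORE='named.*bad referral'

# Constructed stand-in for logcheck.ignore (egrep patterns, as in the reply).
IGNORE_PATTERNS='named.*bad referral
proftpd.*FTP session (opened|closed)'

# Constructed sample syslog lines; host "raq" and the addresses are placeholders.
SAMPLE_LOG='May 29 17:01:02 raq named[123]: bad referral (example.com !< example.org)
May 29 17:02:10 raq proftpd[456]: raq (203.0.113.5[203.0.113.5]) - FTP session opened.
May 29 17:02:15 raq proftpd[456]: raq (203.0.113.5[203.0.113.5]) - FTP session closed.
May 29 17:05:00 raq sshd[789]: Failed password for root from 198.51.100.7 port 4242 ssh2'

# Write a newline-separated pattern list to a temp file and print its path.
pattern_file() {
    f=$(mktemp) || return 1
    printf '%s\n' "$1" > "$f"
    printf '%s\n' "$f"
}

# "Security violations": lines matching a keyword, minus violations.ignore.
# Without the violations.ignore entry the named line would be reported here,
# which is why the reply says to add the pattern to both files.
violations_section() {
    kw=$(pattern_file "$VIOLATION_KEYWORDS") || return 1
    ig=$(pattern_file "$VIOLATIONS_IGNORE") || return 1
    printf '%s\n' "$SAMPLE_LOG" | grep -i -f "$kw" | grep -E -i -v -f "$ig"
    rm -f "$kw" "$ig"
    return 0
}

# "Unusual system events": everything that logcheck.ignore does not match.
unusual_section() {
    ig=$(pattern_file "$IGNORE_PATTERNS") || return 1
    printf '%s\n' "$SAMPLE_LOG" | grep -E -i -v -f "$ig"
    rm -f "$ig"
    return 0
}

# Number of lines a section would put in the mailed report.
count_lines() { "$1" | grep -c .; }
```

With these patterns only the sshd line survives either pass, so the named and proftpd noise disappears from the hourly mail while a real authentication failure is still reported.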