
Re: [cobalt-users] pafalertd and logsentry



> On Friday 27 September 2002 17:13, Paul Warner wrote:
> > > On Friday 27 September 2002 03:03 pm, Michael Gabriel wrote:
> > > > I'm totally lost here
> > > > I installed logsentry and killed most of the uninformative lines via
> > > > the ignore file
> > > > for some reason I can't find a fitting regex to kill:
> > > >
> > > > swatch checking sendmail and imapd
> > > > sendmail[5525]: NOQUEUE: localhost [127.0.0.1] did not issue
> > > > MAIL/EXPN/VRFY/ETRN during connection to MTA
> > > > imapd[6125]: Logout user=??? host=localhost [127.0.0.1]
> > >
> > > sendmail.*NOQUEUE.*localhost
> >
> > This does not work...I'm guessing (with the very limited docs) that the
> > .violations file containing EXPN and VRFY is why the filter doesn't
> > work...anyone know more about the function of the logcheck.violations and
> > logcheck.violations.ignore files?
> >
>
> What kind of a Cobalt Server do you have?
> That statement works on RaQ4s
>

Gerald-

It is a RaQ4.  I had fought this a while back and was unsuccessful and just
ignore it...figured since someone else brought it up maybe there was some magic
I was missing...

These are the relevant entries from logcheck.ignore:
sendmail.*User Unknown
sendmail.*alias database.*rebuilt
sendmail.*aliases.*longest
sendmail.*from=
sendmail.*lost input channel
sendmail.*message-id=
sendmail.*putoutmsg
sendmail.*return to sender
sendmail.*return to sender
sendmail.*stat=
sendmail.*timeout waiting
sendmail.*NOQUEUE.*localhost

and these are in the email logcheck spits...
Security Violations
=-=-=-=-=-=-=-=-=-=
Sep 27 17:30:02 kanga sendmail[13283]: NOQUEUE: localhost [127.0.0.1] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA

Unusual System Events
=-=-=-=-=-=-=-=-=-=-=
Sep 27 17:20:06 kanga named[478]: ns_forw: query(177.218.119.66.in-addr.arpa) All possible A RR's lame
Sep 27 17:30:01 kanga imapd[13217]: imap service init from 127.0.0.1
Sep 27 17:30:01 kanga imapd[13217]: Logout user=??? host=localhost [127.0.0.1]
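
How the four filter files interact, as an added example that is not part of the original message or of logcheck itself: it models the order the stock logcheck.sh applies them, where lines matching logcheck.violations are reported under Security Violations and can only be suppressed by logcheck.violations.ignore, while logcheck.ignore filters only the Unusual System Events section. Assumptions: the EXPN/VRFY keyword entries, the stat=Deferred entry, the fourth log line and the temp-dir file names are constructed for the demonstration.

```shell
#!/bin/sh
# Model of logcheck's classification order (assumed from the stock logcheck.sh).
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

setup() {
    # Log lines from the message, plus one constructed "from=" line.
    cat > "$WORK/log" <<'EOF'
Sep 27 17:30:02 kanga sendmail[13283]: NOQUEUE: localhost [127.0.0.1] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Sep 27 17:30:01 kanga imapd[13217]: imap service init from 127.0.0.1
Sep 27 17:30:01 kanga imapd[13217]: Logout user=??? host=localhost [127.0.0.1]
Sep 27 17:30:03 kanga sendmail[13290]: g8RLU3x13290: from=<a@example.com>, size=100
EOF
    printf '%s\n' 'EXPN' 'VRFY' > "$WORK/violations"           # assumed keywords
    printf '%s\n' 'stat=Deferred' > "$WORK/violations.ignore"  # assumed entry
    printf '%s\n' 'sendmail.*from=' 'sendmail.*NOQUEUE.*localhost' > "$WORK/ignore"
}

# Stage 1: keyword hits, filtered ONLY by violations.ignore.
security_violations() {
    grep -i -f "$WORK/violations" "$WORK/log" | grep -v -f "$WORK/violations.ignore"
}

# Stage 2: everything not matched by the ignore file.
unusual_events() {
    grep -v -f "$WORK/ignore" "$WORK/log"
}

# Suppress a known-benign violation; keep the pattern as narrow as possible,
# since anything it matches disappears from the Security Violations report.
ignore_violation() {
    printf '%s\n' "$1" >> "$WORK/violations.ignore"
}

report() {
    echo "Security Violations"; security_violations
    echo "Unusual System Events"; unusual_events
    echo
}

setup
report                                            # NOQUEUE still under violations
ignore_violation 'sendmail.*NOQUEUE.*localhost'
report                                            # NOQUEUE gone from both sections
```

The first report reproduces the behaviour in the message: the pattern in the ignore file keeps the NOQUEUE line out of Unusual System Events but not out of Security Violations.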