
List:       psad-discuss
Subject:    Re: [psad-discuss] psad on Ubuntu 8.04 Server: syslogd not
From:       Michael Rash <mbr () cipherdyne ! org>
Date:       2008-11-12 1:54:10
Message-ID: 20081112015410.GA17898 () cipherdyne ! org

On Nov 12, 2008, Sam Kuper wrote:

> I just noticed that my email client turned part of the last line of my
> syslog.conf, as pasted into my previous email, into a hyperlink. I'm
> posting it again below (in a plain-text email this time) for clarity.
> 
> All best,
> 
> Sam
> 
> 
> 
> #  /etc/syslog.conf     Configuration file for syslogd.
> #
> #                       For more information see syslog.conf(5)
> #                       manpage.
> 
> #
> # First some standard logfiles.  Log by facility.
> #
> 
> auth,authpriv.*                 /var/log/auth.log
> *.*;auth,authpriv.none          -/var/log/syslog
> #cron.*                         /var/log/cron.log
> daemon.*                        -/var/log/daemon.log
> kern.*                          -/var/log/kern.log
> lpr.*                           -/var/log/lpr.log
> mail.*                          -/var/log/mail.log
> user.*                          -/var/log/user.log
> 
> #
> # Logging for the mail system.  Split it up so that
> # it is easy to write scripts to parse these files.
> #
> mail.info                       -/var/log/mail.info
> mail.warn                       -/var/log/mail.warn
> mail.err                        /var/log/mail.err
> 
> # Logging for INN news system
> #
> news.crit                       /var/log/news/news.crit
> news.err                        /var/log/news/news.err
> news.notice                     -/var/log/news/news.notice
> 
> #
> # Some `catch-all' logfiles.
> #
> *.=debug;\
>         auth,authpriv.none;\
>         news.none;mail.none     -/var/log/debug
> *.=info;*.=notice;*.=warn;\
>         auth,authpriv.none;\
>         cron,daemon.none;\
>         mail,news.none          -/var/log/messages
> 
> #
> # Emergencies are sent to everybody logged in.
> #
> *.emerg                         *
> 
> #
> # I like to have messages displayed on the console, but only on a virtual
> # console I usually leave idle.
> #
> #daemon,mail.*;\
> #       news.=crit;news.=err;news.=notice;\
> #       *.=debug;*.=info;\
> #       *.=notice;*.=warn       /dev/tty8
> 
> # The named pipe /dev/xconsole is for the `xconsole' utility.  To use it,
> # you must invoke `xconsole' with the `-file' option:
> #
> #    $ xconsole -file /dev/xconsole [...]
> #
> # NOTE: adjust the list below, or you'll go crazy if you have a reasonably
> #      busy site..
> #
> daemon.*;mail.*;\
>         news.err;\
>         *.=debug;*.=info;\
>         *.=notice;*.=warn       |/dev/xconsole
> 
> kern.info\t|/var/lib/psad/psadfifo

This last line looks a bit strange in my email client at least.  It
should be:

kern.info   |/var/lib/psad/psadfifo

Where the whitespace after the "kern.info" part is a tab character.  It
looks like the tab is put as "\t" even though there should be other tabs
in the syslog.conf file too.  Can you edit the /etc/syslog.conf and
ensure that there is only whitespace instead of literally "\t"?  If you
need to make a change to the file, then restart syslog and restart psad
via the init scripts and see if that helps.

Another thing to check is to make sure that the iptables LOG rule is
configured to log messages at the appropriate priority so the kern.info
actually applies.  You can check this with "iptables -v -nL |grep LOG".
If things still do not work properly, I would temporarily modify your
syslog.conf file to send all kern.* messages through the psadfifo named
pipe and see if that helps.  If so, then you just need to use the
--log-level switch when building your LOG rule to whatever matches the
psadfifo line.

Thanks,

--Mike
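An added example, not code from the psad project or from either poster: a small POSIX sh audit of the two things Mike asks Sam to check. It reads a syslog.conf and reports whether the line feeding /var/lib/psad/psadfifo carries a literal backslash-t instead of a real tab, then parses "iptables -v -nL" output and compares the --log-level of every LOG rule against the fifo selector. The comparison goes slightly beyond the mail: it applies the general syslogd rule that a "facility.priority" selector matches that priority and everything more severe (numerically lower), so any LOG rule at a numerically higher level, not just a debug-level one, is flagged. The syslog.conf fragments and the iptables listing below are constructed so the script runs offline; on a real host feed it /etc/syslog.conf and the live iptables output.

```sh
#!/bin/sh
# Added example for this thread; not code from the psad project or from the
# posters.  It checks the two things Mike suggests, on constructed input:
#   1. the syslog.conf line feeding /var/lib/psad/psadfifo must contain a real
#      tab, not the two characters backslash-t;
#   2. every iptables LOG rule must log at a priority the fifo selector matches.
# syslogd's "facility.priority" selector matches that priority and everything
# more severe (numerically lower), so a LOG rule whose --log-level is
# numerically higher than the selector's priority never reaches psad.
# On a real host replace the sample data with /etc/syslog.conf and the
# output of "iptables -v -nL".

# syslog priority keyword -> numeric value (0 = emerg ... 7 = debug).
prio_num() {
    case "$1" in
        emerg|panic)  printf '%s\n' 0 ;;
        alert)        printf '%s\n' 1 ;;
        crit)         printf '%s\n' 2 ;;
        err|error)    printf '%s\n' 3 ;;
        warn|warning) printf '%s\n' 4 ;;
        notice)       printf '%s\n' 5 ;;
        info)         printf '%s\n' 6 ;;
        debug|'*')    printf '%s\n' 7 ;;   # "kern.*" matches every priority
        *)            printf '%s\n' -1 ;;  # unknown keyword (e.g. a typo)
    esac
}

# Read a syslog.conf on stdin.  Print the selector of the first line that
# writes to the psad fifo, or LITERAL_TAB (exit 1) if that line carries a
# literal backslash-t where the tab separating selector and action should be.
fifo_selector() {
    line=$(grep psadfifo | head -n 1)
    if printf '%s\n' "$line" | grep -Fq '\t'; then
        printf '%s\n' LITERAL_TAB
        return 1
    fi
    printf '%s\n' "$line" | awk '{ print $1 }'
}

# Read "iptables -v -nL" output on stdin and print the --log-level of each
# LOG rule (column 3 is the target; iptables prints "LOG flags N level N").
log_rule_levels() {
    awk '$3 == "LOG" { for (i = 1; i <= NF; i++) if ($i == "level") print $(i + 1) }'
}

# check_log_levels SELECTOR  < iptables-output
# Print "MISMATCH <level>" for every LOG rule the selector would not
# forward, "OK" if all are forwarded; exit status 1 on any mismatch.
check_log_levels() {
    prio=$(prio_num "${1#*.}")
    rc=0
    for lvl in $(log_rule_levels); do
        if [ "$prio" -lt 0 ] || [ "$lvl" -gt "$prio" ]; then
            printf 'MISMATCH %s\n' "$lvl"
            rc=1
        fi
    done
    if [ "$rc" -eq 0 ]; then printf '%s\n' OK; fi
    return "$rc"
}

# --- constructed sample data (not captured from any real host) ---------------
# The fifo line as it appeared in the quoted mail (literal backslash-t).
BAD_CONF='kern.*                          -/var/log/kern.log
kern.info\t|/var/lib/psad/psadfifo'
# The same line with a real tab.
GOOD_CONF=$(printf 'kern.*\t-/var/log/kern.log\nkern.info\t|/var/lib/psad/psadfifo\n')
# Two LOG rules: one at the default level 4 (warning), one at 7 (debug).
IPT_OUT='Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
   12   720 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4 prefix "IN="
    3   180 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 7 prefix "DBG="'

# --- demonstration ------------------------------------------------------------
printf '%s\n' "$BAD_CONF" | fifo_selector ||
    printf '%s\n' 'edit /etc/syslog.conf: replace the literal \t with a tab, then restart syslogd and psad'
sel=$(printf '%s\n' "$GOOD_CONF" | fifo_selector)
printf '%s\n' "$IPT_OUT" | check_log_levels "$sel" ||
    printf 'rebuild the LOG rule with --log-level %s (or lower) so %s forwards it\n' "${sel#*.}" "$sel"
```

Run against the sample data it reports LITERAL_TAB for the quoted config and "MISMATCH 7" for the debug-level LOG rule under a kern.info selector; with the temporary kern.* selector Mike suggests, every LOG rule passes, which is exactly why that change is a useful bisecting step before reaching for --log-level.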


-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
Build the coolest Linux based applications with Moblin SDK & win great prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/
_______________________________________________
psad-discuss mailing list
psad-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/psad-discuss