
List:       psad-discuss
Subject:    Re: [psad-discuss] Psad mail output
From:       Michael Rash <michael.rash () gmail ! com>
Date:       2015-03-08 15:19:16
Message-ID: CAA9wn8k8qDgYAAr62uTTiznxA=bT3fsoqkaM2_t+PxwpweRoYQ () mail ! gmail ! com


On Sun, Mar 8, 2015 at 3:49 AM, Shlomit Afgin <shlomit.afgin@weizmann.ac.il>
wrote:

>
>  Hi,
>  I installed psad on a few Linux machines.
>  I get emails with:
>
>   …
>
>        Syslog hostname: unknown
>
>
psad attempts to extract the hostname from the iptables log messages
reported by syslog, but in this case it doesn't look like it was able to do
this. The "unknown" string is a fallback just in case psad wasn't able to
extract the hostname (as shown above).  Would you mind sending me a few of
your iptables log messages so I can troubleshoot this? You can anonymize
the IP addresses if you like. Usually something like "grep OUT=
/var/log/messages" will do the trick unless you are running on a system
where syslog messages are available through journalctl.

Also, what Linux distro and version of psad are you running?  (Use "psad
-V" to get the version.)



>
>  …
> [+] Whois Information (source IP):
> Whois data not available!
>
>

Is the source IP actually blank in the psad email? That would be strange.

There were some fixes in psad-2.2.4 for whois data processing.

Thanks,

--Mike




>
>
>  I cannot know from which machine it is coming.
>
>  What is the server missing that I'm not getting 'syslog hostname'
>  and 'whois information'?
>
>  Thanks.
>
>
> _______________________________________________
> psad-discuss mailing list
> psad-discuss@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/psad-discuss
>
>


-- 
Michael Rash | Founder
http://www.cipherdyne.org/
Key fingerprint = 53EA 13EA 472E 3771 894F  AC69 95D8 5D6B A742 839F
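To make Mike's point about where "Syslog hostname: unknown" comes from concrete, here is a small added example (not psad's own code, which is Perl; this is an illustration I wrote for this thread). It parses iptables log lines in the two syslog line shapes commonly seen in /var/log/messages (traditional "Mar  8 03:49:01 host kernel: ..." and rsyslog's ISO-timestamp variant), pulls out the iptables KEY=VALUE fields, and falls back to "unknown" when the line carries no hostname field, which is what you get when the message text alone is fed in, for example from journalctl output that omits the hostname column. The sample lines, hostnames and IP addresses are constructed for the example; the field names (IN, OUT, SRC, DST, ...) are the standard iptables LOG target ones.

```python
import re
from collections import Counter

# Constructed sample log lines (hostnames and addresses are made up).
SAMPLE_LINES = [
    # Traditional syslog format as written to /var/log/messages.
    "Mar  8 03:49:01 fw1 kernel: [12345.678] DROP IN=eth0 OUT= "
    "MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 "
    "LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=54321 PROTO=TCP SPT=44321 DPT=22 "
    "WINDOW=1024 RES=0x00 SYN URGP=0",
    # rsyslog high-precision (ISO 8601) timestamp variant.
    "2015-03-08T03:49:02.123456+02:00 fw2 kernel: DROP IN=eth0 OUT= "
    "SRC=198.51.100.7 DST=192.0.2.11 PROTO=UDP SPT=53 DPT=33434",
    # Message text only, as journalctl prints it without the hostname column
    # (assumed cause of the "unknown" fallback in this thread).
    "DROP IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 PROTO=UDP SPT=53 DPT=33435",
    # Not an iptables line at all; must be ignored.
    "Mar  8 03:50:11 fw1 sshd[1234]: Accepted publickey for admin from 192.0.2.20",
]

# timestamp (either shape), hostname, program tag with optional [pid], message
SYSLOG_RE = re.compile(
    r"^(?:[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}|\d{4}-\d{2}-\d{2}T\S+)\s+"
    r"(?P<host>\S+)\s+(?P<tag>[^:\s\[]+)(?:\[\d+\])?:\s*(?P<msg>.*)$"
)
# iptables LOG target fields look like KEY=VALUE; OUT= may legitimately be empty.
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_line(line):
    """Return {'syslog_hostname': ..., 'fields': {...}} for an iptables log line,
    'unknown' as the hostname when the syslog header is absent, or None when
    the line does not look like an iptables LOG message at all."""
    m = SYSLOG_RE.match(line)
    if m:
        host, msg = m.group("host"), m.group("msg")
    else:
        # No syslog header: keep the message but record the hostname as unknown,
        # the same fallback psad reports in its email.
        host, msg = "unknown", line
    fields = dict(FIELD_RE.findall(msg))
    has_iface = "IN" in fields or "OUT" in fields
    if not has_iface or "SRC" not in fields or "DST" not in fields:
        return None
    return {"syslog_hostname": host, "fields": fields}


def summarize(lines):
    """Count iptables log lines per syslog hostname; a non-zero 'unknown'
    bucket is the signal that the header is missing from the input."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            counts[rec["syslog_hostname"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        rec = parse_line(line)
        if rec is None:
            continue
        f = rec["fields"]
        print(f"{rec['syslog_hostname']:8} {f['SRC']} -> {f['DST']} "
              f"proto={f.get('PROTO', '?')} dpt={f.get('DPT', '')}")
    print(summarize(SAMPLE_LINES))
```

Running this over the lines from "grep OUT= /var/log/messages" on an affected host shows immediately whether the hostname field is present in what the log collector actually writes; if every line lands in the "unknown" bucket, the problem is the log format being fed to the parser rather than the iptables rules.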





