syslog-ng issue
I'm trying to clean up my logging using syslog-ng (version 1.5.6-1). The problem at this point is that my firewall (iptables) logs are showing up in my newly set up firewall log file, and still in the messages, kern.log and syslog files. I used the default syslog-ng.conf file and added the following lines to the appropriate sections:

destination firewall { file("/var/log/firewall" owner(root) group(adm) perm(0640)); };
filter f_firewall { match("Dropped: .*IN=.*OUT=.*"); };
log { source(src); filter(f_firewall); destination(firewall); };

My desire is to have all firewall logs go ONLY to the firewall log file. Does the order in which these entries occur matter? I just noticed that the destination entry was at the end of that section while the filter and log entries are at the beginning. I moved the destination entry to the beginning of that section and will watch the logs.

Thanks for any help...jc

--
Jeff Coppock
Nortel Networks Systems Engineer
http://nortelnetworks.com
Major Accts.
Santa Clara, CA

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: snort 1.8 for demarc
On Sun, Aug 05, 2001 at 19:41:41 +, Marco Tassinari wrote:

/usr/local/lib/libpcap.a(gencode.o): In function `pcap_compile':

Any particular reason you're using a local libpcap rather than the libpcap0 and libpcap-dev Debian packages?

Ray

--
Obsig: developing a new sig
Re: Locking down a guest account - need help.
On Sat, Aug 04, 2001 at 12:30:20AM +0200, Tobias wrote:

Hello! You can disable password login in sshd and only run ssh with public key authentication; just don't forget to put a root-owned, non-writable folder or file called .ssh and .ssh2 in the accounts you do not wish people to log in to.

Putting a root-owned file in a directory owned by a user is not much help against a UNIX-savvy user. The user would still be able to rename the file(s).

You could create the .ssh / .ssh2 directories or files (owned by root), and then use the ``chattr +i dirname'' command on each directory or file to protect it. This is for ext2fs only, but other filesystems may have equivalent commands.

[FYI, chattr +i sets the immutable flag in the ext2 filesystem, rendering the file unchangeable. chattr -i will remove the flag. Read the man page for more info.]

Just my $0.02 worth,

--
Eli Boaz ([EMAIL PROTECTED])
GNU/Linux: Free your computer from bad software. http://www.debian.org/
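The two checks Eli describes (sshd refusing password logins; root-owned, immutable .ssh and .ssh2 entries in the guest home) as a small audit script. This is an added example, not code from the thread; the sshd_config path and home directory are passed in as arguments, and the immutable-flag check fails closed when lsattr is unavailable or the filesystem does not support it.

```shell
#!/bin/sh
# Added audit helpers (example code, not from the thread). Assumes: $1 is the
# sshd_config to inspect, and the guest account's home directory is passed to
# guest_key_dirs_locked. chattr/lsattr are ext2-family tools, as Eli notes.

# sshd's effective value is the last uncommented directive; the default is "yes".
sshd_password_auth_disabled() {
    v=$(awk 'tolower($1) == "passwordauthentication" { val = $2 }
             END { print tolower(val) }' "$1")
    [ "$v" = "no" ]
}

# Returns 0 only if both .ssh and .ssh2 exist in $1, are root-owned and immutable.
guest_key_dirs_locked() {
    home="$1"; rc=0
    for d in .ssh .ssh2; do
        p="$home/$d"
        if [ ! -e "$p" ]; then
            echo "FAIL: $p missing"; rc=1; continue
        fi
        owner=$(ls -ld "$p" | awk '{ print $3 }')
        if [ "$owner" != "root" ]; then
            echo "FAIL: $p owned by $owner, not root"; rc=1
        fi
        # lsattr prints the flag letters first; 'i' is the immutable bit.
        # If lsattr is missing or the filesystem lacks attributes, flags is
        # empty and the check fails closed.
        flags=$(lsattr -d "$p" 2>/dev/null | awk '{ print $1 }')
        case "$flags" in
            *i*) ;;
            *)   echo "FAIL: $p lacks the immutable flag (chattr +i)"; rc=1 ;;
        esac
    done
    return $rc
}
```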
Re: syslog-ng issue
Jeff Coppock, 2001-Aug-05 09:04 -0700:

I'm trying to clean up my logging using syslog-ng (version 1.5.6-1). The problem at this point is that my firewall (iptables) logs are showing up in my newly set up firewall log file, and still in the messages, kern.log and syslog files. I used the default syslog-ng.conf file and added the following lines to the appropriate sections:

destination firewall { file("/var/log/firewall" owner(root) group(adm) perm(0640)); };
filter f_firewall { match("Dropped: .*IN=.*OUT=.*"); };
log { source(src); filter(f_firewall); destination(firewall); };

My desire is to have all firewall logs go ONLY to the firewall log file. Does the order in which these entries occur matter? I just noticed that the destination entry was at the end of that section while the filter and log entries are at the beginning. I moved the destination entry to the beginning of that section and will watch the logs.

Thanks for any help...jc

Well, I figured it out. More time and reading always seems to make a difference. Basically, I added another filter to not match the firewall messages and used that filter with the messages, kern.log and syslog log entries, and it works great.

jc

--
Jeff Coppock
Nortel Networks Systems Engineer
http://nortelnetworks.com
Major Accts.
Santa Clara, CA
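The fix Jeff describes, written out as an added example (not his actual syslog-ng.conf): each log statement is evaluated independently, so a firewall line that matches the kern, messages and syslog paths is delivered to all of them unless those paths exclude it. It assumes the Debian default source src, the filters f_kern, f_messages and f_syslog, and the destinations kern, messages and syslog already exist in the file.

```conf
# Added example config (not Jeff's file). Assumes the Debian default source "src",
# filters f_kern/f_messages/f_syslog and destinations kern/messages/syslog exist.
destination firewall {
    file("/var/log/firewall" owner(root) group(adm) perm(0640));
};

filter f_firewall     { match("Dropped: .*IN=.*OUT=.*"); };
# Negated filter: everything that is NOT an iptables drop line.
filter f_not_firewall { not filter(f_firewall); };

# Firewall drops go to their own file...
log { source(src); filter(f_firewall); destination(firewall); };

# ...and are excluded from the general logs by chaining the negated filter.
# Filters within one log statement are ANDed: a message must pass all of them.
log { source(src); filter(f_kern);     filter(f_not_firewall); destination(kern); };
log { source(src); filter(f_messages); filter(f_not_firewall); destination(messages); };
log { source(src); filter(f_syslog);   filter(f_not_firewall); destination(syslog); };
```

After editing, check the result by sending a line through logger that matches the pattern and confirming it appears only in /var/log/firewall.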
snort 1.8 for demarc
...mmhh... there is a tool for remote log analysis, demarc, which requires snort 1.8. Debian's snort is older, so I'm compiling it. But:

/usr/local/lib/libpcap.a(gencode.o): In function `pcap_compile':
gencode.o(.text+0x203): undefined reference to `lex_init'
/usr/local/lib/libpcap.a(grammar.o): In function `yyparse':
grammar.o(.text+0x94): undefined reference to `yylex'
grammar.o(.text+0x9ba): undefined reference to `yylex'
collect2: ld returned 1 exit status
make: *** [snort] Error 1

but I've got a lot of lex:

# dpkg -l | grep lex
ii  flex    2.5.4a-14  A fast lexical analyzer generator.
ii  flexml  1-5        Generate fast validating XML processors and
ii  jflex   1.3.2-1    lexical analyzer generator for Java
ii  jlex    1.2.3-5    A Lex-style lexical analyser generator for J
ii  snort   1.7-9      Flexible NIDS (Network Intrusion Detection S

...so why doesn't snort compile? By the way, is demarc good for you? I don't know what's best for remote administration and log analysis.

Thanks,
Marco