Hi. Myself, I would prefer to use FreeBSD, because in /etc/newsyslog.conf I
could set the time column to $D0 and it will automatically rotate the log at
00:00 (midnight).

--- abhinav tiwari <abhinav_tiwariat_private> wrote:
> hi all
>
> Can anyone advise, please, what should be the best way of writing
> syslog.conf? I mean best when logging of all the security events gets
> enabled on the Unix server. This will help me a lot in capturing all
> events in files like /var/log/messages.
>
> Any users who did the setups this way?
>
> Also, any of you working purely on BSDi Unix, please revert; some points
> for discussion are required. The docs for BSDi on the Internet seem too
> few.
>
> regds
> abhinav
>
> >From: loganalysis-requestat_private
> >Reply-To: loganalysisat_private
> >To: loganalysisat_private
> >Subject: LogAnalysis digest, Vol 1 #41 - 3 msgs
> >Date: Fri, 11 Oct 2002 12:00:04 +0000
> >
> >Send LogAnalysis mailing list submissions to
> > loganalysisat_private
> >
> >To subscribe or unsubscribe via the World Wide Web, visit
> > http://lists.shmoo.com/mailman/listinfo/loganalysis
> >or, via email, send a message with subject or body 'help' to
> > loganalysis-requestat_private
> >
> >You can reach the person managing the list at
> > loganalysis-adminat_private
> >
> >When replying, please edit your Subject line so it is more specific
> >than "Re: Contents of LogAnalysis digest..."
> >
> >
> >Today's Topics:
> >
> > 1. slapper logfile marks .. (Jose Nazario)
> > 2. Re: compress log error (was PIX logging) (Daniel Deremiah)
> > 3. Fight Back (Ganu Skop)
> >
> >--__--__--
> >
> >Message: 1
> >Date: Tue, 8 Oct 2002 10:10:01 -0400 (EDT)
> >From: Jose Nazario <joseat_private>
> >To: loganalysisat_private
> >Subject: [logs] slapper logfile marks ..
> >
> >Trying to see if these are telltale signs of a Slapper request. Looking
> >at the worm's source code, it makes an HTTP request for /:
> >
> >GET HTTP/1.1
> >
> >(Note that it's incomplete for the 1.1 spec; it's missing the Host:
> >declaration.) It then sends two SSL connections to try to overflow the
> >key exchange for SSLv2.
> >
> >This would explain this logfile pattern I have seen with an Apache
> >installation. The first request looks like the problem in the port 80
> >server fingerprinting:
> >
> >[Sun Oct 6 03:25:18 2002] [error] [client 202.133.158.195] client sent
> >HTTP/1.1 request without hostname (see RFC2068 section 9, and 14.23): /
> >
> >with follow-ups immediately with SSL errors:
> >
> >[Sun Oct 6 03:25:37 2002] [error] mod_ssl: SSL handshake interrupted by
> >system [Hint: Stop button pressed in browser?!] (System error follows)
> >[Sun Oct 6 03:25:37 2002] [error] System: Connection reset by peer
> >(errno: 104)
> >
> >Unfortunately the error log doesn't report the SSL client who made the
> >errors.
> >
> >Anyhow, is this the pattern other people have been seeing for Slapper
> >hosts?
> >
> >___________________________
> >jose nazario, ph.d. joseat_private
> > http://www.monkey.org/~jose/
> >
> >
> >--__--__--
> >
> >Message: 2
> >Date: Wed, 9 Oct 2002 13:09:08 -0700 (PDT)
> >From: Daniel Deremiah <Daniel.Deremiahat_private>
> >To: Allen Crawford <AllenCat_private>
> >Subject: Re: [logs] compress log error (was PIX logging)
> >
> >Remove the compress line and add the gzip command to the postrotate
> >sequence. What is happening is you are renaming the file out from under
> >the rotate script.
> >
> >--
> >-dand
> >
> >=============================================================
> >Dan Deremiah                     Unix System Administrator
> >Wind River Systems, Alameda CA   510/749-2033 Desk
> >=============================================================
> >
> >On Fri, 6 Sep 2002, Allen Crawford wrote:
> >
> > > OK, I've got the PIX logging working now, I believe. I had to create a
> > > separate logrotate script and run it at a specific time (11:55pm)
> > > because I just realized that the daily cron job was running at 4:02 pm,
> > > which isn't when I want my Cisco logs to be rotated.
> > >
> > > Anyway, the only problem I'm having now is getting them to compress.
> > > Here's the logrotate script for the PIX that I'm using:
> > >
> > > /var/log/cisco_pix_515e/pix {
> > >     daily
> > >     rotate 4
> > >     create
> > >     compress
> > >     postrotate
> > >         /usr/bin/killall -HUP syslogd; mv /var/log/cisco_pix_515e/pix.1 /var/log/cisco_pix_515e/pix$(date +%Y%m%d)
> > >     endscript
> > > }
> > >
> > > For testing I'm calling it with the following line:
> > >
> > > logrotate -f /etc/cisco_pix_515e_logrotate_script
> > >
> > > After running that, it rotates it correctly and starts logging to the
> > > new file. However, with the compress line left in the script, I get the
> > > following error:
> > >
> > > gzip: /var/log/cisco_pix_515e/pix.1: No such file or directory
> > > failed to compress log /var/log/cisco_pix_515e/pix.1
> > >
> > > Any tips on what I am doing wrong here?
> > >
> > > Thanks a lot,
> > > Allen
> > > _______________________________________________
> > > LogAnalysis mailing list
> > > LogAnalysisat_private
> > > http://lists.shmoo.com/mailman/listinfo/loganalysis
> >
> >
> >--__--__--
>
=== message truncated ===
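Jose's Slapper pattern (Message 1 above) as a detection run over sample log lines. This is an added example, not Jose's code or anything from the list: a POSIX shell function wrapping awk that pairs each "request without hostname" error with a mod_ssl "SSL handshake interrupted" error that follows it. Since, as Jose notes, the mod_ssl lines carry no client address, the only available join key is time; the 60-second window is an assumption, and on a busy SSL server a browser Stop button inside that window will give a false pairing, so treat a hit as a lead rather than proof. The log lines in SAMPLE_LOG are constructed in the format of the lines Jose quoted.

```shell
#!/bin/sh
# slapper_marks: scan an Apache 1.3 error_log for the sequence Jose
# describes: a "request without hostname" error from a client, followed
# within WINDOW seconds by a mod_ssl "SSL handshake interrupted" error.
# The mod_ssl lines carry no client address, so the pairing is by time
# only; WINDOW (default 60 s, an assumption) covers the 19 s gap in the
# quoted log.  Prints "<client-ip> [<timestamp of the HTTP probe>]".
#
# Usage: slapper_marks [window_seconds] < error_log
slapper_marks() {
    awk -v window="${1:-60}" '
    # "[Sun Oct  6 03:25:18 2002] [error] [client 1.2.3.4] ..." splits so
    # that $4 is HH:MM:SS and "$2 $3 $5" identifies the calendar day.
    function secs(t,  p) { split(t, p, ":"); return p[1] * 3600 + p[2] * 60 + p[3] }

    /client sent HTTP\/1\.1 request without hostname/ {
        ip = $8; sub(/\]$/, "", ip)
        pend_ip = ip
        pend_day = $2 " " $3 " " $5
        pend_t = secs($4)
        pend_stamp = $1 " " $2 " " $3 " " $4 " " $5
        next
    }

    /mod_ssl: SSL handshake interrupted/ && pend_ip != "" {
        day = $2 " " $3 " " $5
        dt = secs($4) - pend_t
        if (day == pend_day && dt >= 0 && dt <= window) {
            print pend_ip, pend_stamp
            pend_ip = ""      # report each HTTP probe at most once
        }
    }'
}

# Constructed sample in the format of the lines Jose quoted (not a real
# capture): one probe followed by the SSL error 19 s later, plus a second
# hostname-less request whose SSL follow-up falls outside the window.
SAMPLE_LOG='[Sun Oct  6 03:25:18 2002] [error] [client 202.133.158.195] client sent HTTP/1.1 request without hostname (see RFC2068 section 9, and 14.23): /
[Sun Oct  6 03:25:37 2002] [error] mod_ssl: SSL handshake interrupted by system [Hint: Stop button pressed in browser?!] (System error follows)
[Sun Oct  6 03:25:37 2002] [error] System: Connection reset by peer (errno: 104)
[Sun Oct  6 04:10:02 2002] [error] [client 10.0.0.7] client sent HTTP/1.1 request without hostname (see RFC2068 section 9, and 14.23): /
[Sun Oct  6 05:00:00 2002] [error] mod_ssl: SSL handshake interrupted by system [Hint: Stop button pressed in browser?!] (System error follows)'

printf '%s\n' "$SAMPLE_LOG" | slapper_marks    # prints: 202.133.158.195 [Sun Oct 6 03:25:18 2002]
```

Run it as `slapper_marks 30 < /var/log/httpd/error_log` to tighten the window; the hostname-less request alone is the stronger signal (it is what Jose calls the port 80 fingerprinting step), and the SSL interruption is only confirmation that the same host came back for the key-exchange attempt.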
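Dan's fix for Allen's stanza (Message 2 above), written out as a runnable postrotate script; this is an added example, not Dan's or Allen's code. When logrotate runs postrotate it has already renamed pix to pix.1, and without `delaycompress` it gzips pix.1 afterwards, so Allen's `mv` of pix.1 leaves the `compress` step with nothing to compress. The corrected stanza in the header comment is Allen's with the `compress` line removed and the rename plus gzip moved into a script; `/usr/local/sbin/archive_pix.sh` is a hypothetical install path. Two caveats a practitioner would want: because the dated files leave logrotate's pix.N sequence, `rotate 4` no longer bounds them, so the script carries its own pruning; and a forced second run on the same day must not clobber that day's archive. (Newer logrotate versions also offer a `dateext` directive that names rotated files by date natively. The FreeBSD equivalent the first poster describes is a single newsyslog.conf line whose time field is `$D0`, for example `/var/log/pix 640 7 * $D0 Z`, which rotates at 00:00 and gzips with no postrotate script; the path there is illustrative.)

```shell
#!/bin/sh
# archive_rotated_log: the postrotate step Dan describes.  logrotate has
# already renamed pix to pix.1 when postrotate runs; if we mv pix.1 away,
# the "compress" directive later looks for pix.1 and fails.  So the stanza
# drops "compress" and this script does the rename AND the gzip itself.
#
# Corrected stanza (Allen's paths; compress line removed; script path is a
# hypothetical install location):
#   /var/log/cisco_pix_515e/pix {
#       daily
#       rotate 4
#       create
#       postrotate
#           /usr/bin/killall -HUP syslogd
#           sleep 1      # let syslogd reopen the new file before we gzip the old one
#           /usr/local/sbin/archive_pix.sh /var/log/cisco_pix_515e pix
#       endscript
#   }
#
# Usage: archive_rotated_log DIR BASE [STAMP]   (STAMP defaults to today's %Y%m%d)
# Prints the path of the compressed archive on success.
archive_rotated_log() {
    dir=$1
    base=$2
    stamp=${3:-$(date +%Y%m%d)}
    rotated="$dir/$base.1"
    dated="$dir/$base.$stamp"
    if [ ! -f "$rotated" ]; then
        echo "archive_rotated_log: $rotated not found (did logrotate run?)" >&2
        return 1
    fi
    if [ -e "$dated.gz" ]; then
        # A second rotation on the same day (e.g. a forced test run with
        # logrotate -f) must not overwrite the earlier archive.
        dated="$dated-$(date +%H%M%S)"
    fi
    mv "$rotated" "$dated"
    gzip "$dated"          # leaves $dated.gz; no "compress" directive needed
    echo "$dated.gz"
}

# prune_archives DIR BASE DAYS: the dated files are outside logrotate's
# pix.N sequence, so "rotate 4" no longer bounds them; delete archives
# older than DAYS days ourselves.
prune_archives() {
    find "$1" -name "$2.*.gz" -type f -mtime +"$3" -exec rm -f {} \;
}
```

Call `prune_archives /var/log/cisco_pix_515e pix 30` from the same postrotate block (or a separate cron entry) to keep a month of PIX archives; the day count is an assumption, pick whatever retention the site needs.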
This archive was generated by hypermail 2b30 : Tue Oct 29 2002 - 10:03:20 PST