Attachment 18085 Details for Bug 29278 – Update metalog section

[patch] Update metalog section

gentoo-security-1.16-metalog.diff (text/plain), 3.06 KB, created by Sune Kloppenborg Jeppesen on 2003-09-21 11:39:26 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Sune Kloppenborg Jeppesen

Created: 2003-09-21 11:39:26 UTC

Size: 3.06 KB

patch

obsolete

>--- gentoo-security-1.16.xml	2003-09-21 15:13:13.000000000 +0200
>+++ gentoo-security-1.16-metalog.xml	2003-09-21 20:38:18.000000000 +0200
>@@ -560,88 +560,27 @@
> 
> 
> <uri link="http://metalog.sourceforge.net">Metalog</uri> by Frank Dennis is not able to log to a remote server, but it does have advantages when it comes to performance and logging flexibility.
>-
>-
>-
>-It can log by program name or by facility (like syslogd) and comes with regular expression matching and execution of commands. Very good for taking action when needed.
>+It can log by program name, urgency, program name,by facility (like syslogd) and comes with regular expression matching and it can launch external scripts when specific patterns are found. It is very good for taking action when needed.
> 
> 
>-<pre caption="/etc/metalog/metalog.conf">
>-maxsize = 1000000
>-maxtime = 86400
>-maxfiles = 7
>-minimum = 7
>-
>-Kernel messages :
>-
>- facility = "kern"
>- logdir = "/var/log/kernel"
>-
>-Auth messages :
>- facility = "auth"
>- logdir = "/var/log/auth"
>-
>-Critical :
>- facility = "critical"
>- command = "/usr/local/sbin/pwdfail.sh" 
>-
>-Crond :
>-
>- program = "crond"
>- logdir = "/var/log/crond"
>- 
>-Password failures :
>-
>- regex = "(password|login|authentication)\s+(fail|invalid)"
>- regex = "(failed|invalid)\s+(password|login|authentication)"
>- regex = "ILLEGAL ROOT LOGIN"
>- logdir = "/var/log/pwdfail"
>- command = "/usr/local/sbin/pwdfail.sh"
>-
>-SSH Server :
>-
>- program = "sshd"
>- logdir = "/var/log/sshd"
>-
>-Mail :
>-
>- facility = "ftp-mail-news"
>- logdir = "/var/log/mail"
>-
>-Snort:
>- program = "snort"
>- command = "/usr/local/sbin/pwdfail.sh"
>-
>-Everything important :
>-
>- facility = "*"
>- logdir = "/var/log/everything"
>-
>-Everything very important :
>-
>- facility = "*"
>- logdir = "/var/log/critical"
>-
>-</pre>
>-
> 
>-This is basically a standard configuration with a few modifications, like a minimum logging level at 7, which means that everything will be logged.
>+The standard configuration is basically enough. If you want to be notified by email whenever a password failure occurs use one of the following scripts.
> 
> 
> 
>-pwdfail.sh for postfix.
>+For postfix:
> 
> 
>-<pre caption = "postfix' pwdfail.sh">
>+<pre caption = "/usr/local/sbin/mail_pwd_failures.sh for postfix">
> #! /bin/sh
> echo "$3" | mail -s "Warning (program : $2)" root
> </pre>
> 
> 
>-pwdfail.sh for qmail.
>+For qmail:
> 
> 
>-<pre caption = "qmail's pwdfail.sh">
>+<pre caption = "/user/local/sbin/mail_pwd_failures.sh for qmail">
> #!/bin/sh
> echo "To: root
> Subject:Failure (Warning: $2) 
>@@ -650,12 +589,20 @@
> </pre>
> 
> 
>-More information can be found in the <uri link="http://metalog.sourceforge.net">metalog</uri> website.
>+Remember to make the script executable by issuing <c>chmod +x /usr/local/sbin/mail_pwd_failures.sh</c>
> 
> 
>+
>+Then uncomment the command line under Password failures in metalog.conf like:
>+
>+
>+<pre caption="/etc/metalog/metalog.conf">
>+command = "/usr/local/sbin/mail_pwd_failures.sh"
>+</pre>
> 
> </body>
> </section>
>+
> <section>
> 
> <title>Syslog-ng</title>

Actions: View | Diff

Attachments on bug 29278: 18084 | 18085 | 18086 | 18087 | 18088 | 18119 | 18120