The following is an archive of a post made to our 'vox-tech mailing list' by one of its subscribers.

Re: [vox-tech] some syslog questions

On Tuesday 29 July 2003 09:49 am, Peter Jay Salzman wrote:
> some questions i've been meaning to ask for awhile...
>
>
> 1. when a logging request is handled and matched by a rule, does logging
> end there (as with procmail) or does it continue for further logging?
> in other words, in this example:
>
>    *.emerg      *
>
>    mail.emerg   /var/log/mail.emerg
>
> do mail emergencies get forwarded to all logged in users AND get logged
> to a file?  or do they just get forwarded to all logged in users?

A syslog message will be matched multiple times. I'm using a syslog daemon 
that supports logging to a MySQL database, and I have it logging both to the 
database, AND to the usual flat files.

> 2. is there any way to determine the facility log level of a message?
> for instance, once this message got logged:
>
>    Jul 25 10:29:06 satan lpd[17559]: satan requests printjob lp
>
> were the facility and log level irretrievably lost?  in this example,
> the facility is lpr, not lpd (there's no lpd facility).  and the level
> is probably "info" or something like that.  it would be useful to know
> for sure.

It's not logged to the usual files. Try a different syslog daemon, or look in 
the man page, there may be a way to make it log that information. At work I'm 
using msyslog http://msyslog.sf.net/, and the MySQL logger module can save 
this information (not by default), and I have it set to do so.

> 3. i wrapped exim with tcpd so i can use hosts.deny to "blackhole"
> domains that constantly spam.  that means i get logs in daemon.log like:
>
>    Jul 29 09:18:19 satan exim[26553]: connect from murphy.debian.org
>    Jul 25 09:06:58 satan exim[15324]: refused connect from 218.5.148.246
>
> every time anybody makes an SMTP connection.  i really don't want to see
> this.  i believe that even though it says "exim", tcpd is doing the
> actual logging.  and since it's a tcpd refusal/acceptance, these
> messages are no different, in principle, from messages saying that some
> hacker is trying to connect with portmap, or lucifer is trying to mount
> an NFS partition from satan.
>
> my gut feeling is that i can't stop these exim messages.  i'm hoping i'm
> wrong.  any ideas?

You could drop them in iptables. Iptables rocks :-)

-- 
PGP/GPG Fingerprint: 3B30 C6BE B1C6 9526 7A90  34E7 11DF 44F3 7217 7BC7
On pgp.mit.edu, import with `gpg --keyserver pgp.mit.edu --recv-key 72177BC7`
Also available at http://www.cal.net/~ryan/ryan_at_mother_dot_com.asc
_______________________________________________
vox-tech mailing list
vox-tech@lists.lugod.org
http://lists.lugod.org/mailman/listinfo/vox-tech
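To make question 1 concrete: the following is a small model of sysklogd-style selector matching, added here as an example (it is not code from the post, nor from sysklogd or msyslog). It reproduces the two rules quoted in the question and shows that a mail emergency triggers both actions; the `*.info;mail.none` and `lpr.*` rules and the message facilities/levels are constructed for the demonstration.

```python
"""Model of sysklogd syslog.conf selector matching (added example).

Each rule keeps a per-facility set of accepted priorities, built selector by
selector the way the daemon does: 'fac.level' adds that level and all more
severe ones, '=level' adds one level, 'none' clears the facility, '*' is all.
Rules never terminate processing, so every matching rule's action fires."""
import re

# index 0 is most severe, mirroring the numeric values in <syslog.h>
PRIORITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp"] + [f"local{i}" for i in range(8)]

def parse_rule(line):
    """Turn 'sel;sel<whitespace>action' into ({facility: set(priorities)}, action)."""
    selectors, action = re.split(r"\s+", line.strip(), maxsplit=1)
    pmask = {fac: set() for fac in FACILITIES}
    for sel in selectors.split(";"):
        fac_part, level = sel.rsplit(".", 1)
        facs = FACILITIES if fac_part == "*" else fac_part.split(",")
        for fac in facs:
            if level == "none":                 # later 'none' overrides earlier grants
                pmask[fac] = set()
            elif level == "*":
                pmask[fac] = set(PRIORITIES)
            elif level.startswith("="):         # exactly this level
                pmask[fac].add(level[1:])
            else:                               # this level and everything more severe
                pmask[fac].update(PRIORITIES[: PRIORITIES.index(level) + 1])
    return pmask, action

def actions_for(config, facility, priority):
    """Every action whose rule accepts (facility, priority), in config order."""
    return [action for pmask, action in map(parse_rule, config)
            if priority in pmask[facility]]

# Constructed config: the post's two rules plus two typical extra lines.
CONFIG = [
    "*.emerg\t\t\t*",
    "mail.emerg\t\t/var/log/mail.emerg",
    "*.info;mail.none\t-/var/log/syslog",
    "lpr.*\t\t\t-/var/log/lpr.log",
]

if __name__ == "__main__":
    # a mail emergency matches both of the post's rules (wall AND file)
    print(actions_for(CONFIG, "mail", "emerg"))  # ['*', '/var/log/mail.emerg']
    # the lpd line from question 2, if it was lpr.info, lands in two files
    print(actions_for(CONFIG, "lpr", "info"))    # ['-/var/log/syslog', '-/var/log/lpr.log']
```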