[KLUG Members] Re:Introduction and Logfiles mess, Such as?
members@kalamazoolinux.org
members@kalamazoolinux.org
Tue, 5 Mar 2002 15:17:11 -0500
>As a rookie sysadmin, I don't have the confidence to tune application or
>syslog settings to try to slow some of the garbage down.
>One example would be logfile noise generated from my new email setup. I
>installed an LRP firewall with two NICs so I could create a split DNS with
>a DMZ for my chrooted Postfix and central logserver.
>I have my 30 windows email clients on the LAN access my Postfix mailserver
>running in the DMZ via secure POP3. To pull this off, I had to configure
>Stunnel and Postfix on the mail server and reconfigure each of the windows
>clients to use secure pop3.
This doesn't sound so neophyte to me. Sounds more like a great presentation for
KLUG.
>Now, each time a windows client logs in to the mailserver I get:
>an xinetd START: pop3 from 127.0.0.1 entry, in my secure logfile,
Ah, yes. I hate these; they are pointless en masse (possibly hundreds a
minute). Go into /etc/xinetd.conf/ipop3d and change
"log_on_success += SOMETHING HERE" to
"log_on_success =" and logging of successful POP connections will stop.
I like to leave logging of unsuccessful connections on. The same applies to
other services provided by xinetd.
>an ipop3d pop3 service init from 127.0.0.1 entry in my maillog and
Yep, I get these from imapd. I haven't found an obvious way to make them go away.
>two stunnel SSL_accept error messages in syslog
>one for no shared cipher and one for unknown protocol
Sorry, don't know anything about stunnel.
>That comes out to hundreds of useless entries a day in my logs.
>I don't know if the error messages are from stupid windows clients,
>improper settings for Postfix, Xinetd and Stunnel or improper syslog settings
>that are recording useless messages!!!
I'd wager the errors are from stunnel itself, possibly because it's barfing on
something the Win32 client is sending. Try to capture a conversation with
something like ethereal; I'm willing to take a look at it.
>Since the mailserver is functioning and a lot more secure than when I
>started, I just have to put up with the garbage while I struggle to fix
>more important things like Windows clients crashing when certain Samba
>shares are accessed on the central file server.
What version of Samba?
>>>Fortunately the essential things are mostly working. My single biggest
>>>annoyance is wading through lots of trivial messages in my log files.
>>Such as? syslog is quite configurable as is the verbosity level of most
>>applications.
>>logview is a nice GNOME application for wading through logs.
>>It is also pretty simple to centralize all/most of the logs on one
>>server.
>I built a remote central log server while I was putting the new security
>infrastructure in. I had to use recycled parts and the only hard drive I
>had at the time was 350 MB. By the time I got RedHat 7.0 on there, there
>wasn't a lot of space left for logging. Data from four servers filled that
>puppy up real quick.
Yep, logging requires lots of space. Especially if you are using the default
settings.
>I recently got my hands on a *WESTERN DIGITAL* 20 GB disk, but with what I
>am reading about Western Digital I am not sure I want to use it.
I'd prefer something more robust. But it should work as an interim solution.
>If I do put it in, I have to figure out where to mount it and reconfigure
>the syslog daemon to log data there.
You want to mount it at /var/log. Put it in, bring the system up in single
user mode, make the filesystem, mount it on something like /mnt/tmp, move the
files, edit /etc/fstab, and reboot.
>I really don't have a linux box to call my own and I strip X off of most of
>the production servers. But I did fire up X on my internal DNS/VNC (over
>SSH) RedHat 7.0 server. The System Log Viewer looks pretty slick. Thanks
>for the tip.
Bummer, there are lots of great admin tools for GNOME. Especially in RH7.2
-------------------------------------------------
This mail sent through IMP: http://horde.org/imp/
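Added example, not code from the original mail or from anyone on the list: a small Python triage script that runs over a handful of constructed syslog lines of the three kinds the thread complains about (the xinetd START entry, the ipop3d "service init" entry and the two stunnel SSL_accept errors), counts the known noise per category and prints whatever is left, which is what actually needs reading. The hostname "mail", the PIDs, timestamps and exact stunnel error text are made up to look like Red Hat 7.x syslog output; the one-line explanations attached to the two stunnel errors are the usual meaning of those OpenSSL error strings and are assumptions, not something the thread established.

```python
import re
from collections import Counter

# Constructed sample in syslog format, modelled on the entry types named in
# the thread plus a few lines an admin does want to see. Host "mail", PIDs,
# timestamps and the stunnel error text are made up (assumption).
SAMPLE_LOG = """\
Mar  5 15:01:02 mail xinetd[812]: START: pop3 pid=2231 from=127.0.0.1
Mar  5 15:01:02 mail ipop3d[2231]: pop3 service init from 127.0.0.1
Mar  5 15:01:03 mail stunnel[2230]: SSL_accept: 1408A0C1: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
Mar  5 15:01:04 mail stunnel[2232]: SSL_accept: 140760FC: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
Mar  5 15:01:10 mail xinetd[812]: START: pop3 pid=2240 from=127.0.0.1
Mar  5 15:01:10 mail ipop3d[2240]: pop3 service init from 127.0.0.1
Mar  5 15:01:11 mail ipop3d[2240]: Login user=alice host=localhost [127.0.0.1]
Mar  5 15:02:30 mail xinetd[812]: FAIL: pop3 address from=192.168.1.77
Mar  5 15:03:00 mail sshd[2300]: Accepted publickey for root from 192.168.1.5 port 40312 ssh2
"""

# Known-noise patterns: (label, regex, note). The notes on the two stunnel
# errors give the usual meaning of those OpenSSL strings (assumption).
NOISE_RULES = [
    ("xinetd START pop3",
     re.compile(r"\bxinetd\[\d+\]: START: pop3\b"),
     "successful connect; stops once log_on_success is emptied for pop3"),
    ("ipop3d service init",
     re.compile(r"\bipop3d\[\d+\]: pop3 service init from\b"),
     "ipop3d's own per-connection notice"),
    ("stunnel no shared cipher",
     re.compile(r"\bstunnel\[\d+\]: SSL_accept: .*no shared cipher"),
     "client's cipher list has no overlap with the server's (assumption)"),
    ("stunnel unknown protocol",
     re.compile(r"\bstunnel\[\d+\]: SSL_accept: .*unknown protocol"),
     "client sent non-TLS bytes to the TLS port, e.g. plain POP3 (assumption)"),
]

# Classic syslog line: "Mon dd hh:mm:ss host prog[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[\w.-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")


def classify(line):
    """Return the noise label for a line, or None if it is worth reading."""
    for label, rx, _note in NOISE_RULES:
        if rx.search(line):
            return label
    return None


def triage(text):
    """Split log text into (Counter of noise by label, list of remaining lines)."""
    counts = Counter()
    kept = []
    for line in text.splitlines():
        if not line.strip():
            continue
        label = classify(line)
        if label:
            counts[label] += 1
        else:
            kept.append(line)
    return counts, kept


def client_addrs(text):
    """Source addresses xinetd reports for pop3 (START or FAIL lines).

    With stunnel handing decrypted sessions to xinetd over loopback, every
    successful connect shows up as 127.0.0.1; only stunnel's own log can
    carry the real client address, so this is where that blind spot shows.
    """
    addrs = Counter()
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m or m.group("prog") != "xinetd":
            continue
        msg = m.group("msg")
        fm = re.search(r"\bfrom=(\S+)", msg)
        if fm and " pop3 " in msg:
            addrs[fm.group(1)] += 1
    return addrs


def report(text):
    """Human-readable summary: noise counts per category, then the rest."""
    counts, kept = triage(text)
    noise = sum(counts.values())
    out = [f"{noise + len(kept)} lines, {noise} known noise, {len(kept)} to read"]
    for label, _rx, note in NOISE_RULES:
        if counts[label]:
            out.append(f"  {counts[label]:4d}  {label:<26} {note}")
    out.append("remaining:")
    out.extend("  " + line for line in kept)
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
    print("pop3 sources as seen by xinetd:", dict(client_addrs(SAMPLE_LOG)))
```

Run it against a day's worth of the real secure/maillog/messages files concatenated together to get the actual ratio of noise to signal before and after the xinetd change (on Red Hat the per-service files live under /etc/xinetd.d/); the xinetd rows should disappear, the ipop3d rows stay, and the stunnel rows only shrink once the client side is fixed. Note the loopback point in client_addrs: as long as stunnel fronts xinetd, the secure log never shows which Windows host connected, so any attempt to trace the SSL_accept errors back to a particular client has to start from stunnel's log or a packet capture, as the reply suggests.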