[KLUG Members] Re: Introduction and Logfiles mess, Such as?

members@kalamazoolinux.org members@kalamazoolinux.org
Tue, 5 Mar 2002 15:17:11 -0500


>As a rookie sysadmin, I don't have the confidence to tune application or
>syslog settings to try to slow some of the garbage down.
>One example would be logfile noise generated from my new email setup. I
>installed an LRP firewall with two NICs so I could create a split DNS with
>a DMZ for my chrooted Postfix and central logserver.
>I have my 30 Windows email clients on the LAN access my Postfix mailserver
>running in the DMZ via secure POP3. To pull this off, I had to configure
>Stunnel and Postfix on the mail server and reconfigure each of the Windows
>clients to use secure POP3.

This doesn't sound so neophyte to me.  Sounds more like a great presentation for
KLUG.

>Now, each time a Windows client logs in to the mailserver I get:
>an xinetd START: pop3 from 127.0.0.1 entry, in my secure logfile,

Ah, yes.  I hate these,  they are pointless en masse (possibly hundreds a
minute).  Go into /etc/xinetd.conf/ipop3d and change
"log_on_success += SOMETHING HERE" to
"log_on_success =" and logging of successful POP connections will stop.
I like to leave logging of unsuccessful connections on.  Same applies to other
services provided by xinetd.

>an ipop3d pop3 service init from 127.0.0.1 entry in my maillog and

Yep,  I get these from imapd.  I haven't found an obvious way to make them go away.

>two stunnel SSL_accept error messages in syslog
>one for no shared cipher and one for unknown protocol

Sorry, don't know anything about stunnel.

>That comes out to hundreds of useless entries a day in my logs.
>I don't know if the error messages are from stupid Windows clients,
>improper settings for Postfix, Xinetd and Stunnel, or improper syslog settings
>that are recording useless messages!!!

I'd wager the errors are from stunnel itself.  Possibly because it's barfing on
something the Win32 client is sending.  Try and capture a conversation with
something like ethereal,  I'm willing to take a look at it.

>Since the mailserver is functioning and a lot more secure than when I
>started, I just have to put up with the garbage while I struggle to fix
>more important things like Windows clients crashing when certain Samba
>shares are accessed on the central file server.

What version of Samba?

>>>Fortunately the essential things are mostly working. My single biggest
>>>annoyance is wading through lots of trivial messages in my log files.
>>Such as?  syslog is quite configurable as is the verbosity level of most
>>applications.
>>logview is a nice GNOME application for wading through logs.
>>It is also pretty simple to centralize all/most of the logs on one
>>server.
>I built a remote central log server while I was putting the new security
>infrastructure in. I had to use recycled parts and the only hard drive I
>had at the time was 350 MB. By the time I got RedHat 7.0 on there, there
>wasn't a lot of space left for logging. Data from four servers filled that
>puppy up real quick.

Yep,  logging requires lots of space.  Especially if you are using the default
settings.
>I recently got my hands on a *WESTERN DIGITAL* 20 GB disk, but with what I
>am reading about Western Digital I am not sure I want to use it. If I do

I'd prefer something more robust.  But it should work as an interim solution.

>put it in, I have to figure out where to mount it and reconfigure the syslog
>daemon to log data there.

You want to mount it at /var/log.  Put it in,  bring the system up in single
user mode,  make the filesystem, mount it on something like /mnt/tmp, move the
files,  edit /etc/fstab, and reboot.

>I really don't have a linux box to call my own and I strip X off of most of
>the production servers. But I did fire up X on my internal DNS/VNC (over
>SSH) RedHat 7.0 server. The System Log Viewer looks pretty slick. Thanks
>for the tip.

Bummer,  there are lots of great admin tools for GNOME.  Especially in RH7.2.


-------------------------------------------------
This mail sent through IMP: http://horde.org/imp/
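The thread's real problem is that the routine POP3/stunnel noise buries the one line that matters: in this setup every legitimate pop3 START should come from 127.0.0.1 (the local stunnel), so a START from any other address means a client reached the plaintext port without TLS. The following triage script is an added example, not code from the thread; the log lines are constructed to resemble the entries the poster describes, and the exact stunnel error text is assumed.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the entries the poster describes
# (not real log data from the thread; stunnel wording is assumed).
SAMPLE_LOG = """\
Mar  5 14:01:02 mail xinetd[812]: START: pop3 pid=4410 from=127.0.0.1
Mar  5 14:01:02 mail ipop3d[4410]: pop3 service init from 127.0.0.1
Mar  5 14:01:03 mail stunnel[4409]: SSL_accept: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
Mar  5 14:01:05 mail stunnel[4411]: SSL_accept: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
Mar  5 14:02:10 mail xinetd[812]: START: pop3 pid=4420 from=127.0.0.1
Mar  5 14:03:44 mail xinetd[812]: START: pop3 pid=4431 from=10.0.0.77
"""

# Patterns for the routine noise. A match whose source is the expected
# address (127.0.0.1, i.e. via the local stunnel) is counted as noise;
# a pop3 START or init from any other address bypassed stunnel and is
# reported for a closer look instead of being summarised away.
NOISE = {
    "xinetd pop3 start": re.compile(r"xinetd\[\d+\]: START: pop3 .*from=(\S+)"),
    "ipop3d init": re.compile(r"ipop3d\[\d+\]: pop3 service init from (\S+)"),
    "stunnel no shared cipher": re.compile(r"stunnel\[\d+\]: SSL_accept: .*no shared cipher"),
    "stunnel unknown protocol": re.compile(r"stunnel\[\d+\]: SSL_accept: .*unknown protocol"),
}

def triage(log_text, expected_src="127.0.0.1"):
    """Return (Counter of routine noise by kind, list of lines to check)."""
    counts = Counter()
    suspicious = []
    for line in log_text.splitlines():
        for name, pat in NOISE.items():
            m = pat.search(line)
            if not m:
                continue
            # stunnel patterns carry no source group; treat them as local.
            src = m.group(1) if m.groups() else expected_src
            if src == expected_src:
                counts[name] += 1
            else:
                suspicious.append(line)
            break
    return counts, suspicious

if __name__ == "__main__":
    counts, suspicious = triage(SAMPLE_LOG)
    for name, n in counts.most_common():
        print(f"{n:5d}  {name}")
    for line in suspicious:
        print("CHECK:", line)
```

Run it over a day's maillog and secure log (before or after turning off log_on_success) and the summary shrinks hundreds of lines to a handful of counts, while the out-of-band connection still surfaces.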