Gentoo Forums
[Solved] Tenshi not working at all
schmeggahead
Guru
Joined: 25 Feb 2003
Posts: 314
Location: Columbus, Ohio

PostPosted: Sat Mar 14, 2009 3:29 pm    Post subject: [Solved] Tenshi not working at all

I have been working with the tenshi log watcher, which uses Perl scripts.

Trouble is, I have hardened logs using the default syslog-ng setup, and the logs are scattered everywhere.

Worse, the format of the logs does not appear to match the tenshi Perl regular expressions.

For example:

Code:
group ^login\(pam_unix\):
critical ^login\(pam_unix\): session opened for user root by root\(uid=0\)
critical ^login\(pam_unix\): session opened for user root by \(uid=0\)
report   ^login\(pam_unix\): session closed for user (.+)
report   ^login\(pam_unix\): session opened for user (.+)
group_end


I don't think it will match:
Code:
Mar  9 21:40:37 localhost login[5239]: pam_unix(login:session): session opened for user root by LOGIN(uid=0)


So my attempt at a remedy:

Code:
group ^login\[(.+)\]:
critical,mobile ^login\[(.+)\]: FAILED LOGIN
critical,mobile ^login\[(.+)\]: TOO MANY LOGIN TRIES
critical,mobile ^login\[(.+)\]: ROOT LOGIN
critical ^login\[(.+)\]: pam_unix\(login:session\): session opened for user root by root\(uid=0\)
critical ^login\[(.+)\]: pam_unix\(login:session\): session opened for user root by LOGIN\(uid=0\)
critical ^login\[(.+)\]: pam_unix\(login:session\): session opened for user root
critical ^login\[(.+)\]: PAM (.+) more authentication failures
critical ^login\[(.+)\]: pam_unix\(login:auth\): authentication failure
critical ^login\[(.+)\]: pam_unix\(login:auth\): check pass; user unknown
report ^login\[(.+)\]: pam_unix\(login:session\): session opened for user (.+)
report ^login\[(.+)\]: pam_unix\(login:session\): session closed for user (.+)
report ^login\[(.+)\]:
group_end


I added the extra .+ stuff because the man page said that if you had PID turned on you needed it, and it appears I have PID turned on.

But now that I look at the config file, maybe I don't have it turned on:

Code:
set hidepid on


I added a duplicate set without the added \[(.+)\] following the first set, and no difference.
:( :( :(

I have also used sendmail to send email to the recipients listed, and all came through from the machine, e.g. sendmail root < sample.text, and the contents of sample.text arrived correctly at each destination.


Last edited by schmeggahead on Sat Mar 14, 2009 6:21 pm; edited 2 times in total
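An added check, not part of the original post and not tenshi's own code, that runs rules in the form quoted above against a constructed copy of the posted log line with Python's re module. It assumes tenshi matches its regexes against the message after the syslog timestamp and host have been stripped, and deliberately includes one rule with unescaped parentheses to show that such a rule never fires.

```python
import re

# Constructed sample lines, modelled on the line quoted in the post (not from a real host).
SAMPLE_LINE = ("Mar  9 21:40:37 localhost login[5239]: "
               "pam_unix(login:session): session opened for user root by LOGIN(uid=0)")
AUTH_LINE = ("Mar  9 21:41:02 localhost login[5240]: "
             "pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 "
             "euid=0 tty=tty1 ruser= rhost=  user=root")

# Syslog prefix "Mon DD HH:MM:SS host " (assumption: tenshi matches on what follows it).
SYSLOG_PREFIX = re.compile(r"^\w{3}\s+\d{1,2} \d\d:\d\d:\d\d \S+ ")

# (queue, regex) pairs in tenshi's rule form. Rule 3 leaves the parentheses of
# pam_unix(login:auth) unescaped, so the regex wants the text "pam_unixlogin:auth".
RULES = [
    ("critical", r"^login\(pam_unix\): session opened for user root by root\(uid=0\)"),
    ("critical", r"^login\[(.+)\]: pam_unix\(login:session\): session opened for user root by LOGIN\(uid=0\)"),
    ("report",   r"^login\[(.+)\]: pam_unix\(login:session\): session opened for user (.+)"),
    ("critical", r"^login\[(.+)\]: pam_unix(login:auth): authentication failure"),
    ("critical", r"^login\[(.+)\]: pam_unix\(login:auth\): authentication failure"),
]


def strip_syslog_prefix(line):
    """Return the message part of a syslog line (program name onward)."""
    return SYSLOG_PREFIX.sub("", line, count=1)


def matching_rules(line, rules=RULES):
    """Return the indices into rules of every regex that matches the stripped line."""
    msg = strip_syslog_prefix(line)
    return [i for i, (_queue, pattern) in enumerate(rules) if re.search(pattern, msg)]


if __name__ == "__main__":
    for line in (SAMPLE_LINE, AUTH_LINE):
        hits = matching_rules(line)
        print(strip_syslog_prefix(line)[:40], "->", [RULES[i][0] for i in hits], hits)
```

Feed real lines from the hardened log files into matching_rules to confirm each rule fires before trusting that tenshi will report on them.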
schmeggahead

PostPosted: Sat Mar 14, 2009 6:21 pm    Post subject:

So I figured out that SSMTP doesn't listen on port 25 as I thought.

When I sent it straight to a functioning SMTP server, all worked after adding all the additional hardened log files.