# logwatch dizziness

## Azangod

Hi there,

I'm experiencing some issues in the logs provided by logwatch. 

Sometimes I see an sshd connection that was never made. Obviously I've checked the log, last, and command history without finding anything. I'm quite sure no one has cracked my account and spoofed my IP.

A friend of mine told me that he had noticed some emerge entry which shouldn't exist.

At this point I'm asking if there are other people who have noticed something fishy, and whether this logwatch tool is reliable!

----------

## ianw1974

logwatch is just parsing the logs and reading the information from them - so anything in the log files was added by something else. I've been using logwatch on my servers for a while now, and it's doing a good job of telling me things, but most of them I know about, cos it was me :)

----------

## Azangod

Yes, I know that logwatch simply parses my logfiles, but still I found in my daily report something which I cannot find in the logs. At least sometimes.

I can't figure out why...

----------

## cach0rr0

I use it too, haven't noticed such a thing. 

Isn't it something silly like logrotate archiving the relevant log entries before you have the chance to review them by hand? I do mine daily, so by the time I have the email, it's already archived.

----------

## Azangod

I dunno. I thought about logwatch too.

What could happen if the logwatch cron job starts before the logrotate one has had time to finish its task?

I'm working on it, but I've also started logwatch manually, with different options (--archive is one of the tests I did). Nothing happens for me.

I still have a phantom sshd connection.

This was yesterday; today I didn't notice anything odd.

----------

## cach0rr0

I have no ideas really, unless the connection/login is being logged to somewhere atypical =/

```
grep -ir somestring /var/log
```

heh...my only other idea - it sh. sorry dude, I've no more ideas

----------

## Azangod

*Quote:*

> I have no ideas really, unless the connection/login is being logged to somewhere atypical =/

Here! Now a question I've always wanted to post: what's the best solution for managing logs?

Per the Gentoo Handbook (and ebuild defaults), the syslogd config comes putting all the stuff in a single file (syslog - hoping I didn't forget something).

But looking around you can find thousands of variants.

Here's mine:

*Quote:*

> # $Header: /var/cvsroot/gentoo-x86/app-admin/syslog-ng/files/syslog-ng.conf.gentoo,v 1.7 2007/08/02 04:52:18 mr_bones_ Exp $
> #
> # Syslog-ng default configuration file for Gentoo Linux
> ...

The first time I tried to use logwatch I had to move to these settings to get it working. I don't know if nowadays it works without all this mess.

By the way, the standard syslogd provides one single file... not very suitable for me to have a single enormous file... on the other hand this configuration produces too many files, and some of them contain the same entries too.

I'm wondering if maybe this issue depends on it and, of more relevance, what you gurus use and/or your suggestions :D

I know that tuning gentoo is more about personal taste (and needs) than a religious war between good and evil, but in all things there is always something that is better to do and something better not to.

So I beg you all to post your personal feelings about this so I can make up my decisions based upon other people's experience rather than only my needs or my tests.

*Quote:*

> grep -ir somestring /var/log

Yes, I'm grepping around looking for this phantom connection. At least I've found other entries about one report which I once thought was a phantom. Those entries were in an apache log archived by logrotate. But I'm 100% sure that's not the case for my phantom sshd connection that pops up sometimes. The reason is that I use knockd; if someone enters my server they have to pass through the knockd logs too.

*Quote:*

> heh...my only other idea - it sh. sorry dude, I've no more ideas

Thanks for all, you helped me much more than you think :)

----------
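The grep suggested above only looks at the live files; the earlier guess in this thread was that logrotate had already archived the entry. This added script (not from the thread or from logwatch) searches a log directory for a pattern across live logs, uncompressed rotated copies and gzip-compressed archives, and reports which file holds each hit. The directory, file names and log lines are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread: search a log directory for a pattern,
# covering both the live logs and logrotate archives (rotated .1 files and
# gzip-compressed .gz files), and print every file that contains a hit.
# Paths and sample log lines below are constructed for the demonstration.

search_logs() {
    dir="$1"
    pattern="$2"
    # Live and uncompressed rotated logs: let grep report the file names.
    find "$dir" -type f ! -name '*.gz' -exec grep -il -- "$pattern" '{}' \; 2>/dev/null
    # Compressed archives: decompress to stdout and test each one.
    find "$dir" -type f -name '*.gz' 2>/dev/null | while read -r f; do
        if gzip -dc "$f" 2>/dev/null | grep -iq -- "$pattern"; then
            printf '%s\n' "$f"
        fi
    done
}

# Constructed sample: one live auth log, one gzip-rotated archive holding an
# older sshd login, and an unrelated messages file.
build_sample_logs() {
    dir="$1"
    mkdir -p "$dir"
    printf '%s\n' 'Jul  1 10:00:01 host sshd[123]: Accepted publickey for alice from 192.0.2.10 port 51234 ssh2' > "$dir/auth.log"
    printf '%s\n' 'Jun 28 03:15:42 host sshd[99]: Accepted password for bob from 198.51.100.7 port 4444 ssh2' > "$dir/auth.log.1"
    gzip -f "$dir/auth.log.1"   # becomes auth.log.1.gz, as logrotate's compress option would do
    printf '%s\n' 'Jun 29 12:00:00 host cron[5]: (root) CMD (logwatch)' > "$dir/messages"
}

# Number of files (live or archived) that mention the pattern.
count_hits() {
    search_logs "$1" "$2" | wc -l | tr -d ' '
}

# Real-world use, e.g. hunting a login you don't remember:
#   search_logs /var/log 'Accepted'
```

Against the constructed sample, `search_logs "$dir" bob` names only the compressed archive, which is exactly the case where a plain grep over the live logs comes back empty.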

## cach0rr0

wow... I think I was falling asleep as I typed that last night.

I use the stock standard syslog-ng policy that comes with a hardened stage/profile.

It breaks things up very nicely. I really do need to see about tweaking logrotate to handle emerge.log, though. I find all these mailing list entries that say not to rotate it - so what, am I just supposed to leave the bloody thing and have that chatter in my logwatch report every day?

----------

## Azangod

I rotate emerge.log. What's bad in this?

```
/var/log/emerge.log {
        notifempty
        missingok
        monthly
        rotate 3
}
```

And about logwatch reports I do not care much about emerge, that's my output:

```
Emerge Started: 2 times
Emerge Sync Completed:
   with rsync://134.68.220.73/gentoo-portage
Package Unmerged: 4 times
    >>>  to sys-apps/man-pages-3.20
    >>>  to app-emulation/open-vm-tools-0.0.20090618.172495-r2
    >>>  to www-client/lynx-2.8.6-r2
    >>>  to sys-devel/autoconf-2.63
Package Installed: 4 times
    ::: (2 to of 4) sys-devel/autoconf-2.63-r1 to /
    ::: (1 to of 4) sys-apps/man-pages-3.21 to /
    ::: (4 to of 4) app-emulation/open-vm-tools-0.0.20090722.179896 to /
    ::: (3 to of 4) www-client/lynx-2.8.6-r2 to /
 emerge End
```

Nothing to be mad about (at least for me!)

A new question... in a production environment... is it really a must to use hardened, or is the 'normal' version more than enough?

I've never used hardened and I don't know anyone who has told me that it is "compulsory" and that it is simple and fast to build... I don't have time to mess about and I'm already full of packages to tweak, confs to check, new features to test and so on.

----------

## cach0rr0

So, these are the basic criteria I use to decide if I should go the hardened route:

1) Will I be using X?

2) Will this be a server?

3) Will I need access to bleeding edge features and packages?

If I'll be using X, then I go the standard route. While people have and do get X working under hardened-sources (and the other misc changes), it's a pain in the ass, things often don't work, and by the time you're done you've disabled protections on so many binaries you might as well have not gone the hardened route in the first place. This will however, get better with time, as individual package maintainers become better gifted in keeping things functional with pax/aslr/pic/ssp/etc. Don't consider this as a rule to be followed indefinitely. 

If I'll be using the system as a server, for starters it needs no X, so I have no real reason NOT to go the hardened route. If the system is going to be accessible from external hosts, 100 out of 100 times I will go the hardened route. 

If I need access to bleeding edge packages and features, and this is for some inexplicable reason mission critical to me, I may not go the hardened route; it depends on the state of the packages I intend to use at the time. 

In terms of configuration... honestly, if this is a server the ONLY difference is:

- snag a hardened stage

- use hardened-sources instead of gentoo-sources

- rebuild all your compiler/toolchain nonsense once you're done.

Plenty of grsec-related tweaks you can make from there in defining RBAC. Actually RBAC is *huge*, will protect you to a considerable extent even if someone manages to get root on your box. 

And of course you may find paxctl is needed from time to time. 

But these are both done AFTER the main setup. Honestly, well worth the small bit of extra compile time spent, though, not an excuse for an admin to be anything but vigilant.

----------

## Azangod

It seems there is more to be added to my agenda. I don't know if I should be happy or sad.

My public server has only services, no X, I'm firmly against it. 

At the very moment that's what's needed: apache php mysql postgre tomcat modjk phpmyadmin phppgadmin knockd, and very soon: postfix courier-imap squirrelmail ssl.

Something for web-statistics is also a priority in my agenda. For now the best candidate is awstats.

Oh! I forgot, all this is on a vmware-esx virtual machine. Unfortunately not mine. I cannot simply snapshot or replicate it to create another VM to test; I must start from scratch, meaning downtime for all my customers, who surely will not be happy about it.

I heard some time ago, maybe I misunderstood, that it is possible to have more than one kernel on a machine and hot-swap among them. Was I drunk? Is it really possible? This really would be a bleeding edge feature for me. Right now upgrading the kernel is such a pain that I prefer not to upgrade it. I simply cannot risk rebooting and getting a warm welcome from a kernel panic.

----------

