Henrik Stoerner wrote:
On Thu, Sep 13, 2007 at 09:20:08AM -0400, Jay Brislin wrote:
I set up a PORT rule to alert for SENDMAIL logins in the DEFAULT section of my hobbit-clients.cfg file. I wanted to override that rule for certain hosts to allow SENDMAIL logins. My hobbit-clients.cfg looks like this:
HOST=luxuria
        PORT "LOCAL=%([.:]25)$" state=ESTABLISHED min=0 max=9 color=green "TEXT=SENDMAIL logins"

DEFAULT
        PORT "LOCAL=%([.:]23)$" state=ESTABLISHED min=0 max=0 color=red "TEXT=TELNET logins"
        PORT "LOCAL=%([.:]25)$" state=ESTABLISHED min=0 max=0 color=red "TEXT=SENDMAIL logins"
        PORT "LOCAL=%([.:]20)$" state=ESTABLISHED min=0 max=0 color=red "TEXT=FTP logins"
The DEFAULT section should ONLY be used to change the defaults for cpu-, disk- and memory-thresholds. Do NOT use it for process- or port-monitoring. Instead, you should use:
HOST=luxuria
        PORT "LOCAL=%([.:]25)$" state=ESTABLISHED min=0 max=9 color=green "TEXT=SENDMAIL logins"

EXHOST=luxuria
        PORT "LOCAL=%([.:]23)$" state=ESTABLISHED min=0 max=0 color=red "TEXT=TELNET logins"
        PORT "LOCAL=%([.:]25)$" state=ESTABLISHED min=0 max=0 color=red "TEXT=SENDMAIL logins"
        PORT "LOCAL=%([.:]20)$" state=ESTABLISHED min=0 max=0 color=red "TEXT=FTP logins"
Henrik
We use the DEFAULT section for common LOG rules. (IGNORE rules omitted for clarity)
DEFAULT
        # These are the built-in defaults.
        UP 1h
        LOAD 5.0 10.0
        DISK %^/cdrom/.* 101 101
        DISK * 90 95
        MEMPHYS 100 101
        MEMSWAP 50 80
        MEMACT 90 97
        LOG /var/adm/messages %(?-i)NOTICE|kern.error
        LOG /var/adm/messages %(?-i)WARNING COLOR=yellow IGNORE=%(?-i)forceload
        LOG /var/log/messages %(?-i)Redundancy\slost|degraded|error|Error
        LOG /var/log/messages %(?-i)failed IGNORE=%(?-i)cdrom:\sopen\sfailed COLOR=yellow
        LOG /var/log/system.log %(?-i)error|Error
        LOG /var/log/system.log %(?-i)failed COLOR=yellow
Is this really wrong?
Dominique UNIL - University of Lausanne