Aaron.
A couple questions:
[mailrelay.math.purdue.edu] is my win32 client; I just use a host name.
On my server my client-local.cfg looks like the following:
[mailrelay.math.purdue.edu]
file:c:\Alligate\Digests\(rmcgraw at math.purdue.edu).txt
eventlog:security
On the BBWin client I have
$ cat clientlocal.cfg
file:c:\Alligate\Digests\(rmcgraw at math.purdue.edu).txt
eventlog:security
Which shows that it was read from the server correctly.
On the hobbit server in my hobbit-clients I have
HOST=mailrelay.math.purdue.edu
UP 30m 1w
LOAD 40.0 70.0
DISK * 90 95
FILE c:\Alligate\Digests\(rmcgraw at math.purdue.edu).txt red MTIME<43200
LOG %security "Login attempt" COLOR=yellow
The second parameter of the LOG entry should be the file name. What is the file name for the event security logs?
It seems that when I added "eventlog:security" I get the [logfile:tlog] error message in the msg.mailrelay.math.purdue.edu.txt file that is located in the BBWin/tmp directory. Do you get this?
From the information above and the snippet of my msg. file, can you give me the LOG entry that you think would work?
Snippet from my msg.mailrelay.math.purdue.edu.txt file on the BBWin client mailrelay.
[logfile:tlog] ERROR: The system cannot find the file specified.
[msgs:eventlog_application]
[msgs:eventlog_security]
success - 2008/06/16 17:53:25 - Security (576) - Special privileges assigned to new logon: User Name: Domain: Logon ID: (0x0,0x84B6EDC) Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege
success - 2008/06/16 17:53:25 - Security (528) - Successful Logon: User Name: rmcgraw Domain: MAILRELAY Logon ID: (0x0,0x84B6EDC) Logon Type: 2 Logon Process: Advapi Authentication Package: Negotiate Workstation Name: MAILRELAY Logon GUID: - Caller User Name: sshd_server Caller Domain: MAILRELAY Caller Logon ID: (0x0,0x10A65) Caller Process ID: 2856 Transited Services: - Source Network Address: - Source Port: -
success - 2008/06/16 17:53:25 - Security (552) - Logon attempt using explicit credentials: Logged on user: User Name: sshd_server Domain: MAILRELAY Logon ID: (0x0,0x10A65) Logon GUID: - User whose credentials were used: Target User Name: rmcgraw Target Domain: MAILRELAY Target Logon GUID: - Target Server Name: localhost Target Server Info: localhost Caller Process ID: 2856 Source Network Address: - Source Port: -
success - 2008/06/16 17:53:25 - Security (680) - Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon account: rmcgraw Source Workstation: MAILRELAY Error Code: 0x0
success - 2008/06/16 17:49:42 - Security (538) - User Logoff: User Name: rmcgraw Domain: MAILRELAY Logon ID: (0x0,0x849D0DB) Logon Type: 7
success - 2008/06/16 17:49:42 - Security (576) - Special privileges assigned to new logon: User Name: rmcgraw Domain: MAILRELAY Logon ID: (0x0,0x849D0DB) Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege
success - 2008/06/16 17:49:42 - Security (528) - Successful Logon: User Name: rmcgraw Domain: MAILRELAY Logon ID: (0x0,0x849D0DB) Logon Type: 7 Logon Process: User32 Authentication Package: Negotiate Workstation Name: MAILRELAY Logon GUID: - Caller User Name: MAILRELAY$ Caller Domain: MATHNET Caller Logon ID: (0x0,0x3E7) Caller Process ID: 3008 Transited Services: - Source Network Address: 128.210.3.202 Source Port: 57339
success - 2008/06/16 17:49:42 - Security (552) - Logon attempt using explicit credentials: Logged on user: User Name: MAILRELAY$ Domain: MATHNET Logon ID: (0x0,0x3E7) Logon GUID: - User whose credentials were used: Target User Name: rmcgraw Target Domain: MAILRELAY Target Logon GUID: - Target Server Name: localhost Target Server Info: localhost Caller Process ID: 3008 Source Network Address: 128.210.3.202 Source Port: 57339
success - 2008/06/16 17:49:42 - Security (680) - Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon account: rmcgraw Source Workstation: MAILRELAY Error Code: 0x0
[msgs:eventlog_system]
-----Original Message-----
From: Aaron Zink [mailto:AaronZink at eharmony.com]
Sent: Monday, June 16, 2008 2:43 PM
To: hobbit at hswn.dk
Subject: RE: [hobbit] BBWin and Hobbit msgs log question.
Robert,
If you are running in centralized mode, to get message log alerting you will also need something in client-local.cfg, such as:
[win32]
eventlog:application
ignore information
ignore BigBrotherHobbitClient
eventlog:system
ignore information
Then your LOG entry in hobbit-clients.cfg *should* work after restarting hobbit and bbwin, but you probably need/want to use regexes to refine the alerts. For example, I use:
CLASS=win32
LOG %application.* "%error - .*" COLOR=red
LOG %application.* "%warning - .*" COLOR=yellow
Hope this helps.
Aaron Zink
Corporate IT Manager
eHarmony.com
626.795.4814
-----Original Message-----
From: McGraw, Robert P [mailto:rmcgraw at purdue.edu]
Sent: Monday, June 16, 2008 07:09
To: bbwin-users at lists.sourceforge.net; hobbit at hswn.dk
Subject: [hobbit] BBWin and Hobbit msgs log question.
HOBBIT SERVER: SunOS zorn.math.purdue.edu 5.10 Generic_120011-14 sun4u sparc SUNW,Sun-Fire-280R running Hobbit 4.2
BBWIN CLIENT: Microsoft Windows Server 2003, Standard Edition Service Pack 2 (build 3790) running BBWin V.12
On the hobbit server I have the following event logs under msgs that are coming from the BBWin server. I am not sure how I can monitor these log messages.
Full log eventlog_application
information - 2008/06/16 09:52:34 - sshd (0) - The description for Event ID ( 0 ) in Source ( sshd ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: sshd: PID 3320: Connection closed by 128.210.3.177.
information - 2008/06/16 09:47:33 - sshd (0) - The description for Event ID ( 0 ) in Source ( sshd ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: sshd: PID 3524: Connection closed by 128.210.3.177.
What would I put in the hobbit server hobbit-clients.cfg file to make the msgs icon for the bbwin client turn yellow?
I had tried
LOG event_application information color=yellow
But that did not work.
Thanks
Robert
Robert P. McGraw, Jr.
Manager, Computer System      EMAIL: rmcgraw at purdue.edu
Purdue University             ROOM: MATH-807
Department of Mathematics     PHONE: (765) 494-6055
150 N. University Street
West Lafayette, IN 47907-2067
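Added example (not part of the original thread, and not Hobbit or BBWin code): a small Python model that parses msgs data in the layout quoted in this thread and applies LOG-style rules to it, so a log-name/pattern pair can be checked against captured lines before hobbit-clients.cfg is edited. The sample data is constructed, the function names are hypothetical, and the matching semantics (a leading % means an unanchored regex, otherwise the log name must be equal and the pattern a substring) are assumptions of this model.

```python
import re

# Constructed sample in the layout of the msgs data quoted in this thread:
# "[msgs:<log>]" headers, then "<type> - <date> - <source> (<id>) - <text>".
SAMPLE = """\
[msgs:eventlog_application]
information - 2008/06/16 09:52:34 - sshd (0) - sshd: PID 3320: Connection closed by 192.0.2.10.
[msgs:eventlog_security]
success - 2008/06/16 17:53:25 - Security (528) - Successful Logon: User Name: alice Logon Type: 2
success - 2008/06/16 17:53:25 - Security (552) - Logon attempt using explicit credentials: Target User Name: alice
[msgs:eventlog_system]
"""

SECTION = re.compile(r"^\[msgs:([^\]]+)\]\s*$")
EVENT = re.compile(r"^\w+ - \d{4}/\d\d/\d\d \d\d:\d\d:\d\d - .+? \((\d+)\) - ")
SEVERITY = {"green": 0, "yellow": 1, "red": 2}

def parse(text):
    """Yield (log_name, event_id, line) for each event line under a section."""
    log = None
    for line in text.splitlines():
        sec = SECTION.match(line)
        if sec:
            log = sec.group(1)
        elif log and (ev := EVENT.match(line)):
            yield log, int(ev.group(1)), line

def matches(spec, value, substring):
    # Assumption of this model: a leading "%" means an unanchored regex;
    # otherwise a log name must be equal and a pattern must be a substring.
    if spec.startswith("%"):
        return re.search(spec[1:], value) is not None
    return spec in value if substring else spec == value

def hits(rule, text):
    """Event IDs of the lines that one (log, pattern, colour) rule matches."""
    return [eid for log, eid, line in parse(text)
            if matches(rule[0], log, False) and matches(rule[1], line, True)]

def evaluate(rules, text):
    """Return {log_name: worst colour} over all rules that matched a line."""
    status = {}
    for rule in rules:
        for log, _eid, line in parse(text):
            if matches(rule[0], log, False) and matches(rule[1], line, True):
                if SEVERITY[rule[2]] > SEVERITY[status.get(log, "green")]:
                    status[log] = rule[2]
    return status
```

On the constructed sample, the literal pattern "Login attempt" matches no line because the event text reads "Logon attempt", and the literal log name security is not equal to the section name eventlog_security.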