Edward Croft wrote:

I have it set up on different machines, in different configurations trying to find the one that works.The only one that works is the one that is using the bb client. We are trying to move away from Big Brother. When it is client-side, I configure it on the client, on the server side I configure all of them whether they are client-side or not. Question, I note that the bb-hosts file isn't installed client-side, I did copy it over to /usr/local/hobbit/client/etc directory just in case, but still no go. The important thing is for it to alert if there is the word NOTICE in the line for messages, and BREAKIN for secure. Thanks Henrik. Other than that, it all looks great. I really like it, but I have to get this working or it is a no go and I will have to look elsewhere.

On Jan 12, 2008 9:15 AM, Henrik Stoerner <henrik at hswn.dk <mailto:henrik at hswn.dk>> wrote:

Have you configured your client(s) for server-side or client-side
configuration ? It's the first question asked when you configure
the client:
 Server side client configuration, or client side [server] ?

And what host are you editing the client-local.cfg and
hobbit-clients.cfg files on ? On the client or on the server?


Henrik


On Thu, Jan 10, 2008 at 02:15:24PM -0500, Edward Croft wrote:
> On the message page I am getting the following results.
> In the client-local.cfg file it says:
> log:/var/log/messages:10240
> trigger NOTICE
> trigger WARNING
>
> log:/var/log/secure:10240
> ignore "Connection closed by"
> trigger BREAKIN
>
> In hobbit-clients.cfg it says:
>         LOG /var/log/messages WARNING COLOR=yellow
>         LOG /var/log/messages NOTICE COLOR=red
>         LOG /var/log/secure BREAKIN
>
> Yet, nothing appears in the top half and it never changes from
green.
>
>
> No entries in /var/log/messages
> <
http://phanes/hobbit-cgi/bb-hostsvc.sh?CLIENT=sirona.hq.openratings.com&SECTION=msgs:/var/log/messages
<http://phanes/hobbit-cgi/bb-hostsvc.sh?CLIENT=sirona.hq.openratings.com&SECTION=msgs:/var/log/messages>>
>
> No entries in /var/log/secure
> <
http://phanes/hobbit-cgi/bb-hostsvc.sh?CLIENT=sirona.hq.openratings.com&SECTION=msgs:/var/log/secure
<http://phanes/hobbit-cgi/bb-hostsvc.sh?CLIENT=sirona.hq.openratings.com&SECTION=msgs:/var/log/secure>>
>
>
> Full log /var/log/messages
> <
http://phanes/hobbit-cgi/bb-hostsvc.sh?CLIENT=sirona.hq.openratings.com&SECTION=msgs:/var/log/messages
<http://phanes/hobbit-cgi/bb-hostsvc.sh?CLIENT=sirona.hq.openratings.com&SECTION=msgs:/var/log/messages>>
> Jan 10 13:31:40 sirona ecroft: NOTICE
>
> Full log /var/log/secure
>
<http://phanes/hobbit-cgi/bb-hostsvc.sh?CLIENT=sirona.hq.openratings.com&SECTION=msgs:/var/log/secure
<http://phanes/hobbit-cgi/bb-hostsvc.sh?CLIENT=sirona.hq.openratings.com&SECTION=msgs:/var/log/secure>>
> Jan 10 13:22:50 sirona sshd[5087]: Connection closed by
10.0.14.249 <http://10.0.14.249>
> Jan 10 13:27:51 sirona sshd[5133]: Connection closed by
10.0.14.249 <http://10.0.14.249>
> Jan 10 13:31:38 sirona ecroft: BREAKIN
> Jan 10 13:32:52 sirona sshd[5181]: Connection closed by
10.0.14.249 <http://10.0.14.249>
> Jan 10 13:37:53 sirona sshd[5227]: Connection closed by
10.0.14.249 <http://10.0.14.249>
> Jan 10 13:42:54 sirona sshd[5273]: Connection closed by
10.0.14.249 <http://10.0.14.249>
> Jan 10 13:47:55 sirona sshd[5319]: Connection closed by
10.0.14.249 <http://10.0.14.249>
> Jan 10 13:52:56 sirona sshd[5365]: Connection closed by
10.0.14.249 <http://10.0.14.249>
>
>
>
> --
> If the sane say the insane are insane,
> What if the sane are insane?
> Would that make the insane sane?
> Explains a lot in Washington!
>  --E. Croft

--
Henrik Storner

To unsubscribe from the hobbit list, send an e-mail to
hobbit-unsubscribe at hswn.dk <mailto:hobbit-unsubscribe at hswn.dk>

-- If the sane say the insane are insane, What if the sane are insane? Would that make the insane sane? Explains a lot in Washington! --E. Croft Unless you have a reason not to (like a firewall you have no control over), install it with serverside configuration. While hobbit may look and feel like BB (and use most of the bbc clients with little or no modification), it works differently. With hobbit, set up with serverside config, you only have to maintain bbhosts on the server. Check out the man pages that you can link via the web page.

=G=

Thank you both. I will check this out first thing Monday morning.

On Jan 12, 2008 11:46 AM, Henrik Stoerner <henrik at hswn.dk> wrote:

On Sat, Jan 12, 2008 at 10:43:31AM -0500, Edward Croft wrote:

...

On Jan 12, 2008 9:15 AM, Henrik Stoerner <henrik at hswn.dk> wrote:

...

Have you configured your client(s) for server-side or client-side configuration ?

I have it set up on different machines, in different configurations trying to find the one that works.

Ok, let's pick ONE machine and get that to work. Preferably one where the client is configured for server-side configuration. Verify this by looking at the "conn" status - you must have a "Client data available" link right above the graph. If there's no link, then the client isn't sending a Hobbit "client" message, but just the old-style BB messages.

I'll assume this client system is called "testhost.foo.com". Your client-local.cfg (on the hobbit server) should then have

[testhost.foo.com] log:/var/log/messages:10240 trigger NOTICE trigger WARNING

log:/var/log/secure:10240 ignore "Connection closed by" trigger BREAKIN

Changes to client-local.cfg can take up to 15 minutes to trickle down to the client. You can speed this up by 1) sending a HUP signal to the hobbitd process on the Hobbit server, and then 2) restarting the Hobbit client software. After restarting the client, it takes 5 minutes for the changes to take effect.

Your hobbit-clients.cfg - also on the Hobbit server - must have these lines:

HOST=testhost.foo.com LOG /var/log/messages WARNING COLOR=yellow LOG /var/log/messages NOTICE COLOR=red LOG /var/log/secure BREAKIN

You can test the configuration on the Hobbit server with the "hobbitd_client --test" command. Like this:

$ bbcmd hobbitd_client --test 2008-01-12 17:41:18 Using default environment file /usr/lib/hobbit/server/etc/hobbitserver.cfg Hostname (.=end, ?=dump, !=reload) []: testhost.foo.com Hosttype []: Test (cpu, mem, disk, proc, log, port): log log filename: /var/log/secure To read log data from a file, enter '@FILENAME' at the prompt log line: Jan 10 13:22:50 sirona sshd[5087]: Connection closed by 10.0.14.249 log line: Jan 10 13:27:51 sirona sshd[5133]: Connection closed by 10.0.14.249 log line: Jan 10 13:31:38 sirona ecroft: BREAKIN log line: Jan 10 13:32:52 sirona sshd[5181]: Connection closed by 10.0.14.249 log line: Jan 10 13:37:53 sirona sshd[5227]: Connection closed by 10.0.14.249 log line: Log status is red

&red Jan 10 13:22:50 sirona sshd[5087]: Connection closed by 10.0.14.249Jan 10 13:27:51 sirona sshd[5133]: Connection closed by 10.0.14.249Jan 10 13:31:38 sirona ecroft: BREAKINJan 10 13:32:52 sirona sshd[5181]: Connection closed by 10.0.14.249Jan 10 13:37:53 sirona sshd[5227]: Connection closed by 10.0.14.249

Also, while in the "hobbitd_client --test" environment, you can use the dump-command to see how your hobbits-clients.cfg was parsed.

If this doesn't make your msgs column go red, then I'd like to have a look at the bb-hosts entry for this host, and your client-local.cfg and hobbit-clients.cfg files. You can send them directly to me, no need to bother the entire mailing list with them.

Regards, Henrik

To unsubscribe from the hobbit list, send an e-mail to hobbit-unsubscribe at hswn.dk

-- If the sane say the insane are insane, What if the sane are insane? Would that make the insane sane? Explains a lot in Washington! --E. Croft