port rule evaluation in hobbit-clients.cfg
I set up a PORT rule to alert for SENDMAIL logins in the DEFAULT section of my hobbit-clients.cfg file. I wanted to override that rule for certain hosts to allow SENDMAIL logins. My hobbit-clients.cfg looks like this:
HOST=luxuria
    PORT "LOCAL=%([.:]25)$" state=ESTABLISHED min=0 max=9 color=green "TEXT=SENDMAIL logins"

DEFAULT
    # These are the built-in defaults.
    UP 1h
    LOAD 5.0 10.0
    DISK * 90 95
    MEMPHYS 100 101
    MEMSWAP 70 85
    MEMACT 90 97
    PROC cron
    PROC ntpd
    PORT "LOCAL=%([.:]23)$" state=ESTABLISHED min=0 max=0 color=red "TEXT=TELNET logins"
    PORT "LOCAL=%([.:]25)$" state=ESTABLISHED min=0 max=0 color=red "TEXT=SENDMAIL logins"
    PORT "LOCAL=%([.:]20)$" state=ESTABLISHED min=0 max=0 color=red "TEXT=FTP logins"
But I see this on the hobbit server display:
    green SENDMAIL logins (found 1, req. at most 9)
    green TELNET logins (found 0, req. at most 0)
    red SENDMAIL logins (found 1, req. at most 0)
    green FTP logins (found 0, req. at most 0)
Does anybody know why both rules for the SENDMAIL port are being evaluated? The man page for hobbit-clients.cfg says: The entire file is evaluated from the top to bottom, and the first match found is used. So you should put the specific settings first, and the generic ones last.
-- Jay
On Thu, Sep 13, 2007 at 09:20:08AM -0400, Jay Brislin wrote:
I set up a PORT rule to alert for SENDMAIL logins in the DEFAULT section of my hobbit-clients.cfg file. I wanted to override that rule for certain hosts to allow SENDMAIL logins. My hobbit-clients.cfg looks like this:
HOST=luxuria
    PORT "LOCAL=%([.:]25)$" state=ESTABLISHED min=0 max=9 color=green "TEXT=SENDMAIL logins"

DEFAULT
    PORT "LOCAL=%([.:]23)$" state=ESTABLISHED min=0 max=0 color=red "TEXT=TELNET logins"
    PORT "LOCAL=%([.:]25)$" state=ESTABLISHED min=0 max=0 color=red "TEXT=SENDMAIL logins"
    PORT "LOCAL=%([.:]20)$" state=ESTABLISHED min=0 max=0 color=red "TEXT=FTP logins"
The DEFAULT section should ONLY be used to change the defaults for cpu-, disk- and memory-thresholds. Do NOT use it for process- or port-monitoring. Instead, you should use:
HOST=luxuria
    PORT "LOCAL=%([.:]25)$" state=ESTABLISHED min=0 max=9 color=green "TEXT=SENDMAIL logins"

EXHOST=luxuria
    PORT "LOCAL=%([.:]23)$" state=ESTABLISHED min=0 max=0 color=red "TEXT=TELNET logins"
    PORT "LOCAL=%([.:]25)$" state=ESTABLISHED min=0 max=0 color=red "TEXT=SENDMAIL logins"
    PORT "LOCAL=%([.:]20)$" state=ESTABLISHED min=0 max=0 color=red "TEXT=FTP logins"
Henrik
Henrik Stoerner wrote:
On Thu, Sep 13, 2007 at 09:20:08AM -0400, Jay Brislin wrote:
I set up a PORT rule to alert for SENDMAIL logins in the DEFAULT section of my hobbit-clients.cfg file. I wanted to override that rule for certain hosts to allow SENDMAIL logins. My hobbit-clients.cfg looks like this:
HOST=luxuria
    PORT "LOCAL=%([.:]25)$" state=ESTABLISHED min=0 max=9 color=green "TEXT=SENDMAIL logins"

DEFAULT
    PORT "LOCAL=%([.:]23)$" state=ESTABLISHED min=0 max=0 color=red "TEXT=TELNET logins"
    PORT "LOCAL=%([.:]25)$" state=ESTABLISHED min=0 max=0 color=red "TEXT=SENDMAIL logins"
    PORT "LOCAL=%([.:]20)$" state=ESTABLISHED min=0 max=0 color=red "TEXT=FTP logins"
The DEFAULT section should ONLY be used to change the defaults for cpu-, disk- and memory-thresholds. Do NOT use it for process- or port-monitoring. Instead, you should use:
HOST=luxuria
    PORT "LOCAL=%([.:]25)$" state=ESTABLISHED min=0 max=9 color=green "TEXT=SENDMAIL logins"

EXHOST=luxuria
    PORT "LOCAL=%([.:]23)$" state=ESTABLISHED min=0 max=0 color=red "TEXT=TELNET logins"
    PORT "LOCAL=%([.:]25)$" state=ESTABLISHED min=0 max=0 color=red "TEXT=SENDMAIL logins"
    PORT "LOCAL=%([.:]20)$" state=ESTABLISHED min=0 max=0 color=red "TEXT=FTP logins"
Henrik
We use the DEFAULT section for common LOG rules. (IGNORE rules omitted for clarity)
DEFAULT
    # These are the built-in defaults.
    UP 1h
    LOAD 5.0 10.0
    DISK %^/cdrom/.* 101 101
    DISK * 90 95
    MEMPHYS 100 101
    MEMSWAP 50 80
    MEMACT 90 97
    LOG /var/adm/messages %(?-i)NOTICE|kern.error
    LOG /var/adm/messages %(?-i)WARNING COLOR=yellow IGNORE=%(?-i)forceload
    LOG /var/log/messages %(?-i)Redundancy\slost|degraded|error|Error
    LOG /var/log/messages %(?-i)failed IGNORE=%(?-i)cdrom:\sopen\sfailed COLOR=yellow
    LOG /var/log/system.log %(?-i)error|Error
    LOG /var/log/system.log %(?-i)failed COLOR=yellow
Is this really wrong?
Dominique UNIL - University of Lausanne
On Thu, Sep 13, 2007 at 04:49:46PM +0200, Dominique Frise wrote:
Henrik Stoerner wrote:
The DEFAULT section should ONLY be used to change the defaults for cpu-, disk- and memory-thresholds. Do NOT use it for process- or port-monitoring. Instead, you should use:
We use the DEFAULT section for common LOG rules. [snip] Is this really wrong?
It isn't really *wrong*, but it isn't *right* either ...
The thing is - it works, until you need to do something like what the original poster wrote: Have the default rules applied to all hosts except a few.
Regards, Henrik
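As an added example (not code from the thread, and not Hobbit's own implementation), here is a small Python model of the evaluation behaviour Henrik describes in both of his replies: every PORT rule in every section whose host filter matches the client is checked, DEFAULT matches every host, and EXHOST= matches every host except the ones listed. Those semantics, the rule that headerless lines apply to all hosts, the second hostname and the netstat sample are assumptions made for the example; the two configurations are the ones posted above. Run stand-alone, it reproduces the four result lines from the original post for the DEFAULT-based layout and a single green line for the HOST=/EXHOST= layout.

```python
# Added example (not from the thread or from Hobbit/Xymon): a toy evaluator
# modelling the PORT-rule behaviour described in the thread.  ASSUMPTIONS:
# every PORT rule in every section whose host filter matches the client is
# checked, DEFAULT (and rules before any header) match every host, and
# EXHOST= matches every host except those listed.  Only the subset of
# hobbit-clients.cfg syntax used in the thread is parsed.
import re
import shlex


def parse_port_rule(line):
    """Turn one 'PORT ...' line into a dict: local, state, min, max, color, text."""
    rule = {"local": None, "state": None, "min": 0, "max": -1, "color": "red", "text": line}
    for tok in shlex.split(line)[1:]:           # shlex keeps "TEXT=SENDMAIL logins" as one token
        key, _, val = tok.partition("=")
        key = key.lower()
        if key == "local":
            # A leading '%' marks the value as a regular expression, as in the thread.
            rule["local"] = re.compile(val[1:] if val.startswith("%") else re.escape(val) + "$")
        elif key in ("min", "max"):
            rule[key] = int(val)
        elif key in ("state", "color", "text"):
            rule[key] = val
    return rule


def parse_config(text):
    """Return [(kind, hosts, rules)] for HOST=/EXHOST=/DEFAULT sections holding PORT rules."""
    sections = [("ALL", set(), [])]             # headerless rules apply to every host (assumption)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments and blank lines
        if not line:
            continue
        if line.startswith("HOST="):
            sections.append(("HOST", set(line[5:].split(",")), []))
        elif line.startswith("EXHOST="):
            sections.append(("EXHOST", set(line[7:].split(",")), []))
        elif line == "DEFAULT":
            sections.append(("DEFAULT", set(), []))
        elif line.startswith("PORT "):
            sections[-1][2].append(parse_port_rule(line))
        # LOAD, DISK, MEM*, PROC and LOG rules are not modelled here
    return sections


def parse_netstat(text):
    """Parse Linux 'netstat -ant'-style lines: proto recv-q send-q local foreign state."""
    conns = []
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 6 and f[0].startswith("tcp"):
            conns.append({"local": f[3], "remote": f[4], "state": f[5]})
    return conns


def section_applies(kind, hosts, hostname):
    if kind == "HOST":
        return hostname in hosts
    if kind == "EXHOST":
        return hostname not in hosts
    return True                                 # DEFAULT and headerless rules match every host


def evaluate(sections, hostname, conns):
    """One (text, found, max, color) tuple per PORT rule that applies to hostname."""
    results = []
    for kind, hosts, rules in sections:
        if not section_applies(kind, hosts, hostname):
            continue
        for r in rules:
            found = sum(1 for c in conns
                        if r["local"].search(c["local"])
                        and (r["state"] is None or c["state"] == r["state"]))
            violated = found < r["min"] or (r["max"] >= 0 and found > r["max"])
            results.append((r["text"], found, r["max"], r["color"] if violated else "green"))
    return results


def render(results):
    return ["%s %s (found %d, req. at most %d)" % (c, t, f, m) for t, f, m, c in results]


# The original poster's layout: a HOST= override above a DEFAULT section that also has PORT rules.
DEFAULT_CFG = """
HOST=luxuria
    PORT "LOCAL=%([.:]25)$" state=ESTABLISHED min=0 max=9 color=green "TEXT=SENDMAIL logins"
DEFAULT
    PORT "LOCAL=%([.:]23)$" state=ESTABLISHED min=0 max=0 color=red "TEXT=TELNET logins"
    PORT "LOCAL=%([.:]25)$" state=ESTABLISHED min=0 max=0 color=red "TEXT=SENDMAIL logins"
    PORT "LOCAL=%([.:]20)$" state=ESTABLISHED min=0 max=0 color=red "TEXT=FTP logins"
"""

# Henrik's layout: the generic rules live in an EXHOST= section that skips luxuria.
EXHOST_CFG = """
HOST=luxuria
    PORT "LOCAL=%([.:]25)$" state=ESTABLISHED min=0 max=9 color=green "TEXT=SENDMAIL logins"
EXHOST=luxuria
    PORT "LOCAL=%([.:]23)$" state=ESTABLISHED min=0 max=0 color=red "TEXT=TELNET logins"
    PORT "LOCAL=%([.:]25)$" state=ESTABLISHED min=0 max=0 color=red "TEXT=SENDMAIL logins"
    PORT "LOCAL=%([.:]20)$" state=ESTABLISHED min=0 max=0 color=red "TEXT=FTP logins"
"""

# Constructed netstat output for luxuria: an SMTP listener, one SMTP session, one SSH session.
SAMPLE_NETSTAT = """
tcp        0      0 0.0.0.0:25            0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:25         198.51.100.7:41822      ESTABLISHED
tcp        0      0 192.0.2.10:22         198.51.100.9:50110      ESTABLISHED
"""

if __name__ == "__main__":
    conns = parse_netstat(SAMPLE_NETSTAT)
    for label, cfg in (("PORT rules in DEFAULT", DEFAULT_CFG), ("PORT rules in EXHOST=", EXHOST_CFG)):
        print(label)
        for line in render(evaluate(parse_config(cfg), "luxuria", conns)):
            print("  " + line)
```

With the DEFAULT-based layout the SENDMAIL port is reported twice for luxuria, once green from the HOST= section and once red from DEFAULT, exactly as in the original post; with the EXHOST= layout luxuria gets only the HOST= rule, while any other host (try "mailrelay" as the hostname) gets the three generic rules.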
participants (3)
- brislin@bc.edu
- Dominique.Frise@unil.ch
- henrik@hswn.dk