Solaris 10 sparc xymon 4.3.10 issue ?
Hi,
I installed xymon 4.3.10 last week and since then I have noticed that something has been appending data to the end of /usr/bin/logger every 5 minutes. Since this wasn't happening before I suspect xymon.
164.76.2.44 - - [08/Oct/2012:11:26:03 -0400] "GET / HTTP/1.1" 302 209.
This is the IP address of my xymon server. Any suggestions as to what I might need to tweak?
Thanks, Matt
-- Matthew Goebel : goebel at emunix.emich.edu : Unix Jockey @ EMU : Hail Eris Neo-Student, Net Lurker, Donut consumer, and procrastinating medher... "Always with the negative waves, Moriarty" - Oddball "Comfort the troubled, and trouble the comfortable." - Dietrich Bonhoeffer
On 10/08/2012 12:08 PM, Matt Goebel wrote:
> Hi,
> I installed xymon 4.3.10 last week and since then I have noticed that something has been appending data to the end of /usr/bin/logger every 5 minutes. Since this wasn't happening before I suspect xymon.
> 164.76.2.44 - - [08/Oct/2012:11:26:03 -0400] "GET / HTTP/1.1" 302 209.
> This is the IP address of my xymon server. Any suggestions as what I might need to tweak?
> Thanks, Matt
/usr/bin/logger? A binary?
-- Ryan Novosielski - Sr. Systems Programmer : novosirj at umdnj.edu - 973/972.0922 (2-0922) : Univ. of Med. and Dent. : IST/EI-Academic Svcs. - ADMC 450, Newark
Yes... /bin/logger is a binary...
I seem to have figured out the issue, fping was being run as root by xymon, so I did the following :
so I removed the sticky bit from user and group on /usr/local/sbin/fping
then I did the following and restarted xymon
add in : /etc/security/exec_attr
Network Management:solaris:cmd:::/usr/local/sbin/fping:privs=net_icmpaccess
add in : /etc/user_attr
xymon::::defaultpriv=basic,net_icmpaccess
Matt
-- Matthew Goebel : goebel at emunix.emich.edu : Unix Jockey @ EMU : Hail Eris Neo-Student, Net Lurker, Donut consumer, and procrastinating medher... "Always with the negative waves, Moriarty" - Oddball "Comfort the troubled, and trouble the comfortable." - Dietrich Bonhoeffer
If something was appending to the /usr/bin/logger binary, you might want to check your various scripts for code that does:
....... > /usr/bin/logger
instead of:
..... | /usr/bin/logger
Ralph Mitchell
On Oct 8, 2012 12:50 PM, "Matt Goebel" <goebel at emunix.emich.edu> wrote:
> Yes... /bin/logger is a binary...
> I seem to have figured out the issue, fping was being run as root by xymon, so I did the following :
> so I removed the sticky bit from user and group on /usr/local/sbin/fping
> then I did the following and restarted xymon
> add in : /etc/security/exec_attr
> Network Management:solaris:cmd:::/usr/local/sbin/fping:privs=net_icmpaccess
> add in : /etc/user_attr
> xymon::::defaultpriv=basic,net_icmpaccess
> Matt
> -- Matthew Goebel : goebel at emunix.emich.edu : Unix Jockey @ EMU : Hail Eris Neo-Student, Net Lurker, Donut consumer, and procrastinating medher... "Always with the negative waves, Moriarty" - Oddball "Comfort the troubled, and trouble the comfortable." - Dietrich Bonhoeffer
> Xymon mailing list Xymon at xymon.com http://lists.xymon.com/mailman/listinfo/xymon
Aha, there was a long buried issue on our apache server in a customlog setup which had never been an issue until xymon was turned on. There was no redirect, /bin/tee was opening everything listed after it including "|" and "/bin/logger" and appending to them the apache logs... it must be a Monday... :)
Matt
And now a bit of polka music by "Ralph Mitchell"
> If something was appending to the /usr/bin/logger binary, you might want to check your various scripts for code that does:
> ....... > /usr/bin/logger
> instead of:
> ..... | /usr/bin/logger
> Ralph Mitchell
> On Oct 8, 2012 12:50 PM, "Matt Goebel" <goebel at emunix.emich.edu> wrote:
>> Yes... /bin/logger is a binary...
>> I seem to have figured out the issue, fping was being run as root by xymon, so I did the following :
>> so I removed the sticky bit from user and group on /usr/local/sbin/fping
>> then I did the following and restarted xymon
>> add in : /etc/security/exec_attr
>> Network Management:solaris:cmd:::/usr/local/sbin/fping:privs=net_icmpaccess
>> add in : /etc/user_attr
>> xymon::::defaultpriv=basic,net_icmpaccess
>> Matt
>> -- Matthew Goebel : goebel at emunix.emich.edu : Unix Jockey @ EMU : Hail Eris Neo-Student, Net Lurker, Donut consumer, and procrastinating medher... "Always with the negative waves, Moriarty" - Oddball "Comfort the troubled, and trouble the comfortable." - Dietrich Bonhoeffer
>> Xymon mailing list Xymon at xymon.com http://lists.xymon.com/mailman/listinfo/xymon
-- Matthew Goebel : goebel at emunix.emich.edu : Unix Jockey @ EMU : Hail Eris Neo-Student, Net Lurker, Donut consumer, and procrastinating medher... "Always with the negative waves, Moriarty" - Oddball "Comfort the troubled, and trouble the comfortable." - Dietrich Bonhoeffer
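The failure described in the last message, reproduced in a scratch directory, with a check for its symptom. This is an added example, not code from the thread; the file names, the stand-in "logger" file and the log line are constructed, and the real /usr/bin/logger is never touched.

```shell
#!/bin/sh
# Reproduce tee receiving "|" and a program path as plain file operands.
# Prints: "<bytes before> <bytes after> <yes|no: file literally named | exists>"
tee_literal_pipe_demo() {
    dir=$(mktemp -d) || return 1
    # Constructed stand-in for the logger binary.
    printf 'fake-logger-binary\n' > "$dir/logger"
    before=$(wc -c < "$dir/logger" | tr -d ' ')

    # Constructed access-log record (documentation IP range).
    line='192.0.2.10 - - [constructed] "GET / HTTP/1.1" 302 209'
    # The quoted '|' models a command line split into argv with no shell
    # involved: tee sees three file operands, not a pipeline into logger.
    ( cd "$dir" && printf '%s\n' "$line" | tee -a access.log '|' logger >/dev/null )

    after=$(wc -c < "$dir/logger" | tr -d ' ')
    if [ -f "$dir/|" ]; then stray=yes; else stray=no; fi
    rm -rf "$dir"
    echo "$before $after $stray"
}

# Symptom check: does the last line of a file look like an access-log
# record? An intact executable does not end in one.
ends_with_access_log() {
    tail -n 1 "$1" 2>/dev/null |
        grep -Eq '"(GET|POST|HEAD) [^"]* HTTP/[0-9.]+" [0-9]{3} '
}
```

A stray file named `|` in the logging process's working directory is the other trace of the same mistake.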
participants (3)
- goebel@emunix.emich.edu
- novosirj@umdnj.edu
- ralphmitchell@gmail.com