scoobydope
03-16-2001, 12:56 PM
Reinstalling portsentry from scratch on a new install. The last few times I installed portsentry I just accepted the default location of the logged messages to be written into /var/log/messages.
I have tried this time to create its own log file under /var/log as 'portscan'.
In the portsentry_config.h file, the following default exists:
/* These are probably ok. Be sure you change the Makefile if you */
/* change the path */
#define CONFIG_FILE "/usr/local/psionic/portsentry/portsentry.conf"
/* The location of Wietse Venema's TCP Wrapper hosts.deny file */
#define WRAPPER_HOSTS_DENY "/etc/hosts.deny"
/* The default syslog is as daemon.notice. You can also use */
/* any of the facilities from syslog.h to send messages to (LOCAL0, etc) */
#define SYSLOG_FACILITY LOG_DAEMON
#define SYSLOG_LEVEL LOG_NOTICE
Then, my /etc/syslog.conf file was untouched, as Mandrake had installed it:
# Various entry
auth,authpriv.* /var/log/auth.log
*.*;auth,authpriv.none -/var/log/syslog
user.* -/var/log/user.log
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none -/var/log/messages
# The authpriv file has restricted access.
authpriv.* /var/log/secure
# Mail logging
mail.=debug;mail.=info;mail.=notice -/var/log/mail/info
mail.=warn -/var/log/mail/warnings
mail.err -/var/log/mail/errors
# Cron logging
cron.=debug;cron.=info;cron.=notice -/var/log/cron/info
cron.=warn -/var/log/cron/warnings
cron.err -/var/log/cron/errors
# Kernel logging
kern.=debug;kern.=info;kern.=notice -/var/log/kernel/info
kern.=warn -/var/log/kernel/warnings
kern.err /var/log/kernel/errors
# Lpr logging
lpr.=debug;lpr.=info;lpr.=notice -/var/log/lpr/info
lpr.=warn -/var/log/lpr/warnings
lpr.err -/var/log/lpr/errors
# News logging
news.=debug;news.=info;news.=notice -/var/log/news/info
news.=warn -/var/log/news/warnings
news.err -/var/log/news/errors
# Daemons logging
daemon.=debug;daemon.=info;daemon.=notice -/var/log/daemons/info
daemon.=warn -/var/log/daemons/warnings
daemon.err -/var/log/daemons/errors
# Everybody gets emergency messages
*.emerg *
# Save mail and news errors of level err and higher in a
# special file.
uucp,news.crit -/var/log/spooler
# Save boot messages also to boot.log
local7.* -/var/log/boot.log
# Mandrake-Security : if you remove this comment, remove the next line too.
*.* /dev/tty12
So what I have done so far is to change the lines in the portsentry_config.h file from
#define SYSLOG_FACILITY LOG_DAEMON
#define SYSLOG_LEVEL LOG_NOTICE
to
#define SYSLOG_FACILITY LOG_LOCAL0
#define SYSLOG_LEVEL LOG_NOTICE
Then I added the following to my /etc/syslog.conf:
# Newly added Portsentry logging
local0.notice -/var/log/portscan
This almost seemed to work great: all the new portscan messages are now being written to their own file under /var/log/portscan.
However, I just noticed that they are ALSO still being written to /var/log/messages.
I would like to remove them from being written to /messages ... one is enough.
See anything? I am thinking it's the first line of the Mandrake syslog.conf file, but don't know for sure.
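As an added illustration (not code from the post, from Mandrake or from portsentry), the following Python models how sysklogd evaluates the selectors in a syslog.conf and lists which actions a local0.notice message reaches, before and after local0.none is appended to the messages line; the config excerpt is constructed from the lines quoted above.

```python
# Added example, not from the post: a toy model of sysklogd selector matching.
# Per line, selectors apply left to right for each facility: "fac.pri" allows
# pri and anything more severe, "fac.=pri" exactly pri, "fac.none" clears fac.
PRIO = {"debug": 0, "info": 1, "notice": 2, "warning": 3, "warn": 3,
        "err": 4, "error": 4, "crit": 5, "alert": 6, "emerg": 7, "panic": 7}

def parse_line(line):
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    sel_part, action = line.split(None, 1)
    selectors = []
    for sel in sel_part.split(";"):
        facs, _, prio = sel.rpartition(".")
        selectors.append((facs.split(","), prio))
    # A leading '-' on a file action only disables fsync after each write.
    return selectors, action.strip().lstrip("-")

def selectors_match(selectors, facility, priority):
    """Does a (facility, priority) message pass this line's selectors?"""
    allowed = set()
    for facs, spec in selectors:
        if facility not in facs and "*" not in facs:
            continue
        if spec == "none":
            allowed.clear()
        elif spec.startswith("="):
            allowed.add(PRIO[spec[1:]])
        else:  # "*" as priority means everything (debug and up)
            allowed.update(range(0 if spec == "*" else PRIO[spec], 8))
    return PRIO[priority] in allowed

def route(config_text, facility, priority):
    targets = []
    for raw in config_text.splitlines():
        parsed = parse_line(raw)
        if parsed and selectors_match(parsed[0], facility, priority):
            targets.append(parsed[1])
    return targets

# Constructed excerpt of the Mandrake syslog.conf quoted in the post.
CONFIG = """\
*.*;auth,authpriv.none -/var/log/syslog
*.info;mail.none;authpriv.none -/var/log/messages
daemon.=debug;daemon.=info;daemon.=notice -/var/log/daemons/info
*.* /dev/tty12
local0.notice -/var/log/portscan
"""
# Same file with local0 excluded from the catch-all messages line.
FIXED = CONFIG.replace("none -/var/log/messages", "none;local0.none -/var/log/messages")
```

Running route(CONFIG, "local0", "notice") shows every catch-all line that still receives the portsentry messages, and route(FIXED, ...) shows the messages line dropping out once local0.none is present.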