[Logwatch-Devel] Re: [Logwatch-Announce] Logwatch 4.1 has been released

James Wysynski wysynskij@yahoo.com
Sat, 19 Oct 2002 18:21:55 -0700 (PDT)


Okay, I've posted a fixed version at
http://snurk.org/projects/files/kernel.  Mark, let me
know if it works okay for you and/or if you find
further problems.

I decided it was easier to handle messages with [ .. ]
as a special case.  I'm not entirely happy about it,
but it seems that no matter what I do, Perl is parsing
the second set of elements for SRC, DST and PROTO.  So
unless someone has a better suggestion, this works and
it will do the trick.

-James

--- mark@winksmith.com wrote:
> On Sat, Oct 19, 2002 at 12:28:01PM -0700, James Wysynski wrote:
> > 2) The only ICMP messages I've seen in my logs are of
> > this format, which is presumably why it's not working
> > with yours.  The ICMP messages are formatted the same
> > as everything else is.
> > 
> > Oct 18 15:13:01 tilt kernel: ICMP drop IN=eth0 OUT= MAC=00:03:47:05:49:33:00:10:67:00:b2:50:08:00 SRC=64.14.42.16 DST=67.115.101.130 LEN=64 TOS=0x00 PREC=0x00 TTL=51 ID=28365 PROTO=ICMP TYPE=8 CODE=0 ID=52994 SEQ=0 
> 
> type 8's ICMP_ECHO are pretty boring.
> 
> > I'm running RedHat 7.3.  Do you have a Linux kernel,
> > or something else?
> 
> I've seen the [bracketed] messages come out for type 11
> (ICMP_TIME_EXCEEDED), type 4 (ICMP_SOURCE_QUENCH) and I think
> type 3 (ICMP_DEST_UNREACH).  I'm running 2.4.18.  It is a
> 7.2 RH system with update including the 2.4.18 kernel.
> 
> > 3) Right now I parse prefix, in, out, src, dst, proto.
> > For your case it looks like I need to add some logic
> > which will catch prefix, in, out, proto, src, dst (and
> > possibly the square brackets).  It's hard to tell
> > without the full log message.
> 
> Your wish is my command:
> 
> 	Oct 13 11:35:05 internal kernel: FAILED INPUT: IN=eth0 OUT= MAC=00:a0:cc:d0:d9:8c:00:60:8c:39:ed:db:08:00 SRC=66.37.218.174 DST=192.168.1.2 LEN=56 TOS=0x00 PREC=0x00 TTL=244 ID=5926 DF PROTO=ICMP TYPE=4 CODE=0 [SRC=192.168.1.2 DST=66.37.215.45 LEN=67 TOS=0x00 PREC=0x00 TTL=53 ID=0 DF PROTO=UDP SPT=1024 DPT=53 LEN=47 ] 
> 	Oct 13 12:52:18 internal kernel: FAILED INPUT: IN=eth0 OUT= MAC=00:a0:cc:d0:d9:8c:00:40:96:33:53:6b:08:00 SRC=192.168.1.253 DST=192.168.1.2 LEN=576 TOS=0x00 PREC=0xC0 TTL=255 ID=47777 PROTO=ICMP TYPE=11 CODE=1 [SRC=192.168.1.2 DST=192.168.1.253 LEN=1500 TOS=0x00 PREC=0x00 TTL=64 ID=18362 MF PROTO=UDP SPT=2049 DPT=800 LEN=8328 ] 
> 
> 
> -- 
> Mark Smith
> mark at winksmith dot com
> mark at tux dot org
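As an added illustration (not code from this thread or from Logwatch's kernel script): a Python parser for the netfilter lines quoted above that splits off the bracketed inner packet of an ICMP error before reading SRC/DST/PROTO, shown next to the greedy-regex approach that picks up the second set of fields. The two sample lines are the ones quoted in the thread; the function names and the return layout are my own.

```python
import re

# Two netfilter log lines quoted in this thread (constructed here as inline
# test input); the second is an ICMP source quench that embeds the offending
# UDP packet's headers inside [ ... ].
ECHO_LINE = ("Oct 18 15:13:01 tilt kernel: ICMP drop IN=eth0 OUT= "
             "MAC=00:03:47:05:49:33:00:10:67:00:b2:50:08:00 "
             "SRC=64.14.42.16 DST=67.115.101.130 LEN=64 TOS=0x00 PREC=0x00 "
             "TTL=51 ID=28365 PROTO=ICMP TYPE=8 CODE=0 ID=52994 SEQ=0 ")
QUENCH_LINE = ("Oct 13 11:35:05 internal kernel: FAILED INPUT: IN=eth0 OUT= "
               "MAC=00:a0:cc:d0:d9:8c:00:60:8c:39:ed:db:08:00 "
               "SRC=66.37.218.174 DST=192.168.1.2 LEN=56 TOS=0x00 PREC=0x00 "
               "TTL=244 ID=5926 DF PROTO=ICMP TYPE=4 CODE=0 [SRC=192.168.1.2 "
               "DST=66.37.215.45 LEN=67 TOS=0x00 PREC=0x00 TTL=53 ID=0 DF "
               "PROTO=UDP SPT=1024 DPT=53 LEN=47 ] ")

KERNEL_RE = re.compile(r"kernel: (?P<prefix>.*?)\s*IN=")

def naive_parse(line):
    """Greedy-regex extraction: each .* runs to the LAST DST= / PROTO=, so an
    ICMP error line yields the quoted inner packet's fields, not the outer."""
    m = re.search(r"SRC=(\S+).*DST=(\S+).*PROTO=(\S+)", line)
    return m.groups() if m else None

def parse_fields(text):
    """Turn 'KEY=VAL KEY=VAL FLAG ...' into a dict. Bare tokens (DF, MF) go
    under 'flags'; for a repeated key the first value wins, so ID= is the IP
    id rather than the ICMP echo id and LEN= is the IP length."""
    fields, flags = {}, []
    for tok in text.split():
        if "=" in tok:
            key, _, val = tok.partition("=")
            fields.setdefault(key, val)
        else:
            flags.append(tok)
    fields["flags"] = flags
    return fields

def parse_netfilter(line):
    """Split a line into log prefix, outer packet and (for ICMP errors) the
    bracketed inner packet, so outer SRC/DST/PROTO are never confused with
    the inner ones. Returns None for lines that are not netfilter output."""
    m = KERNEL_RE.search(line)
    if not m:
        return None
    body = line[m.end() - len("IN="):]          # from "IN=" to end of line
    outer_text, bracket, rest = body.partition("[")
    inner = parse_fields(rest.split("]", 1)[0]) if bracket else None
    return {"prefix": m.group("prefix").strip(),
            "outer": parse_fields(outer_text), "inner": inner}
```

On the source quench line the greedy version reports the outer SRC with the inner DST and PROTO=UDP, which is the mixed-up result described above; the bracket-aware version keeps the two packets apart.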

