Sample swatch configuration

by · 

Sample swatch configuration #1

Disclaimer: Sample configurations are provided as a service
to the reader.  Use at your own risk.  If you have questions or
comments, please send them to the LogAnalysis mailing list <loganalysis@securityfocus.com>.

#
# FHCRC InfoTech loghost swatch config file
# Posted by Stuart Kendrick <skendric@fhcrc.org>
# to the LogAnalysis Mailing List on 6 September 2001.
#

# The upfront “ignore” lines are purely for performance optimization,
# to reduce the amount of stuff which actually gets searched for
# meaning

########################################################################
# Ignore lots of stuff, to improve performance
########################################################################

# Ignore these boxes entirely
ignore = /cache-eng/
ignore = /ga-a-fw|ga-b-fw/
ignore = /cf-a-rtr|cf-b-rtr|df-a-rtr|df-b-rtr|mp-a-rtr|mp-b-rtr/

# Skip the popular entries
# Frequent ones
ignore = /bootpd|radiusd|slapd|pop3|imap/

# Common ones
ignore = /nodewatch|qpage|xntpd|last
message|inetd|printer|mail.local|tftp/

# Regular ones
ignore = /bind_stats|AT-6-NODEWRONG|apager|fping|bulkmail|Admusermod
failed/

# BOOTP/dhcpd error messages
ignore = /BOOTREQUEST from/
ignore = /No applicable record for BOOTP host/

# Normal dhcpd messages
ignore = /DHCPREQUEST|DHCPACK|DHCPOFFER|DHCPDISCOVER|DHCPRELEASE/

# BIND error messages 
ignore = /dangling CNAME pointer|Lame server on/
ignore = /bad referral|No possible A RRs|Response from unexpected source/
ignore = /NS points to CNAME|unapproved update from/
ignore = /dumping nameserver stats|NSTATS|XSTATS|A RR negative cache
entry/

# Normal NIS+ messages
ignore = /read only child|readonly child|replica_update/
ignore = /timestamp is earlier than the one previously/
ignore = /invalid timestamp received from unix/
ignore = /is unable to encrypt session key|keyserv_client:  can’t stat/
ignore = /starting to reap child process|child process ended/
ignore = /is unable to generate session key/

#######################################################################
# Look for interesting stuff
#######################################################################

# Applications ####################################################
# sendmail issues
#watchfor = /config error: mail loops back to me/
#	exec=/opt/local/bin/qpage -f \”\” cns \”Duty: mail relay
configuration error — we are bouncing mail.  –swatch\”
#	mail = it-server
#	throttle=480:00
#
ignore = /sendmail/

# BIND issues
watchfor = /CNAME and OTHER data error/
	mail = it-server
	throttle = 60:00

watchfor = /db_load could not open/
	mail = it-server
	throttle = 60:00

ignore = /named/

# DHCP issues
watchfor = /no free leases/
	exec=/home/netops/bin/let_me_sleep -g skendric -m \”Duty:  A DHCP
pool on $4 has exhausted its leases.  –swatch\”
	mail = it-server
	throttle = 480:00

ignore = /dhcpd/


# Packet Infrastructure issues ######################################
# Ascend issues
watchfor = /LAN security error.*isdn/
#	exec=/opt/local/bin/qpage -f \”\” cns \”Duty: cf-x-rad are denying
valid username-password combinations.  –swatch\”
	throttle = 480:00
	mail = skendric

ignore = /ASCEND/

# Router sees duplicate IP addresses
watchfor = /STANDBY-3-DUPADDR/
	exec=/opt/local/bin/qpage -f \”\” cns \”Duty: The Supervisor card
in $4 is failing. –swatch\”
	mail = skendric
	throttle = 480:00

ignore = /STANDBY/


# IP space ########################################################
# Duplicate IP addresses
watchfor = /Duplicate address/
        exec=/opt/local/bin/qpage -f \”\” cns \”Duty: Duplicate IP
address.  Som
eone has assigned $4 ‘s IP address to another device. –swatch\”
        mail = it-server
        throttle = 480:00

# Unix OS Stuff ######################################################
# File system full
watchfor = /file system full/
	exec=/opt/local/bin/qpage -f \”\” cns \”Duty: Disk space exhausted
on $4.  –swatch\”
	mail = it-server
	throttle = 480:00

# System crashes and halts
watchfor = /(panic|halt)/
	exec=/opt/local/bin/qpage -f \”\” cns \”Duty: $4 panicked and is
now rebooting.  –swatch\”
	mail = it-server
	throttle = 480:00

# File system errors
watchfor = /Media Error/
	exec=/opt/local/bin/qpage -f \”\” cns \”Duty: Disk problems on
$4.  –swatch\”
	mail = it-server
	throttle = 480:00

# Hardware errors ##################################################
# Memory errors
watchfor = /dma error|DMA error/
	exec=/opt/local/bin/qpage -f \”\” cns \”Duty: RAM problems on
$4.  –swatch\”
	mail = it-server
	throttle = 480:00

# SCSI Bus errors
watchfor = /SCSI transport failed/
	exec=/opt/local/bin/qpage -f \”\” cns \”Duty: SCSI bus problems on
$4.  –swatch\”
	mail = it-server
	throttle = 480:00


# Security issues ##################################################
# Stack smashing attempt
watchfor = /attempt to execute code on stack/
	exec=/opt/local/bin/qpage -f \”\” cns \”Duty:  Hackers are
attacking $4:  attempt to execute code on stack.  –swatch\”
	mail = it-server
	throttle = 60:00


# NIS+ issues #########################################################
# These indicate possible corruption in the NIS+ space
watchfor = /NIS+ server needs to be checkpointed/
	mail = it-server
	throttle = 480:00
watchfor = /Error in RPC subsystem/
	mail = it-server
	throttle = 480:00

# These indicate serious corruption in the NIS+ space
watchfor = /no public key for unix/
	exec=/opt/local/bin/qpage -f \”\” cns \”Duty: The NIS+ server $4
may be corrupted.  –swatch\”
	mail = it-server
	throttle = 480:00

watchfor = /possible loop detected in name space/
	exec=/opt/local/bin/qpage -f \”\” cns \”Duty: The NIS+ server $4
is corrupted.  –swatch\”
	mail = it-server
	throttle = 480:00

watchfor = /xdr_array: out of memory/
	exec=/opt/local/bin/qpage -f \”\” cns \”Duty: The NIS+ server $4
is corrupted.  –swatch\”
	mail = it-server
	throttle = 480:00

watchfor = /xdr_bytes: out of memory/
	exec=/opt/local/bin/qpage -f \”\” cns \”Duty: The NIS+ server $4
is corrupted.  –swatch\”
	mail = it-server
	throttle = 480:00

watchfor = /WARNING: db_dictionary/
	exec=/opt/local/bin/qpage -f \”\” cns \”Duty: The NIS+ server $4
is corrupted.  –swatch\”
	mail = it-server
	throttle = 480:00

# DiskSuite ########################################################
# These indicate physical drive problems
watchfor = /Could not load misc/
	exec=/opt/local/bin/qpage -f \”\” cns \”Duty: Disk problems on
$4.  –swatch\”
	mail = it-server
	throttle = 480:00

watchfor = /db: Parsing error on/
	exec=/opt/local/bin/qpage -f \”\” cns \”Duty: Disk problems on
$4.  –swatch\”
	mail = it-server
	throttle = 480:00

watchfor = /Hot spared device/
	exec=/opt/local/bin/qpage -f \”\” cns \”Duty: Disk problems on
$4.  –swatch\”
	mail = it-server
	throttle = 480:00

watchfor = /hotspared device/
	exec=/opt/local/bin/qpage -f \”\” cns \”Duty: Disk problems on
$4.  –swatch\”
	mail = it-server
	throttle = 480:00

watchfor = /no mem for property/
	exec=/opt/local/bin/qpage -f \”\” cns \”Duty: Disk problems on
$4.  –swatch\”
	mail = it-server
	throttle = 480:00

watchfor = /Cannot load .* driver/
	exec=/opt/local/bin/qpage -f \”\” cns \”Duty: Disk problems on
$4.  –swatch\”
	mail = it-server
	throttle = 480:00

watchfor = /Open error of hotspare/
	exec=/opt/local/bin/qpage -f \”\” cns \”Duty: Disk problems on
$4.  –swatch\”
	mail = it-server
	throttle = 480:00

watchfor = /read error on/
	exec=/opt/local/bin/qpage -f \”\” cns \”Duty: Disk problems on
$4.  –swatch\”
	mail = it-server
	throttle = 480:00

watchfor = /write error on/
	exec=/opt/local/bin/qpage -f \”\” cns \”Duty: Disk problems on
$4.  –swatch\”
	mail = it-server
	throttle = 480:00

watchfor = /State database/
	exec=/opt/local/bin/qpage -f \”\” cns \”Duty: Disk problems on
$4.  –swatch\”
	mail = it-server
	throttle = 480:00

watchfor = /Unknown close type/
	exec=/opt/local/bin/qpage -f \”\” cns \”Duty: Disk problems on
$4.  –swatch\”
	mail = it-server
	throttle = 480:00

watchfor = /Unknown open type/
	exec=/opt/local/bin/qpage -f \”\” cns \”Duty: Disk problems on
$4.  –swatch\”
	mail = it-server
	throttle = 480:00

watchfor = /WARNING: md: .  –swatch* needs maintenance/
	exec=/opt/local/bin/qpage -f \”\” cns \”Duty: Disk problems on
$4.  –swatch\”
	mail = it-server
	throttle = 480:00

서진우

슈퍼컴퓨팅 전문 기업 클루닉스/ 상무(기술이사)/ 정보시스템감리사/ 시스존 블로그 운영자

You may also like...

1 Response

  1. cozy coffee shop 말해보세요:
    2023년 12월 2일, 5:52 오전

    cozy coffee shop

    응답

페이스북/트위트/구글 계정으로 댓글 가능합니다.