Sample swatch configuration

Sample swatch configuration #1

Disclaimer: Sample configurations are provided as a service
to the reader. Use at your own risk. If you have questions or
comments, please send them to the LogAnalysis mailing list <loganalysis@securityfocus.com>.

#
# FHCRC InfoTech loghost swatch config file
# Posted by Stuart Kendrick <skendric@fhcrc.org>
# to the LogAnalysis Mailing List on 6 September 2001.
#

# The upfront "ignore" lines are purely a performance optimization:
# they reduce the amount of log traffic that is actually searched for
# meaning by the "watchfor" rules further down.

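########################################################################
# Ignore lots of stuff, to improve performance
########################################################################
# Each "ignore" value is a regex matched against the raw log line; a line
# that matches is discarded here and never reaches the "watchfor" rules
# below. Every pattern must sit on ONE line -- the copy posted to the
# list had several patterns wrapped by the mailer; they are rejoined here.
# NOTE(review): these are plain substrings, so e.g. /pop3|imap/ and
# /slapd/ also drop authentication failures logged by those daemons --
# review before reusing on a host where that is a concern.

# Ignore these boxes entirely
ignore = /cache-eng/
ignore = /ga-a-fw|ga-b-fw/
ignore = /cf-a-rtr|cf-b-rtr|df-a-rtr|df-b-rtr|mp-a-rtr|mp-b-rtr/

# Skip the popular entries
# Frequent ones
ignore = /bootpd|radiusd|slapd|pop3|imap/

# Common ones
# ("last message" is the syslog "last message repeated N times" line;
# it was split across two lines in the posted copy)
ignore = /nodewatch|qpage|xntpd|last message|inetd|printer|mail.local|tftp/

# Regular ones
# ("Admusermod failed" was split across two lines in the posted copy)
ignore = /bind_stats|AT-6-NODEWRONG|apager|fping|bulkmail|Admusermod failed/

# BOOTP/dhcpd error messages
ignore = /BOOTREQUEST from/
ignore = /No applicable record for BOOTP host/

# Normal dhcpd messages
ignore = /DHCPREQUEST|DHCPACK|DHCPOFFER|DHCPDISCOVER|DHCPRELEASE/

# BIND error messages
ignore = /dangling CNAME pointer|Lame server on/
ignore = /bad referral|No possible A RRs|Response from unexpected source/
ignore = /NS points to CNAME|unapproved update from/
# ("A RR negative cache entry" was split across two lines in the posted copy)
ignore = /dumping nameserver stats|NSTATS|XSTATS|A RR negative cache entry/

# Normal NIS+ messages
ignore = /read only child|readonly child|replica_update/
ignore = /timestamp is earlier than the one previously/
ignore = /invalid timestamp received from unix/
# (the apostrophe in "can't" was a typographic quote in the posted copy,
# which would never match the ASCII apostrophe keyserv actually logs)
ignore = /is unable to encrypt session key|keyserv_client: can't stat/
ignore = /starting to reap child process|child process ended/
ignore = /is unable to generate session key/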

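#######################################################################
# Look for interesting stuff
#######################################################################
# Rule layout used from here on: a "watchfor = /regex/" line opens a
# rule and the "exec", "mail" and "throttle" lines that follow belong to
# it. Rules are tried top to bottom, so each per-daemon catch-all
# "ignore" sits AFTER the specific watchfor rules for that daemon.
# "$4" inside an exec command is replaced from the matched log line;
# the messages below use it as the host name, which is presumably the
# 4th field of the standard syslog prefix -- confirm for your format.
# NOTE(review): that field is copied verbatim from the log line, i.e.
# from whatever host emitted it, so it is untrusted text that ends up on
# a shell command line. Confirm the swatch version in use quotes it, or
# keep exec actions to trusted log sources only.
# The exec lines below were wrapped by the mailer in the posted copy and
# their quotes turned typographic; they are rejoined with ASCII \" here.

# Applications ####################################################
# sendmail issues
#watchfor = /config error: mail loops back to me/
# exec=/opt/local/bin/qpage -f \"\" cns \"Duty: mail relay configuration error -- we are bouncing mail. --swatch\"
# mail = it-server
# throttle=480:00
#
# catch-all: everything else from sendmail is dropped
ignore = /sendmail/

# BIND issues
watchfor = /CNAME and OTHER data error/
mail = it-server
throttle = 60:00

watchfor = /db_load could not open/
mail = it-server
throttle = 60:00

# catch-all for named; must stay below the two BIND rules above
ignore = /named/

# DHCP issues
watchfor = /no free leases/
exec=/home/netops/bin/let_me_sleep -g skendric -m \"Duty: A DHCP pool on $4 has exhausted its leases. --swatch\"
mail = it-server
throttle = 480:00

# catch-all for dhcpd; must stay below the lease rule above
ignore = /dhcpd/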


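# Packet Infrastructure issues ######################################
# Ascend issues
# Exec lines in this block were wrapped by the mailer in the posted copy
# and their quotes turned typographic; rejoined with ASCII \" here.
# The pager action is disabled here; only mail goes out (to skendric,
# not it-server as elsewhere).
watchfor = /LAN security error.*isdn/
# exec=/opt/local/bin/qpage -f \"\" cns \"Duty: cf-x-rad are denying valid username-password combinations. --swatch\"
throttle = 480:00
mail = skendric

# catch-all; must stay below the rule above
ignore = /ASCEND/

# Router sees duplicate IP addresses
# NOTE(review): "$4" is filled from the matched log line before the
# shell runs this command -- untrusted text on a command line.
watchfor = /STANDBY-3-DUPADDR/
exec=/opt/local/bin/qpage -f \"\" cns \"Duty: The Supervisor card in $4 is failing. --swatch\"
mail = skendric
throttle = 480:00

# catch-all; must stay below the rule above
ignore = /STANDBY/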


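# IP space ########################################################
# Duplicate IP addresses
# The exec line was wrapped (and "Someone" split mid-word) by the mailer
# in the posted copy; rejoined here with ASCII \" quotes. The space in
# "$4 's" is kept as the author wrote it -- do not join it, since "$4's"
# may be read as a different variable by the interpolating code.
# NOTE(review): "$4" is filled from the matched log line before the
# shell runs this command -- untrusted text on a command line.
watchfor = /Duplicate address/
exec=/opt/local/bin/qpage -f \"\" cns \"Duty: Duplicate IP address. Someone has assigned $4 's IP address to another device. --swatch\"
mail = it-server
throttle = 480:00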

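# Unix OS Stuff ######################################################
# Exec lines in this block were wrapped by the mailer in the posted copy
# and their quotes turned typographic; rejoined with ASCII \" here.
# NOTE(review): "$4" is filled from the matched log line before the
# shell runs these commands -- untrusted text on a command line.

# File system full
watchfor = /file system full/
exec=/opt/local/bin/qpage -f \"\" cns \"Duty: Disk space exhausted on $4. --swatch\"
mail = it-server
throttle = 480:00

# System crashes and halts
# (unanchored: also fires on any line merely containing "panic" or "halt")
watchfor = /(panic|halt)/
exec=/opt/local/bin/qpage -f \"\" cns \"Duty: $4 panicked and is now rebooting. --swatch\"
mail = it-server
throttle = 480:00

# File system errors
watchfor = /Media Error/
exec=/opt/local/bin/qpage -f \"\" cns \"Duty: Disk problems on $4. --swatch\"
mail = it-server
throttle = 480:00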

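# Hardware errors ##################################################
# Exec lines in this block were wrapped by the mailer in the posted copy
# and their quotes turned typographic; rejoined with ASCII \" here.
# NOTE(review): "$4" is filled from the matched log line before the
# shell runs these commands -- untrusted text on a command line.

# Memory errors
watchfor = /dma error|DMA error/
exec=/opt/local/bin/qpage -f \"\" cns \"Duty: RAM problems on $4. --swatch\"
mail = it-server
throttle = 480:00

# SCSI Bus errors
watchfor = /SCSI transport failed/
exec=/opt/local/bin/qpage -f \"\" cns \"Duty: SCSI bus problems on $4. --swatch\"
mail = it-server
throttle = 480:00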


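# Security issues ##################################################
# Stack smashing attempt (Solaris logs this when noexec_user_stack is
# set and a process tries to run code from its stack).
# The exec line was wrapped by the mailer in the posted copy and its
# quotes turned typographic; rejoined with ASCII \" here.
# NOTE(review): "$4" is filled from the matched log line before the
# shell runs this command -- untrusted text on a command line. The
# shorter 60:00 throttle (vs 480:00 elsewhere) means repeat pages come
# sooner for this class of event.
watchfor = /attempt to execute code on stack/
exec=/opt/local/bin/qpage -f \"\" cns \"Duty: Hackers are attacking $4: attempt to execute code on stack. --swatch\"
mail = it-server
throttle = 60:00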


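# NIS+ issues #########################################################
# Exec lines in this block were wrapped by the mailer in the posted copy
# and their quotes turned typographic; rejoined with ASCII \" here.
# NOTE(review): "$4" is filled from the matched log line before the
# shell runs these commands -- untrusted text on a command line.

# These indicate possible corruption in the NIS+ space (mail only)
watchfor = /NIS+ server needs to be checkpointed/
mail = it-server
throttle = 480:00

watchfor = /Error in RPC subsystem/
mail = it-server
throttle = 480:00

# These indicate serious corruption in the NIS+ space (mail and page)
watchfor = /no public key for unix/
exec=/opt/local/bin/qpage -f \"\" cns \"Duty: The NIS+ server $4 may be corrupted. --swatch\"
mail = it-server
throttle = 480:00

watchfor = /possible loop detected in name space/
exec=/opt/local/bin/qpage -f \"\" cns \"Duty: The NIS+ server $4 is corrupted. --swatch\"
mail = it-server
throttle = 480:00

watchfor = /xdr_array: out of memory/
exec=/opt/local/bin/qpage -f \"\" cns \"Duty: The NIS+ server $4 is corrupted. --swatch\"
mail = it-server
throttle = 480:00

watchfor = /xdr_bytes: out of memory/
exec=/opt/local/bin/qpage -f \"\" cns \"Duty: The NIS+ server $4 is corrupted. --swatch\"
mail = it-server
throttle = 480:00

watchfor = /WARNING: db_dictionary/
exec=/opt/local/bin/qpage -f \"\" cns \"Duty: The NIS+ server $4 is corrupted. --swatch\"
mail = it-server
throttle = 480:00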

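# DiskSuite ########################################################
# These indicate physical drive problems. Every rule pages the same
# "Disk problems on $4" message; only the trigger pattern differs.
# Exec lines in this block were wrapped by the mailer in the posted copy
# and their quotes turned typographic; rejoined with ASCII \" here.
# NOTE(review): "$4" is filled from the matched log line before the
# shell runs these commands -- untrusted text on a command line.
watchfor = /Could not load misc/
exec=/opt/local/bin/qpage -f \"\" cns \"Duty: Disk problems on $4. --swatch\"
mail = it-server
throttle = 480:00

watchfor = /db: Parsing error on/
exec=/opt/local/bin/qpage -f \"\" cns \"Duty: Disk problems on $4. --swatch\"
mail = it-server
throttle = 480:00

watchfor = /Hot spared device/
exec=/opt/local/bin/qpage -f \"\" cns \"Duty: Disk problems on $4. --swatch\"
mail = it-server
throttle = 480:00

watchfor = /hotspared device/
exec=/opt/local/bin/qpage -f \"\" cns \"Duty: Disk problems on $4. --swatch\"
mail = it-server
throttle = 480:00

watchfor = /no mem for property/
exec=/opt/local/bin/qpage -f \"\" cns \"Duty: Disk problems on $4. --swatch\"
mail = it-server
throttle = 480:00

watchfor = /Cannot load .* driver/
exec=/opt/local/bin/qpage -f \"\" cns \"Duty: Disk problems on $4. --swatch\"
mail = it-server
throttle = 480:00

watchfor = /Open error of hotspare/
exec=/opt/local/bin/qpage -f \"\" cns \"Duty: Disk problems on $4. --swatch\"
mail = it-server
throttle = 480:00

# (unanchored: "read error on" / "write error on" also match unrelated
# daemons' messages that happen to contain those words)
watchfor = /read error on/
exec=/opt/local/bin/qpage -f \"\" cns \"Duty: Disk problems on $4. --swatch\"
mail = it-server
throttle = 480:00

watchfor = /write error on/
exec=/opt/local/bin/qpage -f \"\" cns \"Duty: Disk problems on $4. --swatch\"
mail = it-server
throttle = 480:00

watchfor = /State database/
exec=/opt/local/bin/qpage -f \"\" cns \"Duty: Disk problems on $4. --swatch\"
mail = it-server
throttle = 480:00

watchfor = /Unknown close type/
exec=/opt/local/bin/qpage -f \"\" cns \"Duty: Disk problems on $4. --swatch\"
mail = it-server
throttle = 480:00

watchfor = /Unknown open type/
exec=/opt/local/bin/qpage -f \"\" cns \"Duty: Disk problems on $4. --swatch\"
mail = it-server
throttle = 480:00

# The posted copy had this pattern garbled as "md: . --swatch* needs
# maintenance" (a stray signature fragment inside the regex). It is
# reconstructed here as ".*" to match the DiskSuite "WARNING: md: <dev>:
# ... needs maintenance" message -- TODO verify against the original.
watchfor = /WARNING: md: .* needs maintenance/
exec=/opt/local/bin/qpage -f \"\" cns \"Duty: Disk problems on $4. --swatch\"
mail = it-server
throttle = 480:00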
