~Spanky
>>Did you (or someone) add "Active_Monitor_69" to violations.ignore?
Send a bit of what your LogCheck used to show.<<
-------------------------------------------------------------------
Answer No...

Here's a typical entry that we used to see from logcheck...

Security Violations
=-=-=-=-=-=-=-=-=-=
Oct 17 04:55:51 ns imapd[12849]: Login failure user=Active_Monitor_69 host=localhost [127.0.0.1]

(as the check is done hourly then there was usually another 3 similar readings)

Unusual System Events
=-=-=-=-=-=-=-=-=-=-=
Oct 17 04:55:49 ns proftpd[12848]: ns.xxxxxxx.com (localhost[127.0.0.1]) - FTP session closed.
Oct 17 04:55:49 ns in.proftpd[12848]: connect from 127.0.0.1
Oct 17 04:55:50 ns imapd[12849]: connect from 127.0.0.1
Oct 17 04:55:51 ns imapd[12849]: imap service init from 127.0.0.1
Oct 17 04:55:51 ns imapd[12849]: Login failure user=Active_Monitor_69 host=localhost [127.0.0.1]
Oct 17 04:55:54 ns imapd[12849]: Command stream end of file, while reading line user=Active_Monitor_69 host=localhost [127.0.0.1]
Oct 17 04:55:54 ns sendmail[12852]: NOQUEUE: Null connection from localhost [127.0.0.1]
---------------------------------------------------------------

As I mentioned nothing has been changed in any of the logcheck files - this reading was done by calling /usr/local/sbin/swatch >>/var/cobalt/adm.log 2>&1 from the root as SU then invoking the logcheck script /usr/local/etc/logcheck.sh.

Yet if logcheck runs in the cron.hourly all I get is the "Unusual System Events" readings and this doesn't include any of the above in it.

SPOOKY it worked before but just stopped.

Is there any way of checking that the crontab is activating the monitoring service? and is running as it should be?

I think that the problem may be with crontab rather than logcheck - don't know

Regards from Auckland
Chae

_______________________________________________
cobalt-security mailing list
[EMAIL PROTECTED]
http://list.cobalt.com/mailman/listinfo/cobalt-security
