This is a typical report you would receive from Epylog. All
names changed to protect the innocent and make fun of the
guilty. :)
monitor.dept.duke.edu
First event: Mon Apr 21 09:59:46 2003
Last event: Mon Apr 21 11:00:01 2003
The "First event" and the "Last event" are calculated based upon
the timestamps found in the logs. If your machines have skewed
clocks, there will be skewed results here.
Logins
ROOT Login FAILURES
|
| stool |
ssh2(pw) |
@dsl-addr.atlnga1.dsl-verizon.net(1) |
ROOT Logins
|
| rubeus |
su |
ivon(1) |
| stool |
ssh2(pw) |
@dsl-addr.atlnga1.dsl-verizon.net(1) |
The logins report goes first by default. As you can see here,
root logins and root failures are listed namely. The first
column is the name of the system to which root hath logged
in. The second column is the login method, and the third column
is user@remotehost. If remotehost is N/A, then only the username
is displayed. If the username is not available, well, then it's
omitted.
User Failures
|
| cburger |
imapd |
mail(1) |
| mstoner |
ssh2(rsa) |
tickleme(1) |
| mmilner |
gdm |
baraddur5(1) |
| esperalto |
IMP2 |
imap.dept.duke.edu(1) |
User Logins
|
| amd2000 |
IMP2 |
mail.dept.duke.edu(1) |
| |
imapd |
mail(10) |
| bananj |
imapd |
mail(58) |
| bclamsy |
imapd |
mail(1) |
| beenjammin |
imapd |
mail(9), mail::dsl-addr.dsl.speakeasy.net(6)
|
| brok |
imapd |
mail(2) |
| capten |
gdm |
neutrino(1) |
| nyc3 |
ssh2(pw) |
panic0(1) |
| hsgeez |
ssh2(pw) |
bheema::192.168.160.120(1)
|
| ivon |
gdm |
rubeus(1) |
| |
imapd |
mail(7) |
This is the list of users logging in and failing to do so. You
will notice that some entries have a hostname in red -- there is
an option for the logins module where you can specify which
domains are "trusted." E.g. this run was with "duke.edu" set as
a trusted domain, so anyone logging in from a remote host not
matching "duke.edu" will get their remote hostname highlighted
in red.
Packet Filter
Firewall Violations
|
| 242 |
192.168.216.160 |
[126 hosts]
|
[2] |
SkyDance (4000/tcp)
|
| 123 |
192.168.84.66 |
ipsurf |
LDROP |
[123 ports] |
| 3 |
addy.mi.hypervine.net |
softice |
LDROP |
http (80/tcp) |
| 2 |
dhcp19.dept.duke.edu |
wtf4 |
REJECT |
44515/udp |
| 2 |
dhcp19.dept.duke.edu |
wtf2 |
REJECT |
44515/udp |
| 2 |
addy1.ns.aol.com |
ipsurf |
LDROP |
35410/udp |
| 1 |
addy2.ns.aol.com |
ipsurf |
LDROP |
RemoConChubo (81/tcp) |
This is a firewall report. The firewall module will happily
process ipchains, iptables, and ipfilter reports, though they
might require some configuration. The columns go like this:
number of packets, offending remote host, reporting victim host,
log method, and the port on which the violation has occurred. If
there are more than 10 hosts hit, or more than 10 ports probed,
the logins module will collapse the report nicely, so it's not a
kilometer long. If you don't like the number 10, you can set a
different one in the logins module config file. If the module
detects that the probe occurred on a port commonly running a
trojan, the name will be highlighted in red. The trojan list is
found in /etc/epylog/trojans.list and can be easily edited, or
disabled entirely in the config file for the module.
Mail
General Mail Report
|
| 490 |
Total Messages Processed |
| 769 |
Total Successful
Deliveries |
| 33 |
Total Warnings Issued |
| 19 |
Total Bounced Messages |
| 441 |
Processed by Procmail |
| 3 MB |
Total Transferred Size |
Top 5 active systems
|
| 439 |
mail |
| 10 |
loginner1 |
| 8 |
loginner2 |
| 6 |
supervova |
| 4 |
ipsurf |
Top 5 connecting hosts
|
| 26 |
listman.redhat.com |
| 16 |
192.168.177.110 |
| 12 |
addy.swfla.rr.com |
| 10 |
loginner1.dept.duke.edu |
| 8 |
zahn.bigplace.duke.edu |
Top 5 senders
|
| 48 |
<mailer-daemon> |
| 29 |
<addy1@dept.duke.edu> |
| 12 |
<addy1@redhat.com> |
| 8 |
<addy2@redhat.com> |
| 8 |
<addy2@dept.duke.edu> |
Top 5 recipients
|
| 23 |
<addy1@dept.duke.edu> |
| 20 |
<addy2@dept.duke.edu> |
| 20 |
<addy3@dept.duke.edu> |
| 19 |
<addy4@dept.duke.edu> |
| 19 |
<addy5@dept.duke.edu> |
This is pretty self-explanatory. The mail module will process
entries by sendmail and postfix, with qmail support slated for
the near future.
Spamassassin
Total stats
|
| 138 users/437 msgs |
2 MB |
2 min |
0.2 (412/25) |
Top 10 ranking users
|
| srvidal |
92 KB |
5 sec |
-6.6 (19/0) |
| ivon |
91 KB |
2 sec |
-0.9 (18/0) |
| mpriest |
24 KB |
4 sec |
-1.3 (13/0) |
| zjeigler |
46 KB |
4 sec |
-1.2 (12/0) |
| salsa |
25 KB |
2 sec |
1.0 (11/0) |
| mstoner |
68 KB |
1 sec |
-1.2 (11/0) |
| sounders |
21 KB |
1 sec |
1.0 (9/1) |
| btigre |
17 KB |
4 sec |
-1.4 (10/0) |
| martini |
14 KB |
2 sec |
-1.3 (9/0) |
| adidas |
14 KB |
5 sec |
-1.4 (9/0) |
The spammassassin module is not enabled by default, but is handy
to give you some stats about what is going on. The columns go
like so: first the username (or totals), then the size of
messages processed, total time spent processing, and the
mean-average score. The numbers in the parentheses are (under
threshold/over threshold). The default spam threshold is 5, but
it can be set in the spamd module config file.
Notices
CRITICAL Notices
|
| baraddur5 |
rebooted with kernel
2.4.18-27.7.x(1) |
General Notices
|
| baraddur5 |
misc CDROM errors(1) |
| grands-26 |
Gconf locking errors(1) |
| grands-28 |
Gconf locking errors(236) |
| grands-32 |
misc CDROM errors(1) |
| mail |
ypproc_match denied from
mail.dept.duke.edu(345) |
| wehen0 |
Gconf locking errors(9) |
| web |
ypproc_match denied from
monitor.dept.duke.edu(1) |
The notices module is a convenience module that will notify you
of some alerts or problems. It isn't very configurable at the
moment, but there will be an extra config file where custom
entries can be added in the short run (before 1.0). As you can
see, gconfd is still the smelliest piece of crap under the
sun. :)
Weedeater
Total messages weeded: 9212
The weeder module makes sure that crap you don't care to know
about doesn't land in the unparsed strings. This helps to lessen
the size of the report dramatically. Filtered strings are
configurable -- see more in the weeder.conf file.
Unparsed Strings:
Apr 21 10:26:54 panic0/panic0 sshd[4795]: Received disconnect from 192.168.232.146: 11: Disconnect requested by Windows SSH Client.
Apr 21 10:31:29 baraddur5/baraddur5 sshd[1051]: Server listening on 0.0.0.0 port 22.
[...skipped...]
Apr 21 10:55:33 rubeus/rubeus kernel: nfs: server hawking not responding, still trying
Apr 21 10:55:33 rubeus/rubeus kernel: nfs: server hawking OK
Lastly, the strings that didn't match anything are
appended. This can be turned off, but not recommended -- usually
these would be very useful.
A little bit of self-promotion goes a long way. :)