[hobbit] BBWin and Hobbit msgs log question.

Aaron Zink AaronZink at eharmony.com
Tue Jun 17 01:13:20 CEST 2008


I'll try to answer these:

1) Honestly I'm not sure.  It shows up in the .txt file in tmp as eventlog_application but I have had more luck just using some sort of regex with application in it, like ^.*application.*$.  No idea if this is a bug or not.  One thing you could try to troubleshoot is just use an all-encompassing regex like .* for the file name to narrow it down.

2) Yes, I do see the [logfile:tlog] error when eventlog:Security is enabled, but I don't believe it is causing any issues.

3) I don't see any errors or failures in your security log, and nothing is in the application or system logs, so I'm not sure what to look for.  Right now I'm using:

hobbit-client.cfg:
        CLASS=win32
        LOG %.* "%error - .*" COLOR=red
        LOG %.* "%failure - .*" COLOR=red
        LOG %.* "%warning - .*" COLOR=yellow

client-local.cfg
        [win32]
        eventlog:security
        ignore Success
        eventlog:application
        ignore information
        eventlog:system
        ignore information

It can be more refined by specifying the log names, but it ensures that all errors, warnings or failures are caught no matter which log they are in.  The ignore entries are an attempt to clean up the data being sent to the hobbit server, but I can't get them to work.


- Aaron Zink
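As an added illustration (my own code, not BBWin's or Hobbit's), the Python below applies LOG rules shaped like the hobbit-clients.cfg entries above, plus client-local.cfg ignore words, to a constructed msg.<host>.txt dump and reports the colour they would raise. The matching semantics (regex after a leading %, literal otherwise, ignore as a case-sensitive substring on the raw line) are assumptions made for the demonstration, not Xymon's real matcher, and the RULES list also carries Robert's `LOG %security "Login attempt"` entry from the quoted message.

```python
import re
COLOR_RANK = {"green": 0, "yellow": 1, "red": 2}  # the worst colour wins, as on a Hobbit status page
# hobbit-clients.cfg LOG entries as (filename, pattern, colour). A leading "%" means regex;
# otherwise the filename must match exactly and the pattern is a plain substring (assumed here).
RULES = [("%.*", "%error - .*", "red"), ("%.*", "%failure - .*", "red"),
         ("%.*", "%warning - .*", "yellow"), ("%security", "Login attempt", "yellow")]
# client-local.cfg "ignore" words, assumed to be case-sensitive substring matches on the raw line.
IGNORE = ["Success", "information"]

def _matches(pattern, text, whole=False):
    if pattern.startswith("%"):
        return re.search(pattern[1:], text) is not None
    return text == pattern if whole else pattern in text

def parse_msgs(dump):
    """Split a BBWin msg.<host>.txt dump into {section: [lines]} keyed by its [msgs:...] headers."""
    sections, current = {}, None
    for line in dump.splitlines():
        m = re.match(r"^\[msgs:(\S+)\]$", line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif current is not None and line.strip():  # text before the first [msgs:] header is not an event
            sections[current].append(line)
    return sections

def evaluate(dump, rules=RULES, ignore=IGNORE):
    """Return (worst colour, [(section, line, colour)]) for every line a LOG rule fires on."""
    worst, hits = "green", []
    for section, lines in parse_msgs(dump).items():
        for line in lines:
            if any(word in line for word in ignore):
                continue
            for fname, pattern, color in rules:
                if _matches(fname, section, whole=True) and _matches(pattern, line):
                    hits.append((section, line, color))
                    if COLOR_RANK[color] > COLOR_RANK[worst]:
                        worst = color
    return worst, hits

# Constructed sample modelled on the thread's msg.<host>.txt; the "error" and "failure" lines are invented.
SAMPLE = """[logfile:tlog]
ERROR: The system cannot find the file specified.
[msgs:eventlog_application]
information - 2008/06/16 09:52:34 - sshd (0) - sshd: PID 3320: Connection closed.
error - 2008/06/16 10:01:02 - Service Control Manager (7000) - a service failed to start
[msgs:eventlog_security]
success - 2008/06/16 17:53:25 - Security (552) - Logon attempt using explicit credentials: Target User Name: rmcgraw
failure - 2008/06/16 17:55:00 - Security (529) - Logon Failure: Unknown user name or bad password
"""
```

With these inputs only the error and failure lines fire; the Security (552) line reads "Logon attempt", so a pattern written as "Login attempt" never matches it.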


-----Original Message-----
From: McGraw, Robert P [mailto:rmcgraw at purdue.edu]
Sent: Monday, June 16, 2008 15:26
To: hobbit at hswn.dk
Subject: RE: [hobbit] BBWin and Hobbit msgs log question.

Aaron.

A couple questions:

[mailrelay.math.purdue.edu] is my win32 client; I just use a host name.


On my server my client-local.cfg looks like the following:

        [mailrelay.math.purdue.edu]
        file:c:\Alligate\Digests\(rmcgraw at math.purdue.edu).txt
        eventlog:security

On the BBWin client I have

        $ cat clientlocal.cfg
        file:c:\Alligate\Digests\(rmcgraw at math.purdue.edu).txt
        eventlog:security

Which shows that it was read from the server correctly.

On the hobbit server in my hobbit-clients I have

        HOST=mailrelay.math.purdue.edu
                UP 30m 1w
                LOAD 40.0 70.0
                DISK * 90 95
                FILE c:\Alligate\Digests\(rmcgraw at math.purdue.edu).txt red MTIME<43200
                LOG %security "Login attempt" COLOR=yellow

1) The second parameter of the LOG entry should be the file name. What is
the file name for the event security logs?

2) It seems that when I added "eventlog:security" I get the [logfile:tlog] error message in the msg.mailrelay.math.purdue.edu.txt file that is located in the BBWin/tmp directory. Do you get this?

3) From the information above and the snippet of my msg. file, can you give me the LOG entry that you think would work?


Snippet from my msg.mailrelay.math.purdue.edu.txt file on the BBWin client mailrelay.

[logfile:tlog]
ERROR: The system cannot find the file specified.

[msgs:eventlog_application]
[msgs:eventlog_security]
success - 2008/06/16 17:53:25 - Security (576) - Special privileges assigned to new logon: User Name: Domain: Logon ID: (0x0,0x84B6EDC) Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege
success - 2008/06/16 17:53:25 - Security (528) - Successful Logon: User Name: rmcgraw Domain: MAILRELAY Logon ID: (0x0,0x84B6EDC) Logon Type: 2 Logon Process: Advapi Authentication Package: Negotiate Workstation Name: MAILRELAY Logon GUID: - Caller User Name: sshd_server Caller Domain: MAILRELAY Caller Logon ID: (0x0,0x10A65) Caller Process ID: 2856 Transited Services: - Source Network Address: - Source Port: -
success - 2008/06/16 17:53:25 - Security (552) - Logon attempt using explicit credentials: Logged on user: User Name: sshd_server Domain: MAILRELAY Logon ID: (0x0,0x10A65) Logon GUID: - User whose credentials were used: Target User Name: rmcgraw Target Domain: MAILRELAY Target Logon GUID: - Target Server Name: localhost Target Server Info: localhost Caller Process ID: 2856 Source Network Address: - Source Port: -
success - 2008/06/16 17:53:25 - Security (680) - Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon account: rmcgraw Source Workstation: MAILRELAY Error Code: 0x0
success - 2008/06/16 17:49:42 - Security (538) - User Logoff: User Name: rmcgraw Domain: MAILRELAY Logon ID: (0x0,0x849D0DB) Logon Type: 7
success - 2008/06/16 17:49:42 - Security (576) - Special privileges assigned to new logon: User Name: rmcgraw Domain: MAILRELAY Logon ID: (0x0,0x849D0DB) Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege
success - 2008/06/16 17:49:42 - Security (528) - Successful Logon: User Name: rmcgraw Domain: MAILRELAY Logon ID: (0x0,0x849D0DB) Logon Type: 7 Logon Process: User32 Authentication Package: Negotiate Workstation Name: MAILRELAY Logon GUID: - Caller User Name: MAILRELAY$ Caller Domain: MATHNET Caller Logon ID: (0x0,0x3E7) Caller Process ID: 3008 Transited Services: - Source Network Address: 128.210.3.202 Source Port: 57339
success - 2008/06/16 17:49:42 - Security (552) - Logon attempt using explicit credentials: Logged on user: User Name: MAILRELAY$ Domain: MATHNET Logon ID: (0x0,0x3E7) Logon GUID: - User whose credentials were used: Target User Name: rmcgraw Target Domain: MAILRELAY Target Logon GUID: - Target Server Name: localhost Target Server Info: localhost Caller Process ID: 3008 Source Network Address: 128.210.3.202 Source Port: 57339
success - 2008/06/16 17:49:42 - Security (680) - Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon account: rmcgraw Source Workstation: MAILRELAY Error Code: 0x0
[msgs:eventlog_system]



> -----Original Message-----
> From: Aaron Zink [mailto:AaronZink at eharmony.com]
> Sent: Monday, June 16, 2008 2:43 PM
> To: hobbit at hswn.dk
> Subject: RE: [hobbit] BBWin and Hobbit msgs log question.
>
>
> Robert,
>
> If you are running in centralized mode, to get message log alerting you
> will also need something in client-local.cfg, such as:
>
> [win32]
> eventlog:application
> ignore information
> ignore BigBrotherHobbitClient
> eventlog:system
> ignore information
>
> Then your LOG entry in hobbit-clients.cfg *should* work after restarting
> hobbit and bbwin, but you probably need/want to use regexes to refine the
> alerts.  For example, I use:
>
> CLASS=win32
>         LOG %application.* "%error - .*" COLOR=red
>         LOG %application.* "%warning - .*" COLOR=yellow
>
> Hope this helps.
>
>
> Aaron Zink
> Corporate IT Manager
> eHarmony.com
> 626.795.4814
>
>
> -----Original Message-----
> From: McGraw, Robert P [mailto:rmcgraw at purdue.edu]
> Sent: Monday, June 16, 2008 07:09
> To: bbwin-users at lists.sourceforge.net; hobbit at hswn.dk
> Subject: [hobbit] BBWin and Hobbit msgs log question.
>
> HOBBIT SERVER: SunOS zorn.math.purdue.edu 5.10 Generic_120011-14 sun4u sparc SUNW,Sun-Fire-280R running Hobbit 4.2
>
> BBWIN CLIENT: Microsoft Windows Server 2003, Standard Edition Service Pack 2 (build 3790) running BBWin V.12
>
> On the hobbit server I have the following event logs under msgs that are
> coming from the BBWin server. I am not sure how I can monitor these log
> messages.
>
> Full log eventlog_application
> information - 2008/06/16 09:52:34 - sshd (0) - The description for Event ID ( 0 ) in Source ( sshd ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: sshd: PID 3320: Connection closed by 128.210.3.177.
> information - 2008/06/16 09:47:33 - sshd (0) - The description for Event ID ( 0 ) in Source ( sshd ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: sshd: PID 3524: Connection closed by 128.210.3.177.
>
> What would I put in the hobbit server hobbit-clients.cfg file to make the msgs icon for the bbwin client turn yellow?
>
> I had tried
>
>         LOG event_application information color=yellow
>
> But that did not work.
>
> Thanks
>
> Robert
>
>
> --------------------------------------------------------------------
> Robert P. McGraw, Jr.
> Manager, Computer System                 EMAIL: rmcgraw at purdue.edu
> Purdue University                         ROOM: MATH-807
> Department of Mathematics                PHONE: (765) 494-6055
> 150 N. University Street
> West Lafayette, IN 47907-2067
>
>