Solved

Need help deciphering logs/fixing the problems they "describe".

Posted on 2003-11-14
470 Views
Last Modified: 2010-04-22
Hello, everybody.

I'm a programmer, not a network administrator, but in the absence of anyone better qualified, I'm managing (well... sort of) my company's network.

We have a Linux server set up in our network. It's a Red Hat 7.2 and it is a file server, PDC, and firewall all in one.

PDC and file sharing soft: Samba.
FireWall soft: ShoreWall (Shoreline Firewall).

But it was set up by the gods, when mankind was young, and now we don't have anyone with enough Linux skills to really manage it, so it's a lucky thing that Linux is so robust and stable.

In the /root directory, I've put a .forward file with my e-mail address and every day I get two mails. One is always exactly the same. It's from the Cron Daemon, has subject "Cron <root@firewall> run-parts /etc/cron.daily" and says:


/etc/cron.daily/tripwire-check:

****    Error: Tripwire database for firewall not found.    ****
**** Run /etc/tripwire/twinstall.sh and/or tripwire --init. ****


Is this bad or good? If it's bad: how do I fix it?

The other mail is from root (also *to* root). Subject: Log watch for firewall. And it looks like this:


 ################## LogWatch 2.6 Begin #####################

 --------------------- Samba Begin ------------------------

**Unmatched Entries**
[2003/11/13 07:55:06, 0] lib/util_sock.c:read_data(436)
 : 1 Time(s)
[2003/11/13 09:12:30, 0] lib/util.c:smb_panic(1094)
 : 4 Time(s)
[2003/11/13 09:12:30, 0] lib/util_sec.c:assert_gid(111)
 : 4 Time(s)
[2003/11/13 09:12:33, 0] lib/util.c:smb_panic(1094)
 : 4 Time(s)
[2003/11/13 09:12:33, 0] lib/util_sec.c:assert_gid(111)
 : 4 Time(s)
[2003/11/13 10:02:22, 0] lib/util_sock.c:read_data(436)
 : 1 Time(s)
[2003/11/13 12:16:41, 0] lib/util_sock.c:read_data(436)
 : 1 Time(s)
[2003/11/13 14:17:05, 0] smbd/chgpasswd.c:check_oem_password(817)
 : 1 Time(s)
[2003/11/13 16:37:51, 0] lib/util_sock.c:read_data(436)
 : 1 Time(s)
[2003/11/13 18:52:59, 0] nmbd/nmbd_become_lmb.c:unbecome_local_master_success(154)
 : 1 Time(s)
[2003/11/13 18:52:59, 0] nmbd/nmbd_incomingdgrams.c:process_local_master_announce(312)
 : 1 Time(s)
[2003/11/13 18:53:16, 0] nmbd/nmbd_become_lmb.c:become_local_master_stage2(404)
 : 1 Time(s)
[2003/11/13 18:53:59, 0] nmbd/nmbd_become_lmb.c:unbecome_local_master_success(154)
 : 1 Time(s)
[2003/11/13 18:53:59, 0] nmbd/nmbd_incomingdgrams.c:process_local_master_announce(312)
 : 1 Time(s)
[2003/11/13 18:54:16, 0] nmbd/nmbd_become_lmb.c:become_local_master_stage2(404)
 : 1 Time(s)
[2003/11/13 18:55:00, 0] nmbd/nmbd_become_lmb.c:unbecome_local_master_success(154)
 : 1 Time(s)
[2003/11/13 18:55:00, 0] nmbd/nmbd_incomingdgrams.c:process_local_master_announce(312)
 : 1 Time(s)
[2003/11/13 18:55:17, 0] nmbd/nmbd_become_lmb.c:become_local_master_stage2(404)
 : 1 Time(s)
[2003/11/13 18:56:13, 0] nmbd/nmbd_become_lmb.c:unbecome_local_master_success(154)
 : 1 Time(s)
[2003/11/13 18:56:13, 0] nmbd/nmbd_incomingdgrams.c:process_local_master_announce(312)
 : 1 Time(s)

...
[A lot more lines like this]
...

[2003/11/13 23:58:06, 0] nmbd/nmbd_become_lmb.c:unbecome_local_master_success(154)
 : 1 Time(s)
[2003/11/13 23:58:06, 0] nmbd/nmbd_incomingdgrams.c:process_local_master_announce(312)
 : 1 Time(s)
[2003/11/13 23:58:23, 0] nmbd/nmbd_become_lmb.c:become_local_master_stage2(404)
 : 1 Time(s)


 ---------------------- Samba End -------------------------



 ---------------- Connections (secure-log) Begin -------------------

**Unmatched Entries**
useradd[7335]: new user: name=s250$, uid=586, gid=101, home=/dev/null, shell=/bin/false


 ----------------- Connections (secure-log) End --------------------



 --------------------- sendmail Begin ------------------------

1774 bytes transferred
2 messages sent
 ---------------------- sendmail End -------------------------


 ###################### LogWatch End #########################
 

The list of messages is never the same. It changes from day to day, but this is pretty representative.

What do all those messages mean?
Does smb_panic mean SoMeBody should be PANICing? Is it about a problem in the disk?
And what are all the rest of the messages?

Your help will be sincerely appreciated.

Regards:

Jack
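As an added example that is not part of the thread, here is a small Python triage script for exactly the LogWatch "Unmatched Entries" block quoted above: it pairs each Samba header line with its " : N Time(s)" line, totals occurrences per function, attaches a one-line meaning drawn from general Samba 2.x knowledge rather than from this thread, and flags timestamps where smb_panic and assert_gid fire together (in Samba 2.x, assert_gid() calls smb_panic() when it cannot switch group id). The SAMPLE block is a constructed excerpt of the question's output; the HINTS text is the author's summary, not Samba documentation.

```python
import re
from collections import Counter, defaultdict
# Constructed excerpt of the LogWatch "Samba" section quoted in the question (same format).
SAMPLE = """\
[2003/11/13 07:55:06, 0] lib/util_sock.c:read_data(436)
 : 1 Time(s)
[2003/11/13 09:12:30, 0] lib/util.c:smb_panic(1094)
 : 4 Time(s)
[2003/11/13 09:12:30, 0] lib/util_sec.c:assert_gid(111)
 : 4 Time(s)
[2003/11/13 18:52:59, 0] nmbd/nmbd_become_lmb.c:unbecome_local_master_success(154)
 : 1 Time(s)
[2003/11/13 18:53:16, 0] nmbd/nmbd_become_lmb.c:become_local_master_stage2(404)
 : 1 Time(s)
"""
# Header "[YYYY/MM/DD HH:MM:SS, level] path/file.c:function(line)", then " : N Time(s)".
ENTRY_RE = re.compile(r"^\[(\S+ \S+), \d+\] \S+?:(\w+)\(\d+\)$")
COUNT_RE = re.compile(r"^\s*:\s*(\d+) Time\(s\)$")
# What each function means in Samba 2.x (summarised from the Samba source, not from the thread).
HINTS = {
    "smb_panic": "smbd aborted itself (Samba-internal, NOT a kernel panic)",
    "assert_gid": "smbd could not switch group id and called smb_panic()",
    "read_data": "a client dropped its connection mid-read",
    "become_local_master_stage2": "nmbd won a browser election",
    "unbecome_local_master_success": "nmbd gave up the local master browser role",
}

def parse_entries(text):
    """Pair each header line with the ' : N Time(s)' line that follows it."""
    entries, pending = [], None
    for raw in text.splitlines():
        if m := ENTRY_RE.match(raw):
            pending = m.groups()                      # (timestamp, function)
        elif (c := COUNT_RE.match(raw)) and pending:
            entries.append((pending[0], pending[1], int(c.group(1))))
            pending = None
    return entries

def correlated_panics(entries):
    """Timestamps where smb_panic and assert_gid fire together: one root cause, not two."""
    by_time = defaultdict(set)
    for when, func, _ in entries:
        by_time[when].add(func)
    return sorted(t for t, fs in by_time.items() if {"smb_panic", "assert_gid"} <= fs)

def triage(text):
    """(function, total, hint) per distinct function, busiest first."""
    totals = sum((Counter({f: n}) for _, f, n in parse_entries(text)), Counter())
    return [(f, n, HINTS.get(f, "no hint; grep the Samba source"))
            for f, n in sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))]
```

Feed it the whole Samba section of a real LogWatch mail and the busiest functions come out first; a day with many smb_panic/assert_gid pairs points at a Samba configuration or permissions problem rather than at an intrusion.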
Question by:JackNaif
6 Comments
 
LVL 51

Expert Comment

by:ahoffmann
ID: 9749697
> Is this bad or good? If it's bad: how do I fix it?
the first mail informs you that tripwire is configured and seems to run. that's good.
But it complains that it misses a configuration. To fix this you need to do what the mail describes (and be an expert, for tripwire at least, somehow:-)

The 2nd mail lists some information from Samba logfiles.
I've seen these messages on my systems too, and never checked for them, think they are harmless.
To give more details about it, you need to post your Samba version.
 
LVL 1

Author Comment

by:JackNaif
ID: 9750897
ahoffmann,
thank you for your reply. As I said, I'm not an expert, but I am bold enough, so I gave it a try anyway.  :-)

Look at what the very wicked answered:

[root@firewall root]# tripwire --init
### Error: File could not be opened.
### Filename: /etc/tripwire/tw.cfg
### No such file or directory
### Configuration file could not be read.
### Exiting...

How bad is it if Tripwire is not running, or not properly configured? Is there a "Tripwire for dummies" page somewhere?


I'm not sure about how to determine the version of samba that's running. The man page says

VERSION
       This  man  page  is  correct  for version 2.2 of the Samba
       suite.

so I guess it must be v2.2 but I guess there's got to be a better way...
Is that "smb_panic" really usual? I mean: "kernel panic" is about as good as "your machine is dead". Isn't "smb_panic" like "your samba has its days counted" or "your disk is fried"?
And all that stuff about "local master announce": Is somebody trying to hack our network? Is it just a W98 box that doesn't know its place on this earth?
Where can I find out the meaning of these messages?

 
LVL 51

Expert Comment

by:ahoffmann
ID: 9767106
hmm, where is the problem in understanding what tripwire reports?

   [root@firewall root]# tripwire --init
   ### Error: File could not be opened.
   ### Filename: /etc/tripwire/tw.cfg
   ### No such file or directory
   ### Configuration file could not be read.

it says that there is no /etc/tripwire/tw.cfg, and you can simply prove this with:

  /bin/ls -lF /etc/tripwire/tw.cfg

I'd suggest that you search for your tw.cfg, for example like:

  find -name tw.cfg -print

then start your tripwire with an appropriate -c option
 
LVL 1

Author Comment

by:JackNaif
ID: 9772832
Thanks once again for your answer, ahoffmann. But, hey, be gentle on me! When it comes to Linux, I'm a complete rookie. I'm a programmer, but a Windows (as opposed to Linux) programmer.

Now, /etc/tripwire/tw.cfg doesn't exist.

And the find command you suggested didn't return anything. (It was very helpful however, because I didn't understand how the find command could be used to find a file).

However, I found a /etc/tripwire/twcfg.txt file:

[root@firewall tripwire]# less twcfg.txt
ROOT                   =/usr/sbin
POLFILE                =/etc/tripwire/tw.pol
DBFILE                 =/var/lib/tripwire/$(HOSTNAME).twd
REPORTFILE             =/var/lib/tripwire/report/$(HOSTNAME)-$(DATE).twr
SITEKEYFILE            =/etc/tripwire/site.key
LOCALKEYFILE           =/etc/tripwire/$(HOSTNAME)-local.key
EDITOR                 =/bin/vi
LATEPROMPTING          =false
LOOSEDIRECTORYCHECKING =false
MAILNOVIOLATIONS       =true
EMAILREPORTLEVEL       =3
REPORTLEVEL            =3
MAILMETHOD             =SENDMAIL
SYSLOGREPORTING        =false
MAILPROGRAM            =/usr/sbin/sendmail -oi -t
twcfg.txt (END)

By copying it to tw.cfg would I be fixing the problem, or entirely scrambling the whole system?
From the man page for tripwire I guess it checks to see no one's changed a system file but first I should have a database of the system. And in spite of having read the man page, I'm not at all sure about how to build it.
Isn't there really a more friendly manual for tripwire than the man page? (Of course I could Google for it, but I want one that comes with a recommendation).

And all those messages from samba: I read somewhere that an administrator should always read the log files to check for intrusions. Could these messages be a clue about intrusions or attempts to intrude? Or is it other logs that I should read, instead of these messages? Or is it just science-fiction to think that an admin will actually read the logs?

Regards:

Jack
 
LVL 51

Accepted Solution

by:
ahoffmann earned 150 total points
ID: 9775179
no, twcfg.txt is different to tw.cfg.
Docs for tripwire either come with the tarball (tripwire*.tar.gz), or can be found at http://www.tripwire.com/
Note that tripwire up to version 1.x was free, while starting with 2.x it's commercial.
Configuration, and so docs, also changed from 1.x to 2.x, so first check which version you have.
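As an added example that is not part of the thread, serving both Jack's question about copying twcfg.txt to tw.cfg and the answer above that the two files differ: a Python preflight that reads the posted twcfg.txt, expands $(HOSTNAME), and lists which files `tripwire --init` needs but cannot find, each with the step that creates it. It relies on the Tripwire 2.x layout this twcfg.txt uses, where tw.cfg and tw.pol are the signed forms of twcfg.txt and twpol.txt produced by twinstall.sh; the twpol.txt name and the file set in diagnose_firewall() are assumptions, not taken from the thread.

```python
import re

# Constructed copy of the twcfg.txt posted in the thread (paths unchanged, list trimmed).
TWCFG_TXT = """\
ROOT                   =/usr/sbin
POLFILE                =/etc/tripwire/tw.pol
DBFILE                 =/var/lib/tripwire/$(HOSTNAME).twd
REPORTFILE             =/var/lib/tripwire/report/$(HOSTNAME)-$(DATE).twr
SITEKEYFILE            =/etc/tripwire/site.key
LOCALKEYFILE           =/etc/tripwire/$(HOSTNAME)-local.key
"""

def parse_twcfg(text, hostname):
    """KEY = value pairs with $(HOSTNAME) expanded; $(DATE) is left for tripwire to fill in."""
    cfg = {}
    for line in text.splitlines():
        if m := re.match(r"^\s*(\w+)\s*=\s*(.*?)\s*$", line):
            cfg[m.group(1)] = m.group(2).replace("$(HOSTNAME)", hostname)
    return cfg

def missing_prereqs(cfg, exists, cfg_dir="/etc/tripwire"):
    """Map each file `tripwire --init` needs but cannot find to the step that creates it.
    Tripwire 2.x layout: tw.cfg/tw.pol are the signed forms of twcfg.txt/twpol.txt, so a
    plain copy of twcfg.txt to tw.cfg is not a valid config; twinstall.sh signs it.
    `exists` is injected so this runs offline; pass os.path.exists on the real server."""
    needed = {
        f"{cfg_dir}/tw.cfg": "signed config: run twinstall.sh (signs twcfg.txt)",
        cfg["POLFILE"]: "signed policy: run twinstall.sh (signs twpol.txt)",
        cfg["SITEKEYFILE"]: "site key: generated by twinstall.sh",
        cfg["LOCALKEYFILE"]: "local key: generated by twinstall.sh",
        cfg["DBFILE"]: "baseline database: run `tripwire --init` after the above",
    }
    return {path: fix for path, fix in needed.items() if not exists(path)}

# Constructed (assumed) view of the thread's server: only the plaintext files exist, so every
# prerequisite is reported, which matches both the cron mail and the `tripwire --init` error.
def diagnose_firewall():
    present = {"/etc/tripwire/twcfg.txt", "/etc/tripwire/twpol.txt"}
    cfg = parse_twcfg(TWCFG_TXT, "firewall")
    return missing_prereqs(cfg, present.__contains__)
```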
 
LVL 1

Author Comment

by:JackNaif
ID: 9788794
OK. No renaming twcfg.txt then.

A link in tripwire.com took me to the right page in SourceForge and there I found a manual which is a whole lot clearer than the man page and though I haven't gone over the whole of it yet, the parts I've seen are clear enough.
I'm sure that with it I'm going to be able to get it running right. (At least I've already understood what it does).

Points thankfully awarded.