Need help deciphering logs / fixing the problems they "describe".

Hello, everybody.

I'm a programmer, not a network administrator, but in the absence of anyone better qualified, I'm managing (well... sort of) my company's network.

We have a Linux server set up in our network. It's a Red Hat 7.2 and it is a file server, PDC, and FireWall all in one.

PDC and file sharing soft: Samba.
FireWall soft: ShoreWall (Shoreline Firewall).

But it was set up by the gods, when mankind was young, and now we don't have anyone with enough Linux skills to really manage it, so it's a lucky thing that Linux is so robust and stable.

In the /root directory, I've put a .forward file with my e-mail address and every day I get two mails. One is always exactly the same. It's from the Cron Daemon, has subject "Cron <root@firewall> run-parts /etc/cron.daily" and says:


****    Error: Tripwire database for firewall not found.    ****
**** Run /etc/tripwire/ and/or tripwire --init. ****

Is this bad or good? If it's bad: how do I fix it?

The other mail is from root (also *to* root). Subject: Log watch for firewall. And it looks like this:

 ################## LogWatch 2.6 Begin #####################

 --------------------- Samba Begin ------------------------

**Unmatched Entries**
[2003/11/13 07:55:06, 0] lib/util_sock.c:read_data(436)
 : 1 Time(s)
[2003/11/13 09:12:30, 0] lib/util.c:smb_panic(1094)
 : 4 Time(s)
[2003/11/13 09:12:30, 0] lib/util_sec.c:assert_gid(111)
 : 4 Time(s)
[2003/11/13 09:12:33, 0] lib/util.c:smb_panic(1094)
 : 4 Time(s)
[2003/11/13 09:12:33, 0] lib/util_sec.c:assert_gid(111)
 : 4 Time(s)
[2003/11/13 10:02:22, 0] lib/util_sock.c:read_data(436)
 : 1 Time(s)
[2003/11/13 12:16:41, 0] lib/util_sock.c:read_data(436)
 : 1 Time(s)
[2003/11/13 14:17:05, 0] smbd/chgpasswd.c:check_oem_password(817)
 : 1 Time(s)
[2003/11/13 16:37:51, 0] lib/util_sock.c:read_data(436)
 : 1 Time(s)
[2003/11/13 18:52:59, 0] nmbd/nmbd_become_lmb.c:unbecome_local_master_success(154)
 : 1 Time(s)
[2003/11/13 18:52:59, 0] nmbd/nmbd_incomingdgrams.c:process_local_master_announce(312)
 : 1 Time(s)
[2003/11/13 18:53:16, 0] nmbd/nmbd_become_lmb.c:become_local_master_stage2(404)
 : 1 Time(s)
[2003/11/13 18:53:59, 0] nmbd/nmbd_become_lmb.c:unbecome_local_master_success(154)
 : 1 Time(s)
[2003/11/13 18:53:59, 0] nmbd/nmbd_incomingdgrams.c:process_local_master_announce(312)
 : 1 Time(s)
[2003/11/13 18:54:16, 0] nmbd/nmbd_become_lmb.c:become_local_master_stage2(404)
 : 1 Time(s)
[2003/11/13 18:55:00, 0] nmbd/nmbd_become_lmb.c:unbecome_local_master_success(154)
 : 1 Time(s)
[2003/11/13 18:55:00, 0] nmbd/nmbd_incomingdgrams.c:process_local_master_announce(312)
 : 1 Time(s)
[2003/11/13 18:55:17, 0] nmbd/nmbd_become_lmb.c:become_local_master_stage2(404)
 : 1 Time(s)
[2003/11/13 18:56:13, 0] nmbd/nmbd_become_lmb.c:unbecome_local_master_success(154)
 : 1 Time(s)
[2003/11/13 18:56:13, 0] nmbd/nmbd_incomingdgrams.c:process_local_master_announce(312)
 : 1 Time(s)

[A lot more lines like this]

[2003/11/13 23:58:06, 0] nmbd/nmbd_become_lmb.c:unbecome_local_master_success(154)
 : 1 Time(s)
[2003/11/13 23:58:06, 0] nmbd/nmbd_incomingdgrams.c:process_local_master_announce(312)
 : 1 Time(s)
[2003/11/13 23:58:23, 0] nmbd/nmbd_become_lmb.c:become_local_master_stage2(404)
 : 1 Time(s)

 ---------------------- Samba End -------------------------

 ---------------- Connections (secure-log) Begin -------------------

**Unmatched Entries**
useradd[7335]: new user: name=s250$, uid=586, gid=101, home=/dev/null, shell=/bin/false

 ----------------- Connections (secure-log) End --------------------

 --------------------- sendmail Begin ------------------------

1774 bytes transferred
2 messages sent
 ---------------------- sendmail End -------------------------

 ###################### LogWatch End #########################

The list of messages is never the same. It changes from day to day, but this is pretty representative.

What do all those messages mean?
Does smb_panic mean SoMeBody should be PANICing? Is it about a problem in the disk?
And what are all the rest of the messages?

Your help will be sincerely appreciated.



> Is this bad or good? If it's bad: how do I fix it?
The first mail informs you that tripwire is configured and seems to run. That's good.
But it complains that it misses a configuration. To fix this you need to do what the mail describes (and be an expert, for tripwire at least, somehow :-)

The 2nd mail lists some information from Samba logfiles.
I've seen these messages on my systems too, and never checked for them; I think they are harmless.
To give more details about it, you need to post your Samba version.
JackNaifAuthor Commented:
Thank you for your reply. As I said, I'm not an expert, but I am bold enough, so I gave it a try anyway.  :-)

Look at what the very wicked answered:

[root@firewall root]# tripwire --init
### Error: File could not be opened.
### Filename: /etc/tripwire/tw.cfg
### No such file or directory
### Configuration file could not be read.
### Exiting...

How bad is it if Tripwire is not running, or not properly configured? Is there a "Tripwire for dummies" page somewhere?

I'm not sure about how to determine the version of samba that's running. The man page says

       This  man  page  is  correct  for version 2.2 of the Samba

so I guess it must be v2.2 but I guess there's got to be a better way...
Is that "smb_panic" really usual? I mean: "kernel panic" is about as good as "your machine is dead". Isn't "smb_panic" like "your samba has its days counted" or "your disk is fried"?
And all that stuff about "local master announce": Is somebody trying to hack our network? Is it just a W98 box that doesn't know its place on this earth?
Where can I find out the meaning of these messages?
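An added example, not from the thread and not Samba's or LogWatch's own code: the LogWatch mail above lists only the header line Samba writes for each debug message ("[date, level] file:function(line)") plus a count; the explanatory text that Samba puts on the indented line(s) below each header in its own log is not in the mail, which is why every entry reads as just a location. The script below pulls a header and its continuation lines out of the Samba log by location name, counts how often each location fired over the whole log, and prints the Samba version with smbd -V instead of guessing it from the man page. The log path, the smbd path and the sample log are assumptions: the sample is constructed to mirror the headers in the mail and is not a capture from this server.

```shell
#!/bin/sh
# Added example, not from the thread. Samba 2.x writes each debug message as a
# header line "[YYYY/MM/DD hh:mm:ss, level] file:function(line)" followed by one
# or more indented text lines; LogWatch's mail showed only the headers.
SAMBA_LOG=${SAMBA_LOG:-/var/log/samba/log.smbd}   # assumed Red Hat default path
SMBD=${SMBD:-/usr/sbin/smbd}                      # assumed location of smbd

# samba_version: the running daemon reports its own version (smbd -V), which
# is more reliable than the man page's "correct for version 2.2" line.
samba_version() { "$SMBD" -V; }

# samba_ctx LOG PATTERN: print each header whose file:function(line) matches
# the awk regex PATTERN, together with its indented continuation lines.
samba_ctx() {
    awk -v pat="$2" '
        /^\[/ { hit = ($0 ~ pat) }   # header line: decide whether to show this message
        hit   { print }              # prints the header and the body lines under it
    ' "$1"
}

# samba_count LOG: how many times each source location fired, most frequent
# first; the same numbers LogWatch gives as "N Time(s)", but over a whole log.
samba_count() {
    awk '/^\[/ { n[$NF]++ } END { for (k in n) print n[k], k }' "$1" | sort -rn
}

# sample_log: constructed Samba 2.2-style log using the headers from the
# thread's LogWatch mail with plausible bodies; not a capture from the server.
sample_log() {
    cat <<'EOF'
[2003/11/13 07:55:06, 0] lib/util_sock.c:read_data(436)
  read_data: read failure for 4. Error = Connection reset by peer
[2003/11/13 09:12:30, 0] lib/util_sec.c:assert_gid(111)
  Failed to set gid privileges to (-1,101) now set to (0,0) uid=(0,0)
[2003/11/13 09:12:30, 0] lib/util.c:smb_panic(1094)
  PANIC: failed to set gid
[2003/11/13 10:02:22, 0] lib/util_sock.c:read_data(436)
  read_data: read failure for 4. Error = Connection reset by peer
EOF
}

# Stand-alone run: use the real log if it is readable, else the sample.
if [ -r "$SAMBA_LOG" ]; then
    samba_version 2>/dev/null
    samba_ctx "$SAMBA_LOG" 'smb_panic|assert_gid'
    samba_count "$SAMBA_LOG"
else
    tmp=$(mktemp) && sample_log > "$tmp"
    samba_ctx "$tmp" 'smb_panic|assert_gid'
    samba_count "$tmp"
    rm -f "$tmp"
fi
```

Run it as root on the firewall (smbd's log is normally not world-readable) and read the body line under each smb_panic header: that line, not the function name, says what the daemon tripped over, and the headers that arrive in pairs in the same second (assert_gid then smb_panic above) belong to one event. The nmbd "local master" headers go to log.nmbd rather than log.smbd, so point SAMBA_LOG there for those.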

hmm, where is the problem in understanding what tripwire reports?

   [root@firewall root]# tripwire --init
   ### Error: File could not be opened.
   ### Filename: /etc/tripwire/tw.cfg
   ### No such file or directory
   ### Configuration file could not be read.

it says that there is no /etc/tripwire/tw.cfg, and you can simply prove this with:

  /bin/ls -lF /etc/tripwire/tw.cfg

I'd suggest that you search for your tw.cfg, for example like:

  find -name tw.cfg -print

then start your tripwire with an appropriate -c option

JackNaifAuthor Commented:
Thanks once again for your answer, ahoffmann. But, hey, be gentle on me! When it comes to Linux, I'm a complete rookie. I'm a programmer, but a Windows (as opposed to Linux) programmer.

Now, /etc/tripwire/tw.cfg doesn't exist.

And the find command you suggested didn't return anything. (It was very helpful however, because I didn't understand how the find command could be used to find a file).

However, I found a /etc/tripwire/twcfg.txt file:

[root@firewall tripwire]# less twcfg.txt
ROOT                   =/usr/sbin
POLFILE                =/etc/tripwire/tw.pol
DBFILE                 =/var/lib/tripwire/$(HOSTNAME).twd
REPORTFILE             =/var/lib/tripwire/report/$(HOSTNAME)-$(DATE).twr
SITEKEYFILE            =/etc/tripwire/site.key
LOCALKEYFILE           =/etc/tripwire/$(HOSTNAME)-local.key
EDITOR                 =/bin/vi
LATEPROMPTING          =false
REPORTLEVEL            =3
MAILPROGRAM            =/usr/sbin/sendmail -oi -t
twcfg.txt (END)

By copying it to tw.cfg would I be fixing the problem, or entirely scrambling the whole system?
From the man page for tripwire I guess it checks to see no one's changed a system file but first I should have a database of the system. And in spite of having read the man page, I'm not at all sure about how to build it.
Isn't there really a more friendly manual for tripwire than the man page? (Of course I could Google for it, but I want one that comes with a recommendation).

And all those messages from samba: I read somewhere that an administrator should always read the log files to check for intrusions. Could these messages be a clue about intrusions or attempts to intrude? Or is it other logs that I should read, instead of these messages? Or is it just science fiction to think that an admin will actually read the logs?


No, twcfg.txt is different from tw.cfg.
Docs for tripwire either come with the tarball (tripwire*.tar.gz), or can be found at
Note that tripwire up to version 1.x was free, while starting with 2.x it's commercial.
Configuration, and so docs, also changed from 1.x to 2.x, so first check which version you have.
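An added example, not part of the thread and not Red Hat's or Tripwire's own installer: the reason twcfg.txt cannot just be renamed is that in Tripwire 2.x tw.cfg and tw.pol are signed binary files that twadmin generates from the plain-text twcfg.txt and twpol.txt using the site key, and the database the cron mail complains about is then created by tripwire --init under a local key. The script below reports which of those pieces are missing for the layout in the posted twcfg.txt and, when run with --run, generates the keys, signs the configuration and policy, takes the baseline and runs a first check. The /etc/tripwire, /var/lib/tripwire and /usr/sbin paths, the twpol.txt name and the Red Hat 7.2 package layout are assumptions taken from that twcfg.txt and the Tripwire 2.x documentation.

```shell
#!/bin/sh
# Added example, not from the thread: bootstrap open-source Tripwire 2.x on the
# Red Hat 7.2 layout seen in the posted twcfg.txt. Paths are assumptions and
# can be overridden through the environment.
TWDIR=${TWDIR:-/etc/tripwire}          # twcfg.txt, twpol.txt, keys, tw.cfg, tw.pol
TWDB=${TWDB:-/var/lib/tripwire}        # directory of DBFILE in twcfg.txt
TWBIN=${TWBIN:-/usr/sbin}              # ROOT= in twcfg.txt: twadmin and tripwire
HOST=${HOST:-$(uname -n)}              # what $(HOSTNAME) expands to in twcfg.txt

# tw_missing CFGDIR DBDIR HOST
# Prints, space separated, the files a "tripwire --check" run needs that are
# not there, and returns 0 only when nothing is missing. tw.cfg and tw.pol
# are generated and signed from the .txt files; they are not copies of them.
tw_missing() {
    cfgdir=$1 dbdir=$2 host=$3 missing=""
    for f in twcfg.txt twpol.txt site.key "$host-local.key" tw.cfg tw.pol; do
        [ -f "$cfgdir/$f" ] || missing="$missing $f"
    done
    [ -f "$dbdir/$host.twd" ] || missing="$missing $host.twd"
    printf '%s\n' "${missing# }"
    [ -z "$missing" ]
}

# tw_bootstrap: the steps the daily cron mail is asking for. Every twadmin
# and tripwire call below prompts for a passphrase; the flags are the
# documented Tripwire 2.x ones (long forms of -m G, -m F, -m P, -m i, -m c).
tw_bootstrap() {
    # 1. Site and local keys. Never regenerate silently: a new site key makes
    #    the existing signed tw.cfg/tw.pol unusable, a new local key the database.
    [ -f "$TWDIR/site.key" ] || \
        "$TWBIN/twadmin" --generate-keys --site-keyfile "$TWDIR/site.key"
    [ -f "$TWDIR/$HOST-local.key" ] || \
        "$TWBIN/twadmin" --generate-keys --local-keyfile "$TWDIR/$HOST-local.key"
    # 2. Sign the text configuration and policy into tw.cfg and tw.pol
    #    (the POLFILE destination is read from the freshly created tw.cfg).
    "$TWBIN/twadmin" --create-cfgfile --cfgfile "$TWDIR/tw.cfg" \
        --site-keyfile "$TWDIR/site.key" "$TWDIR/twcfg.txt"
    "$TWBIN/twadmin" --create-polfile --cfgfile "$TWDIR/tw.cfg" \
        --site-keyfile "$TWDIR/site.key" "$TWDIR/twpol.txt"
    # 3. Baseline database ($TWDB/$HOST.twd). It records the box as it is
    #    *now*: anything already tampered with is baselined as "good".
    "$TWBIN/tripwire" --init --cfgfile "$TWDIR/tw.cfg"
    # 4. First integrity check, the same run the daily cron job does.
    "$TWBIN/tripwire" --check --cfgfile "$TWDIR/tw.cfg"
}

case ${1:-} in
    --run)  tw_bootstrap ;;
    *)      if m=$(tw_missing "$TWDIR" "$TWDB" "$HOST"); then
                echo "tripwire is fully set up for $HOST"
            else
                echo "missing for $HOST: $m (run: $0 --run)"
            fi ;;
esac
```

Two things to expect on a stock Red Hat policy: the first --check usually lists files from twpol.txt that do not exist on this box (edit twpol.txt, re-run the --create-polfile step, then --init again), and the Tripwire documentation recommends removing the plain-text twcfg.txt and twpol.txt once signed, since twadmin --print-cfgfile and --print-polfile can regenerate them from the signed copies.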

JackNaifAuthor Commented:
OK. No renaming twcfg.txt then.

A link in took me to the right page on SourceForge and there I found a manual which is a whole lot clearer than the man page, and though I haven't gone over the whole of it yet, the parts I've seen are clear enough.
I'm sure that with it I'm going to be able to get it running right. (At least I've already understood what it does).

Points thankfully awarded.