<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html><head>
<title>Frequently Asked Questions for Samhain</title>
<meta name="author" content="Rainer Wichmann">

<style type="text/css">
<!--

html { background: #eee; color: #000; }

body { background: #eee; color: #000; margin: 0; padding: 0;}

div.body {
background: #fff; color: #000;
margin: 0 1em 0 1em; padding: 1em;
font-family: serif;
font-size: 1em; line-height: 1.2em;
border-width: 0 1px 0 1px;
border-style: solid;
border-color: #aaa;
}

div.block {
background: #b6c5f2; color: #000;
margin: 1em; padding: 0 1em 0 1em;
border-width: 1px;
border-style: solid;
border-color: #2d4488;
}

div.warnblock {
background: #b6c5f2; color: #000;
margin: 1em; padding: 0 1em 0 1em;
border-width: 1px;
border-style: solid;
border-color: #FF9900;
}

table {
background: #F8F8F8; color: #000;
margin: 1em;
border-width: 0 0 0 1px;
border-style: solid;
border-color: #C0C0C0;
}

td {
border-width: 0 1px 1px 0;
border-style: solid;
border-color: #C0C0C0;
}

th {
background: #F8F8FF;
border-width: 1px 1px 2px 0;
border-style: solid;
border-color: #C0C0C0;
}


/* body text, headings, and rules */

p { margin: 0; text-indent: 0em; margin: 0 0 0.5em 0 }

h1, h2, h3, h4, h5, h6 {
color: #206020; background: transparent;
font-family: Optima, Arial, Helvetica, sans-serif;
font-weight: normal;
}

h1 { font-size: 1.69em; margin: 1.4em 0 0.4em 0; }
h2 { font-size: 1.44em; margin: 1.4em 0 0.4em 0; }
h3 { font-size: 1.21em; margin: 1.4em 0 0.4em 0; }
h4 { font-size: 1.00em; margin: 1.4em 0 0.4em 0; }
h5 { font-size: 0.81em; margin: 1.4em 0 0.4em 0; }
h6 { font-size: 0.64em; margin: 1.4em 0 0.4em 0; }

hr {
color: transparent; background: transparent;
height: 0px; margin: 0.6em 0;
border-width: 1px ;
border-style: solid;
border-color: #999;
}

/* bulleted lists and definition lists */

ul { margin: 0 1em 0.6em 2em; padding: 0; }
li { margin: 0.4em 0 0 0; }

dl { margin: 0.6em 1em 0.6em 2em; }
dt { color: #285577; }

tt { color: #602020; }

/* links */

a.link {
color: #33c; background: transparent;
text-decoration: none;
}

a:hover {
color: #000; background: transparent;
}

body > a {
font-family: Optima, Arial, Helvetica, sans-serif;
font-size: 0.81em;
}

h1, h2, h3, h4, h5, h6 {
color: #2d5588; background: transparent;
font-family: Optima, Arial, Helvetica, sans-serif;
font-weight: normal;
}

-->
</style></head>
<body>
<div class="body">
<p style="text-align: center; background: #ccc; border: 1px solid #2d5588;"><a
style="text-decoration: none;"
href="http://www.la-samhna.de/samhain/">samhain file integrity
scanner</a> | <a style="text-decoration: none;"
href="http://www.la-samhna.de/samhain/s_documentation.html">online
documentation</a></p>
<br><center><h1><a name="FAQ-top">Frequently Asked Questions for Samhain</a></h1></center>
<br><center><h2>Rainer Wichmann</h2></center>
<hr>
<p><i>FAQ Revised: Tuesday 31 January 2006 21:28:35</i></p>
<hr><h2>Table of Contents</h2>
<dl>
<dt><b>1. Most frequently</b></dt>
<dd><ul>
<li><a href="#Most frequently0">1.1. Owner not trustworthy / Group writeable and member not trustworthy</a></li>
<li><a href="#Most frequently1">1.2. samhain exits with the message "Untrusted path" for config/log/pid/database files</a></li>
<li><a href="#Most frequently2">1.3. It does not log anything / Can't stop logging to console</a></li>
<li><a href="#Most frequently3">1.4. Client cannot self-resolve, but nslookup works fine</a></li>
</ul></dd>
<dt><b>2. Build and install</b></dt>
<dd><ul>
<li><a href="#Build and install0">2.1. [Fedora Core] Cannot compile with --enable-khide</a></li>
<li><a href="#Build and install1">2.2. [Fedora Core] Cannot compile with --with-kcheck</a></li>
<li><a href="#Build and install2">2.3. "make" loops infinitely !</a></li>
<li><a href="#Build and install3">2.4. Why does static compiling (<code>--enable-static</code>) on Solaris fail ?</a></li>
<li><a href="#Build and install4">2.5. Compilation fails with '/usr/bin/ld: cannot find -lnss_files'</a></li>
<li><a href="#Build and install5">2.6. The executable is corrupted after installation</a></li>
<li><a href="#Build and install6">2.7. --enable-xml-log has no effect</a></li>
<li><a href="#Build and install7">2.8. ./install-sh: strip: not found (Solaris)</a></li>
<li><a href="#Build and install8">2.9. What is sh_tiger1.s?</a></li>
</ul></dd>
<dt><b>3. File checking</b></dt>
<dd><ul>
<li><a href="#File checking0">3.1. How can I exclude a (sub-)directory ?</a></li>
<li><a href="#File checking1">3.2. In messages about policy violations, what does the code after POLICY [XYZ]
mean ?</a></li>
<li><a href="#File checking2">3.3. Does samhain support prelink ?</a></li>
<li><a href="#File checking3">3.4. I get error messages about 'subdirectory count != hardlinks'</a></li>
</ul></dd>
<dt><b>4. Client/Server</b></dt>
<dd><ul>
<li><a href="#Client/Server0">4.1. I don't want to poke a hole into my firewall to let the client connect to the server !</a></li>
<li><a href="#Client/Server1">4.2. The client sends 127.0.0.1 (or some other numerical address) as its name to the log server</a></li>
<li><a href="#Client/Server2">4.3. The server wants to send rc.ip-address rather than rc.fqdn to the client</a></li>
<li><a href="#Client/Server3">4.4. Cannot resolve client name host=XXX</a></li>
<li><a href="#Client/Server4">4.5. Cannot resolve socket peer IP for client host=XXX peer=YYY</a></li>
<li><a href="#Client/Server5">4.6. Reverse lookup of socket peer failed host=XXX peer=YYY obj=ZZZ</a></li>
<li><a href="#Client/Server6">4.7. No socket peer alias matches client name host=XXX peer=YYY</a></li>
<li><a href="#Client/Server7">4.8. Session key negotiation failed</a></li>
<li><a href="#Client/Server8">4.9. Invalid connection attempt: Not in client list</a></li>
<li><a href="#Client/Server9">4.10. Invalid connection attempt: Session key mismatch</a></li>
<li><a href="#Client/Server10">4.11. How do I update the file signature database ?</a></li>
<li><a href="#Client/Server11">4.12. Time limit exceeded</a></li>
<li><a href="#Client/Server12">4.13. Invalid connection attempt: Signature mismatch</a></li>
<li><a href="#Client/Server13">4.14. [Server] PANIC .. Address already in use subroutine=bind</a></li>
</ul></dd>
<dt><b>5. Email</b></dt>
<dd><ul>
<li><a href="#Email0">5.1. Reverse lookup failed</a></li>
<li><a href="#Email1">5.2. From daemon@example.com</a></li>
<li><a href="#Email2">5.3. How do I define more than one email address ?</a></li>
</ul></dd>
<dt><b>6. Misc</b></dt>
<dd><ul>
<li><a href="#Misc0">6.1. Error message: "Invalid line XYZ in configuration file"</a></li>
<li><a href="#Misc1">6.2. Why do I get a local logfile if I log to the server ?</a></li>
<li><a href="#Misc2">6.3. Why is there no NIS support with a static samhain executable on Linux ?</a></li>
<li><a href="#Misc3">6.4. Why do I get hundreds of messages about modified CTIME ?</a></li>
<li><a href="#Misc4">6.5. PANIC — File not accessible</a></li>
<li><a href="#Misc5">6.6. How can I avoid error messages for invalid UIDs (no such user) ?</a></li>
<li><a href="#Misc6">6.7. [Redhat] The /etc/init.d/(samhain|yule) init script hangs</a></li>
<li><a href="#Misc7">6.8. The /etc/init.d/(samhain|yule) init script exits with: execvp: No such file or directory</a></li>
<li><a href="#Misc8">6.9. Why am I not receiving the "BEGIN LOGKEY" message by email ?</a></li>
<li><a href="#Misc9">6.10. Why does console logging fail if I compile with
<code>--enable-(micro-)stealth</code> ?</a></li>
<li><a href="#Misc10">6.11. I need a list for my schedule !</a></li>
<li><a href="#Misc11">6.12. The hiding kernel module has no effect !</a></li>
<li><a href="#Misc12">6.13. What does the message "Large lstat/open overhead" mean ?</a></li>
<li><a href="#Misc13">6.14. What does the message "Device not available path=/dev/random" mean ? I have /dev/random !</a></li>
<li><a href="#Misc14">6.15. Logging to an external program fails; the program receives no data
on stdin !</a></li>
<li><a href="#Misc15">6.16. SIGILL on AIX</a></li>
</ul></dd>
<dt><b>7. Database</b></dt>
<dd><ul>
<li><a href="#Database0">7.1. Why are client messages corrupted / incompletely stored in the DB ?</a></li>
<li><a href="#Database1">7.2. I want / don't want the server timestamps (for client messages) in the SQL database</a></li>
<li><a href="#Database2">7.3. I don't want the client TIMESTAMP messages in the SQL database</a></li>
<li><a href="#Database3">7.4. What does the log_ref field mean ?</a></li>
<li><a href="#Database4">7.5. How can I check what is in the database ?</a></li>
</ul></dd>
</dl>
<hr><h2>1. Most frequently</h2>
<dl>
<dt><b><a name="Most frequently0">1.1. Owner not trustworthy / Group writeable and member not trustworthy</a></b></dt>
<dd>An untrusted user (or, for group writeable files/directories, an
untrusted group member) owns or can write to an
element in the path listed in the error message. This concerns
the configuration file, the log file, and the database file.
The offending element in the path is identified as obj=/xxx in the
error message.
To fix the problem, see the next entry.<br><br></dd>
<dt><b><a name="Most frequently1">1.2. samhain exits with the message "Untrusted path" for config/log/pid/database files</a></b></dt>
<dd>Paths to critical
files (e.g. the configuration file) must be writeable by trusted users
only.
If a path element is group writeable, all group members must be trusted.
By default, only <i>root</i> and the (effective) <i>user</i> of
the program are trusted. To add trusted users, use the compile time
option
<div class="block"><pre>
$ ./configure --with-trusted=0,...
</pre></div>
or the configuration file option:
<div class="block"><pre>
[Misc]
TrustedUser=username
</pre></div>
If the path to the configuration file itself is writeable
by users other than <i>root</i> and the
<i>effective user</i>,
these must already be defined as trusted
at compile time (the configuration file cannot be trusted before it has been read).<br><br></dd>
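<dd>The trusted-path rule of entries 1.1 and 1.2 is easy to reproduce outside samhain when you want to find the offending <tt>obj=</tt> element before the daemon refuses to start. The following Python script is an added example written for this FAQ; it is not samhain's own code. It walks every prefix of a path and applies the two rules stated above (owner must be trusted; if group writeable, every group member must be trusted). Treating world writeable elements as untrusted is an assumption of this example, not something the FAQ states, and the sample elements in <tt>demo()</tt> are constructed.
```python
"""Added example (not samhain's code): locate the untrusted element of a path
as described in FAQ 1.1/1.2.  The default trusted set is uid 0 plus the
effective uid, mirroring the compile-time default; extra uids can be added
the way --with-trusted / TrustedUser would."""
import grp
import os
import pwd
import stat
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional, Set, Tuple


@dataclass
class PathElement:
    path: str
    uid: int
    gid: int
    mode: int  # permission bits (st_mode)


def path_elements(path: str) -> List[str]:
    """Every prefix of an absolute path: '/', '/etc', '/etc/samhain', ..."""
    out, cur = ["/"], ""
    for part in os.path.abspath(path).split(os.sep):
        if part:
            cur = cur + "/" + part
            out.append(cur)
    return out


def group_members(gid: int) -> Set[int]:
    """Uids of all members of gid (supplementary and primary)."""
    members: Set[int] = set()
    try:
        for name in grp.getgrgid(gid).gr_mem:
            try:
                members.add(pwd.getpwnam(name).pw_uid)
            except KeyError:
                pass
    except KeyError:
        return members
    for pw in pwd.getpwall():
        if pw.pw_gid == gid:
            members.add(pw.pw_uid)
    return members


def untrusted_element(elements: Iterable[PathElement], trusted: Set[int],
                      members_of: Callable[[int], Set[int]]) -> Optional[Tuple[str, str]]:
    """Return (path, reason) for the first element that violates the rule, else None."""
    for el in elements:
        if el.uid not in trusted:
            return (el.path, "owner not trustworthy")
        if el.mode & stat.S_IWGRP:
            if any(uid not in trusted for uid in members_of(el.gid)):
                return (el.path, "group writeable and member not trustworthy")
        if el.mode & stat.S_IWOTH:  # assumption: world writeable counts as untrusted
            return (el.path, "world writeable")
    return None


def check_path(path: str, extra_trusted: Iterable[int] = ()) -> Optional[Tuple[str, str]]:
    """Live check of a real path on this host using os.lstat per element."""
    trusted = {0, os.geteuid(), *extra_trusted}
    elements = []
    for p in path_elements(path):
        st = os.lstat(p)
        elements.append(PathElement(p, st.st_uid, st.st_gid, stat.S_IMODE(st.st_mode)))
    return untrusted_element(elements, trusted, group_members)


def demo() -> Optional[Tuple[str, str]]:
    """Constructed sample: /etc/samhain owned by uid 1000, which is not trusted."""
    sample = [
        PathElement("/", 0, 0, 0o755),
        PathElement("/etc", 0, 0, 0o755),
        PathElement("/etc/samhain", 1000, 1000, 0o755),
        PathElement("/etc/samhain/samhainrc", 0, 0, 0o600),
    ]
    return untrusted_element(sample, {0}, lambda gid: set())


if __name__ == "__main__":
    print(demo())                      # ('/etc/samhain', 'owner not trustworthy')
    print(check_path("/etc/samhainrc"))  # None on a correctly installed host
```
Run it against the path named in the error message; the first tuple returned is the <tt>obj=</tt> element to fix (chown it to root, or remove group/world write access). Adding the offending owner to the trusted set is the alternative the FAQ describes, and should be a deliberate decision.<br><br></dd>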
<dt><b><a name="Most frequently2">1.3. It does not log anything / Can't stop logging to console</a></b></dt>
<dd>(1) There is a section in the manual dealing with
logging and filtering.<br />

(2) To log to the console:
<div class="block"><pre>
$ samhain -p info ...
</pre></div>
or in the configuration file:
<div class="block"><pre>
[Log]
PrintSeverity=info
</pre></div>

To <i>stop</i> logging to the console:
<div class="block"><pre>
$ samhain -p none ...
</pre></div>
or in the configuration file:
<div class="block"><pre>
[Log]
PrintSeverity=none
</pre></div>
Defining <tt>/dev/null</tt> as console device works as well, but
is a bad idea, because samhain will still open the device and write
every message to it (i.e. it is a very inefficient method).<br><br></dd>
<dt><b><a name="Most frequently3">1.4. Client cannot self-resolve, but nslookup works fine</a></b></dt>
<dd><ul>
<li>Nslookup is a program to query Internet domain name servers.
</li>
<li>Applications (like samhain) are not supposed to query DNS servers
directly. Rather, they are supposed to query the resolver library that:
<ul>
<li>is provided by the operating system,</li>
<li>is configured by the system administrator,</li>
<li>may use several different methods to determine host names, as
configured in <tt>/etc/nsswitch.conf</tt>, and</li>
<li>usually is configured to give precedence to
the <tt>/etc/hosts</tt> file.</li>
</ul>
</li>
<li>Therefore, whether nslookup gives correct answers may be completely
irrelevant. For resolving its own hostname, the resolver
library will probably use <tt>/etc/hosts</tt>, rather than
querying a DNS server.
</li>
</ul>
<p>
Below you can find some examples of good and bad <tt>/etc/hosts</tt> files:
</p>
<div class="block"><pre>
# CORRECT
#
127.0.0.1 localhost
xxx.xxx.xxx.xxx myhost.mydomain.tld myhost
</pre></div>

<div class="block"><pre>
# CORRECT
#
127.0.0.1 localhost.localdomain localhost
xxx.xxx.xxx.xxx myhost.mydomain.tld myhost
</pre></div>

<div class="block"><pre>
# BAD
#
127.0.0.1 myhost.mydomain.tld localhost
xxx.xxx.xxx.xxx myhost.mydomain.tld myhost
</pre></div>

<div class="block"><pre>
# BAD
#
127.0.0.1 localhost myhost
xxx.xxx.xxx.xxx myhost.mydomain.tld myhost
</pre></div><br><br></dd>
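<dd>The difference between the CORRECT and BAD files above is mechanical enough to check before rolling a host out as a samhain client. The Python linter below is an added example, not part of this FAQ or of samhain; it parses an <tt>/etc/hosts</tt> file and reports the two pitfalls shown above (the host's FQDN or short name sitting on a loopback line, and the FQDN missing from every routable line). The additional warning that the FQDN should be the first, canonical name on its line follows the <tt>hosts(5)</tt> convention and is this example's own check. The sample file contents and the address 192.0.2.10 are constructed for the demo.
```python
"""Added example (not samhain's code): lint /etc/hosts for the
self-resolution problems described in FAQ 1.4."""
import ipaddress
from typing import List, Tuple

# Constructed sample files, mirroring the CORRECT / BAD blocks of the FAQ.
GOOD = """# CORRECT
127.0.0.1 localhost.localdomain localhost
192.0.2.10 myhost.mydomain.tld myhost
"""
BAD_FQDN_ON_LOOPBACK = """# BAD
127.0.0.1 myhost.mydomain.tld localhost
192.0.2.10 myhost.mydomain.tld myhost
"""
BAD_SHORT_ON_LOOPBACK = """# BAD
127.0.0.1 localhost myhost
192.0.2.10 myhost.mydomain.tld myhost
"""


def parse_hosts(text: str) -> List[Tuple[ipaddress._BaseAddress, List[str]]]:
    """Return (address, [names]) per entry; comments and blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed address field; ignored here
        entries.append((addr, fields[1:]))
    return entries


def lint_hosts(text: str, fqdn: str, short: str) -> List[str]:
    """Problems found for the machine named fqdn/short; empty list means OK."""
    problems: List[str] = []
    own_names = {fqdn, short}
    fqdn_routable = False
    for addr, names in parse_hosts(text):
        if addr.is_loopback:
            hit = own_names.intersection(names)
            if hit:
                problems.append(f"{sorted(hit)} mapped to loopback {addr}: "
                                "the client will self-resolve to a loopback address")
        elif fqdn in names:
            fqdn_routable = True
            if names[0] != fqdn:
                problems.append(f"{fqdn} is an alias of {names[0]} on {addr}; "
                                "the canonical (first) name should be the FQDN")
    if not fqdn_routable:
        problems.append(f"{fqdn} has no entry with a non-loopback address")
    return problems


if __name__ == "__main__":
    for label, text in (("GOOD", GOOD), ("BAD 1", BAD_FQDN_ON_LOOPBACK),
                        ("BAD 2", BAD_SHORT_ON_LOOPBACK)):
        print(label, lint_hosts(text, "myhost.mydomain.tld", "myhost") or "ok")
```
To check a real host, read <tt>/etc/hosts</tt> and pass the name the client is expected to report, e.g. <tt>lint_hosts(open("/etc/hosts").read(), "myhost.mydomain.tld", "myhost")</tt>. This only covers the <tt>files</tt> source of <tt>/etc/nsswitch.conf</tt>; if <tt>hosts:</tt> lists <tt>dns</tt> first, the DNS answer is what the resolver will use.<br><br></dd>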
</dl>
<hr><h2>2. Build and install</h2>
<dl>
<dt><b><a name="Build and install0">2.1. [Fedora Core] Cannot compile with --enable-khide</a></b></dt>
<dd>The Fedora Core kernel is patched to unconditionally deny reading
from /dev/kmem. Compiling the stealth kernel modules is not possible
under these circumstances.<br><br></dd>
<dt><b><a name="Build and install1">2.2. [Fedora Core] Cannot compile with --with-kcheck</a></b></dt>
<dd>The Fedora Core kernel is patched to unconditionally deny reading
from /dev/kmem. Checking the kernel for the presence of rootkits is
not possible under these circumstances.<br><br></dd>
<dt><b><a name="Build and install2">2.3. "make" loops infinitely !</a></b></dt>
<dd>This may happen (e.g. when building via NFS for multiple architectures)
if the relative timestamps in the source directory are
wrong (time not in sync on different machines) or some intermediate
target is unusable (up-to-date, but built for a different OS). Use
"touch * && make distclean" in the source directory
to recover.<br><br></dd>
<dt><b><a name="Build and install3">2.4. Why does static compiling (<code>--enable-static</code>) on Solaris fail ?</a></b></dt>
<dd>Ingo Rogalsky has provided the following information: It isn't possible
to link Samhain statically with Solaris. This
is a Solaris issue (see Sun Infodoc ID12624) and not a samhain problem.<br><br></dd>
<dt><b><a name="Build and install4">2.5. Compilation fails with '/usr/bin/ld: cannot find -lnss_files'</a></b></dt>
<dd>For Linux, this is a known problem with --enable-static if you compile
in MySQL support. The problem is that the
<tt>mysql_config</tt> script that comes as part of the MySQL
distribution incorrectly lists dependencies on
the libnss_files and libnss_dns libraries, which are only available as
shared libraries, so the linker cannot find static versions of them.

You can check this by inspecting the output of
<code>mysql_config --libs</code>. The version of
<tt>mysql_config</tt> that comes with the RedHat mysql
RPM (RedHat 9) does not have this bug; the one distributed by the MySQL
people does. You can fix the problem by editing
<tt>mysql_config</tt>: search for the
<i>client_libs</i> variable, and remove all instances
of <i>-lnss_files</i> and <i>-lnss_dns</i>.<br><br></dd>
<dt><b><a name="Build and install5">2.6. The executable is corrupted after installation</a></b></dt>
<dd>The executable will get stripped during the installation. On
suitable systems (i386 Linux/FreeBSD currently), additionally
the "sstrip"
utility (copyright 1999 by Brian Raiter, under the GNU GPL)
will be used to strip the executable even more, to prevent
debugging with the GNU "gdb" debugger.
The "strip" utility cannot handle the resulting
executable, therefore trying to strip manually after installation
will corrupt the executable.<br><br></dd>
<dt><b><a name="Build and install6">2.7. --enable-xml-log has no effect</a></b></dt>
<dd>If you have compiled for stealth, you won't see much, because if
obfuscated, then both a 'normal' and an XML logfile look,
well ... obfuscated. Use <code>samhain -jL /path/to/logfile</code>
to view the logfile.<br><br></dd>
<dt><b><a name="Build and install7">2.8. ./install-sh: strip: not found (Solaris)</a></b></dt>
<dd>Install the SUNWbtool package.<br><br></dd>
<dt><b><a name="Build and install8">2.9. What is sh_tiger1.s?</a></b></dt>
<dd>This is a precompiled assembly file for the i386 architecture
generated from sh_tiger1.c using gcc 3.4.0 with the following options,
which were found to generate the fastest code:
<pre>
-O1 -fno-delayed-branch -fexpensive-optimizations -fstrength-reduce
-fpeephole2 -fschedule-insns2 -fregmove -frename-registers -fweb
-momit-leaf-frame-pointer -funroll-loops
</pre>
These options were determined using
<a href="http://www.coyotegulch.com/products/acovea/">acovea</a> 5.1.1
by Scott Robert Ladd. The file is provided as precompiled assembly
because different versions of gcc can have very different performance,
require different options to compile optimal code, and
it would be impossible to maintain a library of optimal compile options
for every version of gcc.<br><br></dd>
</dl>
<hr><h2>3. File checking</h2>
<dl>
<dt><b><a name="File checking0">3.1. How can I exclude a (sub-)directory ?</a></b></dt>
<dd><div class="block"><pre>
[IgnoreAll]
dir=-1/ignore/this/subdirectory
</pre></div><br><br></dd>
<dt><b><a name="File checking1">3.2. In messages about policy violations, what does the code after POLICY [XYZ]
mean ?</a></b></dt>
<dd>This code indicates which items are modified (e.g. C = checksum). You can
find a description in section 5.4.9 of the user manual. It is there so
that you can see in the message list of the Beltane web console what has been
modified, without the need to look at the message in detail.<br><br></dd>
<dt><b><a name="File checking2">3.3. Does samhain support prelink ?</a></b></dt>
<dd>Yes. There is a special checking policy [Prelink]. Directories with
prelinked executables / shared libraries (see /etc/prelink.conf) should be
placed under this policy, rather than under the [ReadOnly] policy.<br><br></dd>
<dt><b><a name="File checking3">3.4. I get error messages about 'subdirectory count != hardlinks'</a></b></dt>
<dd>Some filesystems do not always follow the rule that the number
of directory
hardlinks equals the number of subdirectories. E.g. the root directory of
reiserfs partitions generally seems to have two additional hardlinks.
To account for such exceptions, you can either switch off the
hardlink check globally, or specify exceptions:
<div class="block"><pre>
[Misc]
# Switch off hardlink check
#
UseHardlinkCheck=no
</pre></div>
<div class="block"><pre>
[Misc]
# Specify exceptions for the hardlink check
#
HardlinkOffset=N:/path
</pre></div>
Here, N is the numerical offset (actual - expected hardlinks) for
'/path'. For multiple exceptions, use
this option multiple times (note that '/path N:/path2' would itself be a valid
path, so using the option only once with multiple exceptions on the same line
would be ambiguous).<br><br></dd>
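<dd>The hardlink check is a cheap way to notice a hidden subdirectory (a directory entry that something is concealing still contributes a link to the parent). The script below is an added example, not samhain's code, that applies the rule of entry 3.4 with <tt>HardlinkOffset</tt>-style exceptions. It assumes the classic UNIX layout, which the FAQ does not spell out: a directory's link count is 2 (its own <tt>.</tt> entry plus the parent's entry) plus one <tt>..</tt> per immediate subdirectory, so <i>expected = 2 + subdirectories</i>. The exception parser reads one <tt>HardlinkOffset=N:/path</tt> line at a time, as the entry advises, and the configuration lines in the demo are constructed.
```python
"""Added example (not samhain's code): directory hardlink consistency check
with per-path offsets, as in FAQ 3.4."""
import os
from typing import Dict, Iterable, Optional


def expected_links(subdir_count: int, offset: int = 0) -> int:
    """Assumption (classic UNIX): 2 + one '..' link per immediate subdirectory."""
    return 2 + subdir_count + offset


def parse_offsets(config_lines: Iterable[str]) -> Dict[str, int]:
    """Collect HardlinkOffset=N:/path entries (one per line); other lines are ignored."""
    offsets: Dict[str, int] = {}
    for line in config_lines:
        key, sep, value = line.strip().partition("=")
        if not sep or key.strip() != "HardlinkOffset":
            continue
        n, sep2, path = value.strip().partition(":")
        if not sep2 or not path:
            continue
        offsets[path] = int(n)  # N may be negative
    return offsets


def hardlink_mismatch(path: str, nlink: int, subdir_count: int,
                      offsets: Dict[str, int]) -> Optional[str]:
    """Message in the style of the FAQ error if actual != expected, else None."""
    expected = expected_links(subdir_count, offsets.get(path, 0))
    if nlink != expected:
        return (f"subdirectory count != hardlinks path={path} "
                f"expected={expected} actual={nlink}")
    return None


def check_directory(path: str, offsets: Dict[str, int]) -> Optional[str]:
    """Live check of one directory on this host (symlinks are not followed)."""
    st = os.lstat(path)
    subdirs = 0
    with os.scandir(path) as it:
        for entry in it:
            if entry.is_dir(follow_symlinks=False):
                subdirs += 1
    return hardlink_mismatch(path, st.st_nlink, subdirs, offsets)


# Constructed configuration fragment: a reiserfs root with two extra links.
SAMPLE_CONFIG = [
    "[Misc]",
    "# Specify exceptions for the hardlink check",
    "HardlinkOffset=2:/mnt/reiser",
    "HardlinkOffset=-1:/data",
]


def demo() -> Dict[str, Optional[str]]:
    """Constructed observations: 3 subdirectories seen under each path."""
    offsets = parse_offsets(SAMPLE_CONFIG)
    return {
        "reiser_with_offset": hardlink_mismatch("/mnt/reiser", 7, 3, offsets),
        "reiser_without_offset": hardlink_mismatch("/mnt/reiser", 7, 3, {}),
        "plain_ok": hardlink_mismatch("/usr", 5, 3, offsets),
        "plain_extra_link": hardlink_mismatch("/usr", 6, 3, offsets),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result or 'ok'}")
    print("/tmp:", check_directory("/tmp", {}) or "ok")
```
On filesystems whose directory link count is always 1 (btrfs, for example), every directory fails the rule, which is the case for turning the check off globally with <tt>UseHardlinkCheck=no</tt> rather than adding an offset per path.<br><br></dd>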
</dl>
<hr><h2>4. Client/Server</h2>
<dl>
<dt><b><a name="Client/Server0">4.1. I don't want to poke a hole into my firewall to let the client connect to the server !</a></b></dt>
<dd>Pat Smith has posted the following solution. On the client, create
an iptables rule as follows (<i>note: you probably don't need this if you
configure / compile in 127.0.0.1 as the server address</i>):
<div class="block"><pre>
iptables -t nat -A OUTPUT -p tcp -m tcp --dport 49777 -d <i>server-ip</i> -j REDIRECT
</pre></div>

On the server, create an ssh tunnel for each client outside the firewall:

<div class="block"><pre>
ssh -f -C -R 49777:localhost:49777 -N <i>client-ip</i>
</pre></div>

It is necessary that each client has a distinct name, and that the server
knows the name of the client. With the setup above, each client will appear
as "localhost" to the server, thus the server
needs to trust the client name
as reported by the client itself, and suppress all errors on resolving
this name to the apparent address. In the server configuration:

<div class="block"><pre>
[Misc]
SetClientFromAccept = false
SeverityLookup = debug
</pre></div>

Obviously, self-resolving must work on the client machine, otherwise
you are in trouble (see next issue).<br><br></dd>
<dt><b><a name="Client/Server1">4.2. The client sends 127.0.0.1 (or some other numerical address) as its name to the log server</a></b></dt>
<dd>See 'Client cannot self-resolve' in the 'Most frequently' section<br><br></dd>
<dt><b><a name="Client/Server2">4.3. The server wants to send rc.ip-address rather than rc.fqdn to the client</a></b></dt>
<dd>The client self-resolves to its ip address.
See 'Client cannot self-resolve' in the 'Most frequently' section<br><br></dd>
<dt><b><a name="Client/Server3">4.4. Cannot resolve client name host=XXX</a></b></dt>
<dd><div class="block"><pre>
The server must be able to determine the client name.
This is because only authenticated connections from registered
clients are allowed, and
the server must be able to check the client hostname against the list of
allowed hosts, and look up the password verifier for that
host.
</pre></div>
There are two different ways to accomplish this. Unfortunately, judging
from customer feedback as well as from common sense, both do not work very well
with a messed up local DNS (including /etc/hosts files) and/or
überparanoid or misconfigured firewalls (in case of connections
across one).
<ul>
<li>
<p>
<i>First method: Determine client name on client, and
try to cross-check on server</i>
</p>
<p>
This does not work for a number of people because (1) the
<tt>/etc/hosts</tt> file on the client machine has errors
(yes, there are plenty of machines with a completely
messed up <tt>/etc/hosts</tt> file), (2) the
server cannot resolve the client address because the local DNS is
f***ed up, or (3) the client machine has multiple network interfaces, and
the interface used is not the one the client name resolves to.
</p>
<p>
If the client uses the wrong interface on a multi-interface machine,
there is a config file option
<tt>SetBindAddress=</tt><i>IP address</i>
that allows you to choose the interface the client will use for
outgoing connections.
</p>
<p>
If you want to download the config file from the server, you
should instead use the corresponding command line option
<tt>--bind-address=</tt><i>IP address</i>
to select the interface.
</p>

<p>
If you encounter problems, you may (1) fix your
<tt>/etc/hosts</tt> file(s), (2) fix your local DNS, or
(3) switch to the second method.
</p>
<p>
Errors in name resolving/cross-checking can be avoided by setting a
very low severity (lower than the logging threshold), e.g.
</p>
<p>
<tt>SeverityLookup=</tt><i>debug</i>
</p>
<p>
in the <i>Misc</i> section of the server configuration,
if you prefer running <i>unsafe</i> at any speed
instead of fixing the problem (you have been warned). Doing so will
allow an attacker to pose as the client.
</p>
</li>
<li>
<p><i>Second method: Use address of connecting entity as
known to the communication layer</i></p>
<p>
This has been dropped as default
long ago because it may not always be the
address of the client machine.
To enable this method, use
</p>
<p>
<tt>SetClientFromAccept=</tt><i>true</i>
</p>
<p>
in the <i>Misc</i> section of the server configuration
file. If the address cannot be resolved, or reverse lookup of the
resolved name fails, <i>no</i> error message will be issued,
but the numerical address will be used.
</p>
</li>
</ul><br><br></dd>
<dt><b><a name="Client/Server4">4.5. Cannot resolve socket peer IP for client host=XXX peer=YYY</a></b></dt>
<dd>See above<br><br></dd>
<dt><b><a name="Client/Server5">4.6. Reverse lookup of socket peer failed host=XXX peer=YYY obj=ZZZ</a></b></dt>
<dd>See above<br><br></dd>
<dt><b><a name="Client/Server6">4.7. No socket peer alias matches client name host=XXX peer=YYY</a></b></dt>
<dd>See above<br><br></dd>
<dt><b><a name="Client/Server7">4.8. Session key negotiation failed</a></b></dt>
<dd>See the document <a href="HOWTO-client+server-troubleshooting.html">HOWTO client+server troubleshooting</a><br><br></dd>
<dt><b><a name="Client/Server8">4.9. Invalid connection attempt: Not in client list</a></b></dt>
<dd>See the document <a href="HOWTO-client+server-troubleshooting.html">HOWTO client+server troubleshooting</a><br><br></dd>
<dt><b><a name="Client/Server9">4.10. Invalid connection attempt: Session key mismatch</a></b></dt>
<dd>See the document <a href="HOWTO-client+server-troubleshooting.html">HOWTO client+server troubleshooting</a><br><br></dd>
<dt><b><a name="Client/Server10">4.11. How do I update the file signature database ?</a></b></dt>
<dd>If you keep the file signature database on the server,
the database is supposed to be updated on the server, using the
<a href="http://www.la-samhna.de/beltane/">beltane</a>
web-based console (currently in beta) and the
log messages from the client.
<p>
Alternatively, you can <code>scp</code> the database
to the client, run <code>samhain -t update -l none</code> (you
need to avoid logging because otherwise you will get in conflict with
the running samhain daemon), and then <code>scp</code> the
database back to the server. Actually, with a properly set up
"ssh", using RSA/DSA authentication
and ssh-agent you could write a script to automate this.<br><br></dd>
<dt><b><a name="Client/Server11">4.12. Time limit exceeded</a></b></dt>
<dd>The client for which this message is generated has not
sent anything for some interval of time (default 84600 sec = 1 day).
The interval can be set as follows:
<div class="block"><pre>
[Misc]
# unit is seconds
SetClientTimeLimit=NNN
</pre></div>

The purpose of this feature is to detect whether a client is dead. You
might want to ensure that timestamps are sent to the server:
<div class="block"><pre>
[Log]
ExportSeverity=mark
</pre></div>
If you don't want to use this feature, set the time limit to some
very large value.<br><br></dd>
|
---|
<dt><b><a name="Client/Server12">4.13. Invalid connection attempt: Signature mismatch</a></b></dt>
<dd>Clients sign their messages using a session key negotiated
with the server. The message indicates that the server could
not verify the signature. This may be caused by running two
instances of samhain on the same client machine, both of them
accessing the server (and negotiating different session keys
...). The system will recover automatically from the problem
by forcing the failed client to negotiate a fresh session key.<br><br></dd>
<dt><b><a name="Client/Server13">4.14. [Server] PANIC .. Address already in use subroutine=bind</a></b></dt>
<dd>The server cannot bind to its port because the port is already in use.
Maybe you accidentally have another instance of the
server running already.<br><br></dd>
</dl>
<hr><h2>5. Email</h2>
<dl>
<dt><b><a name="Email0">5.1. Reverse lookup failed</a></b></dt>
<dd>Fix your DNS (reverse lookup: numerical IP address to FQDN, then
the FQDN back to the numerical IP address to verify it).
<div class="block"><pre>
Whether "nslookup" works is not very informative, because
"nslookup" does not use the resolver library of the operating
system. Therefore, it is not exactly the
best tool for debugging name resolving problems (see the book
"DNS and BIND").
</pre></div><br><br></dd>
<dt><b><a name="Email1">5.2. From daemon@example.com</a></b></dt>
<dd>samhain fails to resolve the
self-address of the host.
See 'Client cannot self-resolve' in the 'Most frequently' section.<br><br></dd>
<dt><b><a name="Email2">5.3. How do I define more than one email address ?</a></b></dt>
<dd>Use <tt>SetMailAddress=...</tt> multiple times (up to eight addresses
are possible, with at most 63 characters per address):
<div class="block"><pre>
[Misc]
SetMailAddress=aaa@foo.com
SetMailAddress=bbb@foo.com
</pre></div><br><br></dd>
</dl>
<hr><h2>6. Misc</h2>
<dl>
<dt><b><a name="Misc0">6.1. Error message: "Invalid line XYZ in configuration file"</a></b></dt>
<dd>This message indicates that line XYZ in the configuration file contains
an unrecognized directive. The primary reasons are:<br />

(a) The directive should be placed into a particular section of the
configuration file, but the section header is not present (or you forgot
to uncomment it).<br />

(b) Samhain is compiled without support for this directive.<br />

(c) You have a typo in the directive.<br /><br></dd>
<dt><b><a name="Misc1">6.2. Why do I get a local logfile if I log to the server ?</a></b></dt>
<dd>Because you can use all log facilities in parallel. You should
switch off in the config file what you don't want/need:
<div class="block"><pre>
[Log]
# local log file
LogSeverity=none
</pre></div><br><br></dd>
<dt><b><a name="Misc2">6.3. Why is there no NIS support with a static samhain executable on Linux ?</a></b></dt>
<dd>Some functions (including NIS) require
libraries that are only available as shared libraries
with modern GLIBC versions. While you can always compile a static
executable, normally it would still open the shared library at runtime.
As of version 1.8.11, samhain avoids this by providing replacement
functions from uClibc. However, these do not include NIS support.<br><br></dd>
<dt><b><a name="Misc3">6.4. Why do I get hundreds of messages about modified CTIME ?</a></b></dt>
<dd>This happens because some
backup applications reset the atime/mtime timestamps, which causes
the ctime timestamp to be modified (rootkits avoid this by
temporarily resetting the system clock to the original ctime ...).
<p>
To fix this problem, read the manual of your backup application, or
redefine the ReadOnly policy to <i>not</i> check
the ctime timestamp:
<div class="block"><pre>
[Misc]
RedefReadOnly=-CTM
</pre></div>
<div class="warnblock"><pre>
Order matters - you must <i>first</i> redefine
ReadOnly <i>before</i> you use it
</pre></div><br><br></dd>
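<p>The ctime side effect described in 6.4, shown in code. This is an added example and not Samhain's code: it models a ReadOnly check as a comparison of a few stat() attributes named after Samhain's policy flags (CHK, INO, MOD, MTM, CTM), creates a constructed sample file, restores its atime/mtime the way a backup tool would, and reports which attributes change with and without CTM in the policy.</p>

```python
"""Why a backup tool that restores atime/mtime still triggers CTIME reports,
and what RedefReadOnly=-CTM changes. Added example for FAQ 6.4, not Samhain
code: the attribute names follow Samhain's flags, the check is a simple model."""
import hashlib
import os
import tempfile
import time

# Attributes the model "ReadOnly" policy compares; dropping "CTM" mirrors
# RedefReadOnly=-CTM from the FAQ entry.
READONLY_ATTRS = frozenset({"CHK", "INO", "MOD", "MTM", "CTM"})

def snapshot(path):
    """Collect the attributes the model policy checks for one file."""
    st = os.stat(path)
    with open(path, "rb") as fh:
        digest = hashlib.sha256(fh.read()).hexdigest()
    return {"CHK": digest, "INO": st.st_ino, "MOD": st.st_mode,
            "MTM": st.st_mtime_ns, "CTM": st.st_ctime_ns}

def changed_attrs(baseline, current, policy):
    """Checked attributes whose value differs from the baseline (sorted)."""
    return sorted(a for a in policy if baseline[a] != current[a])

def backup_restore_times(path, epoch):
    """Model a backup tool putting the original atime/mtime back with utime().
    utime() cannot set ctime; the kernel stamps ctime with the current time."""
    os.utime(path, (epoch, epoch))

def demo(policy=READONLY_ATTRS):
    """Return (changes after a backup touch, changes after a real edit)."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sshd_config")      # constructed sample file
        with open(path, "wb") as fh:
            fh.write(b"PermitRootLogin no\n")
        original = 1072915200                         # 2004-01-01T00:00:00Z, constructed
        os.utime(path, (original, original))
        baseline = snapshot(path)                     # the "database" entry
        time.sleep(0.05)                              # let the clock move on
        backup_restore_times(path, original)          # content untouched
        after_backup = changed_attrs(baseline, snapshot(path), policy)
        with open(path, "ab") as fh:
            fh.write(b"PermitRootLogin yes\n")        # a real modification
        after_edit = changed_attrs(baseline, snapshot(path), policy)
    return after_backup, after_edit

if __name__ == "__main__":
    print("ReadOnly     :", demo())
    print("ReadOnly -CTM:", demo(READONLY_ATTRS - {"CTM"}))
```

With the full policy the backup touch alone reports CTM; with CTM removed it reports nothing, while the real edit is still caught via CHK and MTM.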
<dt><b><a name="Misc4">6.5. PANIC — File not accessible</a></b></dt>
<dd>Most likely permission was denied because of insufficient privileges.<br><br></dd>
<dt><b><a name="Misc5">6.6. How can I avoid error messages for invalid UIDs (no such user) ?</a></b></dt>
<dd>Set SeverityNames to a low value:
<div class="block"><pre>
[EventSeverity]
SeverityNames=debug
</pre></div><br><br></dd>
<dt><b><a name="Misc6">6.7. [Redhat] The /etc/init.d/(samhain|yule) init script hangs</a></b></dt>
<dd>Redhat uses "initlog" (see
<code>man initlog</code>) in initscripts. If it hangs, most probably
samhain/yule runs in the foreground rather than as a daemon. Set
daemon mode in the configuration file:
<div class="block"><pre>
[Misc]
Daemon=yes
</pre></div><br><br></dd>
<dt><b><a name="Misc7">6.8. The /etc/init.d/(samhain|yule) init script exits with: execvp: No such file or directory</a></b></dt>
<dd>Either the program is not installed, or it is not in the PATH (the one
used by the init script, which may be different from your PATH).<br><br></dd>
<dt><b><a name="Misc8">6.9. Why am I not receiving the "BEGIN LOGKEY" message by email ?</a></b></dt>
<dd>This message (which contains the key to verify the log file) is generated
when logging to the log file starts. It has the severity "ALRT",
thus you should make sure that you have set the logging threshold for
email correctly to receive it.<br><br></dd>
<dt><b><a name="Misc9">6.10. Why does console logging fail if I compile with
<code>--enable-(micro-)stealth</code> ?</a></b></dt>
<dd>The default logging options are more "stealthy". Set the
threshold explicitly rather than relying on the default.<br><br></dd>
<dt><b><a name="Misc10">6.11. I need a list for my schedule !</a></b></dt>
<dd>You can get the same effect with a list of schedules. See the section
"Timing file checks" in the manual.<br><br></dd>
<dt><b><a name="Misc11">6.12. The hiding kernel module has no effect !</a></b></dt>
<dd>Most probably you compiled using the wrong "System.map" file.<br><br></dd>
<dt><b><a name="Misc12">6.13. What does the message "Large lstat/open overhead" mean ?</a></b></dt>
<dd>Your system needs several seconds to proceed from an lstat() system call
to an open() system call. This is a tremendous overhead, and
indicates that either your system has a really severe performance problem,
or someone tries to slow down samhain.<br><br></dd>
<dt><b><a name="Misc13">6.14. What does the message "Device not available path=/dev/random" mean ? I have /dev/random !</a></b></dt>
<dd>/dev/random blocks unless there is some entropy it can deliver. Samhain
will time out and fall back on /dev/urandom after some seconds to avoid
hanging for a potentially long time. It will try /dev/random again the next
time it needs entropy.<br><br></dd>
<dt><b><a name="Misc14">6.15. Logging to an external program fails; the program receives no data
on stdin !</a></b></dt>
<dd>Probably your program is not designed to <i>wait for input</i>, but exits
if reading fails (because there is no data <i>yet</i>). You may want to
let your program wait for the terminating "[EOF]" line.<br><br></dd>
<dt><b><a name="Misc15">6.16. SIGILL on AIX</a></b></dt>
<dd>For each scanned file, samhain needs to
store some information in memory (e.g. to recognize changes that have
already been reported, and avoid duplicate reports). On AIX, if you are
checking a <i>really huge</i> number of files,
memory usage may exceed the default limit of 256 MB, and the process may
terminate with SIGILL.
<p>
The problem can be solved by linking with the flag
<code>-bmaxdata:0x80000000</code>. This allows the application to
access up to 8 segments (where each segment is 256MB).
<p>
If you are using gcc, you need to use instead
the flag <code>-Wl,bmaxdata:0x80000000</code>, which tells
gcc to pass on the
<i>bmaxdata</i>
flag to the AIX linker. You can use the LDFLAGS environment variable to
pass linker flags to the configure script:
<div class="block"><pre>
export LDFLAGS="-Wl,bmaxdata:0x80000000"
</pre></div><br><br></dd>
</dl>
<hr><h2>7. Database</h2>
<dl>
<dt><b><a name="Database0">7.1. Why are client messages corrupted / incompletely stored in the DB ?</a></b></dt>
<dd>Because the messages are not in XML format, and are therefore incorrectly
parsed. The most frequent reasons are:
<div class="block"><pre>
1.) Your server is compiled with --enable-xml-log, but your client(s)
is/are not.

2.) In your client or server configuration file, you are using
the option for a custom message header, but without paying attention
to preserving the XML format.
</pre></div><br><br></dd>
<dt><b><a name="Database1">7.2. I want / don't want the server timestamps (for client messages) in the SQL database</a></b></dt>
<dd><div class="block"><pre>
[Database]
SetDBServerTstamp = true/false
</pre></div>

This will enable/disable logging of the server timestamp for client
messages. The server timestamp will be written to a separate record,
with <i>log_ref</i> set to the value of
<i>log_index</i> of the corresponding client message.<br><br></dd>
<dt><b><a name="Database2">7.3. I don't want the client TIMESTAMP messages in the SQL database</a></b></dt>
<dd><div class="block"><pre>
Sending timestamps from the client allows the server to detect if
a client is not running anymore (use SetClientTimeLimit=NNN in the
[Misc] section of the server config file to set the number of seconds
after which the server will issue an error message if no timestamp has
been received).
</pre></div>

However, you might not want to log these timestamps to the database
(or other log facilities). To filter them, you can use two methods
(examples are for the SQL database).
The first one has the disadvantage that only messages of
severity <i>err</i> or higher will be logged:
<div class="block"><pre>
[Misc]
UseClientSeverity=yes

[Log]
DatabaseSeverity=err
</pre></div>

The second method is more specific — log everything not
belonging to the STAMP class of messages:
<div class="block"><pre>
[Misc]
UseClientClass=yes

[Log]
DatabaseClass=PANIC RUN FIL TCP ERR ENET EINPUT
</pre></div><br><br></dd>
<dt><b><a name="Database3">7.4. What does the log_ref field mean ?</a></b></dt>
<dd>NULL marks client messages. A nonzero integer marks a server timestamp
for a client message (where log_ref indicates the log_index entry
number of the corresponding client message). Zero indicates a message
by the server itself (e.g. the server's start message).<br><br></dd>
<dt><b><a name="Database4">7.5. How can I check what is in the database ?</a></b></dt>
<dd>Use a command line client to login to the database and query it:
<div class="block"><pre>
sh$ mysql -u &lt;user_name&gt; -p &lt;database_name&gt;
Enter password: ****
mysql> SELECT log_index,log_ref,log_host,log_sev,log_msg,path FROM &lt;table_name&gt; WHERE entry_status = 'NEW' ORDER BY log_index;
....
mysql> \q
</pre></div><br><br></dd>
</dl>
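<p>The log_ref relation from 7.2 and 7.4, together with the kind of query shown in 7.5, as an added example that is not part of Samhain or its database schema: it fills an in-memory SQLite table named <code>log</code> (the table name and every row are constructed; the column names are the ones the FAQ itself uses) and joins each NEW client message to its server-timestamp record through <code>log_ref</code>.</p>

```python
"""The log_ref relation from FAQ 7.2 and 7.4, modelled in SQLite.
Added example, not Samhain code: the table name 'log' and every row are
constructed; the column names are the ones the FAQ itself uses."""
import sqlite3

# Constructed rows: (log_index, log_ref, log_host, log_sev, log_msg, path, entry_status)
SAMPLE_ROWS = [
    (1, 0,    "yule.example.com",  "MARK", "server start (own message)", None,          "NEW"),
    (2, None, "host1.example.com", "CRIT", "POLICY [ReadOnly] C---",     "/etc/passwd", "NEW"),
    (3, 2,    "yule.example.com",  "MARK", "server timestamp for #2",    None,          "NEW"),
    (4, None, "host2.example.com", "MARK", "TIMESTAMP",                  None,          "NEW"),
    (5, 4,    "yule.example.com",  "MARK", "server timestamp for #4",    None,          "NEW"),
    (6, None, "host1.example.com", "ERR",  "Time limit exceeded",        None,          "DONE"),
]

def classify(log_ref):
    """The 7.4 rule: NULL = client message, 0 = the server's own message,
    nonzero = server timestamp referring to the client row with that log_index."""
    if log_ref is None:
        return "client"
    return "server" if log_ref == 0 else "server-timestamp"

def build_db():
    """Create the in-memory table and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE log (log_index INTEGER PRIMARY KEY, log_ref INTEGER,"
                 " log_host TEXT, log_sev TEXT, log_msg TEXT, path TEXT, entry_status TEXT)")
    conn.executemany("INSERT INTO log VALUES (?,?,?,?,?,?,?)", SAMPLE_ROWS)
    return conn

def new_client_messages(conn):
    """NEW client messages (log_ref IS NULL), each joined to the log_index of
    its server-timestamp record via s.log_ref = c.log_index (None if absent)."""
    sql = """SELECT c.log_index, c.log_host, c.log_sev, c.log_msg, c.path, s.log_index
             FROM log AS c LEFT JOIN log AS s ON s.log_ref = c.log_index
             WHERE c.log_ref IS NULL AND c.entry_status = 'NEW'
             ORDER BY c.log_index"""
    return conn.execute(sql).fetchall()

def count_by_kind(conn):
    """How many rows of each kind the table holds, using the log_ref rule."""
    counts = {"client": 0, "server": 0, "server-timestamp": 0}
    for (log_ref,) in conn.execute("SELECT log_ref FROM log"):
        counts[classify(log_ref)] += 1
    return counts

if __name__ == "__main__":
    db = build_db()
    for row in new_client_messages(db):
        print(row)
    print(count_by_kind(db))
```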
<hr>

<p>Copyright (c) 2004 Rainer Wichmann</p>

<p><i>This list of questions and answers was generated by
<a href="http://www.makefaq.org/">makefaq</a>.</i></p>

</div>
</body>
</html>