[sclug] Gumpf in logcheck

Luke Hinds lukehinds at gmail.com
Tue Jun 17 19:19:02 UTC 2008


Hi Tim,

I found this, if it's any use to you Tim - logcheck supports regexp, it's just
a case of sussing out the correct syntax. To set a clause around if > 1000
may be a fair task though;

http://www.linux.com/articles/57220

I quite often have to write perl regexp hacks for our app to process through
yarns of tomcat logs - usually to collate response times of external nodes
and lay blame on someone else for an SLA breach :) - but I don't think you
need to faff about to that level and reinvent the wheel when logcheck looks
tailor made for the job.

Cheers Luke

On Tue, Jun 17, 2008 at 7:59 PM, Tim Sutton <tim at linfiniti.com> wrote:

> Hi Luke & Andy
>
> Thanks for the insights. I guess what I'd kinda like to know is when
> say > 1000 syn packets are dropped within the hour period, otherwise
> it's probably noise to me... but having scanned the logcheck man pages
> I don't have a clue how to do that yet... I'll go and google and see
> what I can find.
>
> Thanks
>
> Regards
>
> Tim
>
> 2008/6/17 Luke Hinds <lukehinds at gmail.com>:
> > eletrohosting.com.br is sending you
> > SYN requests to initiate a connection to
> > 89.127.144.227 (your public interface?) port 32000 (which as far as I can
> > tell is normally used by a java service wrapper)
> >
> > It looks like you have a DENY in place for 32000 so no connection could be
> > established and thus no SYN-ACK is replied.
> >
> > Judging by the fair sized timestamp intervals it looks harmless (but don't
> > quote me on that!)
> >
> > If the tempo of requests were higher it could be deemed a syn flood;
> >
> > http://en.wikipedia.org/wiki/SYN_flood
> >
> > Luke
> >
> >
> > On Tue, Jun 17, 2008 at 4:21 PM, Tim Sutton <tim at linfiniti.com> wrote:
> >
> >> Hi all
> >>
> >> Every hour logcheck sends me an email report. For the most part I get
> >> stuff like this:
> >>
> >> Jun 17 02:04:08 linfiniti kernel: IN=eth0 OUT= MAC=00:13:20:17:d8:bb:00:1c:58:31:53:7f:08:00 SRC=64.246.48.73 DST=89.127.144.227 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=4954 DF PROTO=TCP SPT=1780 DPT=32000 WINDOW=65535 RES=0x00 SYN URGP=0
> >> Jun 17 02:04:11 linfiniti kernel: IN=eth0 OUT= MAC=00:13:20:17:d8:bb:00:1c:58:31:53:7f:08:00 SRC=64.246.48.73 DST=89.127.144.226 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=7454 DF PROTO=TCP SPT=1779 DPT=32000 WINDOW=65535 RES=0x00 SYN URGP=0
> >> Jun 17 02:42:27 linfiniti kernel: IN=eth0 OUT= MAC=00:13:20:17:d8:bb:00:1c:58:31:53:7f:08:00 SRC=222.1.40.116 DST=89.127.144.227 LEN=404 TOS=0x00 PREC=0x00 TTL=108 ID=64061 PROTO=UDP SPT=1100 DPT=1434 LEN=384
> >>
> >> My questions are:
> >>
> >> 1) what do they mean (in plain English)?
> >>
> >> 2) if they are no cause for concern, how can I get rid of them? I
> >> googled the subject and one option seems to be to use iptable_drop.
> >> This seems to be a kernel module, unavailable in apt, and I don't want
> >> to start mucking around with the kernel on my production Debian server.
> >>
> >> I'm hoping to pare down the logcheck reports to include just things I
> >> should actually be concerned about.... or maybe that's exactly what it's
> >> doing....
> >>
> >>
> >> Thanks!
> >>
> >> Regards
> >>
> >>
> >>
> >> --
> >> Tim Sutton
> >> QGIS Project Steering Committee Member - Release Manager
> >> Visit http://qgis.org for a great open source GIS
> >> openModeller Desktop Developer
> >> Visit http://openModeller.sf.net for a great open source ecological
> >> niche modelling tool
> >> Home Page: http://tim.linfiniti.com
> >> Skype: timlinux
> >> Irc: timlinux on #qgis at freenode.net
> >>
> >
>
>
>
> --
> Tim Sutton
> QGIS Project Steering Committee Member - Release Manager
> Visit http://qgis.org for a great open source GIS
> openModeller Desktop Developer
> Visit http://openModeller.sf.net for a great open source ecological
> niche modelling tool
> Home Page: http://tim.linfiniti.com
> Skype: timlinux
> Irc: timlinux on #qgis at freenode.net
>
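One way to get the "more than 1000 dropped SYNs in an hour" threshold Tim asks about, as an added example that is not from the original thread: a Python script that parses netfilter LOG lines in the format quoted above, counts bare-SYN TCP entries per source and hour, and reports sources over a threshold (1000 by default). The year 2008 (syslog timestamps carry none), the 192.0.2.10 test address and the synthetic burst are constructed assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# netfilter LOG format as quoted in the thread: "<syslog ts> <host> kernel: IN=... SRC=... DPT=... [flags]"
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: .*?SRC=(?P<src>\S+) .*?DST=(?P<dst>\S+) "
    r".*?PROTO=(?P<proto>\w+) .*?DPT=(?P<dpt>\d+)(?P<rest>.*)$"
)

def parse_line(line, year=2008):
    """Parse one LOG line into a dict; return None for lines that are not netfilter output."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # syslog timestamps carry no year; 2008 is assumed from the date of the thread.
    ts = datetime.strptime(f"{year} {' '.join(m['ts'].split())}", "%Y %b %d %H:%M:%S")
    flags = set(m["rest"].split())  # e.g. {"WINDOW=65535", "RES=0x00", "SYN", "URGP=0"}
    return {
        "hour": ts.replace(minute=0, second=0),  # bucket for the hourly report
        "src": m["src"], "dst": m["dst"], "proto": m["proto"], "dpt": int(m["dpt"]),
        # A bare SYN (no ACK) is an inbound connection attempt the DENY rule dropped.
        "syn": "SYN" in flags and "ACK" not in flags,
    }

def syn_drops_over_threshold(lines, threshold=1000, dpt=None):
    """Return {(hour, src): count} for sources with more than `threshold` dropped SYNs in an hour."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["proto"] == "TCP" and rec["syn"] and dpt in (None, rec["dpt"]):
            counts[(rec["hour"], rec["src"])] += 1
    return {key: n for key, n in counts.items() if n > threshold}

# Constructed sample: two lines from the thread (TCP SYN, UDP) plus a synthetic burst of
# 1001 SYNs in the 03:00 hour from 192.0.2.10 (RFC 5737 documentation address).
SAMPLE = [
    "Jun 17 02:04:08 linfiniti kernel: IN=eth0 OUT= MAC=00:13:20:17:d8:bb:00:1c:58:31:53:7f:08:00 "
    "SRC=64.246.48.73 DST=89.127.144.227 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=4954 DF "
    "PROTO=TCP SPT=1780 DPT=32000 WINDOW=65535 RES=0x00 SYN URGP=0",
    "Jun 17 02:42:27 linfiniti kernel: IN=eth0 OUT= MAC=00:13:20:17:d8:bb:00:1c:58:31:53:7f:08:00 "
    "SRC=222.1.40.116 DST=89.127.144.227 LEN=404 TOS=0x00 PREC=0x00 TTL=108 ID=64061 "
    "PROTO=UDP SPT=1100 DPT=1434 LEN=384",
] + [
    f"Jun 17 03:{i // 60:02d}:{i % 60:02d} linfiniti kernel: IN=eth0 OUT= MAC=00:00:00:00:00:00:"
    f"00:00:00:00:00:00:08:00 SRC=192.0.2.10 DST=89.127.144.227 LEN=52 TOS=0x00 PREC=0x00 TTL=63 "
    f"ID={i} DF PROTO=TCP SPT={1024 + i} DPT=32000 WINDOW=65535 RES=0x00 SYN URGP=0"
    for i in range(1001)
]
if __name__ == "__main__":
    for (hour, src), n in sorted(syn_drops_over_threshold(SAMPLE).items()):
        print(f"{hour:%b %d %H:00}  {src}  {n} SYNs dropped")
```

Run it against `/var/log/kern.log` (or the hourly logcheck mail body) instead of `SAMPLE`; the UDP line to port 1434 is ignored because only bare TCP SYNs are counted.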


