Logwatch evaluation

noname2k

New Member
Hello,

We have a small vServer that is used for exchanging and storing project files. Because of his studies, the admin currently has hardly any time to maintain the server, so for now I have all the login credentials.

To see what is going on on the server, I installed logwatch. I do have some experience with Linux, but I have never dealt with log file analysis because I never needed it.
It would be nice if someone could take a look at it.


Code:
 ################### Logwatch 7.3.6+cvs20080702-debian (07/02/08) ####################
        Processing Initiated: Sat May 21 19:06:43 2011
        Date Range Processed: yesterday
                              ( 2011-May-20 )
                              Period is day.
        Detail Level of Output: 0
        Type of Output/Format: stdout / text
        Logfiles for Host: XXXXXXXXX
  ##################################################################

 --------------------- Amavisd-new Begin ------------------------

 10 messages checked and passed.

 ---------------------- Amavisd-new End -------------------------


 --------------------- clam-update Begin ------------------------


 Last ClamAV update process started at Fri May 20 23:05:34 2011

 Last Status:
    WARNING: Your ClamAV installation is OUTDATED!
    WARNING: Local version: 0.94.2 Recommended version: 0.97
    DON'T PANIC! Read http://www.clamav.net/support/faq
    main.cvd is up to date (version: 53, sigs: 846214, f-level: 53, builder: sven)
    Trying host database.clamav.net (85.214.XXX.XXX)...
    WARNING: getfile: daily-12951.cdiff not found on remote server (IP: 85.214.XXX.XXX)
    WARNING: getpatch: Can't download daily-12951.cdiff from database.clamav.net
    Trying host database.clamav.net (85.214.XXX.XXX)...
    WARNING: getfile: daily-12951.cdiff not found on remote server (IP: 85.214.XXX.XXX)
    WARNING: getpatch: Can't download daily-12951.cdiff from database.clamav.net
    Trying host database.clamav.net (85.214.XXX.XXX)...
    WARNING: getfile: daily-12951.cdiff not found on remote server (IP: 85.214.XXX.XXX)
    WARNING: getpatch: Can't download daily-12951.cdiff from database.clamav.net
    Trying host database.clamav.net (85.214.XXX.XXX)...
    WARNING: getfile: daily-12951.cdiff not found on remote server (IP: 85.214.XXX.XXX)
    WARNING: getpatch: Can't download daily-12951.cdiff from database.clamav.net
    Trying host database.clamav.net (85.214.XXX.XXX)...
    WARNING: getfile: daily-12951.cdiff not found on remote server (IP: 85.214.XXX.XXX)
    ERROR: getpatch: Can't download daily-12951.cdiff from database.clamav.net
    WARNING: Incremental update failed, trying to download daily.cvd
    Trying host database.clamav.net (85.214.XXX.XXX)...
    WARNING: getfile: daily.cvd not found on remote server (IP: 85.214.XXX.XXX)
    ERROR: Can't download daily.cvd from database.clamav.net
    Update failed. Your network may be down or none of the mirrors listed in /etc/clamav/freshclam.conf is working. Check http://www.clamav.net/support/mirror-problem for possible reasons.
    Received signal: wake up

 ---------------------- clam-update End -------------------------


 --------------------- httpd Begin ------------------------


 Requests with error response codes
    404 Not Found
       /favicon.ico: 4 Time(s)
       /robots.txt: 1 Time(s)
       /up/XXXXX: 1 Time(s)
       /up/XXXXX: 1 Time(s)

 ---------------------- httpd End -------------------------


 --------------------- pam_unix Begin ------------------------

 pop3:
    Unknown Entries:
       authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=backup: 3 Time(s)
       authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=root: 2 Time(s)

 su:
    Sessions Opened:
       root -> amavis: 1 Time(s)

 vsftpd:
    Unknown Entries:
       authentication failure; logname= uid=0 euid=0 tty=ftp ruser=web1 rhost=194.6.XXX.XXX  user=web1: 1 Time(s)
       authentication failure; logname= uid=0 euid=0 tty=ftp ruser=web2 rhost=194.6.XXX.XXX  user=web2: 1 Time(s)


 ---------------------- pam_unix End -------------------------


 --------------------- POP-3 Begin ------------------------


 **Unmatched Entries**
    Disconnected, ip=[::ffff:74.63.XXX.XXX]: 170 Time(s)
    LOGIN FAILED, user=access, ip=[::ffff:74.63.XXX.XXX]: 7 Time(s)
    LOGIN FAILED, user=account, ip=[::ffff:74.63.XXX.XXX]: 7 Time(s)
    LOGIN FAILED, user=admin, ip=[::ffff:74.63.XXX.XXX]: 12 Time(s)
    LOGIN FAILED, user=administrator, ip=[::ffff:74.63.XXX.XXX]: 6 Time(s)
    LOGIN FAILED, user=backup, ip=[::ffff:74.63.XXX.XXX]: 9 Time(s)
    LOGIN FAILED, user=data, ip=[::ffff:74.63.XXX.XXX]: 7 Time(s)
    LOGIN FAILED, user=informix, ip=[::ffff:74.63.XXX.XXX]: 9 Time(s)
    LOGIN FAILED, user=lizdy, ip=[::ffff:74.63.XXX.XXX]: 6 Time(s)
    LOGIN FAILED, user=oracle, ip=[::ffff:74.63.XXX.XXX]: 8 Time(s)
    LOGIN FAILED, user=oracle8, ip=[::ffff:74.63.XXX.XXX]: 8 Time(s)
    LOGIN FAILED, user=pwrchute, ip=[::ffff:74.63.XXX.XXX]: 16 Time(s)
    LOGIN FAILED, user=root, ip=[::ffff:74.63.XXX.XXX]: 6 Time(s)
    LOGIN FAILED, user=server, ip=[::ffff:74.63.XXX.XXX]: 12 Time(s)
    LOGIN FAILED, user=sybase, ip=[::ffff:74.63.XXX.XXX]: 9 Time(s)
    LOGIN FAILED, user=test, ip=[::ffff:74.63.XXX.XXX]: 14 Time(s)
    LOGIN FAILED, user=user, ip=[::ffff:74.63.XXX.XXX]: 8 Time(s)
    LOGIN FAILED, user=web, ip=[::ffff:74.63.XXX.XXX]: 8 Time(s)
    LOGIN FAILED, user=webmaster, ip=[::ffff:74.63.XXX.XXX]: 4 Time(s)
    LOGIN FAILED, user=www, ip=[::ffff:74.63.XXX.XXX]: 5 Time(s)
    Maximum connection limit reached for ::ffff:74.63.XXX.XXX: 117 Time(s)

 ---------------------- POP-3 End -------------------------


 --------------------- Postfix Begin ------------------------

   16.832K  Bytes accepted                            17,236
    8.080K  Bytes sent via SMTP                        8,274
    8.752K  Bytes delivered                            8,962
 ========   ================================================

       20   Accepted                                 100.00%
 --------   ------------------------------------------------
       20   Total                                    100.00%
 ========   ================================================

       10   Connections made
       10   Disconnections
       20   Removed from queue
        9   Delivered
       11   Sent via SMTP



 ---------------------- Postfix End -------------------------


 --------------------- SSHD Begin ------------------------


 Illegal users from:
    95.173.XXX.XXX (server203.nt138.datacenter.ni.net.tr): 2 times

 ---------------------- SSHD End -------------------------


 --------------------- Disk Space Begin ------------------------

 Filesystem            Size  Used Avail Use% Mounted on
 /dev/hda1             7.2G  1.7G  5.2G  25% /


 ---------------------- Disk Space End -------------------------


 ###################### Logwatch End #########################

I can read that ClamAV is outdated and that there were failed logins on pop3, but for the rest I would like to know whether everything is OK or whether there are problems.

Thanks in advance for any help.
 
Looks fine.

Have you tried increasing the detail level?
 
The detail level is now set to "High".

Code:
 ################### Logwatch 7.3.6+cvs20080702-debian (07/02/08) #################### 
        Processing Initiated: Sat May 21 20:26:40 2011
        Date Range Processed: yesterday
                              ( 2011-May-20 )
                              Period is day.
        Detail Level of Output: 10
        Type of Output/Format: file / text
        Logfiles for Host: XXXXXXX
  ################################################################## 
 
 --------------------- Amavisd-new Begin ------------------------ 

 10 messages checked and passed.
 
 ---------------------- Amavisd-new End ------------------------- 

 
 --------------------- clam-update Begin ------------------------ 

 
 The ClamAV update process was started 230 time(s)
 
 Last ClamAV update process started at Fri May 20 23:05:34 2011
 
 Last Status:
    WARNING: Your ClamAV installation is OUTDATED!
    WARNING: Local version: 0.94.2 Recommended version: 0.97
    DON'T PANIC! Read http://www.clamav.net/support/faq
    main.cvd is up to date (version: 53, sigs: 846214, f-level: 53, builder: sven)
    Trying host database.clamav.net (85.214.XXX.XXX)...
    WARNING: getfile: daily-12951.cdiff not found on remote server (IP: 85.214.XXX.XXX)
    WARNING: getpatch: Can't download daily-12951.cdiff from database.clamav.net
    Trying host database.clamav.net (85.214.XXX.XXX)...
    WARNING: getfile: daily-12951.cdiff not found on remote server (IP: 85.214.XXX.XXX)
    WARNING: getpatch: Can't download daily-12951.cdiff from database.clamav.net
    Trying host database.clamav.net (85.214.XXX.XXX)...
    WARNING: getfile: daily-12951.cdiff not found on remote server (IP: 85.214.XXX.XXX)
    WARNING: getpatch: Can't download daily-12951.cdiff from database.clamav.net
    Trying host database.clamav.net (85.214.XXX.XXX)...
    WARNING: getfile: daily-12951.cdiff not found on remote server (IP: 85.214.XXX.XXX)
    WARNING: getpatch: Can't download daily-12951.cdiff from database.clamav.net
    Trying host database.clamav.net (85.214.XXX.XXX)...
    WARNING: getfile: daily-12951.cdiff not found on remote server (IP: 85.214.XXX.XXX)
    ERROR: getpatch: Can't download daily-12951.cdiff from database.clamav.net
    WARNING: Incremental update failed, trying to download daily.cvd
    Trying host database.clamav.net (85.214.XXX.XXX)...
    WARNING: getfile: daily.cvd not found on remote server (IP: 85.214.XXX.XXX)
    ERROR: Can't download daily.cvd from database.clamav.net
    Update failed. Your network may be down or none of the mirrors listed in /etc/clamav/freshclam.conf is working. Check http://www.clamav.net/support/mirror-problem for possible reasons.
    Received signal: wake up
 
 The following ERRORS and/or WARNINGS were detected when
 running the ClamAV update process.  If these ERRORS and/or
 WARNINGS do not show up in the "Last Status" section above,
 then their underlying cause has probably been corrected.
 
 ERRORS:
    getpatch: Can't download daily-12951.cdiff from database.clamav.net: 23 Time(s)
    getpatch: Can't download daily-12951.cdiff from db.de.clamav.net: 23 Time(s)
    getfile: Unknown response from remote server (IP: 130.59.XXX.XXX): 4 Time(s)
    Can't download daily.cvd from db.de.clamav.net: 23 Time(s)
    Can't download daily.cvd from database.clamav.net: 23 Time(s)
 
 WARNINGS:
    getpatch: Can't download daily-12951.cdiff from db.de.clamav.net: 552 Time(s)
    Can't download daily.cvd from database.clamav.net: 92 Time(s)
    getfile: daily-12951.cdiff not found on remote server (IP: 85.214.XXX.XXX): 1025 Time(s)
    Your ClamAV installation is OUTDATED!: 230 Time(s)
    getfile: daily.cvd not found on remote server (IP: 85.214.XXX.XXX): 205 Time(s)
    getpatch: Can't download daily-12951.cdiff from database.clamav.net: 552 Time(s)
    getfile: Unknown response from remote server (IP: 130.59.XXX.XXX): 62 Time(s)
    Can't download daily.cvd from db.de.clamav.net: 92 Time(s)
    Incremental update failed, trying to download daily.cvd: 230 Time(s)
    Local version: 0.94.2 Recommended version: 0.97: 230 Time(s)
 
 ---------------------- clam-update End ------------------------- 

 
 --------------------- courier mail services Begin ------------------------ 

 
 Connections: 161 Times
   Protocol POP3 - 161 Times
      Host 74.63.XXX.XXX - 161 Times
 
 
 
 ---------------------- courier mail services End ------------------------- 

 
 --------------------- Cron Begin ------------------------ 

 
 
 Commands Run:
    User amavis:
       test -e /usr/sbin/amavisd-new-cronjob && /usr/sbin/amavisd-new-cronjob sa-sync: 8 Time(s)
    User root:
          cd / && run-parts --report /etc/cron.hourly: 24 Time(s)
         [ -x /usr/lib/php5/maxlifetime ] && [ -d /var/lib/php5 ] && find /var/lib/php5/ -type f -cmin +$(/usr/lib/php5/maxlifetime) -delete: 48 Time(s)
       /etc/reoback/run_reoback.sh | mail -s "automatisches Backup" orXXXX@gmail.com: 1 Time(s)
       /root/confixx/admin/contrib/auto_reg.pl >> /dev/null 2>&1: 48 Time(s)
       /root/confixx/confixx_counterscript.pl >> /dev/null 2>&1: 1440 Time(s)
       ntpdate -u ptbtime1.ptb.de >> /dev/null 2>&1: 1 Time(s)
       test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily ): 1 Time(s)
    User www-data:
       [ -x /usr/lib/cgi-bin/awstats.pl -a -f /etc/awstats/awstats.conf -a -r /var/log/apache/access.log ] && /usr/lib/cgi-bin/awstats.pl -config=awstats -update >/dev/null: 144 Time(s)
 
 ---------------------- Cron End ------------------------- 

 
 --------------------- httpd Begin ------------------------ 

 0.10 MB transferred in 38 responses  (1xx 0, 2xx 29, 3xx 2, 4xx 7, 5xx 0) 
    18 Images (0.01 MB),
     1 Documents (0.08 MB),
    17 Content pages (0.01 MB),
     1 Redirects (0.00 MB),
     1 Other (0.00 MB) 
 
 Requests with error response codes
    404 Not Found
       /favicon.ico: 4 Time(s)
       /robots.txt: 1 Time(s)
       /up/XXXXX: 1 Time(s)
       /up/XXXXX: 1 Time(s)
 
 A total of 1 ROBOTS were logged 
    Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html) 2 Time(s) 
 
 ---------------------- httpd End ------------------------- 

 
 --------------------- pam_unix Begin ------------------------ 

 cron:
    Sessions Opened:
       root: 1563 Time(s)
       www-data: 144 Time(s)
       amavis: 8 Time(s)
 
 pop3:
    Unknown Entries:
       authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=backup: 3 Time(s)
       authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=root: 2 Time(s)
 
 su:
    Sessions Opened:
       root -> amavis: 1 Time(s)
 
 vsftpd:
    Unknown Entries:
       authentication failure; logname= uid=0 euid=0 tty=ftp ruser=web1 rhost=194.6.XXX.XXX  user=web1: 1 Time(s)
       authentication failure; logname= uid=0 euid=0 tty=ftp ruser=web2 rhost=194.6.XXX.XXX  user=web2: 1 Time(s)
 
 
 ---------------------- pam_unix End ------------------------- 

 
 --------------------- POP-3 Begin ------------------------ 

 
 [POP3] Connections:
 =========================
                                                          Host | Connections
 ------------------------------------------------------------- | -----------
                                          ::ffff:74.63.XXX.XXX |         170
 ---------------------------------------------------------------------------
                                                                         170
 
 
 
 **Unmatched Entries**
    Disconnected, ip=[::ffff:74.63.XXX.XXX]: 170 Time(s)
    LOGIN FAILED, user=access, ip=[::ffff:74.63.XXX.XXX]: 7 Time(s)
    LOGIN FAILED, user=account, ip=[::ffff:74.63.XXX.XXX]: 7 Time(s)
    LOGIN FAILED, user=admin, ip=[::ffff:74.63.XXX.XXX]: 12 Time(s)
    LOGIN FAILED, user=administrator, ip=[::ffff:74.63.XXX.XXX]: 6 Time(s)
    LOGIN FAILED, user=backup, ip=[::ffff:74.63.XXX.XXX]: 9 Time(s)
    LOGIN FAILED, user=data, ip=[::ffff:74.63.XXX.XXX]: 7 Time(s)
    LOGIN FAILED, user=informix, ip=[::ffff:74.63.XXX.XXX]: 9 Time(s)
    LOGIN FAILED, user=lizdy, ip=[::ffff:74.63.XXX.XXX]: 6 Time(s)
    LOGIN FAILED, user=oracle, ip=[::ffff:74.63.XXX.XXX]: 8 Time(s)
    LOGIN FAILED, user=oracle8, ip=[::ffff:74.63.XXX.XXX]: 8 Time(s)
    LOGIN FAILED, user=pwrchute, ip=[::ffff:74.63.XXX.XXX]: 16 Time(s)
    LOGIN FAILED, user=root, ip=[::ffff:74.63.XXX.XXX]: 6 Time(s)
    LOGIN FAILED, user=server, ip=[::ffff:74.63.XXX.XXX]: 12 Time(s)
    LOGIN FAILED, user=sybase, ip=[::ffff:74.63.XXX.XXX]: 9 Time(s)
    LOGIN FAILED, user=test, ip=[::ffff:74.63.XXX.XXX]: 14 Time(s)
    LOGIN FAILED, user=user, ip=[::ffff:74.63.XXX.XXX]: 8 Time(s)
    LOGIN FAILED, user=web, ip=[::ffff:74.63.XXX.XXX]: 8 Time(s)
    LOGIN FAILED, user=webmaster, ip=[::ffff:74.63.XXX.XXX]: 4 Time(s)
    LOGIN FAILED, user=www, ip=[::ffff:74.63.XXX.XXX]: 5 Time(s)
    Maximum connection limit reached for ::ffff:74.63.XXX.XXX: 117 Time(s)
 
 ---------------------- POP-3 End ------------------------- 

 
 --------------------- Postfix Begin ------------------------ 

 ****** Summary *************************************************************************************
 
   16.832K  Bytes accepted                            17,236
    8.080K  Bytes sent via SMTP                        8,274
    8.752K  Bytes delivered                            8,962
 ========   ================================================
 
       20   Accepted                                 100.00%
 --------   ------------------------------------------------
       20   Total                                    100.00%
 ========   ================================================
 
       10   Connections made      
       10   Disconnections        
       20   Removed from queue    
        9   Delivered             
       11   Sent via SMTP         
 
 
 ****** Detail **************************************************************************************
 
        9   Delivered -------------------------------------------------------------------------------
        9      sys.XXXXX.de
 
       11   Sent via SMTP ---------------------------------------------------------------------------
        9      sys.XXXXX.de
        2      gmail.com
 
 
 ======================================================================================================================
 Delays Percentiles              0%         25%         50%         75%         90%         95%         98%        100%
 ----------------------------------------------------------------------------------------------------------------------
 1: Pre qmgr                  0.010       0.010       0.370       0.547       0.701       1.746      11.498      18.000
 2: In qmgr                   0.010       0.010       0.010       0.013       0.020       0.020       0.020       0.020
 3: Connection setup          0.000       0.000       0.000       0.000       0.001       0.016       0.078       0.120
 4: Xmit time                 0.100       0.120       0.875       1.200       1.240       1.670       2.468       3.000
 ======================================================================================================================
 
 ---------------------- Postfix End ------------------------- 

 
 --------------------- SSHD Begin ------------------------ 

 
 Didn't receive an ident from these IPs:
    178.234.XXX.XXX (X75.bbn07-142.lipetsk.ru): 1 Time(s)
    78.169.XXX.XXX: 1 Time(s)
    88.83.XXX.XXX (fa98.203.fix-addr.vsi.ru): 1 Time(s)
    91.122.XXX.XXX (ppp91-122-25-53.pppoe.avangarddsl.ru): 1 Time(s)
    95.139.XXX.XXX (node-95-139-217-44.domolink.tula.net): 1 Time(s)
 
 Illegal users from:
    95.173.XXX.XXX (server203.nt138.datacenter.ni.net.tr): 2 times
       oracle: 1 time
       test: 1 time
 
 ---------------------- SSHD End ------------------------- 

 
 --------------------- Syslogd Begin ------------------------ 

 
 Syslogd started 1 Time(s)
 
 ---------------------- Syslogd End ------------------------- 

 
 --------------------- Disk Space Begin ------------------------ 

 Filesystem            Size  Used Avail Use% Mounted on
 /dev/hda1             7.2G  1.7G  5.2G  25% /
 
 
 ---------------------- Disk Space End ------------------------- 

 
 ###################### Logwatch End #########################
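The POP-3 section in both reports shows a single host trying a list of generic account names and repeatedly hitting the connection limit, which is the signature of a password-guessing run. The following script is an added example, not part of this thread or of logwatch itself: it parses the "POP-3" section of a logwatch report in the format shown above, aggregates failed logins per source host, and flags hosts that exceed a threshold. The report text and the IP addresses in it are constructed for the example (RFC 5737 documentation ranges); the thresholds are assumptions to tune for your own server.

```python
import re

# Constructed sample in the shape of logwatch's "POP-3" section (not the thread's report).
SAMPLE_REPORT = """\
 --------------------- POP-3 Begin ------------------------

 **Unmatched Entries**
    Disconnected, ip=[::ffff:203.0.113.45]: 170 Time(s)
    LOGIN FAILED, user=admin, ip=[::ffff:203.0.113.45]: 12 Time(s)
    LOGIN FAILED, user=oracle, ip=[::ffff:203.0.113.45]: 8 Time(s)
    LOGIN FAILED, user=test, ip=[::ffff:203.0.113.45]: 14 Time(s)
    LOGIN FAILED, user=alice, ip=[::ffff:198.51.100.7]: 2 Time(s)
    Maximum connection limit reached for ::ffff:203.0.113.45: 117 Time(s)

 ---------------------- POP-3 End -------------------------
"""

# Patterns for the two courier-pop3d lines logwatch leaves in "Unmatched Entries".
LOGIN_FAILED = re.compile(
    r"LOGIN FAILED, user=(?P<user>\S+), ip=\[(?P<ip>[^\]]+)\]: (?P<n>\d+) Time\(s\)")
CONN_LIMIT = re.compile(
    r"Maximum connection limit reached for (?P<ip>\S+): (?P<n>\d+) Time\(s\)")


def section_lines(report, name):
    """Yield the lines between the '<name> Begin' and '<name> End' markers."""
    inside = False
    for line in report.splitlines():
        if f"{name} Begin" in line:
            inside = True
        elif f"{name} End" in line:
            break
        elif inside:
            yield line


def plain_ip(ip):
    """Strip the IPv4-mapped IPv6 prefix courier logs (::ffff:a.b.c.d -> a.b.c.d)."""
    return ip[len("::ffff:"):] if ip.startswith("::ffff:") else ip


def summarize_pop3(report):
    """Per source host: total failed logins, distinct usernames tried, connection-limit hits."""
    stats = {}
    for line in section_lines(report, "POP-3"):
        m = LOGIN_FAILED.search(line) or CONN_LIMIT.search(line)
        if not m:
            continue
        host = stats.setdefault(plain_ip(m["ip"]), {"failed": 0, "users": set(), "conn_limit": 0})
        if "user" in m.groupdict():
            host["failed"] += int(m["n"])
            host["users"].add(m["user"])
        else:
            host["conn_limit"] += int(m["n"])
    return stats


def flag_guessing_hosts(stats, min_failed=20, min_users=5):
    """Hosts worth blocking or rate-limiting: many failures, or many different names tried
    (user enumeration), or any connection-limit hits at all. Thresholds are assumptions."""
    return sorted(ip for ip, s in stats.items()
                  if s["failed"] >= min_failed or len(s["users"]) >= min_users or s["conn_limit"] > 0)


if __name__ == "__main__":
    for ip in flag_guessing_hosts(summarize_pop3(SAMPLE_REPORT)):
        print("suspicious POP3 source:", ip)
```

On the thread's own report the same logic would single out the one 74.63.x.x host: 19 different account names, well over 100 failed logins and 117 connection-limit hits in a single day.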
 