On 1/2/06, Charles Howse <chowse@xxxxxxxxxxx> wrote:
> > On 1/1/06, John Summerfied <debian@xxxxxxxxxxxxxxxxxxxxxx> wrote:
> >> Dotan Cohen wrote:
> >>> I haven't read root's email in about a month. Now that I get around to
> >>> it, I am surprised to see things that I have never seen before, such
> >>> as:
> >>> --------------------- pam_unix Begin ------------------------
> >>> kde-np:
> >>> Unknown Entries:
> >>> session opened for user dotancohen by (uid=0): 1 Time(s)
> >>> ---------------------- pam_unix End -------------------------
> >>>
> >>> --------------------- Smartd Begin ------------------------
> >>> **Unmatched Entries**
> >>> smartd received signal 15: Terminated
> >>> smartd is exiting (exit status 0)
> >>> ---------------------- Smartd End -------------------------
> >>>
> >>> --------------------- Selinux Audit Begin ------------------------
> >>> Number of audit daemon starts: 1
> >>> Number of audit daemon stops: 2
> >>> *** Logs which could mean a bug ***
> >>> major=252 name_count=0: freeing multiple contexts (1)
> >>> major=113 name_count=0: freeing multiple contexts (2)
> >>> ---------------------- Selinux Audit End -------------------------
> >>>
> >>> --------------------- SSHD Begin ------------------------
> >>> SSHD Killed: 1 Time(s)
> >>> SSHD Started: 1 Time(s)
> >> Normal restart stuff here and in some other places.
> >>
> >
> > Do you mean that this is logged when the computer restarts? Because I
> > have never restarted SSH.
>
> Yes, logged when computer restarts.
>
> >>> ---------------------- SSHD End -------------------------
> >>>
> >>> --------------------- httpd Begin ------------------------
> >>> Requests with error response codes
> >>> 404 Not Found
> >>> /cvs/index2.php?_REQUEST[option]=com_conte ... cho%20YYY;echo|: 1
> >>> Time(s)
> >>> /cvs/mambo/index2.php?_REQUEST[option]=com ... cho%20YYY;echo|: 1
> >>> Time(s)
> >>> /favicon.ico: 32 Time(s)
> >>> /javascript/HM_Arrays.js: 1 Time(s)
> >>> /javascript/HM_ScriptDOM.js: 1 Time(s)
> >>> /mambo/index2.php?_REQUEST[option]=com_con ... cho%20YYY;echo|: 1
> >>> Time(s)
> >>> /php/mambo/index2.php?_REQUEST[option]=com ... cho%20YYY;echo|: 1
> >>> Time(s)
> >>> ---------------------- httpd End -------------------------
> >>>
> >>> --------------------- pam_unix Begin ------------------------
> >>> kde:
> >>> Unknown Entries:
> >>> session closed for user dotancohen: 3 Time(s)
> >>> session opened for user dotancohen by (uid=0): 3 Time(s)
> >> This looks like you logging in and out three times.
> >>
> >
> > Should that concern me if I don't think that I had EVER logged out and
> > then back in? This is a one-man box.
>
> If you've ever restarted the computer, then you've logged out.
>
> Let me suggest some further research for you:
> Find on your computer, and learn, everything about logging and LogWatch.
> This command:
> $ ls /usr/share/doc/logwatch*
> will show you what onboard documentation there is for logwatch. Read those
> files.
> $ man logwatch
> will also be helpful, but probably only the part where it shows you which
> files are used for configuration.
>
> /etc/syslog.conf is the file that controls what the computer logs and where.
> I would study that file.
> $ man syslog.conf
> is a pretty good place to start reading, also.
>
> Useful ways to see exactly what is going on:
> If I want to find out what is causing this:
> session closed for user dotancohen
> then I would make note of the time, then log out, log back in, and, as root:
> # tail /var/log/messages
> You should see something similar to this:
> Jan 2 05:01:01 shemp crond(pam_unix)[7970]: session closed for user root
> Jan 2 06:01:01 shemp crond(pam_unix)[8219]: session opened for user root by
> (uid=0)
> Of course, I got this from my system, so your output will be different, but
> the point is that you can compare the time you logged out to the time of the
> log entry, and see what a simple logout or restart will generate in the
> logfiles.
>
> Sorry to be so verbose, and also sorry to suggest reading so many boring man
> pages, but I think I've given you a good nudge in the right direction. :)
>

In other words, I should familiarize myself with the NORMAL log entries, so
that I can pick out the abnormal ones. That is good advice, and that is what
I will be doing more often. I only wish that I had the time to invest in this
that it deserves. In any case, I do have the old logs to refer to, so that I
can see that there are no log entries that look different from those that
were before.

Thank you very, very much. I will be reading TFM a good deal this evening.

Dotan Cohen
http://technology-sleuth.com/question/what_is_a_cellphone.html
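The approach the thread converges on, comparing a new day's /var/log/messages against the known-normal entries in old logs, as an added example that is not part of the thread or of LogWatch itself: it reduces each line in the syslog format quoted above to "program: message" (timestamp, host, PID, addresses and ports masked), treats everything in the old log as known, and reports what is new, roughly what LogWatch's "Unknown Entries" section does. The sample log lines are constructed; the host name "shemp" and the crond/kde pam_unix lines follow the thread, while the sshd lines and the 192.0.2.10 address are hypothetical.

```python
import re

# Syslog line shape quoted in the thread: "Jan 2 05:01:01 shemp crond(pam_unix)[7970]: msg"
SYSLOG_RE = re.compile(
    r"^\w{3}\s+\d{1,2} \d\d:\d\d:\d\d \S+ (?P<prog>[^\[:]+)(?:\[\d+\])?: (?P<msg>.*)$"
)

# Constructed sample logs. Host "shemp" and the crond/kde pam_unix lines follow the
# thread; the sshd lines and the 192.0.2.10 address are hypothetical.
OLD_LOG = """\
Dec 30 05:01:01 shemp crond(pam_unix)[7101]: session opened for user root by (uid=0)
Dec 30 05:01:01 shemp crond(pam_unix)[7101]: session closed for user root
Dec 30 09:12:44 shemp kde(pam_unix)[7320]: session opened for user dotancohen by (uid=0)
Dec 30 23:30:02 shemp sshd[7555]: Received signal 15; terminating.
"""
NEW_LOG = """\
Jan 2 05:01:01 shemp crond(pam_unix)[7970]: session opened for user root by (uid=0)
Jan 2 05:01:01 shemp crond(pam_unix)[7970]: session closed for user root
Jan 2 06:01:01 shemp crond(pam_unix)[8219]: session opened for user root by (uid=0)
Jan 2 07:15:09 shemp sshd(pam_unix)[8301]: session opened for user dotancohen by (uid=0)
Jan 2 07:15:09 shemp sshd[8301]: Accepted password for dotancohen from 192.0.2.10 port 4022 ssh2
"""


def normalize(line):
    """Reduce a syslog line to 'program: message' with volatile fields masked.
    Timestamp, host and PID are dropped; IPv4 addresses and port numbers become
    placeholders so repeats of the same event compare equal. Usernames are kept
    on purpose: a session for an unexpected user, or via an unexpected program,
    is exactly the kind of entry a one-man box should notice."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    msg = re.sub(r"\b\d{1,3}(?:\.\d{1,3}){3}\b", "<ip>", m.group("msg"))
    msg = re.sub(r"\bport \d+\b", "port <n>", msg)
    return f"{m.group('prog')}: {msg}"


def unknown_entries(old_text, new_text):
    """Map each normalized entry of new_text that never occurred in old_text to its count."""
    known = {normalize(l) for l in old_text.splitlines()} - {None}
    counts = {}
    for line in new_text.splitlines():
        key = normalize(line)
        if key is not None and key not in known:
            counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for entry, n in unknown_entries(OLD_LOG, NEW_LOG).items():
        print(f"{entry}: {n} Time(s)")  # LogWatch-style "Unknown Entries" report
```

With the embedded samples the hourly crond sessions are filtered out as known, and only the two sshd lines (a login path the old log never showed) are reported.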