
Thread: Logwatch 404

  • #1
    Regular Coder
    Join Date
    Sep 2007
    Posts
    264
    Thanks
    19
    Thanked 0 Times in 0 Posts

    Logwatch 404

    I have a ton of logwatch errors that show they are 404ed, yet the files exist! I really have doubts about this feature, so I was wondering if it was possible to completely remove the 404 logging and keep the rest. It would even be ok to remove the httpd Begin logging since that's where the 404 messages are located. Here is a copy of my logwatch. If anyone sees anything suspicious or can help me, please let me know.

    Code:
    > 
    > ################### Logwatch 7.3 (03/24/06) ####################
    >        Processing Initiated: Sun May  8 04:03:04 2011
    >        Date Range Processed: yesterday
    >                              ( 2011-May-07 )
    >                              Period is day.
    >      Detail Level of Output: 0
    >              Type of Output: unformatted
    >          Logfiles for Host: 68-168-104-37.phx.codero.com
    >  ##################################################################
    > 
    > --------------------- Selinux Audit Begin ------------------------ 
    >  Number of audit daemon stops: 1
    > 
    > ---------------------- Selinux Audit End ------------------------- 
    > 
    > --------------------- Automount Begin ------------------------ 
    > 
    > **Unmatched Entries**
    > lookup_read_master: lookup(nisplus): couldn't locate nis+ table auto.master: 1 Time(s)
    > 
    > ---------------------- Automount End ------------------------- 
    > 
    > --------------------- httpd Begin ------------------------ 
    > 
    > Requests with error response codes
    >    400 Bad Request
    >      /: 2 Time(s)
    >      /forums/clientscript/vbulletin_css/style00 ... ss?d=1304559947: 3 Time(s)
    >      /forums/clientscript/yui/yuiloader-dom-eve ... -event.js?v=413: 1 Time(s)
    >      /forums/customavatars/avatar12638_3.gif: 1 Time(s)
    >      /forums/customavatars/avatar16846_3.gif: 1 Time(s)
    >      /forums/customavatars/avatar5441_4.gif: 1 Time(s)
    >      /forums/dbtech/thanks/clientscript/thanks.js?v=1000: 1 Time(s)
    >      /forums/images/Styles/Blackend/buttons/reputation-40b.png: 1 Time(s)
    >      /forums/images/Styles/Blackend/misc/rss_40b.png: 1 Time(s)
    >      /forums/images/Styles/Blackend/misc/subscribed_40b.png: 1 Time(s)
    >      /forums/images/Styles/Blackend/site_icons/homepage.png: 1 Time(s)
    >      /forums/wanted-items/9835-busa-adjustable-cam-sprockets.html: 1 Time(s)
    >      /garage-sale/53065-1990-gsxr-1100-2500-00-may-trade.html: 2 Time(s)
    >      /images/smile.gif: 1 Time(s)
    >      /phpMyAdmin/scripts/setup.php: 1 Time(s)
    >      /printout.php?articleid=14: 1 Time(s)
    >      /robots.txt: 4 Time(s)
    >      /tech_supension: 1 Time(s)
    >      /top-stories/freedom-watch-incorporates-the-new-media: 1 Time(s)
    >      /w00tw00t.at.blackhats.romanian.anti-sec:): 1 Time(s)
    > 
    > ---------------------- httpd End ------------------------- 
    > 
    > --------------------- Named Begin ------------------------ 
    > 
    > **Unmatched Entries**
    >    found 4 CPUs, using 4 worker threads: 1 Time(s)
    >    max open files (1024) is smaller than max sockets (4096): 1 Time(s)
    >    the working directory is not writable: 4 Time(s)
    >    using default UDP/IPv4 port range: [1024, 65535]: 4 Time(s)
    >    using default UDP/IPv6 port range: [1024, 65535]: 4 Time(s)
    >    using up to 4096 sockets: 1 Time(s)
    >    zone psychobike.com/IN: zone serial unchanged: 3 Time(s)
    > 
    > ---------------------- Named End ------------------------- 
    > 
    > --------------------- pam_unix Begin ------------------------ 
    > runuser-l:
    >    Unknown Entries:
    >      session closed for user postgres: 2 Time(s)
    >      session opened for user postgres by (uid=0): 2 Time(s)
    > 
    > su:
    >    Sessions Opened:
    >      (uid=0) -> psych011: 1 Time(s)
    > 
    > 
    > ---------------------- pam_unix End ------------------------- 
    > 
    > --------------------- proftpd-messages Begin ------------------------ 
    > 
    > **Unmatched Entries**
    > 127.0.0.1 (117.68.66.107[117.68.66.107]) - Login timeout exceeded, disconnected
    > 127.0.0.1 (117.68.66.107[117.68.66.107]) - Session timed out, disconnected
    > 127.0.0.1 (117.68.66.107[117.68.66.107]) - Login timeout exceeded, disconnected
    > 127.0.0.1 (117.68.66.107[117.68.66.107]) - Session timed out, disconnected
    > 
    > ---------------------- proftpd-messages End ------------------------- 
    > 
    > --------------------- Smartd Begin ------------------------ 
    > 
    > **Unmatched Entries**
    > Problem creating device name scan list
    > Device /dev/sda: using '-d sat' for ATA disk behind SAT layer.
    > 
    > ---------------------- Smartd End ------------------------- 
    > 
    > --------------------- SSHD Begin ------------------------ 
    > 
    > SSHD Killed: 1 Time(s)
    > 
    > SSHD Started: 1 Time(s)
    > 
    > Failed logins from:
    >    59.46.88.4: 524 times
    >    113.108.197.67: 18 times
    >    201.148.157.185 (host157185.metrored.net.mx): 1 time
    >    218.241.236.109: 45 times
    >    221.2.163.252: 5 times
    > 
    > Illegal users from:
    >    59.46.88.4: 1 time
    >    113.108.197.67: 131 times
    >    218.241.236.109: 682 times
    > 
    > Locked account login attempts:
    >    mysql : 2 Time(s)
    >    postgres : 3 Time(s)
    >    rpc : 1 Time(s)
    >    rpcuser : 1 Time(s)
    >    sshd : 1 Time(s)
    > 
    > Users logging in through sshd:
    >    root:
    >      68.169.185.24 (host-68-169-185-24.EPSOLT2.epbfi.com): 2 times
    >      98.226.123.82 (c-98-226-123-82.hsd1.in.comcast.net): 1 time
    > 
    > 
    > Received disconnect:
    >    11: Bye Bye : 1661 Time(s)
    > 
    > Could not get shadow information for:
    >    NOUSER : 814 Time(s)
    > 
    > SFTP subsystem requests: 4 Time(s)
    > 
    > **Unmatched Entries**
    > reverse mapping checking getaddrinfo for host157185.metrored.net.mx failed - POSSIBLE BREAK-IN ATTEMPT! : 1 time(s)
    > 
    > ---------------------- SSHD End ------------------------- 
    > 
    > --------------------- Disk Space Begin ------------------------ 
    > Filesystem            Size  Used Avail Use% Mounted on
    > /dev/sda3            913G  268G  600G  31% /
    > /dev/sda2              84M  24M  56M  30% /boot
    > 
    > 
    > ---------------------- Disk Space End ------------------------- 
    > 
    > ###################### Logwatch End #########################

  • #2
    Regular Coder
    Join Date
    Sep 2007
    Posts
    264
    Thanks
    19
    Thanked 0 Times in 0 Posts
    Anyone?

    If possible I want to ignore all 404 messages as they are false positives. If I can, I just want to ignore all lines from
    ---------------------- httpd Begin -------------------------

    to

    ---------------------- httpd End -------------------------

  • #3
    Super Moderator Inigoesdr's Avatar
    Join Date
    Mar 2007
    Location
    Florida, USA
    Posts
    3,642
    Thanks
    2
    Thanked 405 Times in 397 Posts
    Those are 400, not 404. And you shouldn't ignore them. Check the Logwatch config to see if you can, but I doubt it.

  • #4
    Regular Coder
    Join Date
    Sep 2007
    Posts
    264
    Thanks
    19
    Thanked 0 Times in 0 Posts
    How can I ignore them?

    I don't know how to turn the errors into regex for the ignore.config
    /forums/customavatars/avatar12638_3.gif

    I mean I don't see any reason they would post a 400 error since it loads fine every time. All it does is clutter my email...

  • #5
    Super Moderator Inigoesdr's Avatar
    Join Date
    Mar 2007
    Location
    Florida, USA
    Posts
    3,642
    Thanks
    2
    Thanked 405 Times in 397 Posts
    Quote Originally Posted by IFeelYourPain:
    > How can I ignore them?
    >
    > I don't know how to turn the errors into regex for the ignore.config
    > /forums/customavatars/avatar12638_3.gif
    >
    > I mean I don't see any reason they would post a 400 error since it loads fine every time. All it does is clutter my email...

    It isn't loading fine every time, you just don't notice when something doesn't load. If you have mod_security enabled that is likely the culprit. You would have to check the man pages for Logwatch to find out the syntax. I don't remember what it is, but I think you can use simple asterisk wildcards.
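The moderator's point is that the list under "Requests with error response codes" mixes harmless static-asset noise with lines a defender should keep, and the same report carries an SSH brute-force picture worth ranking before anyone reaches for a blanket ignore rule. The script below is an added example, written for this thread and not part of Logwatch or the poster's setup: it parses the Begin/End sections of a Logwatch report, separates scanner-style probe paths from ordinary static-file errors in the httpd block, and sums failed and illegal-user SSH attempts per source address. The sample report is a constructed excerpt copied from the output quoted above; the probe signatures (the w00tw00t scanner string and phpMyAdmin setup.php requests), the static-extension list and the 100-attempt threshold are my assumptions, not anything Logwatch defines.

```python
import re
from collections import defaultdict

# Constructed excerpt, copied from the Logwatch report quoted earlier in the thread.
SAMPLE_REPORT = """\
--------------------- httpd Begin ------------------------

Requests with error response codes
   400 Bad Request
     /: 2 Time(s)
     /forums/customavatars/avatar12638_3.gif: 1 Time(s)
     /phpMyAdmin/scripts/setup.php: 1 Time(s)
     /robots.txt: 4 Time(s)
     /w00tw00t.at.blackhats.romanian.anti-sec:): 1 Time(s)

---------------------- httpd End -------------------------

--------------------- SSHD Begin ------------------------

Failed logins from:
   59.46.88.4: 524 times
   113.108.197.67: 18 times
   201.148.157.185 (host157185.metrored.net.mx): 1 time

Illegal users from:
   59.46.88.4: 1 time
   218.241.236.109: 682 times

---------------------- SSHD End -------------------------
"""

SECTION_RE = re.compile(r"^-{5,} (.+?) (Begin|End) -{5,}\s*$")
STATUS_RE = re.compile(r"^\s+(\d{3}) [A-Za-z]")              # "   400 Bad Request"
ENTRY_RE = re.compile(r"^\s+(/.*?): (\d+) Time\(s\)\s*$")    # "     /path: 3 Time(s)"
HEADING_RE = re.compile(r"^(\S.*?):\s*$")                    # "Failed logins from:"
HOST_RE = re.compile(r"^\s+(\S+)(?: \(([^)]*)\))?: (\d+) [Tt]imes?\s*$")

# Assumed scanner signatures: well-known mass-scanner request strings, not a Logwatch list.
PROBE_PATTERNS = [re.compile(p, re.I) for p in (r"w00tw00t", r"phpmyadmin", r"/setup\.php")]
STATIC_EXT = {".gif", ".png", ".jpg", ".css", ".js", ".ico", ".txt"}


def sections(report):
    """Map each 'X Begin'/'X End' section name to the lines between the markers."""
    out, current = {}, None
    for line in report.splitlines():
        m = SECTION_RE.match(line)
        if m:
            name, marker = m.groups()
            current = name if marker == "Begin" else None
            if current is not None:
                out.setdefault(current, [])
            continue
        if current is not None:
            out[current].append(line)
    return out


def parse_http_errors(lines):
    """Return {status_code: [(path, count), ...]} from the httpd error-response block."""
    by_code, code = defaultdict(list), None
    for line in lines:
        m = STATUS_RE.match(line)
        if m:
            code = m.group(1)
            continue
        m = ENTRY_RE.match(line)
        if m and code is not None:
            by_code[code].append((m.group(1), int(m.group(2))))
    return dict(by_code)


def parse_ssh_failures(lines):
    """Return {heading: [(address, hostname_or_empty, count), ...]} from the SSHD block."""
    by_heading, heading = defaultdict(list), None
    for line in lines:
        m = HEADING_RE.match(line)
        if m:
            heading = m.group(1)
            continue
        m = HOST_RE.match(line)
        if m and heading is not None:
            by_heading[heading].append((m.group(1), m.group(2) or "", int(m.group(3))))
    return dict(by_heading)


def classify_path(path):
    """'probe' for scanner signatures, 'static' for asset files, 'other' otherwise."""
    bare = path.split("?", 1)[0]
    if any(p.search(bare) for p in PROBE_PATTERNS):
        return "probe"
    if any(bare.lower().endswith(ext) for ext in STATIC_EXT):
        return "static"
    return "other"


def triage(report, ssh_threshold=100):
    """Split httpd errors into probes vs static noise and rank SSH sources over a threshold."""
    secs = sections(report)
    http = parse_http_errors(secs.get("httpd", []))
    ssh = parse_ssh_failures(secs.get("SSHD", []))
    rows = [(code, path, n) for code, entries in http.items() for path, n in entries]
    probes = [r for r in rows if classify_path(r[1]) == "probe"]
    static_noise = [r for r in rows if classify_path(r[1]) == "static"]
    per_ip = defaultdict(int)
    for heading in ("Failed logins from", "Illegal users from"):
        for ip, _host, n in ssh.get(heading, []):
            per_ip[ip] += n
    offenders = sorted(((ip, n) for ip, n in per_ip.items() if n >= ssh_threshold),
                       key=lambda t: t[1], reverse=True)
    return {"probes": probes, "static_noise": static_noise, "ssh_offenders": offenders}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_REPORT).items():
        print(key)
        for row in value:
            print("   ", row)
```

Run against the excerpt, the static-noise list holds the avatar GIF and robots.txt entries the original poster wanted gone, while the probe list keeps the phpMyAdmin setup.php and w00tw00t requests and the SSH ranking surfaces the two addresses with several hundred attempts each; that split is a better basis for an ignore rule than suppressing the whole httpd block.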

