[wellylug] messages file - was: traffic accounting]
William Hamilton
william.hamilton at gmail.com
Sun Jan 7 19:50:26 NZDT 2007
Cliff Pratt wrote:
> William Hamilton wrote:
>> Cliff Pratt wrote:
>>> William Hamilton wrote:
>>>>
>>>> William Hamilton wrote:
>>>>> Hi all looking for some comments as to what traffic accounting
>>>>> software people are using. I have a client with multiple machines
>>>>> internally with a shorewall firewall. They would like to start
>>>>> accounting for traffic volumes, volume and type of data.
>>>>>
>>>>> Any suggestions. I can use accounting in shorewall but is there
>>>>> anything better and easier to report on?
>>>>>
>>>> >Adding to my own email.. they are looking to track usage down to
>>>> each
>>>> >internal machine.
>>>>
>>>> Once again adding to my email BUT a new one almost. Having set up
>>>> accounting within shorewall I found that /var/log/messages is being
>>>> created as a directory NOT as a file (this making logging difficult).
>>>>
>>>> Any ideas as to why this is happening and how to fix? The setup is
>>>> fairly new, not far off base Debian stable build (addition of a
>>>> firewall packages etc).
>>>>
>>> Strange! I have a standard Debian setup with Shorewall and I don't
>>> see that. What is in the /var/log/messages directory?
>>
>> Empty.. been taking a better look at it and it is looking much
>> darker. Unable to add users as shadow cannot be read and a number of
>> things. I am taking a blat through it now to see what else I can
>> find. At first glance everything looks fine but will compare to
>> another machine and see what I come up with.
>>
>> sysklogd being used for logging, pretty much just shorewall and squid
>> installed (that I can see so far). I will prob look at adding snort
>> in case they have had a dodgy happening.
>>
> I suggest you check the syslog conf. At least part of mine says:
>
> *.=info;*.=notice;*.=warn;\
> auth,authpriv.none;\
> cron,daemon.none;\
> mail,news.none -/var/log/messages
>
> A trailing '/' in the name might confuse it, for example. I don't know
> for sure.
>
> >
>> The client is back on board tomorrow so would be nice to tell them I
>> fixed a few other things when I was doing the accounting stuff :)
>>
>> BTW Cliff your package from your website was not able to be found.
>>
> OK, I can probably find it if you wish, but much of the guts is in the
> article.
No worries.. I just thought I would mention it.
I have got the machine going almost properly now it seemed to have
bounced quite a few times and I wonder if that corrupted some files.. I
have suggested a few times that a UPS would be nice.. this may drive the
decision :)
I am getting the following error now when trying to install snort...
looking to tighten the box a bit..
williamh@spherical:~$ sudo apt-get install snort
Reading Package Lists... Done
Building Dependency Tree... Done
The following NEW packages will be installed:
snort
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 0B/398kB of archives.
After unpacking 893kB of additional disk space will be used.
Preconfiguring packages ...
(Reading database ... 27932 files and directories currently installed.)
Unpacking snort (from .../snort_2.3.2-3_i386.deb) ...
usermod: cannot open shadow password file
dpkg: error processing /var/cache/apt/archives/snort_2.3.2-3_i386.deb
(--unpack):
subprocess pre-installation script returned error exit status 1
Errors were encountered while processing:
/var/cache/apt/archives/snort_2.3.2-3_i386.deb
E: Sub-process /usr/bin/dpkg returned an error code (1)
Rights and ownership look ok to me.
williamh@spherical:~$ ls -lh /etc/shadow
-rw-r----- 1 root shadow 777 2006-12-19 15:58 /etc/shadow
Thanks
W
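
A check for the fault discussed in this thread, as an added example that is not part of the original messages: it reads a sysklogd-style syslog.conf, including backslash-continued rules like the one Cliff quotes, and reports every file destination that exists as a directory or is missing. The function name, its optional root-prefix argument and the sample configuration are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example. check_syslog_targets and its ROOT argument are hypothetical.
# Usage: check_syslog_targets CONF [ROOT]   (ROOT is prefixed to each path)

check_syslog_targets() {
    local conf="$1" root="${2:-}" line action path
    # read without -r on purpose: it joins backslash-continued rules.
    while read line || [ -n "$line" ]; do
        case $line in
            ''|'#'*) continue ;;          # blank lines and comments
        esac
        action=${line##*[[:space:]]}      # last whitespace-separated field
        path=${action#-}                  # leading '-' means no sync per write
        case $path in
            /*) ;;                        # file destination: check it
            *)  continue ;;               # @host, |pipe, user list or *
        esac
        if   [ -d "$root$path" ]; then echo "DIR $path"
        elif [ -f "$root$path" ]; then echo "OK $path"
        elif [ -e "$root$path" ]; then echo "OTHER $path"
        else                           echo "MISSING $path"
        fi
    done < "$conf"
}

# Constructed demo: a scratch tree that reproduces the fault from the thread.
demo() {
    local root
    root=$(mktemp -d)
    mkdir -p "$root/var/log/messages"     # messages exists as a directory
    : > "$root/var/log/syslog"
    cat > "$root/syslog.conf" <<'EOF'
# constructed sample in sysklogd syntax
*.*;auth,authpriv.none          -/var/log/syslog
*.=info;*.=notice;*.=warn;\
        auth,authpriv.none;\
        cron,daemon.none;\
        mail,news.none          -/var/log/messages
mail.err                        /var/log/mail.err
*.emerg                         *
EOF
    check_syslog_targets "$root/syslog.conf" "$root"
    rm -rf "$root"
}
demo
```

On a live system the call would be `check_syslog_targets /etc/syslog.conf`; a DIR line for /var/log/messages matches the symptom reported above.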