Logwatch question.

Brian Gaynor briang at pmccorp.com
Wed Oct 12 21:21:10 UTC 2005

On Wed, 2005-10-12 at 07:37 +0200, Tomas Larsson wrote:
> What does the entry
> A total of 1 sites probed the server 
>     192.138.xxx.xxx
> Mean, Is it something I should be worried over
> With best regards
> Tomas Larsson

Logwatch uses a set of "bad thing" rules for each logfile it manages.
The message you are seeing just means Logwatch saw something in your
logs that matched one of these rule patterns. Most of the time I find
Logwatch's concerns to be valid, after all there are plenty of script
kiddies out there probing for vulnerable systems. But just because
Logwatch is concerned and the attack is real does not mean you have been
rooted, it just means that something happened that looked like an

Some of the things it looks for are Windows specific attacks. These are
harmless to your Linux system, but it doesn't hurt to know who the bad
guys are and what they're up to.

If you're interested you could search your logfiles for the offending IP
to see what they were up to. The actual Logwatch scripts are
in /etc/log.d/scripts/. Have a look at them if you are interested in
seeing what Logwatch is looking for.

Brian Gaynor
FC4/Linux on DELL Inspiron 5160 3.0Ghz 
canis 14:05:37 up 2:15, 1 user, 
load average: 0.09, 0.10, 0.08 
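
The log search suggested in the reply above, as an added example that is not part of the original message or of Logwatch itself. The function names, the default directory /var/log and the address 203.0.113.7 (a documentation address standing in for the masked one) are assumptions. It matches the address as a whole token and also reads gzip-rotated logs.

```shell
#!/bin/sh
# Added example (not from the original post): show every log line that
# mentions one IP address, including lines in gzip-rotated files.
#
# search_ip IP [LOGDIR]   prints "file: line" for each hit
# count_hits IP [LOGDIR]  prints the number of hits
# LOGDIR defaults to /var/log (assumption; adjust for your system).

search_ip() {
    ip=$1
    dir=${2:-/var/log}
    # Escape the dots so "." matches only a literal dot, and require a
    # non-digit (or a line edge) on both sides, so that 203.0.113.7 does
    # not also match 203.0.113.70 or 1203.0.113.7.
    pat="(^|[^0-9])$(printf '%s' "$ip" | sed 's/\./\\./g')([^0-9]|\$)"

    find "$dir" -type f | sort | while IFS= read -r f; do
        case $f in
            *.gz) gzip -dc -- "$f" 2>/dev/null ;;   # rotated, compressed
            *)    cat -- "$f" 2>/dev/null ;;        # plain text log
        esac | grep -E -- "$pat" | awk -v f="$f" '{ print f ": " $0 }'
    done
}

count_hits() {
    search_ip "$@" | wc -l | tr -d ' '
}

# Run directly: sh search_ip.sh 203.0.113.7 /var/log
if [ $# -ge 1 ]; then
    search_ip "$@"
fi
```

Reading most files under /var/log requires root; unreadable files are skipped silently.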