Re: [mosquitto-dev] logcheck warning about reduced log file size

Hi Roger,
> Hi Dominik,
>
>> I just subscribed to the list - thank you very much for this excellent
>> MQTT implementation. It works very well.
> Thanks and welcome.
>
>> Now I received the following warning:
>> *************** This could indicate tampering.
>> *** WARNING ***: Log file /var/log/mosquitto/mosquitto.log is smaller
>> than last time checked!
>>
>> Now I'm wondering whether this may be caused by the logfile rotation
>> mechanism (rotation took place within the same period).
>>
>> If this is plausible, why do I receive such a warning after half a year
>> for the first time?
>>
>> If this is not plausible, how could I further track down what happened?
> Did you check the contents of the log files to make sure they look
> plausible? I think it's very likely it is down to log rotation but
> I can't explain why you wouldn't have seen it before.

Nothing unusual in all the other log files. So either someone was very
thorough with cleaning up the log files or it is due to log rotation.
Cleaning up all the log files would require root-access.
>
>> Also, what would be potential ways for gaining unauthorized access
>> through mosquitto? Is there a good summary about security and mosquitto?
> Mosquitto isn't shy about disconnecting clients that are misbehaving
> (sending invalid data). It checks data input and all memory
> allocations. Having said that, if you're not using authentication (and
> encryption) then anybody could connect if they have the host details.
> At that point they are limited by whatever your local clients can do.
OK - the client has its own account with restricted rights. So I'm
concluding that the message was caused by the log rotation. If this
occurs more often, I'm going to investigate further to find a way to
suppress the message.
Thanks for your response.

For anyone interested in using logcheck with mosquitto, here are the rules
that filter the common expected messages - parts in {} need to be adjusted:
[[:digit:]]{10}: Socket error on client {pattern of expected client names} disconnecting.
[[:digit:]]{10}: Socket error on client <unknown>, disconnecting.
[[:digit:]]{10}: New connection from {pattern describing your expected IP range} on port 1883.
[[:digit:]]{10}: New client connected from {pattern describing your expected IP range} as {pattern of expected client names}
[[:digit:]]{10}: Client {pattern of expected client names} disconnected.
[[:digit:]]{10}: Client {pattern of expected client names} already connected. closing old connection.
[[:digit:]]{10}: Saving in-memory database to /var/lib/mosquitto/mosquitto.db.


Greetings
Dominik
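
An added example, not part of Dominik's message: a dry run of four of the rules above with the {} placeholders filled in, showing which log lines would still be reported. The client-name pattern, the IP range and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: dry-run logcheck-style ignore rules against sample log lines.
# CLIENTS and NET are constructed placeholder fills, not values from the post.
CLIENTS='sensor-[0-9]+'
NET='192\.168\.1\.[0-9]+'   # dots escaped so they match only a literal "."

write_rules() {  # $1 = output rules file
    cat > "$1" <<EOF
[[:digit:]]{10}: New connection from ${NET} on port 1883.
[[:digit:]]{10}: New client connected from ${NET} as ${CLIENTS}
[[:digit:]]{10}: Client ${CLIENTS} disconnected.
[[:digit:]]{10}: Saving in-memory database to /var/lib/mosquitto/mosquitto.db.
EOF
}

write_sample_log() {  # $1 = output log file (constructed lines)
    cat > "$1" <<'EOF'
1400000000: New connection from 192.168.1.20 on port 1883.
1400000000: New client connected from 192.168.1.20 as sensor-7.
1400000050: Client sensor-7 disconnected.
1400000100: Saving in-memory database to /var/lib/mosquitto/mosquitto.db.
1400000200: New connection from 203.0.113.9 on port 1883.
1400000200: New client connected from 203.0.113.9 as probe.
1400000201: Client probe disconnected.
EOF
}

reported_lines() {  # $1 = rules file, $2 = log file
    # grep -v drops every line matched by any rule; what is left is what
    # would still be reported. "|| true": an empty result is not an error.
    grep -E -v -f "$1" "$2" || true
}

demo() {
    tmp=$(mktemp -d) || return 1
    write_rules "$tmp/rules"
    write_sample_log "$tmp/log"
    reported_lines "$tmp/rules" "$tmp/log"
    rm -rf "$tmp"
}

demo
```

Only the three lines from the unexpected address and client name remain in the output; the expected traffic is filtered.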

