Re: [Logcheck-devel] Logcheck database updates on stable
Hi, On Thu, Mar 17, 2016 at 02:46:43PM +0100, Enrico Zini wrote: > Would it be possible to have updates of logcheck rules for stable, > either via backports or proposed-updates, so that it can be useful by > default on stable systems? I'll look after logcheck within the next weeks. Best regards Hannes ___ Logcheck-devel mailing list Logcheck-devel@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/logcheck-devel
Re: [Logcheck-devel] [PATCH] Set VERSION to the current version (i.e. 1.3.16).
fixed in 3b37edb, thanks
Re: [Logcheck-devel] Opinion on #742069
Hi,

On Thu, Apr 03, 2014 at 11:31:42AM +0200, Martín Ferrari wrote:
> On a similar note. I have already accumulated a few regexes to add to postfix. In my case, I have plenty of lines for postfix/submission/smtpd. I don't know how's postfix criteria to create these log lines, but it seems it is using the port name. So maybe it should be postfix/([^[:space]]+/)?smtpd

The master.cf file on my sid system has two lines affecting the syslog name[0]. So I would recommend to use 'postfix/(submission/|smtps/)?smtpd' and update all rules.

Best regards
Hannes

[0]
# grep 'syslog_name=' /etc/postfix/master.cf
# -o syslog_name=postfix/submission
# -o syslog_name=postfix/smtps
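As an added illustration (not code from this thread or from logcheck-database), here is a small Python check of the three program-name patterns discussed above, run against constructed postfix lines. The syslog prefix is the one every rule on this page uses; the message body after the program name ("connect from host[addr]"), the host name "mx" and the sample lines are assumptions made for the example. The trailing-whitespace stripping mirrors what Hannes says logcheck does in the snmpd thread further down this page.

```python
import re

# egrep understands [[:alnum:]]-style classes, Python's re does not, so the
# classes used by the rules are rewritten before compiling.
POSIX_CLASSES = {"[:alnum:]": "a-zA-Z0-9", "[:digit:]": "0-9", "[:space:]": " \t"}


def compile_rule(rule: str) -> "re.Pattern[str]":
    for name, chars in POSIX_CLASSES.items():
        rule = rule.replace(name, chars)
    return re.compile(rule)


# Shared syslog prefix from logcheck-database; BODY is an assumed stand-in
# for whatever the real postfix rules match after the program name.
PREFIX = r"^\w{3} [ :0-9]{11} [._[:alnum:]-]+ "
BODY = r"\[[0-9]+\]: connect from [^[:space:]]+\[[0-9.]+\]$"

# The three program-name patterns discussed in the thread.
NARROW = PREFIX + r"postfix/smtpd" + BODY                       # current rules
MASTER = PREFIX + r"postfix/(submission/|smtps/)?smtpd" + BODY  # master.cf-based proposal
GENERIC = PREFIX + r"postfix/([^[:space:]]+/)?smtpd" + BODY     # "any port name" proposal


def report(lines, rules):
    """Return the lines logcheck would still mail out: those that no ignore
    rule matches. Trailing whitespace is stripped first, as logcheck does."""
    compiled = [compile_rule(r) for r in rules]
    kept = []
    for line in lines:
        line = line.rstrip()
        if not any(c.search(line) for c in compiled):
            kept.append(line)
    return kept


# Constructed sample lines, not from a real mail server. The day field is
# space-padded ("Apr  3"), which is what the 11-character [ :0-9]{11} expects.
SAMPLE = [
    "Apr  3 11:31:42 mx postfix/smtpd[1234]: connect from mail.example.org[192.0.2.10]",
    "Apr  3 11:31:43 mx postfix/submission/smtpd[1235]: connect from client.example.net[198.51.100.7]",
    "Apr  3 11:31:44 mx postfix/smtps/smtpd[1236]: connect from client.example.net[198.51.100.7]",
    "Apr  3 11:31:45 mx postfix/smtpd[1237]: warning: hostname bad.example does not resolve to address 203.0.113.5",
]

if __name__ == "__main__":
    for name, rule in (("narrow", NARROW), ("master.cf", MASTER), ("generic", GENERIC)):
        print(f"{name}: {len(report(SAMPLE, [rule]))} line(s) still reported")
```

With the current `postfix/smtpd` pattern the submission and smtps connects are reported as noise; both widened patterns keep only the warning line, which is the one an administrator should see. The master.cf alternation is the tighter choice because it lists exactly the syslog_name values the local configuration can produce.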
Re: [Logcheck-devel] logcheck and bash
Hi,

On Wed, May 16, 2012 at 01:40:48AM +0900, Drey Tee wrote:
> Sorry for bothering you, but I can't find a solution for my problem. I installed 1.3.14 on freebsd from src, followed install instructions, but stuck on starting because bash is installed in /usr/local/bin/bash and not in /bin/bash

I've changed '#!/bin/bash' to '#!/usr/bin/env bash', so logcheck should run also on freebsd now[0].

Best regards
Hannes

[0] http://anonscm.debian.org/gitweb/?p=logcheck/logcheck.git;a=commit;h=6d97af6
[Logcheck-devel] Bug#712941: logcheck-database: logcheck triggers a fatal error in egrep
tags 712941 unreproducible moreinfo
thanks

Hello,

On Thu, Jun 20, 2013 at 07:33:51PM -0400, shiz...@vif.com wrote:
> Since I upgraded to wheezy in may, logcheck reports contain only one line:
> egrep: character class syntax is [[:space:]], not [:space:]

I'm not able to reproduce this issue on Debian wheezy with the standard rule set from logcheck-database package. Please provide more information about how to reproduce this issue.

> Configuration Files:
> /etc/logcheck/ignore.d.server/samba changed [not included]

Maybe this change or the rule file from another package is causing this issue. Can you please check that and report back if the issue still exists?

Best regards
Hannes
[Logcheck-devel] Bug#652148: Bug#652148: Please add rules for dropbear
# fixed in 20a68db
tags 652148 + pending
thanks

Hello,

Thanks for your contribution. I've added the rules to git[0].

Best regards
Hannes

[0] http://anonscm.debian.org/gitweb/?p=logcheck/logcheck.git;a=commit;h=20a68dbcc687700e37fdcefdc423bdc24822f4ad
Re: [Logcheck-devel] small amavisd logcheck match
On Sat, Jul 09, 2011 at 05:00:01PM -0700, John Clements wrote:
> It turns out that on my machine, amavisd-new doesn't necessarily include a Message-ID field in its log lines. Also, it now appears to place quarantined messages into subdirectories indexed by a single character.

Thanks for your contribution. Fixed in git 312ed5a[0].

Greetings
Hannes

[0] http://anonscm.debian.org/gitweb/?p=logcheck/logcheck.git;a=commit;h=312ed5a
[Logcheck-devel] Bug#613124: Bug#613124: rule update for changed snmp log messages
On Wed, Aug 31, 2011 at 04:48:05PM +0200, Uwe Storbeck wrote:
> For me these log messages contain a space at the end of the line (snmpd version 5.4.3~dfsg-2). So this rule may need an additional ? or * at the end to work for all cases:
> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ snmpd\[[0-9]+\]: Connection from UDP: \[[.0-9]{7,15}\]:[0-9]{4,5}-\[[.0-9]{7,15}\] ?$

I couldn't reproduce your issue. Does logcheck really report those log lines? Actually logcheck removes all trailing whitespace before applying the rules.

Greetings
Hannes
Re: [Logcheck-devel] Shell Expansion in logcheck.logfiles
On Mon, Jul 11, 2011 at 03:36:35PM +0200, Florian Mutter wrote:
> Jeff Jansen bamakoj...@gmail.com Wed Jan 30 02:02:01 UTC 2008:
> [...]
> I found this old mail and wanted to ask, if there is any plan to include this patch? I think there is also a little bug in the patch. It needs to be 'ls -1 $file' instead of 'ls -1 $file'

See #616103[0] (fixed in d076526[1]).

Greetings
Hannes

[0] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=616103
[1] http://anonscm.debian.org/gitweb/?p=logcheck/logcheck.git;a=commit;h=d076526
Re: [Logcheck-devel] Requesting clarification on a few things
On Fri, Jul 08, 2011 at 12:24:54AM -0400, Jeremy L. Gaddis wrote:
> One thing that Hannes mentioned was in response to commits 5f7da05[1] and cf5e9d3[2] which I made to address bug #590559[3]. As he mentioned in his email, webmin was removed from the Debian archive over five years ago[4]. He Cc:'d madduck asking what the policy is for rules for packages that have been removed from Debian. My personal thought was that since they were still there, they might as well be updated. For clarification and future reference, I am interested in knowing what the policy is as well.

As far as I know there is no policy for that. The problem with keeping rules of obsolete packages or package versions is that each (obsolete) rule slows down logcheck (at least as long as #602494 has not been fixed). Additionally it implies more work for the maintainers. Furthermore there are some criteria in the SUBMITTING RULES section of README.logcheck-database.gz:

  Unfortunately, we don't have the time to add and update rules for everything, therefore the following exceptions apply:
  * Debug messages
  * Messages produced by software not included in Debian
  * Temporary messages which are due to a bug in the package
  * Messages related to daemon startups and shutdowns
  Please do not file bugs related to these messages.

Following point two the webmin rule should be deleted. Maybe we can work out a policy about which rules should be included in logcheck-database and which not?

> Regarding commit 6a4bf69[5] to close bug #616616[6], I updated a rule to reflect an upstream change in the log message. In this case, the old rule was for a (Postfix) package version that is no longer supported in Debian, so it was removed and the new rule added. In cases where this occurs and the old version is still supported, I assume the right thing to do would be to add the new rule and keep the old one as well (until the package version is no longer supported). Please correct me if that is wrong.

In my opinion we should keep the rules as long as the package version is supported in oldstable.

> Currently, I am trying to figure out the proper thing to do with regard to bug #621373[7]. This is a request for two rules related to log messages generated by avahi-daemon. As of now, there are no rules in logcheck-database for Avahi. Is there some process for deciding if it is appropriate to add them or do we just go ahead (which seems like the logical decision to me). Assuming this is correct, it should only be a matter of creating the avahi-daemon file and adding the two rules I have created (slightly modified from the original bug report).

For the first rule please see my answer to your "How do you decide?" question below. For the second rule you might consider to adjust the rule in i.d.p/logcheck to be more generic.

> Related to that, can I assume that the proper file to create would be i.d.s/avahi-daemon instead of i.d.w/avahi-daemon? Avahi is often present on both servers and workstations so it would seem appropriate to put it under i.d.s since those rules will get applied when REPORTLEVEL is set to workstation as well as server.

Using avahi-daemon on a server is unusual, so I would tend to put the rules to i.d.w/avahi-daemon.

> My next question is how is it decided whether or not to add, delete, or update (whatever the case may be) rules in response to a request/bug report? I have read some bug reports (e.g. #564063[8]) where the correct decision is not obvious. Do we add the rules or not? How do you decide?

In my opinion logcheck should filter only such messages which are informational and aren't caused by an error. In other words messages which could require any reaction by the administrator (eg adding local rules or fix the causing issue) should not be filtered by default. I close only such bugs for packages which I know, so I can estimate if the message is only informational.

> Bug #617232[9] mentions rules which match on IPv4 addresses but will not match IPv6 addresses. Should we begin updating rules so that both IPv4 and IPv6 addresses will be matched? Is there a preferred methodology for doing this, or is it okay to simply start working on it now?

Before replacing the patterns randomly, #174331 should be fixed.

> On a side note, is it appropriate to add my own name to the list on the main logcheck page[10]? Maybe it's a little narcissistic, but I like seeing my own name. :)

You contribute to logcheck, so I think it is reasonable to add yourself to the list of active developers.

Greetings
Hannes
[Logcheck-devel] Bug#609649: cron-apt: Insufficient logcheck patterns
Hi,

Thanks for your contribution. Could you please provide some example log lines showing the new format?

Greetings
Hannes
[Logcheck-devel] Bug#609649: cron-apt: Insufficient logcheck patterns
On Thu, Jan 13, 2011 at 05:57:25PM +0100, Kiss Gabor (Bitman) wrote:
> > I've asked you for some example log lines so I can test my rule changes before committing them to the git repository. If you want you can send me the log lines in private if they should contain any confidential information.
>
> Well. Here you are:
>
> Jan 2 04:21:11 oai cron-apt: Fetched 23.8 kB in 0s (0 B/s)
> Jan 9 04:48:17 oai cron-apt: Need to get 10.6 MB/14.7 MB of archives.
> Jan 11 04:16:20 oai cron-apt: Need to get 1804 kB of archives.
> Jan 11 04:16:20 oai cron-apt: After this operation, 4096 B of additional disk space will be used.
> Jan 11 04:16:20 oai cron-apt: Get:1 http://ftp.bme.hu/OS/Linux/dist/debian/ squeeze/main ncurses-bin i386 5.7+20100313-5 [317 kB]
> Jan 11 04:16:20 oai cron-apt: Fetched 1804 kB in 0s (14.3 MB/s)

Thanks. You've added '*' to the rules but as far as I can see only one whitespace is added. So wouldn't it be sufficient to add '?'?

Greetings
Hannes
[Logcheck-devel] Bug#588312: Bug#588312: logcheck-database: updated rules for many packages
Hi,

Like Gerfried said, please file different bug reports for different packages the next time. Some comments about your rule suggestions:

Radosław Antoniuk wrote:
> #dkimproxy
> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dkimproxy.out\[[0-9]+\]: connect from .*$
> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dkimproxy.out\[[0-9]+\]: DKIM signing - signed; .*$
> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dkimproxy.out\[[0-9]+\]: DKIM signing - skipped; .*$
> No rules at all.
> Jul 7 12:39:21 hosting dkimproxy.out[1508]: DKIM signing - skipped; message-id=cb42d0dfb3a2eb598e162cfe3b6ea...@www.xyz.com, from=em...@dot.com
> Jul 7 12:39:21 hosting dkimproxy.out[1508]: DKIM signing - signed; message-id=cb42d0dfb3a2eb598e162cfe3b6ea...@www.xyz.com, from=em...@dot.com
> Jul 7 12:39:21 hosting dkimproxy.out[1508]: connect from 127.0.0.1

I don't see the need of wildchar .* here.

> #ssh
> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: error writing /proc/self/oom_adj: Operation not permitted$
> Not there.

Looks like an error for me, maybe #555625?

> #ntp
> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ntpd\[[0-9]+\]: kernel time sync status change 4001
> No config at all

This message shouldn't occur anymore (see #498992).

> #syslog-ng
> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ syslog-ng\[[0-9]+\]: Log statistics;.*$
> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ syslog-ng\[[0-9]+\]: Configuration reload request received, reloading configuration;$
> syslog-ng[31823]: Log statistics; processed='destination(d_error)=3', processed='destination(d_messages)=298', processed='src.internal(s_src#1)=90', stamp='src.internal(s_src#1)=1278499023', processed='destination(d_syslog)=90', processed='center(received)=0', processed='destination(d_xconsole)=3', processed='destination(d_newscrit)=0', processed='destination(d_auth)=1452', processed='destination(d_daemon)=1', processed='global(payload_reallocs)=0', processed='global(msg_clones)=0', processed='destination(d_mail)=64', processed='destination(d_cron)=711', processed='destination(d_kern)=132', processed='destination(d_uucp)=0', processed='destination(d_debug)=4', processed='destination(d_lpr)=0', processed='destination(d_user)=76', processed='center(queued)=0', processed='global(sdata_updates)=0', processed='destination(d_newsnotice)=0', processed='destination(d_console_all)=3', processed='destination(d_console)=1', processed='source(s_src)=2530', processed='destination(d_newserr)=0'

Also no need of wildchar .* .

> #shorewall
> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: Shorewall:.*$
> Shorewall can log to an outside file. Logging to syslog is causing every packet drop to be in logcheck. Example:
> Jul 7 12:40:04 dev kernel: Shorewall:net2fw:DROP:IN=venet0 OUT= PHYSIN=eth0 MAC= SRC=X.Y.Z.A DST=A.B.C.D LEN=404 TOS=0x00 PREC=0x00 TTL=32 ID=54796 PROTO=UDP SPT=2368 DPT=1434 LEN=384

If you enable syslog logging you should know what you're doing. If not, disable the feature.

> #libpam-cracklib
> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ cracklib: no dictionary update necessary.$
> Not there.

Rule is part of the cracklib-runtime package (/etc/logcheck/ignore.d.paranoid/cracklib-runtime).

> #modprobe?
> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ modprobe: WARNING: Not loading blacklisted module ipv6.$
> Should be in fact:
> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ modprobe: WARNING: Not loading blacklisted module [:alnum:]+$

I tend to not add this rule by default. The user should be informed at least once about the blacklisted module, so he can react accordingly (for instance by adding the rule above to the local rule set).

> #rsyncd
> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ rsyncd\[[0-9]+\]: file has vanished: .*$
> Not there.

I guess the wildchar .* represents a file name; so here, too, no need of wildchar.

> #netatalk
> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: server_child[[:xdigit:]+] [:xdigit:]+ exited 1$
> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: uams_dhx_pam.c :PAM: PAM Success$
> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: uams_dhx_pam.c :PAM: PAM Auth OK!$
> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: login [:alpha:]+ (uid [:xdigit:]+, gid [:xdigit:]+) AFP3.1$
> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: dhx login: [:alpha:]+$
> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: ipc_read: command: .*$
> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: Setting clientid .*$
> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: pc_get_session: .*$
> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: bad function .*$
> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: ASIP session:.*$
> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: afp_alarm: child timed out$
> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: [:alpha:]+ read, [:alpha:]+ written$
> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: Connection terminated$
> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: server_child[[:xdigit:]+] [:xdigit:]+ exited 1$
> No rules at all.

There are rule files in the netatalk package
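The egrep failure reported in #712941 above ("character class syntax is [[:space:]], not [:space:]") and several of the rules just quoted ([:alnum:]+, [:alpha:]+, [:xdigit:]+) are the same mistake: a POSIX class written outside a bracket expression. Because logcheck hands whole rule files to egrep, one such rule aborts the run and the report collapses to that single error line. The following added example (not part of logcheck) is a small Python linter that flags exactly that before a rule file is installed; the sample rule file is constructed from lines on this page.

```python
# Class names egrep accepts inside a bracket expression.
POSIX_NAMES = {"alnum", "alpha", "blank", "cntrl", "digit", "graph",
               "lower", "print", "punct", "space", "upper", "xdigit"}


def bare_posix_classes(rule):
    """Return (offset, token) for each [:name:] in `rule` that is not nested
    inside a bracket expression, i.e. each one egrep would reject."""
    hits = []
    in_bracket = False
    i, n = 0, len(rule)
    while i < n:
        c = rule[i]
        if in_bracket:
            if rule.startswith("[:", i):          # [[:alnum:]]-style class, fine
                end = rule.find(":]", i + 2)
                i = end + 2 if end != -1 else i + 2
            else:
                if c == "]":                      # closes the expression
                    in_bracket = False
                i += 1
            continue
        if c == "\\":                             # \[ and \] are literals
            i += 2
            continue
        if c == "[":
            end = rule.find(":]", i + 2)
            if rule.startswith("[:", i) and end != -1 and rule[i + 2:end] in POSIX_NAMES:
                hits.append((i, rule[i:end + 2]))  # bare class: egrep's fatal error
                i = end + 2
                continue
            in_bracket = True
            i += 1
            if i < n and rule[i] == "^":          # negation marker
                i += 1
            if i < n and rule[i] == "]":          # a leading ']' is literal
                i += 1
            continue
        i += 1
    return hits


def lint_rules(text):
    """Lint the contents of a rule file; returns (line_number, offset, token)."""
    problems = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for offset, token in bare_posix_classes(line):
            problems.append((lineno, offset, token))
    return problems


# Constructed rule file: one correct rule, then the modprobe and netatalk
# suggestions from this thread that use bare classes.
SAMPLE_RULES = "\n".join([
    r"^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: Connection terminated$",
    r"^\w{3} [ :0-9]{11} [._[:alnum:]-]+ modprobe: WARNING: Not loading blacklisted module [:alnum:]+$",
    r"^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: login [:alpha:]+ (uid [:xdigit:]+, gid [:xdigit:]+) AFP3.1$",
])

if __name__ == "__main__":
    for lineno, offset, token in lint_rules(SAMPLE_RULES):
        print(f"line {lineno} col {offset}: {token} should be [{token}]")
```

Note what the linter does not flag: server_child[[:xdigit:]+] from the netatalk list is a valid bracket expression (one hex digit or a literal '+'), so egrep accepts it, but it is almost certainly not what the author meant; that kind of mistake only shows up when the rule silently fails to match.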
[Logcheck-devel] Bug#588285: Bug#588285: logcheck: Additional rules to ignore successful kerberos authentication
Michel Messerschmidt wrote:
> On Tue, Jul 06, 2010 at 06:26:10PM -0700, Russ Allbery wrote:
> > I wonder if the right way of handling this would be to instead install a logcheck rule as part of the libpam-krb5 package that looks something like:
> > ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ [[:alnum:]]+(\[[0-9]+\])?: pam_krb5\([[:alnum:]]+:auth\): user [[:alnum:]-]+ authenticated as [[:alnum:]...@-]+$
>
> Ok works fine for me now. Your rule matches all pam_krb5 success messages on my systems besides dovecot, because it uses dovecot-auth as the process name. I propose to enhance the rule to:
> ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ [[:alnum:]-]+(\[[0-9]+\])?: pam_krb5\([[:alnum:]]+:auth\): user [[:alnum:]-]+ authenticated as [[:alnum:]...@-]+$

Valid point. Fixed in e786dd9.

Greetings
Hannes
Re: [Logcheck-devel] Question about logcheck on redhat
Juan Manuel Perrote wrote:
> Hello, my name is Juan Manuel. I am interested in installing logcheck on RedHat Linux 64 bit. Can you please tell me if logcheck is compatible with this operating system, and where I can download the latest version?

You can download the latest source tarball using the source package link found on the logcheck package page [1].

Greetings,
Hannes

[1] http://packages.debian.org/unstable/logcheck
[Logcheck-devel] Bug#583600: Bug#583600: ignore individual entries but write summaries
tag 583600 +wontfix
thanks

Hi,

interesting feature request, but due to the current design of logcheck it is not practicable. So I tag this bug as wontfix.

Greetings
Hannes
[Logcheck-devel] Bug#583155: Bug#583155: logcheck-database: Please create rules for amavis(d-new)
reassign 583155 amavisd-new
thanks

Hi,

amavisd-new has its own rules for logcheck. So I reassign this bug to amavisd-new. However the current version of amavisd-new does not contain the rules, because changeset 7899d57341c4 has not been taken back (while changeset a08df29d4ad7 has been reverted in 2bfe769618b5). By the way, you can use dh_installlogcheck to install logcheck rulefiles.

Greetings
Hannes
[Logcheck-devel] Bug#578749: Bug#578749: logcheck-database: ignore.d.server/schroot fails to detect session opened
Didier Raboud wrote:
> The /etc/logcheck/ignore.d.server/schroot fails to detect the session opened messages that are IMHO completely normal. The attached patch solves this.

Can you please provide some sample log lines and/or a patch against the HEAD code in the logcheck git?

Thanks
Hannes
[Logcheck-devel] Bug#574858: Bug#574858: logcheck: Does not ignore unresolvable hostname
tags 574858 +moreinfo
thanks

Bob Proulx wrote:
> I believe what was intended was the following:
>
>     # Hostname either fully qualified or not.
>     if [ $FQDN -eq 1 ]; then
>         HOSTNAME=$(hostname --fqdn 2>/dev/null)
>     else
>         HOSTNAME=$(hostname --short 2>/dev/null)
>     fi

Fixed in 1.3.8.

> However this will still fail to produce a correct hostname in the face of an unresolvable hostname in DNS. And I will guess that the short hostname is the more typical case these days since it is the default in Debian. Therefore it would be better if for the short case the hostname is received and then truncated at the first dot if one exists. This will avoid this error for the short case entirely. Because the script is already a #!/bin/bash script it is safe to use a POSIX shell parameter expansion construct. Here is an improvement.
>
>     # Hostname either fully qualified or not.
>     if [ $FQDN -eq 1 ]; then
>         HOSTNAME=$(hostname --fqdn 2>/dev/null)
>         test -z "$HOSTNAME" && HOSTNAME=$(hostname)
>     else
>         HOSTNAME=$(hostname)
>         HOSTNAME=${HOSTNAME%%.*}
>     fi
>
> With the above fix the error message shouldn't occur any longer.

Why should logcheck bypass an unresolvable hostname? Wouldn't it be better if the administrator fixed the hostname issue instead?

Greetings
Hannes
Re: [Logcheck-devel] [PATCH] commit 941a3c38cccde0b30dfd3b641e40f6a6f35ce3b3 Author: Kerstin Puschke kpusc...@zedat.fu-berlin.de Date: Wed Mar 17 18:58:27 2010 +0100
Applied to git, thanks for contribution. Greetings Hannes Kerstin Puschke wrote: logcheck cd's to $STATEDIR before cleaning up temp dir Now you can run logcheck as a user who has no permissions for /var/lib/logcheck (where logcheck used to cd to) Signed-off-by: Kerstin Puschke kpusc...@zedat.fu-berlin.de --- src/logcheck |2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/src/logcheck b/src/logcheck index 2bc0995..3622f95 100755 --- a/src/logcheck +++ b/src/logcheck @@ -108,7 +108,7 @@ cleanup() { if [ -d $TMPDIR ]; then # Remove the tmp directory if [ $NOCLEANUP -eq 0 ];then - cd /var/lib/logcheck + cd $STATEDIR debug cleanup: Removing - $TMPDIR rm -r $TMPDIR else
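Review bot: `cd $STATEDIR` in the cleanup() hunk has no failure handling; if STATEDIR is unset, empty or not a directory the `cd` fails (an empty value sends `cd` to $HOME) and the function still goes on to `rm -r $TMPDIR` from whatever directory it happens to be in, which is exactly what the `cd` is there to avoid. Suggest `cd "$STATEDIR" || error "Could not change to $STATEDIR."`, matching the `|| error ...` style the script uses elsewhere, and quote `"$TMPDIR"` on the rm line while touching it.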
Re: [Logcheck-devel] [PATCH] commit 9a4c9f8949768da31520dd8b4780875dc2da231d Author: Kerstin Puschke kpusc...@zedat.fu-berlin.de Date: Tue Mar 23 11:12:01 2010 +0100
Applied to git, thanks for contribution. Greetings Hannes Kerstin Puschke wrote: Look for header.txt and footer.txt in $RULEDIR instead of hardcoded /etc/logcheck This makes header.txt. and footer.txt customizable even if using a non-default rule directory. Signed-off-by: Kerstin Puschke kpusc...@zedat.fu-berlin.de --- src/logcheck |8 1 files changed, 4 insertions(+), 4 deletions(-) diff --git a/src/logcheck b/src/logcheck index 2bc0995..c23cd5f 100755 --- a/src/logcheck +++ b/src/logcheck @@ -188,8 +188,8 @@ EOF # Add an identification line at the beginning of the sent mail setintro() { -if [ -f /etc/logcheck/header.txt -a -r /etc/logcheck/header.txt ] ; then - $CAT /etc/logcheck/header.txt $TMPDIR/report \ +if [ -f $RULEDIR/header.txt -a -r $RULEDIR/header.txt ] ; then + $CAT $RULEDIR/header.txt $TMPDIR/report \ || error Could not append header to $TMPDIR/report. fi } @@ -197,8 +197,8 @@ setintro() { # Add a footer to the report. setfooter() { -if [ -f /etc/logcheck/footer.txt -a -r /etc/logcheck/footer.txt ] ; then - $CAT /etc/logcheck/footer.txt $TMPDIR/report \ +if [ -f $RULEDIR/footer.txt -a -r $RULEDIR/footer.txt ] ; then + $CAT $RULEDIR/footer.txt $TMPDIR/report \ || error Could not append footer to $TMPDIR/report. fi }
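Review bot: both hunks keep the `-f X -a -r X` double test with `$RULEDIR/header.txt` and `$RULEDIR/footer.txt` unquoted; `-r` already implies the file exists, so `[ -r "$RULEDIR/header.txt" ]` is shorter and survives a RULEDIR containing spaces. The behaviour change also needs documenting: anyone who already overrides RULEDIR now silently stops getting the /etc/logcheck/header.txt and footer.txt they had, so the commit message, the man page and the logcheck.conf comment for RULEDIR should say that both files are looked up in the rule directory.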
[Logcheck-devel] Bug#569843: Bug#569843: logcheck-database: acpid filter misses trailing white space
tags 569843 +unreproducible +moreinfo
thanks

Mats Erik Andersson wrote:
> The syslog messages for acpid when a window client connects or disconnect all have a trailing single space at each line. Therefore the existing two patterns in /etc/logcheck/ignore.d.server/acpid fail to filter out the events.

I tried to reproduce this in squeeze and sid with no success, but the log lines don't contain a trailing space. So I'm tagging this bug as unreproducible. Please provide more info (e.g. acpid version or example log lines) about how to reproduce this behaviour, if it's still reproducible by you.

> Furthermore, the disconnect message includes a PID-numbered client, which is not present in the pattern at all.

This has been fixed in 53f7a7b.

Greetings,
Hannes
Re: [Logcheck-devel] dnsmasq-(dhcp|tftp) missing from dnsmasq ignores
Michał Sawicz wrote:
> I'd like to point out that currently dnsmasq (as of version 2.48, see http://www.thekelleys.org.uk/dnsmasq/CHANGELOG) marks the log messages with the subsystem, so currently messages from dhcp look like so:
> Mar 30 17:14:24 media dnsmasq-dhcp[1420]: DHCPREQUEST(eth1) 192.168.0.22 00:19:d2:4e:8c:27

fixed in b7077fb, thanks for the hint.

Greetings
Hannes
[Logcheck-devel] Bug#568468: Bug#568468: logcheck: ignore wpa_supplicant scan results
Hi,

This message should be filtered in workstation level. Please ensure that you use this level (set REPORTLEVEL in /etc/logcheck/logcheck.conf to workstation) and provide feedback if that solves your problem.

Thanks,
Hannes
[Logcheck-devel] Bug#534724: Enhanced kernel rules
Michael Tautschnig m...@debian.org wrote:
> Sorry for the late reply. I'm absolutely willing to submit small and useful bits, I'm just a bit unclear about the policy. If bootup messages are intentionally excluded, then some of the current rules should in fact be dropped as well. Does bootup also mean that hot-pluggable stuff should be excluded? These messages will be the same in non-bootup contexts...

Sorry for the delay. No, you can submit rules for hot-pluggable stuff. If you submit smaller bug reports, please don't forget to include the relevant log lines.

Hannes
[Logcheck-devel] Bug#547182: Bug#547182: logcheck-database: violations.d/sudo not catching calls to /usr/bin/sudo
tags #547182 +unreproducible +moreinfo
thanks

Hi,

I tried to reproduce this in squeeze and sid with no success. The log line contains only sudo, not the full path /usr/bin/sudo. So I'm tagging this bug as unreproducible. Please provide more info about how to reproduce this behaviour, if it's still reproducible by you.

Thanks,
Hannes
[Logcheck-devel] Bug#565858: Bug #565858 [sslh] sslh: Please add logcheck file
Hi,

We prefer if package maintainers take care of the rules themselves and they are distributed with the package to which they apply. So if you are willing to include the rule in sslh itself it would be great, otherwise I would include it in logcheck-database. I've adjusted the rule to be a bit more strict.

Greetings,
Hannes

^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sslh\[[[:digit:]]+\]: connection from (([0-9]|([1-9]|1[0-9]|2[0-4])[0-9]|25[0-5])\.){3}([0-9]|([1-9]|1[0-9]|2[0-4])[0-9]|25[0-5]):([0-9]|([1-9]|([1-9]|([1-9]|[1-5][0-9]|6[0-4])[0-9]|65[0-4])[0-9]|655[0-2])[0-9]|6553[0-5]) forwarded to (SSH|SSL)$
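Added example, not code from sslh or logcheck-database: the tightened rule above run in Python against constructed log lines, next to a loose pattern modelled on the [.0-9]{7,15} / [0-9]{4,5} idiom seen in the snmpd rule earlier in this archive. The sample lines, the host name "gw" and the PID are made up; the octet and port sub-patterns are copied from the rule.

```python
import re

# Translate the POSIX classes egrep accepts into Python's re syntax.
POSIX_CLASSES = {"[:alnum:]": "a-zA-Z0-9", "[:digit:]": "0-9"}


def compile_rule(rule):
    for name, chars in POSIX_CLASSES.items():
        rule = rule.replace(name, chars)
    return re.compile(rule)


PREFIX = r"^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sslh\[[[:digit:]]+\]: connection from "
SUFFIX = r" forwarded to (SSH|SSL)$"

# Exactly 0-255 per octet and 0-65535 for the port, no leading zeros,
# taken verbatim from the rule in the mail above.
OCTET = r"([0-9]|([1-9]|1[0-9]|2[0-4])[0-9]|25[0-5])"
PORT = r"([0-9]|([1-9]|([1-9]|([1-9]|[1-5][0-9]|6[0-4])[0-9]|65[0-4])[0-9]|655[0-2])[0-9]|6553[0-5])"

STRICT = compile_rule(PREFIX + "(" + OCTET + r"\.){3}" + OCTET + ":" + PORT + SUFFIX)
# The loose alternative: "something that looks like digits and dots".
LOOSE = compile_rule(PREFIX + r"[.0-9]{7,15}:[0-9]{4,5}" + SUFFIX)


def ignored(rule, line):
    """True if this ignore rule would suppress the line from the report."""
    return rule.search(line.rstrip()) is not None


# Constructed sample lines (documentation-range addresses, made-up PID).
OK_SSH = "Feb 16 10:00:01 gw sslh[2345]: connection from 192.0.2.10:51234 forwarded to SSH"
OK_SSL = "Feb 16 10:00:02 gw sslh[2345]: connection from 203.0.113.7:443 forwarded to SSL"
BAD_OCTET = "Feb 16 10:00:03 gw sslh[2345]: connection from 999.0.2.10:51234 forwarded to SSH"
BAD_PORT = "Feb 16 10:00:04 gw sslh[2345]: connection from 192.0.2.10:70000 forwarded to SSH"
BAD_PROTO = "Feb 16 10:00:05 gw sslh[2345]: connection from 192.0.2.10:51234 forwarded to TELNET"

if __name__ == "__main__":
    for name, line in (("ok ssh", OK_SSH), ("ok ssl", OK_SSL), ("bad octet", BAD_OCTET),
                       ("bad port", BAD_PORT), ("bad proto", BAD_PROTO)):
        print(f"{name:9}: strict={ignored(STRICT, line)!s:5} loose={ignored(LOOSE, line)}")
```

The loose pattern is wrong in both directions: it swallows 999.0.2.10 and port 70000, values sslh can never log, and it still reports the legitimate connection on port 443 because it insists on four or five digits. The strict rule costs a longer regex but only ever suppresses lines the daemon could actually have produced, which is the property an ignore rule should have.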
[Logcheck-devel] Bug#534724: Bug#534724: Enhanced kernel rules
Frédéric Brière fbri...@fbriere.net wrote:
> Thanks for your contribution. Unfortunately, I don't think anyone has the time to go through these 599 rules and sort out that big pile. From a quick glance, most of these appear to be bootup messages, which are willingly not included in logcheck-database.

What about an ignore.d.restart folder which contains bootup rules and is only parsed when logcheck is called with the -R option?

Hannes
[Logcheck-devel] Bug#542536: logcheck: [PATCH] new ntpd rule - kernel time sync status change
Hi,

at first we should clarify how to handle debian bug #498992.

Hannes
[Logcheck-devel] Bug#542663: Bug#542663: logcheck: /etc/cron.d/logcheck runs too often (now every 2 hours)
Frédéric Brière fbri...@fbriere.net wrote:
> On Thu, Aug 20, 2009 at 08:51:21PM +0300, Jari Aalto wrote:
> > A more appropriate default would be every 24h (once a day).
>
> I can't speak for other people, but when I was sysadmin, I wanted to be informed of any problems *now*, not the day after.

I quite agree.

Hannes
[Logcheck-devel] Bug#535976: patch
Package: logcheck-database Version: 1.3.3 Severity: normal Tags: patch Hi, the attached patch adds ignore.d.server/apcupsd to ignore messages like these Aug 7 18:15:53 berlin apcupsd[2155]: UPS Self Test switch to battery. Aug 7 18:16:00 berlin apcupsd[2155]: UPS Self Test completed: Battery OK The other messages are important and shouldn't be ignored. Hannes -- System Information: Debian Release: squeeze/sid APT prefers testing APT policy: (990, 'testing'), (1, 'experimental') Architecture: amd64 (x86_64) Kernel: Linux 2.6.30.5 (SMP w/2 CPU cores; PREEMPT) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash -- no debconf information --- /etc/logcheck/ignore.d.server/apcupsd.orig 1970-01-01 01:00:00.0 +0100 +++ /etc/logcheck/ignore.d.server/apcupsd 2009-08-19 18:03:11.0 +0200 @@ -0,0 +1 @@ +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ apcupsd\[[[:digit:]]+\]: UPS Self Test (switch to battery.|completed: Battery OK)$
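Review bot: in the added apcupsd rule the `.` in `switch to battery.` is unescaped and therefore matches any character; write `switch to battery\.`, as the other rules in logcheck-database escape their trailing dots. The patch is also taken against the installed copy (`--- /etc/logcheck/ignore.d.server/apcupsd.orig`), so it will not apply to the git tree without path fiddling; a patch against HEAD, as requested in #578749, would be simpler to merge.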
[Logcheck-devel] Bug#542273: please add rule for ext3 writeback data mode
Package: logcheck-database Version: 1.3.3 Severity: wishlist Tags: patch Hi, the attached patch modifies ignore.d.server/kernel to also ignore messages like this Aug 18 20:19:51 t400 kernel: [25946.743205] EXT3-fs: mounted filesystem with writeback data mode. Hannes -- System Information: Debian Release: squeeze/sid APT prefers testing APT policy: (990, 'testing'), (1, 'experimental') Architecture: amd64 (x86_64) Kernel: Linux 2.6.30.5 (SMP w/2 CPU cores; PREEMPT) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash -- no debconf information --- /etc/logcheck/ignore.d.server/kernel.orig 2009-08-07 07:33:06.0 +0200 +++ /etc/logcheck/ignore.d.server/kernel2009-08-07 07:33:24.0 +0200 
@@ -16,7 +16,7 @@ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ kernel:( \[ *[[:digit:]]+\.[[:digit:]]+\])? Copyright \(C\) 20[[:digit:]]+( ?- ?[[:digit:]]+)? MontaVista Software - IPMI Powerdown via sys_reboot\.$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ kernel:( \[ *[[:digit:]]+\.[[:digit:]]+\])? Device not ready\. Make sure there is a disc in the drive\.$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ kernel:( \[ *[[:digit:]]+\.[[:digit:]]+\])? EXT3 FS on [^[:space:]]+, internal journal$ -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ kernel:( \[ *[[:digit:]]+\.[[:digit:]]+\])? EXT3-fs: mounted filesystem with ordered data mode\.$ +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ kernel:( \[ *[[:digit:]]+\.[[:digit:]]+\])? EXT3-fs: mounted filesystem with (ordered|writeback) data mode\.$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ kernel:( \[ *[[:digit:]]+\.[[:digit:]]+\])? Ending clean XFS mount for filesystem: [[:alnum:]]+$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ kernel:( \[ *[[:digit:]]+\.[[:digit:]]+\])? IPMI System Interface driver\.$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ kernel:( \[ *[[:digit:]]+\.[[:digit:]]+\])? IPMI Watchdog: driver initialized$
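Review bot: the patch paths (`--- /etc/logcheck/ignore.d.server/kernel.orig`, `+++ /etc/logcheck/ignore.d.server/kernel`) are the installed files rather than the repository's rule files, so it only applies with -p0 from / and needs regenerating against git HEAD, as asked for in #578749, before it can be committed. The replaced line itself is fine: `(ordered|writeback)` keeps the escaped trailing `\.` and the optional `( \[ *[[:digit:]]+\.[[:digit:]]+\])?` uptime group that the example line `[25946.743205] EXT3-fs: mounted filesystem with writeback data mode.` relies on.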