[Logcheck-devel] Bug#588285: Bug#588285: logcheck: Additional rules to ignore successful kerberos authentication

2010-07-08 Thread Michel Messerschmidt
On Tue, Jul 06, 2010 at 06:26:10PM -0700, Russ Allbery wrote:
> I wonder if the right way of handling this would be to instead install a
> logcheck rule as part of the libpam-krb5 package that looks something
> like:
>
> ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ [[:alnum:]]+(\[[0-9]+\])?: pam_krb5\([[:alnum:]]+:auth\): user [[:alnum:]-]+ authenticated as [[:alnum:]...@-]+$

Ok works fine for me now.

Your rule matches all pam_krb5 success messages on my systems besides 
dovecot, because it uses dovecot-auth as the process name.
I propose to enhance the rule to:
  ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ [[:alnum:]-]+(\[[0-9]+\])?: pam_krb5\([[:alnum:]]+:auth\): user [[:alnum:]-]+ authenticated as [[:alnum:]...@-]+$




___
Logcheck-devel mailing list
Logcheck-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/mailman/listinfo/logcheck-devel
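
The difference between the two rules in the message above, checked with `grep -E` against constructed syslog lines (an added example, not part of the thread or of the logcheck package). The principal character class is truncated in this archive, so `PRINC` is an assumed stand-in, and the variable and function names are illustrative.

```shell
#!/bin/sh
# Added example: compare the two pam_krb5 ignore rules from the thread.
LC_ALL=C; export LC_ALL

# ASSUMPTION: the archive truncated the principal class to "[[:alnum:]...@-]";
# PRINC is a stand-in for it, not the rule text that was committed.
PRINC='[[:alnum:]/.@-]+'
HEAD='^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ '
TAIL='(\[[0-9]+\])?: pam_krb5\([[:alnum:]]+:auth\): user [[:alnum:]-]+ authenticated as '"$PRINC"'$'
RULE_ORIG="${HEAD}[[:alnum:]]+${TAIL}"   # process name: alphanumerics only
RULE_NEW="${HEAD}[[:alnum:]-]+${TAIL}"   # process name: hyphen also allowed

# Constructed syslog lines (host, users, realm and address are made up).
sample_log() {
cat <<'EOF'
Jul  8 10:15:01 mail sshd[4321]: pam_krb5(sshd:auth): user alice authenticated as alice@EXAMPLE.ORG
Jul  8 10:15:02 mail dovecot-auth: pam_krb5(dovecot:auth): user bob authenticated as bob@EXAMPLE.ORG
Jul  8 10:15:03 mail sshd[4400]: pam_krb5(sshd:auth): authentication failure; logname=carol uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.7
EOF
}

# Print the lines a rule does NOT ignore, i.e. what would still be reported.
reported() { sample_log | grep -E -v -- "$1"; }
# Count those lines.
reported_count() { reported "$1" | grep -c ''; }

echo "original rule still reports:"; reported "$RULE_ORIG"
echo "enhanced rule still reports:"; reported "$RULE_NEW"
```

With the original rule the `dovecot-auth` success line is still reported alongside the failure; with the enhanced rule only the failure line remains.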


[Logcheck-devel] Bug#588285: Bug#588285: logcheck: Additional rules to ignore successful kerberos authentication

2010-07-08 Thread Hannes von Haugwitz

Michel Messerschmidt wrote:
> On Tue, Jul 06, 2010 at 06:26:10PM -0700, Russ Allbery wrote:
> > I wonder if the right way of handling this would be to instead install a
> > logcheck rule as part of the libpam-krb5 package that looks something
> > like:
> >
> > ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ [[:alnum:]]+(\[[0-9]+\])?: pam_krb5\([[:alnum:]]+:auth\): user [[:alnum:]-]+ authenticated as [[:alnum:]...@-]+$
>
> Ok works fine for me now.
>
> Your rule matches all pam_krb5 success messages on my systems besides
> dovecot, because it uses dovecot-auth as the process name.
>
> I propose to enhance the rule to:
>   ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ [[:alnum:]-]+(\[[0-9]+\])?: pam_krb5\([[:alnum:]]+:auth\): user [[:alnum:]-]+ authenticated as [[:alnum:]...@-]+$




Valid point. Fixed in e786dd9.

Greetings

Hannes





[Logcheck-devel] Bug#588285: Bug#588285: logcheck: Additional rules to ignore successful kerberos authentication

2010-07-07 Thread Michel Messerschmidt
On Tue, Jul 06, 2010 at 06:26:10PM -0700, Russ Allbery wrote:
> I wonder if the right way of handling this would be to instead install a
> logcheck rule as part of the libpam-krb5 package that looks something

This would be the preferred solution for me.
I just haven't found a way to configure logcheck to match log messages
from one daemon against arbitrary rule files. For example, log messages
from sudo will be matched against /etc/logcheck/ignore.d.server/sudo 
but not against /etc/logcheck/ignore.d.server/libpam.







[Logcheck-devel] Bug#588285: Bug#588285: logcheck: Additional rules to ignore successful kerberos authentication

2010-07-07 Thread Russ Allbery
Michel Messerschmidt li...@michel-messerschmidt.de writes:
> On Tue, Jul 06, 2010 at 06:26:10PM -0700, Russ Allbery wrote:
>
> > I wonder if the right way of handling this would be to instead install a
> > logcheck rule as part of the libpam-krb5 package that looks something
>
> This would be the preferred solution for me.
> I just haven't found a way to configure logcheck to match log messages
> from one daemon against arbitrary rule files. For example, log messages
> from sudo will be matched against /etc/logcheck/ignore.d.server/sudo
> but not against /etc/logcheck/ignore.d.server/libpam.

Hm, that doesn't sound right to me; I've dropped additional files into
that directory before and have had them match a variety of daemon names.
Also, note the Postfix rules and how they match all sorts of different
daemon names.  I think something else might have been broken.

-- 
Russ Allbery (r...@debian.org)   http://www.eyrie.org/~eagle/





[Logcheck-devel] Bug#588285: Bug#588285: logcheck: Additional rules to ignore successful kerberos authentication

2010-07-06 Thread Russ Allbery
Michel Messerschmidt li...@michel-messerschmidt.de writes:

> Many of my logcheck reports are triggered by regular user authentication
> against kerberos enabled services.
> Here are rules to ignore authentication success messages for some common
> daemons.
>
> violations.ignore.d/logcheck-sudo:
> ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sudo: pam_krb5+\(sudo:auth\): user [[:alnum:]-]+ authenticated as [[:alnum:]...@-]+$
>
> ignore.d.server/cups-lpd:
> ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ cupsd: pam_krb5\(cups:auth\): user [[:alnum:]-]+ authenticated as [[:alnum:]...@-]+$
>
> ignore.d.server/ssh:
> ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: pam_krb5\(sshd:auth\): user [[:alnum:]-]+ authenticated as [[:alnum:]...@-]+$
>
> ignore.d.workstation/gdm:
> ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ gdm\[[0-9]+\]: pam_krb5\(gdm:auth\): user [[:alnum:]-]+ authenticated as [[:alnum:]...@-]+$

I wonder if the right way of handling this would be to instead install a
logcheck rule as part of the libpam-krb5 package that looks something
like:

^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ [[:alnum:]]+(\[[0-9]+\])?: pam_krb5\([[:alnum:]]+:auth\): user [[:alnum:]-]+ authenticated as [[:alnum:]...@-]+$

or if that would be too general.

-- 
Russ Allbery (r...@debian.org)   http://www.eyrie.org/~eagle/


