Hi,
Like Gerfried said, please file different bug reports for different
packages the next time.
Some comments about your rule suggestions:
Radosław Antoniuk wrote:
#dkimproxy
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dkimproxy.out\[[0-9]+\]: connect from .*$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dkimproxy.out\[[0-9]+\]: DKIM signing - signed; .*$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dkimproxy.out\[[0-9]+\]: DKIM signing - skipped; .*$
No rules at all.
Jul 7 12:39:21 hosting dkimproxy.out[1508]: DKIM signing - skipped; message-id=<cb42d0dfb3a2eb598e162cfe3b6ea...@www.xyz.com>, from=<em...@dot.com>
Jul 7 12:39:21 hosting dkimproxy.out[1508]: DKIM signing - signed; message-id=<cb42d0dfb3a2eb598e162cfe3b6ea...@www.xyz.com>, from=<em...@dot.com>
Jul 7 12:39:21 hosting dkimproxy.out[1508]: connect from 127.0.0.1
I don't see the need for the wildcard .* here.
#ssh
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: error writing /proc/self/oom_adj: Operation not permitted$
Not there.
Looks like an error to me, maybe #555625?
#ntp
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ntpd\[[0-9]+\]: kernel time sync status change 4001
No config at all
This message shouldn't occur anymore (see #498992).
#syslog-ng
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ syslog-ng\[[0-9]+\]: Log statistics;.*$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ syslog-ng\[[0-9]+\]: Configuration reload request received, reloading configuration;$
syslog-ng[31823]: Log statistics; processed='destination(d_error)=3',
processed='destination(d_messages)=298',
processed='src.internal(s_src#1)=90',
stamp='src.internal(s_src#1)=1278499023',
processed='destination(d_syslog)=90', processed='center(received)=0',
processed='destination(d_xconsole)=3',
processed='destination(d_newscrit)=0',
processed='destination(d_auth)=1452',
processed='destination(d_daemon)=1',
processed='global(payload_reallocs)=0',
processed='global(msg_clones)=0', processed='destination(d_mail)=64',
processed='destination(d_cron)=711',
processed='destination(d_kern)=132',
processed='destination(d_uucp)=0', processed='destination(d_debug)=4',
processed='destination(d_lpr)=0', processed='destination(d_user)=76',
processed='center(queued)=0', processed='global(sdata_updates)=0',
processed='destination(d_newsnotice)=0',
processed='destination(d_console_all)=3',
processed='destination(d_console)=1', processed='source(s_src)=2530',
processed='destination(d_newserr)=0'
Also no need for the wildcard .* .
#shorewall
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: Shorewall:.*$
Shorewall can log to an outside file. Logging to syslog is causing
every packet drop to be in logcheck.
Example:
Jul 7 12:40:04 dev kernel: Shorewall:net2fw:DROP:IN=venet0 OUT= PHYSIN=eth0 MAC= SRC=X.Y.Z.A DST=A.B.C.D LEN=404 TOS=0x00 PREC=0x00 TTL=32 ID=54796 PROTO=UDP SPT=2368 DPT=1434 LEN=384
If you enable syslog logging you should know what you're doing. If not,
disable the feature.
#libpam-cracklib
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ cracklib: no dictionary update necessary.$
Not there.
Rule is part of the cracklib-runtime package
(/etc/logcheck/ignore.d.paranoid/cracklib-runtime).
#modprobe?
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ modprobe: WARNING: Not loading blacklisted module ipv6.$
Should be in fact:
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ modprobe: WARNING: Not loading blacklisted module [[:alnum:]]+$
I tend to not add this rule by default. The user should be informed at
least once about the blacklisted module, so he can react accordingly
(for instance by adding the rule above to the local rule set).
#rsyncd
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ rsyncd\[[0-9]+\]: file has vanished: .*$
Not there.
I guess the wildcard .* represents a file name; so here, too, no need for
a wildcard.
#netatalk
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: server_child\[[[:xdigit:]]+\] [[:xdigit:]]+ exited 1$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: uams_dhx_pam.c :PAM: PAM Success$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: uams_dhx_pam.c :PAM: PAM Auth OK!$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: login [[:alpha:]]+ \(uid [[:xdigit:]]+, gid [[:xdigit:]]+\) AFP3.1$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: dhx login: [[:alpha:]]+$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: ipc_read: command: .*$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: Setting clientid .*$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: pc_get_session: .*$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: bad function .*$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: ASIP session:.*$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: afp_alarm: child timed out$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: [[:alpha:]]+ read, [[:alpha:]]+ written$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: Connection terminated$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: server_child\[[[:xdigit:]]+\] [[:xdigit:]]+ exited 1$
No rules at all.
There are rule files in the netatalk package
(/etc/logcheck/ignore.d.server/netatalk,
/etc/logcheck/violations.ignore.d/netatalk).
Greetings,
Hannes
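
The wildcard objection in the dkimproxy comments above can be checked by running the proposed rules and an anchored variant over the same log with `grep -E -v`, which is how ignore rules suppress lines. This is an added example, not part of the original message: the anchored patterns, the sample addresses and the fourth log line are constructed assumptions, and the day is space-padded as syslog writes it.

```sh
#!/bin/sh
# Constructed sample log. Line 4 is a hypothetical message, used only to
# show what a trailing .* would also suppress.
sample_log() {
cat <<'EOF'
Jul  7 12:39:21 hosting dkimproxy.out[1508]: connect from 127.0.0.1
Jul  7 12:39:21 hosting dkimproxy.out[1508]: DKIM signing - signed; message-id=<abc123@www.example.com>, from=<user@example.com>
Jul  7 12:39:22 hosting dkimproxy.out[1508]: DKIM signing - skipped; message-id=<abc124@www.example.com>, from=<user@example.com>
Jul  7 12:39:23 hosting dkimproxy.out[1508]: connect from 127.0.0.1 rejected: too many connections
EOF
}

# Common prefix, as used by the rules in the message.
PREFIX='^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dkimproxy.out\[[0-9]+\]: '

# The rules as proposed, ending in a wildcard.
WILDCARD="${PREFIX}connect from .*\$
${PREFIX}DKIM signing - signed; .*\$
${PREFIX}DKIM signing - skipped; .*\$"

# Anchored variants (assumed patterns): an address only, and the two
# bracketed fields only, with nothing allowed after them.
TIGHT="${PREFIX}connect from [.:[:xdigit:]]+\$
${PREFIX}DKIM signing - (signed|skipped); message-id=<[^<>]+>, from=<[^<>]+>\$"

# Lines that survive the ignore rules, i.e. what would end up in the report.
# $1 is a newline-separated list of extended regular expressions.
reported() { sample_log | grep -E -v -e "$1" || true; }
reported_count() { sample_log | grep -E -v -c -e "$1" || true; }

echo "wildcard rules report $(reported_count "$WILDCARD") line(s)"
echo "anchored rules report $(reported_count "$TIGHT") line(s):"
reported "$TIGHT"
```

With the wildcard rules nothing is reported; with the anchored rules the three routine lines are still ignored and only the unexpected fourth line remains.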