Hi,

Like Gerfried said, please file different bug reports for different packages the next time.

Some comments about your rule suggestions:

Radosław Antoniuk wrote:
#dkimproxy
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dkimproxy.out\[[0-9]+\]: connect from .*$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dkimproxy.out\[[0-9]+\]: DKIM signing - signed; .*$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dkimproxy.out\[[0-9]+\]: DKIM signing - skipped; .*$

No rules at all.


Jul  7 12:39:21 hosting dkimproxy.out[1508]: DKIM signing - skipped;
message-id=<cb42d0dfb3a2eb598e162cfe3b6ea...@www.xyz.com>,
from=<em...@dot.com>
Jul  7 12:39:21 hosting dkimproxy.out[1508]: DKIM signing - signed;
message-id=<cb42d0dfb3a2eb598e162cfe3b6ea...@www.xyz.com>,
from=<em...@dot.com>
Jul  7 12:39:21 hosting dkimproxy.out[1508]: connect from 127.0.0.1


I don't see the need for the wildcard .* here.


#ssh
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: error writing /proc/self/oom_adj: Operation not permitted$

Not there.


Looks like an error to me, maybe #555625?

#ntp
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ntpd\[[0-9]+\]: kernel time sync status change 4001

No config at all


This message shouldn't occur anymore (see #498992).


#syslog-ng
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ syslog-ng\[[0-9]+\]: Log statistics;.*$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ syslog-ng\[[0-9]+\]: Configuration reload request received, reloading configuration;$


syslog-ng[31823]: Log statistics; processed='destination(d_error)=3',
processed='destination(d_messages)=298',
processed='src.internal(s_src#1)=90',
stamp='src.internal(s_src#1)=1278499023',
processed='destination(d_syslog)=90', processed='center(received)=0',
processed='destination(d_xconsole)=3',
processed='destination(d_newscrit)=0',
processed='destination(d_auth)=1452',
processed='destination(d_daemon)=1',
processed='global(payload_reallocs)=0',
processed='global(msg_clones)=0', processed='destination(d_mail)=64',
processed='destination(d_cron)=711',
processed='destination(d_kern)=132',
processed='destination(d_uucp)=0', processed='destination(d_debug)=4',
processed='destination(d_lpr)=0', processed='destination(d_user)=76',
processed='center(queued)=0', processed='global(sdata_updates)=0',
processed='destination(d_newsnotice)=0',
processed='destination(d_console_all)=3',
processed='destination(d_console)=1', processed='source(s_src)=2530',
processed='destination(d_newserr)=0'



Also no need for the wildcard .*.

#shorewall
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: Shorewall:.*$

Shorewall can log to an outside file. Logging to syslog is causing
every packet drop to be in logcheck.
Example:

Jul  7 12:40:04 dev kernel: Shorewall:net2fw:DROP:IN=venet0 OUT=
PHYSIN=eth0 MAC= SRC=X.Y.Z.A DST=A.B.C.D LEN=404 TOS=0x00 PREC=0x00
TTL=32 ID=54796 PROTO=UDP SPT=2368 DPT=1434 LEN=384


If you enable syslog logging you should know what you're doing. If not, disable the feature.

#libpam-cracklib
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ cracklib: no dictionary update necessary.$

Not there.

Rule is part of the cracklib-runtime package (/etc/logcheck/ignore.d.paranoid/cracklib-runtime).


#modprobe?
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ modprobe: WARNING: Not loading blacklisted module ipv6.$

Should be in fact:
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ modprobe: WARNING: Not loading blacklisted module [:alnum:]+$


I tend to not add this rule by default. The user should be informed at least once about the blacklisted module, so he can react accordingly (for instance by adding the rule above to the local rule set).


#rsyncd
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ rsyncd\[[0-9]+\]: file has vanished: .*$


Not there.

I guess the wildcard .* represents a file name; so here, too, no need for a wildcard.



#netatalk
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: server_child[[:xdigit:]+] [:xdigit:]+ exited 1$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: uams_dhx_pam.c :PAM: PAM Success$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: uams_dhx_pam.c :PAM: PAM Auth OK!$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: login [:alpha:]+ (uid [:xdigit:]+, gid [:xdigit:]+) AFP3.1$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: dhx login: [:alpha:]+$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: ipc_read: command: .*$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: Setting clientid .*$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: pc_get_session: .*$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: bad function .*$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: ASIP session:.*$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: afp_alarm: child timed out$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: [:alpha:]+ read, [:alpha:]+ written$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: Connection terminated$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: server_child[[:xdigit:]+] [:xdigit:]+ exited 1$

No rules at all.


There are rule files in the netatalk package (/etc/logcheck/ignore.d.server/netatalk, /etc/logcheck/violations.ignore.d/netatalk).

Greetings,

Hannes



_______________________________________________
Logcheck-devel mailing list
Logcheck-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/mailman/listinfo/logcheck-devel
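
Added example, not part of the original mail or of logcheck itself: a way to check what the trailing .* in the dkimproxy rules costs, by running a loose and a tighter rule set over sample lines with grep -E. The tighter patterns, the function names and the sample lines (including the fourth, anomalous one) are constructed for illustration, and `grep -E -v -f` is assumed here as an approximation of logcheck's filtering.

```shell
#!/bin/sh
# Compare logcheck-style ignore rules: which lines would still be reported?

# Constructed sample log lines (one syslog message per line).
sample_lines() {
cat <<'EOF'
Jul  7 12:39:21 hosting dkimproxy.out[1508]: connect from 127.0.0.1
Jul  7 12:39:21 hosting dkimproxy.out[1508]: DKIM signing - signed; message-id=<abc123@www.example.com>, from=<user@example.com>
Jul  7 12:39:21 hosting dkimproxy.out[1508]: DKIM signing - skipped; message-id=<abc123@www.example.com>, from=<user@example.com>
Jul  7 12:39:22 hosting dkimproxy.out[1508]: connect from 127.0.0.1 unexpected trailing text
EOF
}

# Common rule prefix: timestamp, host name, program name and PID.
PREFIX='^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dkimproxy\.out\[[0-9]+\]: '

# Rules as suggested in the thread: anything may follow the fixed text.
loose_rules() {
  printf '%s\n' \
    "${PREFIX}connect from .*\$" \
    "${PREFIX}DKIM signing - (signed|skipped); .*\$"
}

# Hypothetical tighter rules: only the fields the messages really carry.
tight_rules() {
  printf '%s\n' \
    "${PREFIX}connect from [.0-9]+\$" \
    "${PREFIX}DKIM signing - (signed|skipped); message-id=<[^>]+>, from=<[^>]+>\$"
}

# Print the sample lines that no rule matches, i.e. what would be mailed
# to the administrator. $1 is the name of a function that prints rules.
still_reported() {
  rules=$(mktemp) || return 1
  "$1" > "$rules"
  status=0
  sample_lines | LC_ALL=C grep -E -v -f "$rules" || status=$?
  rm -f "$rules"
  [ "$status" -le 1 ]   # grep status 1 only means "every line was ignored"
}

echo "Still reported with the loose rules:"
still_reported loose_rules
echo "Still reported with the tighter rules:"
still_reported tight_rules
```

The loose rules ignore all four lines, while the tighter ones leave the anomalous line in the report.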
