Package: logcheck-database
Version: 1.2.54
Severity: wishlist
Here are two more ignore rules for cron-apt, when it is set to always
use syslog:
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ cron-apt: CRON-APT LINE:
(/usr/bin/apt-get )?autoclean -y$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+
Package: logcheck-database
Version: 1.2.54
Severity: wishlist
Enabling reject_unknown_sender_domain allows one to filter out some of
the crap that spammers send, but it often generates one or two warnings.
Here are some ignore rules to weed those out:
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+
Package: logcheck-database
Version: 1.2.54
Severity: wishlist
I have BIND set up as an authoritative server to the outside world, and
as a recursive server to myself. Once or twice a day, someone will try
to resolve some external hostname through me, which I disallow via
allow-query. BIND
Package: logcheck-database
Version: 1.2.54
Severity: wishlist
Every once in a while, someone will connect to my Postfix server and
issue an ETRN for a foreign domain. By default, Postfix only allows
ETRNs for $relay_domains, and will thus reject the request, issuing a
warnings that gets picked
Package: logcheck-database
Version: 1.2.54
Severity: normal
violations.ignore.d/logcheck-postfix includes the following rule:
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/smtpd\[[[:digit:]]+\]:
warning: [-._[:alnum:]]+\[[.[:digit:]]+\]: SASL
(LOGIN|PLAIN|(DIGEST|CRAM)-MD5|APOP)
Package: logcheck-database
Version: 1.2.54
Severity: wishlist
In addition to seeing warnings from bind about REFUSED and SERVFAIL
unexpected RCODE, I'm also getting from 15 in my logs as well, from
various unrelated hosts. This doesn't occur nearly as frequently as the
other two, but still
Package: logcheck-database
Version: 1.2.54
Severity: normal
ignore.d.server/postfix includes this rule:
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]: warning: no MX
host for [^[:space:]]+ has a valid A record$
I have two such warnings in my logs, but they say valid address
reopen 437752
retitle 437752 logcheck-database: backport postfix valid_hostname rules
thanks
On Tue, Aug 14, 2007 at 02:14:37PM -0400, Frédéric Brière wrote:
I see that all three rules were already added in 1.2.56. Thanks guys!
Dang. It would appear that postfix's wording changed between 2.3
On Mon, Sep 24, 2007 at 06:55:34PM -0400, Justin Pryzby wrote:
Aren't some of these worth reporting? eg. REFUSED and NOTAUTH are
probably okay for a workstation.
But regardless of whether that would be better or not, you can't let
them through at workstation level without opening the
Package: logcheck-database
Version: 1.2.62
Severity: wishlist
File: /etc/logcheck/ignore.d.workstation/kernel
Messages like these are triggered by the zaurus kernel module when I put
my Sharp Zaurus in its USB cradle, or when I take it out:
usb0: register 'zaurus' at usb-:00:07.2-2, Sharp
Package: logcheck
Version: 1.2.62
Severity: wishlist
Here are two rules for ddclient, a client for dynamic IP services such
as DynDNS or DynIP:
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ddclient\[[[:digit:]]+\]: SUCCESS:
updating [._[:alnum:]-]+: good: IP address set to [:[:xdigit:].]+$
^\w{3} [
Package: logcheck
Version: 1.2.62
Severity: wishlist
Yeah, I know, I'm the only person left who's foolish enough to run
telnetd. <g> But just in case there's someone else out there, here are
two rules to weed out the boring stuff:
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ in\.telnetd\[[[:digit:]]+\]:
Package: logcheck-database
Version: 1.2.62
Severity: normal
File: /etc/logcheck/ignore.d.server/tftpd
This rule complements the other two added by #333456, and suppresses the
message issued when the requested filename is relative, or is treated as
such due to the -s switch:
^\w{3} [ :0-9]{11}
Package: logcheck-database
Version: 1.2.62
Severity: normal
File: /etc/logcheck/violations.ignore.d/logcheck-ssh
Somewhere between etch and now, ssh stopped reporting failed passwords
as error: PAM: Authentication failure for foo, and switched to Failed
password for foo, similar to what it
Package: logcheck-database
Version: 1.2.62
Severity: wishlist
File: /etc/logcheck/ignore.d.server/ssh
openssh issues a friendly warning when the remote IP maps back to a
hostname that looks just like an IP address. (For example, the address
206.251.174.31 currently maps back to the hostname
Package: logcheck-database
Version: 1.2.62
Severity: normal
File: /etc/logcheck/ignore.d.server/dspam
The dspam rulefile uses the [.0-9]+{7,15} pattern for IP addresses,
which wrongfully combines two quantifiers.
-- System Information:
Debian Release: lenny/sid
APT prefers unstable
APT
On Tue, Oct 02, 2007 at 10:58:32PM -0400, Frédéric Brière wrote:
Somewhere between etch and now, ssh stopped reporting failed passwords
as error: PAM: Authentication failure for foo, and switched to Failed
password for foo, similar to what it already did for unknown users, but
I was actually
Package: logcheck
Version: 1.2.62
Severity: wishlist
Yesterday, while running logcheck against all my syslogs for the week, I
started bemoaning how long the whole thing was taking (over 9 minutes
for 4 megs). I wondered if maybe one bad regex was stalling the whole
thing, but the debug output
Signed-off-by: Frédéric Brière [EMAIL PROTECTED]
---
rulefiles/linux/ignore.d.server/proftpd |2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/rulefiles/linux/ignore.d.server/proftpd
b/rulefiles/linux/ignore.d.server/proftpd
index 98d28bb..f7b9d3b 100644
--- a/rulefiles
Signed-off-by: Frédéric Brière [EMAIL PROTECTED]
---
rulefiles/linux/ignore.d.server/proftpd |4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/rulefiles/linux/ignore.d.server/proftpd
b/rulefiles/linux/ignore.d.server/proftpd
index f7b9d3b..2c08335 100644
Signed-off-by: Frédéric Brière [EMAIL PROTECTED]
---
rulefiles/linux/ignore.d.workstation/proftpd |2 +-
.../linux/violations.ignore.d/logcheck-proftpd |8
2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/rulefiles/linux/ignore.d.workstation/proftpd
b
Signed-off-by: Frédéric Brière [EMAIL PROTECTED]
---
rulefiles/linux/ignore.d.server/proftpd |4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/rulefiles/linux/ignore.d.server/proftpd
b/rulefiles/linux/ignore.d.server/proftpd
index 2c08335..430bed7 100644
Signed-off-by: Frédéric Brière [EMAIL PROTECTED]
---
.../linux/violations.ignore.d/logcheck-proftpd |2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/rulefiles/linux/violations.ignore.d/logcheck-proftpd
b/rulefiles/linux/violations.ignore.d/logcheck-proftpd
index
Signed-off-by: Frédéric Brière [EMAIL PROTECTED]
---
rulefiles/linux/ignore.d.server/proftpd |2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/rulefiles/linux/ignore.d.server/proftpd
b/rulefiles/linux/ignore.d.server/proftpd
index 430bed7..be1433f 100644
--- a/rulefiles
Signed-off-by: Frédéric Brière [EMAIL PROTECTED]
---
rulefiles/linux/ignore.d.server/openvpn |2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/rulefiles/linux/ignore.d.server/openvpn
b/rulefiles/linux/ignore.d.server/openvpn
index 68ebf8f..c57e3cb 100644
--- a/rulefiles
This occurs when a peer issues a RST. There seem to be some bad DNS
servers out there; I'm getting a burst of these about once a week.
Signed-off-by: Frédéric Brière [EMAIL PROTECTED]
---
rulefiles/linux/ignore.d.server/bind |1 +
1 files changed, 1 insertions(+), 0 deletions(-)
diff
This line is issued when first setting up a dynamic DNS zone; BIND will
then create a journal where it will log client updates.
Signed-off-by: Frédéric Brière [EMAIL PROTECTED]
---
rulefiles/linux/ignore.d.server/bind |1 +
1 files changed, 1 insertions(+), 0 deletions(-)
diff --git
These are issued when attempting to remove a nonexistent user with
saslpasswd2. (Actually, DB_NOTFOUND occurs when adding a new user as
well.) The message is already displayed on the command line, no need to
repeat it one hour later.
Signed-off-by: Frédéric Brière [EMAIL PROTECTED
I see that this openvpn rule has been modified to no longer attach the
:port part to [undef] -- probably to reflect a recent change in
openvpn. Unfortunately, the rule no longer matches in etch, thus
breaking the backport.
Here's a patch to match both versions.
Signed-off-by: Frédéric Brière
Here are two more error messages that can occur with a screwed-up
DIGEST-MD5 authentication. (And I'm sure there are many more.)
(BTW, just for the record, the preceding SASL rule should ideally be
case-insensitive.)
Signed-off-by: Frédéric Brière [EMAIL PROTECTED]
---
.../linux
This makes the PID part of PAM session rules optional, as sudo is now
calling pam_open_session() and pam_close_session() since 1.6.9, and does
not include a PID in its call to pam_start().
Signed-off-by: Frédéric Brière [EMAIL PROTECTED]
---
rulefiles/linux/ignore.d.server/logcheck |4
On Fri, Jan 25, 2008 at 12:53:13AM -0500, Frédéric Brière wrote:
This makes the PID part of PAM session rules optional, as sudo is now
Which won't do much good, since these rules only apply to root. (Well,
the open session one at least; the close session matches anyway.)
I guess I should copy
Here are rules to cover headsetd, included in bluetooth-alsa. (Despite
being a daemon, it's currently meant to be run by users, so I'm including
the start/stop messages in here.)
Signed-off-by: Frédéric Brière [EMAIL PROTECTED]
---
.../linux/ignore.d.workstation/bluetooth-alsa |9
---
rulefiles/linux/ignore.d.workstation/kernel |2 ++
1 files changed, 2 insertions(+), 0 deletions(-)
diff --git a/rulefiles/linux/ignore.d.workstation/kernel b/rulefiles/linux/ignore.d.workstation/kernel
index ccb4aba..767196a 100644
--- a/rulefiles/linux/ignore.d.workstation/kernel
+++
---
rulefiles/linux/ignore.d.server/bind |1 -
rulefiles/linux/violations.ignore.d/logcheck-bind |2 +-
2 files changed, 1 insertions(+), 2 deletions(-)
diff --git a/rulefiles/linux/ignore.d.server/bind
b/rulefiles/linux/ignore.d.server/bind
index a26e232..75ef149 100644
---
rulefiles/linux/ignore.d.server/tftpd |1 +
1 files changed, 1 insertions(+), 0 deletions(-)
diff --git a/rulefiles/linux/ignore.d.server/tftpd b/rulefiles/linux/ignore.d.server/tftpd
index e45bce5..609715d 100644
--- a/rulefiles/linux/ignore.d.server/tftpd
+++
---
rulefiles/linux/ignore.d.server/ssh |1 +
1 files changed, 1 insertions(+), 0 deletions(-)
diff --git a/rulefiles/linux/ignore.d.server/ssh b/rulefiles/linux/ignore.d.server/ssh
index 6c547de..30c0474 100644
--- a/rulefiles/linux/ignore.d.server/ssh
+++
---
rulefiles/linux/violations.ignore.d/logcheck-ssh |2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/rulefiles/linux/violations.ignore.d/logcheck-ssh b/rulefiles/linux/violations.ignore.d/logcheck-ssh
index ce15db1..08407d5 100644
---
---
rulefiles/linux/ignore.d.paranoid/bind |2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/rulefiles/linux/ignore.d.paranoid/bind b/rulefiles/linux/ignore.d.paranoid/bind
index 3391e47..2775af7 100644
--- a/rulefiles/linux/ignore.d.paranoid/bind
+++
---
rulefiles/linux/ignore.d.workstation/kernel |2 ++
1 files changed, 2 insertions(+), 0 deletions(-)
diff --git a/rulefiles/linux/ignore.d.workstation/kernel b/rulefiles/linux/ignore.d.workstation/kernel
index ccb4aba..cb2aa6e 100644
--- a/rulefiles/linux/ignore.d.workstation/kernel
+++
---
rulefiles/linux/ignore.d.server/ddclient |2 ++
1 files changed, 2 insertions(+), 0 deletions(-)
create mode 100644 rulefiles/linux/ignore.d.server/ddclient
diff --git a/rulefiles/linux/ignore.d.server/ddclient b/rulefiles/linux/ignore.d.server/ddclient
new file mode 100644
index
---
rulefiles/linux/ignore.d.server/telnetd |2 ++
1 files changed, 2 insertions(+), 0 deletions(-)
create mode 100644 rulefiles/linux/ignore.d.server/telnetd
diff --git a/rulefiles/linux/ignore.d.server/telnetd b/rulefiles/linux/ignore.d.server/telnetd
new file mode 100644
index
---
rulefiles/linux/ignore.d.server/dspam |4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/rulefiles/linux/ignore.d.server/dspam b/rulefiles/linux/ignore.d.server/dspam
index 1f22fc9..96b671c 100644
--- a/rulefiles/linux/ignore.d.server/dspam
+++
---
rulefiles/linux/violations.ignore.d/logcheck-ssh |2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/rulefiles/linux/violations.ignore.d/logcheck-ssh b/rulefiles/linux/violations.ignore.d/logcheck-ssh
index ce15db1..1b8f595 100644
---
Since version 1.6.9 (changeset 577), sudo calls pam_open_session() and
pam_close_session(). These rules were copied from logcheck-su.
---
rulefiles/linux/violations.ignore.d/logcheck-sudo |2 ++
1 files changed, 2 insertions(+), 0 deletions(-)
diff --git
On Thu, Jan 24, 2008 at 04:16:25AM -0500, Frédéric Brière wrote:
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ named\[[0-9]+\]: client [.#[:digit:]]+:
updating zone '[-._[:alnum:]]+/IN': (adding an RR|deleting rrset) at
'phentex.dynamic.gxd.ca' A$
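Review bot: the added `named` rule in this `+` line hard-codes the record name 'phentex.dynamic.gxd.ca', so it only suppresses dynamic-update log lines for that single host in the submitter's own zone and would be useless for anyone else; replace the literal with the same `[-._[:alnum:]]+` class that the line already uses for the zone name, and keep the trailing `A$` anchor so that only A-record updates are ignored while updates to other record types still surface.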
Dammit. That was obviously meant to be '[-._[:alnum
There are nearly two dozen different possible error messages from the
various SASL modules used by postfix for authentication -- listing them
all would probably be a futile effort.
---
.../linux/violations.ignore.d/logcheck-postfix |2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
Martin, I see you were already bitten by this with postfix last year.
Should we try to come up with a generic rule that matches any
application, since this comes from the bowels of libc6?
--
Being overloaded is the sign of a true Debian maintainer.
-- JHM on #Debian
This (useless, IMO) message is issued by libpam-mount when checking whether
or not a volume is already mounted.
Since pam_mount is typically invoked by various login services (login, ssh,
xdm, etc.), it's probably best to leave this field blank instead of trying
to list them all.
---
[Sorry 'bout the delay.]
On Wed, Mar 05, 2008 at 10:08:58AM +0100, martin f krafft wrote:
I think you should get an alioth account so that we can just let you
commit directly to the Git tree.
fbriere-guest. I've had an ITP rotting there since forever. <g>
I do like the warm fuzzy feeling of
Frédéric Brière [EMAIL PROTECTED] wrote:
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ proftpd\[[0-9]+\]:? [._[:alnum:]-]+
\([:._[:alnum:]-]+\[[.:[:xdigit:]]+\]\)(:| -) USER [-_.[:alnum:]]+: no such
user found from [.:_[:alnum:]-]+ \[[.:[:xdigit:]]+\] to
[.:[:xdigit:]]+:[[:digit:]]{2,5}$
+^\w{3
Frédéric Brière [EMAIL PROTECTED] wrote:
This makes the PID part of PAM session rules optional, as sudo is now
calling pam_open_session() and pam_close_session() since 1.6.9, and does
not include a PID in its call to pam_start().
Not anymore; 1.6.9p11-2 added pam_permit.so to sudo.pam, thus
On Wed, Oct 31, 2007 at 07:56:55PM -0400, Justin Pryzby wrote:
I am running postfix with postgrey for graylisting and I'm getting tons
of :
Oct 31 16:20:21 hermes postfix/smtpd[6778]: NOQUEUE: reject: RCPT from
$HOST[$IP]: 450 4.2.0 : Sender address rejected: Server unavailable.
# Commit acfc5abe39855886333fe545182c5d56f04e455e
tag 446356 pending
thanks
In article [EMAIL PROTECTED] you wrote:
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ named\[[0-9]+\]: enforced delegation-only
for '[[:alnum:]]+' \([._[:alnum:]-]+/(A|)/IN\) from [0-9a-f.:]+#[0-9]+$
Thanks! I adjusted this
In article [EMAIL PROTECTED] you wrote:
here is an updated patch.
Could you provide a couple of sample log messages that are meant to be
matched by these rules? I'm trying to make them compatible with the
version in etch, and it's quite easy to get lost in them. Having a
reference would help
In article [EMAIL PROTECTED] you wrote:
Jan 4 12:40:46 niko xlock[7668]: Stop: niko, niko, :0.0, 40m 22s
Silly question: don't you get the matching Start rule as well? I can't
find a trace of xlock in the current database, so I want to make sure
this case isn't already covered elsewhere.
--
forcemerge 418393 447056
thanks
In article [EMAIL PROTECTED] you wrote:
dpkg: error processing
/var/cache/apt/archives/logcheck-database_1.2.63_all.deb (--unpack):
trying to overwrite `/etc/logcheck/ignore.d.server/lpr', which is
also in package lpr
Yes, this was reported against lpr in
severity 418393 serious
thanks
On Mon, Apr 09, 2007 at 01:49:01PM -0500, Adam Majer wrote:
Yes, definitely. The fix is just to remove the conffile from lpr. No
Seems to me like these two files should at least be merged, as they have
different rules.
As for which package should inherit from the
tags 453519 moreinfo
thanks
In article [EMAIL PROTECTED] you wrote:
Version: 1.2.63
The content of the file
/etc/logcheck/violations.ignore.d/logcheck-amavisd-new is contained
already in /etc/logcheck/violations.ignore.d/amavisd-new (this one
shipped with amavisd-new).
Both amavisd-new
In article [EMAIL PROTECTED] you wrote:
There is still one problem with the patch, I can't figure out how to
make it drop these messages.
That was because of 24_NOT_MX, which didn't match [[:alpha:]].
--
* JHM wonders what Joey did to earn I'd just like to say, for the record,
that Joey
In article [EMAIL PROTECTED] you wrote:
Attached is an example log, it should contain examples for all the
modifications I've made.
Thanks!
Your log didn't include an example for temporarily blocked and
multirecipient email, but those were clear enough anyway. I also
added please relay via
In article [EMAIL PROTECTED] you wrote:
Looking at those two lines, they could just be different versions of
the same thing, here are the commented differences:
Take my word: you'll live longer if you don't try to make sense of ssh
log messages. (I *swear* I once got different messages by
In article [EMAIL PROTECTED] you wrote:
Yep, the bug is related to an option in Bastille that forces system
Eee, Perl 4. :(
Logcheck (and bastille) should be aware of which uids are reserved for
system accounts and act properly.
It's not logcheck's place to know about system
# Commit eebd89b29a41e71a1d4878f217db626bae833177
tag 459061 pending
thanks
Alright, I've added rules for the three SYSLOG_INFO messages (start,
stop, logout). Seems to me there should be a rule for unlocked screen
as well, but this is filed at SYSLOG_NOTICE level, and it occurs five
times in
# Commit ed3eb5e1d8697c7c0b1447b1580c742cd8d12cad
tag 443886 pending
thanks
In article [EMAIL PROTECTED] you wrote:
I'm not sure how you'd prefer to handle this case, though, as there are
various other FTP daemons that do the same thing. Copy the same rule
over and over for each package?
# Commit ea37ead3d0c4b9595bfe502283199455daa19571
tag 445473 + pending
tag 445473 - moreinfo
thanks
In article [EMAIL PROTECTED] you wrote:
The client/helo/... is optional because it's not always included in the
decided action=PREPEND form. I faintly remember considering using 2
Not according
On Mon, Mar 17, 2008 at 12:33:48PM -0500, Adam Majer wrote:
Does this mean the bug should be reassigned to logcheck-database?
The appropriate action, IMO, would be to Replace: logcheck-database; we
can then remove that file at our leisure. (I for one am using l-d from
backports.org on my
martin f krafft madd...@debian.org wrote:
As part of ccc049c, most (all?) of ignore.d.workstation/kernel has
been merged into ignore.d.server/kernel. Was this intentional?
diff --git a/rulefiles/linux/ignore.d.workstation/winbind
b/rulefiles/linux/ignore.d.workstation/winbind
kernel !=
At this moment, 1.3.2 is only in experimental, even though the changelog
entry states otherwise. I think you may have forgotten to regenerate
the .changes file before the upload.
--
Overfiend whew.
Overfiend I really need to get some sleep.
Overfiend but it sure was fun talking guitars,
Frédéric Brière fbri...@fbriere.net wrote:
Bah, I'll go ahead and prepare a patch for you to review.
There's a couple of 'em, so I went ahead and created a kdup branch on
alioth, which you can review/merge/delete at your leisure.
At the head of kdup, you can verify that concatenating
martin f krafft madd...@debian.org wrote:
True. Maybe Hanspeter or you or someone else will submit some more
rules this weekend, then I'll upload 1.3.3 on Sunday night.
Sorry for the delay; I was waiting for the server/workstation mess to be
cleared up.
Last time I committed to logcheck, I
martin f krafft madd...@debian.org wrote:
Go ahead and open up 1.3.4.
Done.
--
Never trust an operating system you don't have sources for. ;-)
-- Unknown source
___
Logcheck-devel mailing list
Logcheck-devel@lists.alioth.debian.org
On Tue, Jun 02, 2009 at 10:00:49AM -0600, Bob Proulx wrote:
Lines from cron-apt such as this are not ignored.
Jun 2 08:31:42 joseki cron-apt: Fetched 20.9MB in 2min25s (143kB/s)
Thanks for your report. I've adapted your rule to still match etch's
apt, as well as 0.7.21 (which added yet
On Fri, Dec 12, 2008 at 06:17:31PM +0100, Yuri D'Elia wrote:
I'm just noting that logcheck can run on any POSIX-compatible shell by
simply changing one bashism. One bashism does not justify the need for
the whole of bash.
That's not a bad point; I've therefore just removed the three (useless)
On Tue, Apr 07, 2009 at 10:52:11AM +0100, Karl E. Jorgensen wrote:
When re-installing the logcheck package (which was previously removed,
but not purged), dpkg will pass the version number of the most recently
configured version [1] - which in this case would be 1.2.69. And since
1.2.69 =
On Tue, Dec 09, 2008 at 12:28:25PM +0100, Paolo wrote:
ignore.d.server rules won't filter out security events. I guess it's
matched as such because of the contained /failure/ in the line. I'm not
FWIW, this will no longer be the case with logcheck 1.3.x.
which is fine for stock sysklogd,
On Wed, Mar 12, 2008 at 11:26:03AM +0200, Andrei Emeltchenko wrote:
Part of the header:
Content-Type: text/plain; charset=unknown-8bit
This was either inserted by your mailer or your mail reader; logcheck
does not specify any character encoding itself.
If it did, though, unknown-8bit would
On Thu, Mar 13, 2008 at 08:52:29PM +0100, martin f krafft wrote:
This is a design limitation in postfix. We might fix this by
removing the security alerts layer completely, but this problem
Which was actually done in 1.3.0. Rejoice!
--
Debian is the Jedi operating system: Always two there
On Tue, Jun 15, 2004 at 04:51:09PM +0530, Kapil Hari Paranjape wrote:
that is annoying to us logcheck users since it contains the word
failure which causes it to put up a violation flag with logcheck.
logcheck 1.3.x has gotten rid of its default violations.d/logcheck, so
this will no longer be
On Thu, Aug 21, 2008 at 06:07:35PM +0200, David Prüm wrote:
After installing Sympa on my machine I got a lot of logcheck mails
from seemingly normal sympa log messages.
It seems the ruleset was made for a different version of sympa
This is quite possible: the rules file was added in 2006,
On Wed, Sep 17, 2008 at 09:44:29PM +0200, Stefan Tomanek wrote:
* OpenVPN does not print the full path to ifconfig or route (at least here)
That was due to a defective build (2.1~rc9-1). I'm surprised that you
got a log message out of it, since people reported that the invocation
of
On Thu, Dec 25, 2008 at 04:29:05PM +0100, Thomas Bader wrote:
If Postfix on port 587 is configured by the name 'submission' (which is
also used in /etc/services) that filter won't filter out statistics for
the anvil service, since it only matches on (smtp(s)?|25|587).
This is actually a
Since rsyslog now has its own ruleset, I'm reassigning this bug to it.
(If I'm not mistaken, it can then be closed, but I'll let Michael be the
final judge.)
--
asuffield a workstation is anything you can stick on somebodies desk
and con them into using
-- in
On Thu, Nov 20, 2008 at 06:19:04PM +0100, Robert Ewald wrote:
the placeholder for the process name (scponly) is missing and
/usr/lib/sftp-server is not considered as valid.
There were actually a couple more commands missing, so I just scanned
through the scponly source code and added the whole
On Sun, Jan 11, 2009 at 03:09:06PM +0100, Christoph Anton Mitterer wrote:
Could you please add rules for rkhunter:
I don't think there's much interest by the logcheck maintainers in
adding support for non-syslog logfiles. (Especially since they all tend
to have their own crappy syntax.)
This
On Thu, May 15, 2008 at 10:50:12AM +0300, Andrei Emeltchenko wrote:
Can you add rule to filter out following messages:
System Events
=-=-=-=-=-=-=
May 15 07:44:48 niko syslog-ng[21911]: Configuration reload request
received, reloading configuration;
syslog-ng has its own logcheck ruleset,
On Wed, Dec 10, 2008 at 11:21:53AM +0100, Ferenc Wagner wrote:
^\w{3} [ :0-9]{11} [._[:alnum:]-]+[[:space:]]+: \(pam_[[:alnum:]]+\) session
opened for user [[:alnum:]-]+ by \(uid=[0-9]+\)$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+[[:space:]]+: \(pam_[[:alnum:]]+\) session
closed for user
On Mon, Dec 29, 2008 at 01:57:06PM +0100, Marc Haber wrote:
Hmm, when and where was there a logtail2 package?
When I created it, in 1.2.59. Unfortunately, whoever removed it didn't
note it in the changelog.
It was removed by Martin in 3498cb3, which was part of 1.2.60.
According to the
On Fri, Jan 02, 2009 at 10:21:51AM +0100, Jan Evert van Grootheest wrote:
Package: logcheck-database
Version: 1.2.68
It has now started to spam the logs with lots of
Jan 2 09:22:57 sisko sshd[28511]: pam_unix(sshd:auth): authentication
failure; logname= uid=0 euid=0 tty=ssh ruser=
On Fri, Jan 09, 2009 at 10:03:25PM +, Andrew Gallagher wrote:
Connection reset, restarting message can return negative error code
This has already been added in 1.3.0.
SENT CONTROL ... PUSH_REPLY message has a new field topology WORD
I found a couple more in the openvpn source
On Tue, May 19, 2009 at 12:07:59AM +0200, Patrik Wallstrom wrote:
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp?\[[0-9]+\]: setting up TLS
connection (to|from) [._[:alnum:]-]+(\[[0-9a-f.:]{3,39}\]\:25)?$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp?\[[0-9]+\]: (Trusted )?TLS
connection
On Tue, Jul 28, 2009 at 06:30:11PM -0400, David I. Lehn wrote:
Here are the two rules I just started using. These messages are of no
use to me but I have no idea if they are unimportant enough to filter
out for everyone.
I would tend to agree; these messages indicate that the problem is at
On Thu, Aug 20, 2009 at 08:51:21PM +0300, Jari Aalto wrote:
This is far too often. Getting a huge number of mails every two
hours is filling up the mailboxes.
Actually, it is every hour (at x:02). But if logcheck is sending you
crap every hour, you need better rules, not a lazier schedule.
On Tue, Aug 18, 2009 at 08:27:32PM +0200, Ralf Treinen wrote:
etc/logcheck/ignore.d.server/sendmail
This file was brought to life by 1e1ad02 during the whole viol-merge
saga. This was a mistake, as it's belonged to sendmail-base for years.
What would be the best course of action? Should we
On Mon, Jan 05, 2009 at 09:35:47AM +0100, Thomas Mueller wrote:
I created a new ruleset for postfix-policyd (see the attachment).
Thanks very much.
To be thorough, I looked through the postfix-policyd source code and
added all the possible modules in there. The result is a bit unwieldy,
so I
On Tue, Mar 18, 2008 at 08:20:37AM +0100, Javier Fernández-Sanguino Peña wrote:
I would agree, though, that if Bastille already reports this information
in some way (say, via email), then it's redundant to report it again.
I'm sorry, you don't understand Bastille's task. Bastille does not
On Mon, Mar 17, 2008 at 04:13:03PM -0700, Russ Allbery wrote:
Conffiles are not automatically deleted on upgrade. You have to remove
It would appear that logcheck has shed many files over the years:
$ git log --summary master origin/1.2 -- rulefiles/linux/ | \
grep 'delete mode'
On Tue, Jun 09, 2009 at 10:36:25AM +0200, martin f krafft wrote:
The reason for this email is to send you a copy of a file that I am using
on my FreeBSD system in ignore.d.paranoid to limit the messages that
are pulled out, as I am now using logcheck to also check my maillog file.
qmail is actually
On Fri, Aug 21, 2009 at 12:03:41PM -0700, Russ Allbery wrote:
Do we have the md5 checksums of the last version that we shipped with the
package anywhere?
Yes, that can be easily extracted. I see two issues with this:
First, there's no guarantee that the file will be the last version
shipped.
On Fri, Jun 26, 2009 at 07:23:13PM +0200, Michael Tautschnig wrote:
Attached please find a patch to extend the kernel logcheck rules. You might want
to check the changes line by line as some of them could still be specific to my
systems.
Thanks for your contribution. Unfortunately, I don't