I have made some empirical investigation for two systems; setting up one IPv4 esp-ah-transport and one IPv6 ah-transport, all using RSA signatures. One machine is left at default logging level "info", and the other machine gets the entry "log notice" in its configuration.
The result is pure bliss. Using "notice-logging" only five messages are recorded:

    thrice: "WARNING: CERT validation disabled by configuration"
    twice:  "ERROR: such policy does not ..."

The warning message is a bogus artifact caused by the use of RSASIG. It was recently identified as such by Upstream and has been removed for this use case in the development branch.

The error message was equally recently brought to the attention of Upstream by myself and my patch, which reassigned the message as DEBUG level, was accepted. (The message simply states that a previous policy did not exist, thus could not be purged!)

Both these changes were timely enough to theoretically be able to enter the new release 0.8.0, but I have not verified whether they are present in the release candidate.

Anyway, logging level "notice" clearly satisfies my ideals. Observe that my other endpoint included 37 [!] messages marked as "INFO", thereby visibly polluting "/var/log/daemon.log".

The manual page mentions no mechanism to specify a logging level in a command line option, only a possibility to _increase_ the level beyond the default "info". Therefore my suggestion is now to include the directive

    # /etc/racoon/racoon.conf
    log notice

into the distributed configuration file, and refrain from crafting some logcheck rules intended to mask excessive INFO-messages. It is reasonable that Debian, as a distributor, slightly decreases the suggested logging level beyond that of a raw install from a source archive.

Best regards,
Mats E A <mats.anders...@gisladisker.se>
2459 41E9 C420 3F6D F68B 2E88 F768 4541 F25B 5D41
Subscribed to: debian-mentors, debian-devel-games, debian-perl, debian-ipv6, debian-qa