Dan Langille <d...@langille.org> wrote:
> I have a few local-* files that you may find useful. Please use as you
> see fit. No doubt, some will require refinement for public distribution.

Thanks for sharing these with us. Unfortunately, there's not much that can be salvaged here, as most rules are much too loose to be distributed as-is, and we don't have the original log messages to match them with. Nevertheless, here are some comments:

- I think you'll find that many of your postfix and dovecot rules are already taken care of by the latest logcheck-database release. (Some others seem to be obsolete, and do not appear in the source code at all.) Would you be willing to give 1.3.x a whirl, and report on what is missing?

- I'm attaching a tentative rulefile for stunnel; could you also give it a try?

- The amavis-new package includes its own logcheck rules, so you should forward your suggestions to its maintainer(s). This was also the case with ntpd, but your particular rule has already been taken care of by #498992.

- I could not find a trace of newsyslog in Debian; is this something you installed on your own?

Again, thanks for your help!

^\w{3} [ :0-9]{11} [._[:alnum:]-]+ stunnel(( LOG[[:digit:]])?\[[:[:digit:]]+\])?: SSL_read .*: Connection reset by peer$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ stunnel(( LOG[[:digit:]])?\[[:[:digit:]]+\])?: .* connected from .*$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ stunnel(( LOG[[:digit:]])?\[[:[:digit:]]+\])?: VERIFY OK: depth=[0-9]+, .*$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ stunnel(( LOG[[:digit:]])?\[[:[:digit:]]+\])?: Received signal 15; terminating$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ stunnel(( LOG[[:digit:]])?\[[:[:digit:]]+\])?: stunnel [0-9.]+ on i386-pc-linux-gnu PTHREAD\+POLL\+IPv6\+LIBWRAP with OpenSSL [0-9a-z.]+ [0-9]{2} \w{3} [0-9]{4}$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ stunnel(( LOG[[:digit:]])?\[[:[:digit:]]+\])?: [0-9]+ clients allowed$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ stunnel(( LOG[[:digit:]])?\[[:[:digit:]]+\])?: SSL_accept: Peer suddenly disconnected$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ stunnel(( LOG[[:digit:]])?\[[:[:digit:]]+\])?: [._[:alnum:]-]+ accepted connection from [.:[:xdigit:]]+:[[:digit:]]+$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ stunnel(( LOG[[:digit:]])?\[[:[:digit:]]+\])?: connect_blocking: connected [.:[:xdigit:]]+:[[:digit:]]+$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ stunnel(( LOG[[:digit:]])?\[[:[:digit:]]+\])?: [._[:alnum:]-]+ connected remote server from [.:[:xdigit:]]+:[[:digit:]]+$

-- 
LOAD "LINUX",8,1
        -- Topic on #LinuxGER

_______________________________________________
Logcheck-devel mailing list
Logcheck-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/mailman/listinfo/logcheck-devel
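
One way to try the tentative stunnel rules, as an added example that is not part of the original message: three of the rules above are copied verbatim into a temporary file, and constructed log lines are filtered through them with `grep -E -v -f`, which is assumed here to approximate how logcheck applies an ignore file (GNU grep is assumed for `\w`). The function names, the host name `mailhost` and every sample log line are constructed for illustration.

```shell
#!/bin/sh
# Three rules copied verbatim from the tentative stunnel rulefile above.
rules_file=$(mktemp)
trap 'rm -f "$rules_file"' EXIT
cat > "$rules_file" <<'EOF'
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ stunnel(( LOG[[:digit:]])?\[[:[:digit:]]+\])?: SSL_accept: Peer suddenly disconnected$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ stunnel(( LOG[[:digit:]])?\[[:[:digit:]]+\])?: [0-9]+ clients allowed$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ stunnel(( LOG[[:digit:]])?\[[:[:digit:]]+\])?: [._[:alnum:]-]+ accepted connection from [.:[:xdigit:]]+:[[:digit:]]+$
EOF

# Constructed sample log (not taken from a real system).
sample_log() {
    cat <<'EOF'
Sep 14 10:22:31 mailhost stunnel[2345]: imaps accepted connection from 192.0.2.10:51234
Sep 14 10:22:31 mailhost stunnel LOG5[2345:3086]: 500 clients allowed
Sep 14 10:22:32 mailhost stunnel[2345]: SSL_accept: Peer suddenly disconnected
Sep 14 10:23:05 mailhost stunnel[2345]: SSL_accept: 1408F10B: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
Sep 14 10:23:09 mailhost stunnel[2345]: 500 clients allowed (limit raised)
EOF
}

# Print the lines that no rule matches, i.e. what would still be reported.
unfiltered() {
    grep -E -v -f "$rules_file"
}

# The first three lines are ignored. The fourth has no rule, and the fifth
# survives because the trailing "$" anchor rejects the extra text.
sample_log | unfiltered
```

Running real stunnel log lines through the same filter shows which messages still lack a rule, and which rules would swallow more than intended if their anchors were removed.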