tag 504100 + moreinfo
tag 504100 - patch
thanks

* Tim Small <t...@seoss.co.uk> [2008-10-31 14:03:37 CET]:
> SSHD in lenny and etch emit white space at the end of ssh login
> authentication failure lines.  It would appear that line 11 of the current
> /etc/logcheck/violations.ignore.d/logcheck-ssh intends to filter such lines
> (in fact it does manage to filter ones that include the user=username field,
> but not lines without), but fails to do so because of the trailing
> whitespace.

 That's a false analysis, trailing whitespace is explicitly stripped off
by logcheck so the rules must not have it.

>  The problematic part of the regex is the final:
> rhost=[^[:space:]]+([[:space:]]+user=[^[:space:]]+)?$
> replacing it with:
> rhost=[^[:space:]]+[[:space:]]+(user=[^[:space:]]+)?$
> fixes the problem,

 I really doubt that, trailing whitespace isn't any problem for logcheck
in lenny - and I believe it's the same for etch too, can't unfortunately
check it right now, am offline. Line 675 in lenny:

$SORT $TMPDIR/logoutput/* | sed -e 's/[[:space:]]\+$//' | cat  \
    > $TMPDIR/logoutput-sorted \

 So it strips off trailing whitespace.

> but the following is probably less brittle:
> rhost=[^[:space:]]+([[:space:]]+)?(user=[^[:space:]]+)?$

 That's even worse: It will match even when there is no whitespace at
all between the rhost= and user= line, something you surely didn't want
to achieve - so this renders your patch invalid.

 Can you please offer the lines that appear in your logcheck mails that
you didn't expect to get displayed? If they don't contain too sensitive
information, that is. Private mail is alright, too.

 Thanks. :)
Rhonda
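
The two pattern tails quoted above, tested before and after the whitespace stripping that the quoted logcheck line performs. This is an added example, not part of the original message or of logcheck; the log lines are constructed samples and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample lines (not from a real log). LINE_NO_USER ends with the
# trailing space described in the report; LINE_WITH_USER has a user= field.
LINE_NO_USER='Oct 31 13:00:01 host sshd[1234]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10 '
LINE_WITH_USER='Oct 31 13:00:02 host sshd[1235]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10  user=alice'

# Pattern tails exactly as quoted in the thread.
TAIL_CURRENT='rhost=[^[:space:]]+([[:space:]]+user=[^[:space:]]+)?$'
TAIL_PROPOSED='rhost=[^[:space:]]+[[:space:]]+(user=[^[:space:]]+)?$'

# Same sed expression as the logcheck line quoted in the thread.
strip_trailing() {
    printf '%s\n' "$1" | sed -e 's/[[:space:]]\+$//'
}

# Prints "match" or "nomatch" for pattern $1 against line $2 as given.
match_raw() {
    if printf '%s\n' "$2" | grep -Eq -- "$1"; then
        echo match
    else
        echo nomatch
    fi
}

# Same check, but on the line after trailing whitespace has been stripped,
# which is the form the ignore rules are matched against.
match_stripped() {
    match_raw "$1" "$(strip_trailing "$2")"
}

# Print a small comparison table for both tails and both sample lines.
report() {
    for name in CURRENT PROPOSED; do
        eval "pat=\$TAIL_$name"
        for line in NO_USER WITH_USER; do
            eval "text=\$LINE_$line"
            printf '%-9s %-10s raw=%-8s stripped=%s\n' "$name" "$line" \
                "$(match_raw "$pat" "$text")" "$(match_stripped "$pat" "$text")"
        done
    done
}

report
```

On the unstripped line without `user=`, only the proposed tail matches; once the trailing whitespace is stripped the result reverses and only the current tail matches.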



_______________________________________________
Logcheck-devel mailing list
Logcheck-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/mailman/listinfo/logcheck-devel
