Bug#249181: [Logcheck-devel] Bug#249181: acknowledged by developer (Bug#249181: fixed in logcheck 1.2.21)

Mark Brown broonie at debian.org
Fri Jun 4 12:22:30 UTC 2004


On Fri, Jun 04, 2004 at 01:47:37PM +0200, maks attems wrote:

> we can't pump up all "system events" rules, by the assumption
> that there may be a locally triggered string for a "security
> violation" inside.

It's not a case of simply ignoring all system events - it's a case of
recognising that there are log messages which include strings supplied
by both users and remote systems which may legitimately contain text
that can trip up logcheck.  Since it's possible to match on the entire
log line, clearly identifying the portion that may contain the offending
strings, there's no great risk from ignoring them.

Without this sort of rule it becomes fairly easy to render logcheck much
less useful by using perfectly legitimate means to inject strings that
spuriously trip the security violations rules.

Besides, many of the articles that are tripping up my system are in
news.admin.net-abuse.sightings which is going to be carried by a
reasonable proportion of INN users.

-- 
"You grabbed my hand and we fell into it, like a daydream - or a fever."
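
The point made in the message above about matching on the entire log line, as an added illustration (not part of the original e-mail and not logcheck's shipped rules). The daemon name `newsd`, its message format, the keyword and both patterns are constructed assumptions; the loose rule is included only to show what anchoring buys.

```shell
#!/bin/sh
# Added illustration. Patterns and log lines are constructed for this example;
# "newsd" and its message format are hypothetical, not INN's or logcheck's own.

# Keyword rule in the style of a "security violations" match (unanchored).
VIOLATION='ATTACK'

# Tight ignore rule: anchored at both ends so it must match the entire line,
# with the remotely supplied text confined to the quoted subject field.
TIGHT='^[[:alpha:]]{3} [ 0-9][0-9] [0-9:]{8} [[:alnum:]._-]+ newsd\[[0-9]+\]: accepted article <[^> ]+> subject="[^"]*"$'

# Loose ignore rule for contrast: matches on the daemon name alone.
LOOSE='newsd\[[0-9]+\]: '

# classify IGNORE_RULE LINE -> prints clean, ignored or violation
classify() {
    if ! printf '%s\n' "$2" | grep -Eq -- "$VIOLATION"; then
        echo clean
    elif printf '%s\n' "$2" | grep -Eq -- "$1"; then
        echo ignored
    else
        echo violation
    fi
}

# Constructed sample lines.
# Keyword appears only inside the remotely supplied subject field.
IN_FIELD='Jun  4 12:00:01 news newsd[412]: accepted article <a1@example.org> subject="sighting: ATTACK on port 25"'
# Keyword appears outside the field, so the line no longer has the expected shape.
OUTSIDE='Jun  4 12:00:02 news newsd[412]: accepted article <a2@example.org> subject="hi" ATTACK from 192.0.2.7'
# Keyword logged by a different program.
OTHER='Jun  4 12:00:03 news sshd[977]: ATTACK detected from 192.0.2.7'
# No keyword at all.
QUIET='Jun  4 12:00:04 news cron[1]: job finished'

for line in "$IN_FIELD" "$OUTSIDE" "$OTHER" "$QUIET"; do
    printf '%-9s (tight)  %-9s (loose)  %s\n' \
        "$(classify "$TIGHT" "$line")" "$(classify "$LOOSE" "$line")" "$line"
done
```

The tight rule suppresses only the line whose keyword sits inside the identified field, while the loose rule also hides the line where the keyword falls outside it.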




