Bug#255560: [Logcheck-devel] Bug#255560: logcheck-database: More Postfix rules
Todd Troxell
ttroxell at debian.org
Mon Jun 28 22:03:41 UTC 2004
Aha! ok. I didn't realize it was a remotely supplied string. Will patch.
Thanks for the explanation.
Re: cvs downloads
I just located the problem on alioth [0] and submitted a patch. Hopefully it
will be applied!
[0] http://lists.gnu.org/archive/html/info-cvs/2004-01/msg00306.html
-Todd
On Mon, Jun 28, 2004 at 10:13:31AM +0100, Mark Brown wrote:
> On Mon, Jun 28, 2004 at 04:09:21AM -0400, Todd Troxell wrote:
>
> > Maks applied parts of the patch to cvs version. The .*$ stuff was a bit too
> > general. If you'd like those changes included, please write tighter rules.
>
> The .$ stuff generally matches random text supplied by remote systems
> that Postfix reports in the logs for diagnostic purposes. As a result
> it is not possible to supply more specific rules. For example, in this
> case:
>
> +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]: host [^[:space:]]+ refused to talk to me: [45][0-9][0-9].*$
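Review bot: At the end of this rule, `[45][0-9][0-9].*$` lets any character follow the three digits, so the rule does not pin the match to an SMTP status code followed by remote text. Consider `[45][0-9][0-9]([ -].*)?$`, which requires a space or hyphen after the code (or end of line), and add a comment in the rules file that the tail is supplied by the remote system and cannot be tightened further.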
>
> Postfix is simply reporting a remote error - the [45][0-9][0-9] matches
> the beginning of a SMTP response line and the rest of the line will be
> whatever randomly formatted text the remote system decided to include.
>
> It's the same with cases like:
>
> +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]: [A-Z0-9]+: host [^[:space:]]+ said: .* \(in reply to (HELO|EHLO|MAIL FROM|RCPT TO|end of DATA) command\)$
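Review bot: The queue ID is matched as `[A-Z0-9]+` in this rule but as `[[:alnum:]]+` in the qmgr and cleanup rules quoted from the same patch; use one class throughout so the rules cannot disagree on what a queue ID looks like. The `.*` after `said:` is bounded by the trailing `\(in reply to (...) command\)$`, and a short comment saying so next to the rule would document why the wildcard is acceptable.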
>
> where the .* matches some text supplied by the remote system which can
> write pretty much whatever it pleases there. The space where this text
> will go is very clearly delimited, though, so it's possible to reliably
> ignore it.
>
> Similarly, here:
>
> -^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/n?qmgr\[[0-9]+\]: [[:alnum:]]+: message-id=<.*>( \(.*\))?$
> +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/n?qmgr\[[0-9]+\]: [[:alnum:]]+: message-id=.*$
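Review bot: The replacement line drops both the `<.*>` delimiters and the optional `( \(.*\))?` suffix without any comment visible in the hunk. Add a comment beside the rule stating that the message ID is logged verbatim from the remote system and may lack one or both angle brackets, so the reason for `message-id=.*$` is recorded with the rule.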
>
> and here:
>
> +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/cleanup\[[0-9]+\]: [[:alnum:]]+: message-id=.*$
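Review bot: This rule differs from the new qmgr rule only in the daemon name, so if both end up in the same rules file they can be one line using `postfix/(n?qmgr|cleanup)\[[0-9]+\]`, which keeps the two from drifting apart in later edits.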
>
> Postfix is just reporting the message ID it got from the remote system
> verbatim. While it would be nice if systems would reliably generate
> valid message IDs delimited by <> it is unfortunately the case that some
> systems generate invalid ones with one or both angle brackets missing.
>
> The best you can do with this stuff is say "If Postfix wrote this then
> the rest of the line will be a remote error and can therefore be
> ignored.". This is a fairly general problem with logging from services
> like Postfix and INN - since they interact with remote systems and it is
> useful to report text provided by remote systems for diagnostic purposes
> you will find yourself needing very general matches.
>
> BTW, CVS downloads via CVSweb are broken:
>
> | Error: Unexpected output from cvs co: cvs [checkout aborted]:
> | /var/lib/gforge/chroot/cvsroot/CVSROOT: No such file or directory
>
> | Check whether the directory /var/lib/gforge/chroot/cvsroot/CVSROOT
> | exists and the script has write-access to the CVSROOT/history file if it
> | exists. The script needs to place lock files in the directory the file
> | is in as well.
>
> --
> "You grabbed my hand and we fell into it, like a daydream - or a fever."
--
[ Todd J. Troxell ,''`.
Student, Debian GNU/Linux Developer, SysAdmin, Geek : :' :
http://debian.org || http://rapidpacket.com/~xtat `. `'
`- ]
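
As an added example (not part of the original thread or of logcheck's own files), the script below runs three of the rules quoted above against constructed log lines with `grep -E`. It shows that the looser message-id rule catches an ID with a missing bracket, while a line without Postfix's own framing is still reported. The timestamp, host names, queue ID and the `otherd` daemon name are made up, and a grep that accepts `\w` (as GNU grep does) is assumed.

```shell
#!/bin/sh
# Added example. Rules are copied from the thread; every log line is constructed.
OLD_ID='^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/n?qmgr\[[0-9]+\]: [[:alnum:]]+: message-id=<.*>( \(.*\))?$'
NEW_ID='^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/n?qmgr\[[0-9]+\]: [[:alnum:]]+: message-id=.*$'
SAID='^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]: [A-Z0-9]+: host [^[:space:]]+ said: .* \(in reply to (HELO|EHLO|MAIL FROM|RCPT TO|end of DATA) command\)$'

# verdict RULE LINE: print "ignored" if the rule matches, else "reported".
verdict() {
    if printf '%s\n' "$2" | grep -Eq -- "$1"; then
        echo ignored
    else
        echo reported
    fi
}

P='Jun 28 10:13:31 mx1'   # constructed timestamp and host name
# Well-formed message ID.
GOOD_ID="$P postfix/qmgr[1234]: 9F3A21C0B2: message-id=<20040628.a1@example.org>"
# Remote system omitted the opening angle bracket.
BAD_ID="$P postfix/qmgr[1234]: 9F3A21C0B2: message-id=20040628.a1@example.org>"
# Free-form remote reply containing parentheses and brackets of its own.
REMOTE="$P postfix/smtp[2345]: 9F3A21C0B2: host mx.example.net[192.0.2.10] said: 450 try (again) later <x> (in reply to RCPT TO command)"
# Same tail text, but not written by Postfix: must still reach the report.
OTHER="$P otherd[999]: 9F3A21C0B2: message-id=<x> said: y (in reply to HELO command)"

show() { printf '%-28s -> %s\n' "$1" "$(verdict "$2" "$3")"; }
show 'old id rule, bracketed id'  "$OLD_ID" "$GOOD_ID"
show 'old id rule, missing <'     "$OLD_ID" "$BAD_ID"
show 'new id rule, missing <'     "$NEW_ID" "$BAD_ID"
show 'said rule, remote reply'    "$SAID"   "$REMOTE"
show 'new id rule, non-Postfix'   "$NEW_ID" "$OTHER"
show 'said rule, non-Postfix'     "$SAID"   "$OTHER"
```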