Bug#255560: [Logcheck-devel] Bug#255560: logcheck-database: More Postfix rules

Todd Troxell ttroxell at debian.org
Mon Jun 28 22:03:41 UTC 2004


Aha! ok.  I didn't realize it was a remotely supplied string.  Will patch.
Thanks for the explanation.

Re: cvs downloads

I just located the problem on alioth [0] and submitted a patch.  Hopefully it
will be applied!

[0] http://lists.gnu.org/archive/html/info-cvs/2004-01/msg00306.html

-Todd

On Mon, Jun 28, 2004 at 10:13:31AM +0100, Mark Brown wrote:
> On Mon, Jun 28, 2004 at 04:09:21AM -0400, Todd Troxell wrote:
> 
> > Maks applied parts of the patch to cvs version.  The .*$ stuff was a bit too
> > general.  If you'd like those changes included, please write tighter rules.
> 
> The .$ stuff generally matches random text supplied by remote systems
> that Postfix reports in the logs for diagnostic purposes.  As a result
> it is not possible to supply more specific rules.  For example, in this
> case:
> 
> +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]: host [^[:space:]]+ refused to talk to me: [45][0-9][0-9].*$
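Review bot: the tail [45][0-9][0-9].*$ requires no separator after the reply code, so anything that merely starts with three such digits matches. When text follows an SMTP reply code it is separated by a space or a hyphen, so [45][0-9][0-9]([ -].*)?$ would pin the code while leaving the remote text as open as it needs to be.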
> 
> Postfix is simply reporting a remote error - the [45][0-9][0-9] matches
> the beginning of a SMTP response line and the rest of the line will be
> whatever randomly formatted text the remote system decided to include.
> 
> It's the same with cases like:
> 
> +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]: [A-Z0-9]+: host [^[:space:]]+ said: .* \(in reply to (HELO|EHLO|MAIL FROM|RCPT TO|end of DATA) command\)$
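Review bot: the alternation (HELO|EHLO|MAIL FROM|RCPT TO|end of DATA) at the end of the rule has no entry for a reply to the DATA command itself, so such a line would fall through and be reported; add DATA if that is not intended. The queue ID is written [A-Z0-9]+ here but [[:alnum:]]+ in the message-id rules; one spelling throughout would be easier to maintain.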
> 
> where the .* matches some text supplied by the remote system which can
> write pretty much whatever it pleases there.  The space where this text
> will go is very clearly delimited, though, so it's possible to reliably
> ignore it.
> 
> Similarly, here:
> 
> -^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/n?qmgr\[[0-9]+\]: [[:alnum:]]+: message-id=<.*>( \(.*\))?$
> +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/n?qmgr\[[0-9]+\]: [[:alnum:]]+: message-id=.*$
> 
> and here:
> 
> +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/cleanup\[[0-9]+\]: [[:alnum:]]+: message-id=.*$
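Review bot: this rule is the n?qmgr message-id rule with only the daemon name changed, so the two can drift apart if one is edited later. Writing the daemon as postfix/(n?qmgr|cleanup) in a single rule would avoid that.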
> 
> Postfix is just reporting the message ID it got from the remote system
> verbatim.  While it would be nice if systems would reliably generate
> valid message IDs delimited by <> it is unfortunately the case that some
> systems generate invalid ones with one or both angle brackets missing.
> 
> The best you can do with this stuff is say "If Postfix wrote this then
> the rest of the line will be a remote error and can therefore be
> ignored.".  This is a fairly general problem with logging from services
> like Postfix and INN - since they interact with remote systems and it is
> useful to report text provided by remote systems for diagnostic purposes
> you will find yourself needing very general matches.
> 
> BTW, CVS downloads via CVSweb are broken:
> 
> | Error: Unexpected output from cvs co: cvs [checkout aborted]:
> | /var/lib/gforge/chroot/cvsroot/CVSROOT: No such file or directory
> 
> | Check whether the directory /var/lib/gforge/chroot/cvsroot/CVSROOT
> | exists and the script has write-access to the CVSROOT/history file if it
> | exists.  The script needs to place lock files in the directory the file
> | is in as well. 
> 
> -- 
> "You grabbed my hand and we fell into it, like a daydream - or a fever."

-- 
[   Todd J. Troxell                                         ,''`.
      Student, Debian GNU/Linux Developer, SysAdmin, Geek  : :' :
      http://debian.org || http://rapidpacket.com/~xtat    `. `' 
                                                             `-     ]
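
Added example (not part of the original messages and not logcheck's own code): the rules quoted above run through grep -E -v, which is assumed here to stand in for how logcheck applies its ignore files. The log lines are constructed samples, and the function and variable names are hypothetical.

```shell
#!/bin/sh
# Constructed sample lines (not from the thread); addresses use documentation ranges.
LOGS='Jun 28 10:13:31 mail postfix/smtp[1234]: host mx.example.net[192.0.2.10] refused to talk to me: 554 <<no service>> ~~ go away
Jun 28 10:13:32 mail postfix/qmgr[801]: 3F2A1B7C: message-id=20040628.1234@broken.example
Jun 28 10:13:33 mail postfix/qmgr[801]: 4A5B6C7D: message-id=<20040628101333.ABCD@mail.example.org>
Jun 28 10:13:34 mail otherd[999]: peer text: host x refused to talk to me: 550 nope'

# Rules copied from the quoted patch.
SMTP_RULE='^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]: host [^[:space:]]+ refused to talk to me: [45][0-9][0-9].*$'
OLD_QMGR='^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/n?qmgr\[[0-9]+\]: [[:alnum:]]+: message-id=<.*>( \(.*\))?$'
NEW_QMGR='^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/n?qmgr\[[0-9]+\]: [[:alnum:]]+: message-id=.*$'

# A rule set is one pattern per line, as in an ignore file.
OLD_SET="$SMTP_RULE
$OLD_QMGR"
NEW_SET="$SMTP_RULE
$NEW_QMGR"

# reported RULESET: print the sample lines that no rule matches,
# i.e. the lines that would still reach the administrator.
reported() {
    printf '%s\n' "$LOGS" | grep -E -v -e "$1" || true
}

# count_reported RULESET: number of lines still reported.
count_reported() {
    reported "$1" | grep -c '' || true
}

echo "old rules report $(count_reported "$OLD_SET") line(s):"
reported "$OLD_SET"
echo "new rules report $(count_reported "$NEW_SET") line(s):"
reported "$NEW_SET"
```

The message ID without angle brackets is reported under the old qmgr rule and ignored under the new one, while the otherd line stays reported under both because the wide .*$ tail only applies once the anchored postfix/smtp prefix has matched.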