Bug#283331: [Logcheck-devel] Bug#283331: logcheck-database: changes to ignore.d.server dnsmasq and ntpdate
maks attems
debian at sternwelten.at
Sun Nov 28 18:34:00 UTC 2004
On Sun, 28 Nov 2004, bug hunter #742 wrote:
> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dnsmasq\[[[:digit:]]+\]:
> (DHCPDISCOVER|DHCPOFFER|DHCPREQUEST|DHCPACK|DHCPRELEASE|DHCPINFO|BOOTP)[()[:alnum:]]+
> [ :[:alnum:].]+$
>
> might be more accurately:
>
> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dnsmasq\[[[:digit:]]+\]:
> (DHCPDISCOVER|DHCPOFFER|DHCPREQUEST|DHCPACK|DHCPRELEASE|DHCPINFO|BOOTP)([[:alnum:]]+)
> [ :[:alnum:]._-]+$
>
> To break it down:
> 1.
> [()[:alnum:]]+
> trying to match something like "(eth1)"
> would more accurate:
> ([[:alnum:]]+)
>
> 2.
> [ :[:alnum:].]+
> I noticed that this didn't match computer names with underscores like
> "TEST_COM"
> so this just adds underscores and dashes. I'm not positive that's the
> best approach and I'm not sure of the need for the space and colon but
> this is the safe approach.
> [ :[:alnum:]._-]+
sounds good, please post some relevant loglines to check against. :)
> Also I would add this line to dnsmasq as it occurs when you use dnsmasq
> as a local dns caching server (that is have 127.0.0.1 in resolve.conf):
> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dnsmasq\[[[:digit:]]+\]: ignoring
> nameserver 127.0.0.1 - local interface$
ok cool, added to current cvs.
just changed '.' to '\.'
could you post the dnsmasq logline when using a remote dns?
> Finally, I added this line for ntpdate in my setup:
> ntpdate\[[0-9]+\]: step time server .* offset 0\.[0-9]+ sec
> This ignores time steps that are less than 1 second which I don't
> consider a big deal and I'm not sure others would either so I submit it
> for inclusion.
hmm that is a bad rule, only use '.*' for remote strings.
and the rule doesn't match the hole logline.
ntpdate is using it's own logcheck ignore rule, you may want to follow up
#283386
thanks + best regards
--
maks
More information about the Logcheck-devel
mailing list