[Logcheck-devel] Bug#270019: serial/lp rules for logcheck

Ross Boylan RossBoylan at stanfordalumni.org
Sat Oct 2 18:25:00 UTC 2004


Oops, forgot to copy the bug report on this.
Here are the messages in the log.
----- Forwarded message from Ross Boylan <RossBoylan at stanfordalumni.org> -----

Resent-From: rossboylan at stanfordalumni.org
X-USANET-From: 207.217.120.232 IN   RossBoylan at stanfordalumni.org flamingo.mail.pas.earthlink.net
Date: Mon, 6 Sep 2004 12:56:42 -0700
To: Todd Troxell <ttroxell at debian.org>
Cc: Ross Boylan <RossBoylan at stanfordalumni.org>
Subject: Re: serial/lp rules for logcheck
From: Ross Boylan <RossBoylan at stanfordalumni.org>
Resent-Message-Id: <E1C4PeO-0001q1-00 at wheat.dslnorthwest.net>
Resent-Bcc:
Resent-Date: Mon, 06 Sep 2004 12:59:40 -0700

On Sun, Sep 05, 2004 at 08:22:21PM -0400, Todd Troxell wrote:
> At the moment I've no host with which to test ppp/lp things on.  If you (or
> anyone) could provide complete regexes, (each beginning with ^ and ending with
> $)  I will patch the rules accordingly.
> 
> If not, sending the full log lines is a good start.
> 
> Thanks!

I'm not sure I'd get the patterns right, so I put the offending lines
at the bottom.  I have one pattern for which I didn't immediately find
an example:
pppd\[[[:digit:]]+\]: Perms of /dev/ttyS[[:digit:]] are ok, no 'mesg n' neccesary.
Perhaps this message is obsolete.

I also notice the currently installed filters have a couple of lines
that are clearly too specific:
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pppd\[[0-9]+\]: Connect: ppp0 <--> [.0-9]+$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pppd\[[0-9]+\]: Device ttyS1 is locked by pid [0-9]+$

I also believe that ttySn is not the only possible name for serial
ports, but I'm not sure what the alternatives are.

Some of the lines below, and my corresponding patterns, appear to
match existing ppp patterns.  Some of my patterns may be redundant
with the ppp patterns; some may differ in more or less obvious ways.

Here are some log lines that would be good to exclude, and match my
local exclusion patterns:

Sep  4 18:08:14 wheat kernel: CSLIP: code copyright 1989 Regents of the University of California
Sep  4 18:08:14 wheat kernel: PPP generic driver version 2.4.2
Sep  4 18:08:18 wheat kernel: PPP BSD Compression module registered
Sep  4 18:08:20 wheat kernel: PPP Deflate Compression module registered
Sep  4 18:15:43 wheat kernel: parport0: PC-style at 0x378 [PCSPP]
Sep  4 18:15:43 wheat kernel: lp0: using parport0 (polling).
Sep  4 18:15:52 wheat kernel: lp0 off-line
Sep  4 19:08:58 wheat kernel: parport0: PC-style at 0x378 [PCSPP]
Sep  4 19:08:58 wheat kernel: parport0: Printer, Lexmark International Lexmark Optra E310
Sep  5 14:23:58 wheat chat[10807]: abort on (BUSY)
Sep  5 14:23:58 wheat chat[10807]: abort on (NO CARRIER)
Sep  5 14:23:58 wheat chat[10807]: abort on (VOICE)
Sep  5 14:23:58 wheat chat[10807]: abort on (NO DIALTONE)
Sep  5 14:23:58 wheat chat[10807]: abort on (NO DIAL TONE)
Sep  5 14:23:58 wheat chat[10807]: abort on (NO ANSWER)
Sep  5 14:23:58 wheat chat[10807]: send (ATZ^M)
Sep  5 14:23:59 wheat chat[10807]: expect (OK)
Sep  5 14:23:59 wheat chat[10807]: ^M
Sep  5 14:23:59 wheat chat[10807]: OK
Sep  5 14:23:59 wheat chat[10807]:  -- got it 
Sep  5 14:23:59 wheat chat[10807]: send (ATDT2404278^M)
Sep  5 14:23:59 wheat chat[10807]: expect (CONNECT)
Sep  5 14:23:59 wheat chat[10807]: ^M
Sep  5 14:24:24 wheat chat[10807]: ATDT2404278^M^M
Sep  5 14:24:24 wheat chat[10807]: CONNECT
Sep  5 14:24:24 wheat chat[10807]:  -- got it 
Sep  5 14:24:24 wheat chat[10807]: send (\d)
Sep  5 14:24:25 wheat pppd[10806]: Serial connection established.
Sep  5 14:24:25 wheat pppd[10806]: using channel 1
Sep  5 14:24:25 wheat pppd[10806]: Using interface ppp0
Sep  5 14:24:25 wheat pppd[10806]: Connect: ppp0 <--> /dev/ttyS0
Sep  5 14:24:26 wheat pppd[10806]: sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0xafd259fa> <pcomp> <accomp>]
Sep  5 14:24:29 wheat pppd[10806]: sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0xafd259fa> <pcomp> <accomp>]
Sep  5 14:24:29 wheat pppd[10806]: rcvd [LCP ConfReq id=0x1 < 00 04 00 00> <mru 1524> <asyncmap 0xa0000> <auth chap MD5> <pcomp> <accomp> <mrru 1524> <endpoint [MAC:00:d0:52:01:3a:9e]> < 1b 04 02 02>]
Se
Sep  4 09:53:33 wheat pppd[12592]: pppd 2.4.2 started by ross, uid 1000
Sep  4 09:53:33 wheat pppd[12592]: Using interface ppp0
Sep  4 09:53:33 wheat pppd[12592]: Connect: ppp0 <--> /dev/tts/0
Sep  4 09:53:37 wheat pppd[12592]: PAP authentication succeeded
Sep  4 09:53:37 wheat pppd[12592]: kernel does not support PPP filtering
Sep  4 09:53:37 wheat pppd[12592]: Cannot determine ethernet address for proxy ARP
Sep  4 09:53:37 wheat pppd[12592]: local  IP address 4.243.185.239
Sep  4 09:53:37 wheat pppd[12592]: remote IP address 209.244.43.20
Sep  4 09:53:37 wheat pppd[12592]: primary   DNS address 207.69.188.187
Sep  4 09:53:37 wheat pppd[12592]: secondary DNS address 207.69.188.186
Sep  4 12:41:35 wheat pppd[12592]: Terminating on signal 15.
Sep  4 12:41:36 wheat pppd[12592]: Connection terminated.
Sep  4 12:41:36 wheat pppd[12592]: Connect time 168.1 minutes.
Sep  4 12:41:36 wheat pppd[12592]: Sent 314432 bytes, received 1781295 bytes.
Sep  4 12:41:36 wheat pppd[12592]: Exit.

Sep  5 14:24:30 wheat pppd[10806]: Script /etc/ppp/ip-up started (pid 10908)
Sep  5 14:24:47 wheat pppd[10806]: Script /etc/ppp/ip-up finished (pid 10908), status = 0x0
Sep  5 14:27:20 wheat pppd[10806]: Terminating on signal 15.
Sep  5 14:27:20 wheat pppd[10806]: Script /etc/ppp/ip-down started (pid 11143)

Sep  5 14:27:20 wheat pppd[10806]: Waiting for 1 child processes...

Sep  5 14:43:05 wheat pppd[11269]: PAP authentication succeeded
#Sep  5 14:43:05 wheat pppd[11269]: kernel does not support PPP filtering

Sep  6 06:15:05 wheat pppd[14210]: Modem hangup


----- End forwarded message -----
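The report's point is that an ignore rule has to be checked in both directions: it must actually swallow the noise lines (the quoted `ppp0 <--> [.0-9]+` rule does not, because `/dev/ttyS0` and `/dev/tts/0` are not dotted addresses), and it must not be so broad that it also hides a line an administrator should see. The harness below is an added example, not code from the bug report or from logcheck itself. It applies rules to log lines the way logcheck does (`egrep -v -f rules`) and counts what is left visible. The rules are assumed generalisations of the `ttyS1`/`ppp0` rules quoted above, the `PAP authentication failed` control line is constructed and not taken from the report, and the date prefix is written `[[:alpha:]]{3}` where logcheck's own rules use `\w{3}`.

```shell
#!/bin/sh
# Added example (not from the bug report or logcheck): apply candidate
# logcheck ignore rules to log lines with grep -E -v -f, as logcheck does,
# and report what is NOT suppressed. The rules are assumed generalisations
# of the ttyS1/ppp0 rules quoted in the report.

# Constructed sample: noise lines copied from the report, one per line.
NOISE='Sep  4 18:08:14 wheat kernel: PPP generic driver version 2.4.2
Sep  4 18:08:18 wheat kernel: PPP BSD Compression module registered
Sep  4 18:15:43 wheat kernel: lp0: using parport0 (polling).
Sep  5 14:23:58 wheat chat[10807]: abort on (NO CARRIER)
Sep  5 14:24:25 wheat pppd[10806]: Serial connection established.
Sep  5 14:24:25 wheat pppd[10806]: Using interface ppp0
Sep  5 14:24:25 wheat pppd[10806]: Connect: ppp0 <--> /dev/ttyS0
Sep  4 09:53:33 wheat pppd[12592]: Connect: ppp0 <--> /dev/tts/0
Sep  4 09:53:37 wheat pppd[12592]: PAP authentication succeeded
Sep  4 09:53:37 wheat pppd[12592]: local  IP address 4.243.185.239
Sep  4 12:41:35 wheat pppd[12592]: Terminating on signal 15.'

# Just the two Connect lines, which the old rule fails to match.
CONNECT='Sep  5 14:24:25 wheat pppd[10806]: Connect: ppp0 <--> /dev/ttyS0
Sep  4 09:53:33 wheat pppd[12592]: Connect: ppp0 <--> /dev/tts/0'

# Constructed control line (hypothetical, not from the report): a failure
# that an ignore rule must leave visible.
CONTROL='Sep  4 09:53:37 wheat pppd[12592]: PAP authentication failed'

# The rule the report calls too specific: only a dotted address after "<-->".
OLD_CONNECT='^[[:alpha:]]{3} [ :0-9]{11} [._[:alnum:]-]+ pppd\[[0-9]+\]: Connect: ppp0 <--> [.0-9]+$'

# Candidate rules: one POSIX ERE per line, each anchored with ^ and $.
# A blank line in this list would match every log line, so there is none.
RULES='^[[:alpha:]]{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: PPP (generic driver version [.0-9]+|BSD Compression module registered|Deflate Compression module registered)$
^[[:alpha:]]{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: lp[0-9]+: using parport[0-9]+ \(polling\)\.$
^[[:alpha:]]{3} [ :0-9]{11} [._[:alnum:]-]+ chat\[[0-9]+\]: abort on \([A-Z ]+\)$
^[[:alpha:]]{3} [ :0-9]{11} [._[:alnum:]-]+ pppd\[[0-9]+\]: Serial connection established\.$
^[[:alpha:]]{3} [ :0-9]{11} [._[:alnum:]-]+ pppd\[[0-9]+\]: Using interface ppp[0-9]+$
^[[:alpha:]]{3} [ :0-9]{11} [._[:alnum:]-]+ pppd\[[0-9]+\]: Connect: ppp[0-9]+ <--> /dev/[._[:alnum:]/-]+$
^[[:alpha:]]{3} [ :0-9]{11} [._[:alnum:]-]+ pppd\[[0-9]+\]: PAP authentication succeeded$
^[[:alpha:]]{3} [ :0-9]{11} [._[:alnum:]-]+ pppd\[[0-9]+\]: (local|remote) +IP address [.0-9]+$
^[[:alpha:]]{3} [ :0-9]{11} [._[:alnum:]-]+ pppd\[[0-9]+\]: Terminating on signal [0-9]+\.$'

# An over-broad rule of the kind to avoid: it hides every pppd line.
BROAD='^[[:alpha:]]{3} [ :0-9]{11} [._[:alnum:]-]+ pppd\[[0-9]+\]: .*$'

# leftover RULES LINES: print the lines that RULES do not suppress.
leftover() {
    rf=$(mktemp) || return 1
    printf '%s\n' "$1" > "$rf"
    printf '%s\n' "$2" | grep -E -v -f "$rf" || true
    rm -f "$rf"
}

# count_leftover RULES LINES: number of lines left visible.
count_leftover() {
    leftover "$1" "$2" | grep -c . || true
}

main() {
    echo "noise left visible by candidate rules:   $(count_leftover "$RULES" "$NOISE")"
    echo "Connect lines left by the old rule:      $(count_leftover "$OLD_CONNECT" "$CONNECT")"
    echo "control line visible under candidates:   $(count_leftover "$RULES" "$CONTROL")"
    echo "control line visible under broad rule:   $(count_leftover "$BROAD" "$CONTROL")"
    echo "--- lines the candidate rules do not suppress:"
    leftover "$RULES" "$NOISE"
}

main
```

The counts are the check: the candidate rules should leave zero noise lines, the old Connect rule leaves both Connect lines, and the constructed failure line must stay visible under the candidates but vanishes under the broad rule. Two practical caveats follow from running it this way: a rule file that picks up a blank line suppresses everything (grep treats an empty pattern as matching every line), and every rule still needs the `^`...`$` anchors Todd asked for, since an unanchored `PAP authentication` would also hide the failure case.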