Bug#275946: [Logcheck-devel] Bug#275946: Acknowledgement (newline not recognized when logcheck sends emails)

Brendon Baumgartner brendon at brendon.com
Mon Oct 11 19:32:02 UTC 2004


> From: maximilian attems [mailto:max at stro.at] On Behalf Of maks attems
> Sent: Monday, October 11, 2004 3:10 AM
> To: Brendon Baumgartner; 275946 at bugs.debian.org
> Subject: Re: [Logcheck-devel] Bug#275946: Acknowledgement (newline not
> recognized when logcheck sends emails)
> 
> On Mon, 11 Oct 2004, Brendon Baumgartner wrote:
> 
> > I upgraded to 1.2.28, same results.
> >
> > Here are the rules I added.
> > ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ perdition\[[0-9]+\]: Connect:
> fixed in latest cvs.
> > ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pure-ftpd: [^[:space:]]+ \[NOTICE\]
> > ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pure-ftpd: [^[:space:]]+ \[INFO\]
> please show us the loglines you want to ignore with those.

I'm not sure what pureftp all shows, I haven't looked into it yet. I don't
want to see when someone logs in or when they upload a file. Based on what I
see below, dumping NOTICE and INFO is good.

Some pure-ftpd messages:
Oct 11 08:13:27 solara pure-ftpd: (?@ip68-104-126-23.lv.lv.cox.net) [INFO]
New connection from ip68-104-126-23.lv.lv.cox.net
Oct 11 08:13:28 solara pure-ftpd: (?@ip68-104-126-23.lv.lv.cox.net) [INFO]
www.tennis-league.com is now logged in
Oct 11 08:13:28 solara pure-ftpd:
(www.tennis-league.com at ip68-104-126-23.lv.lv.cox.net) [ERROR] Can't remove
directory: No such file or directory
Oct 11 08:13:28 solara pure-ftpd:
(www.tennis-league.com at ip68-104-126-23.lv.lv.cox.net) [INFO] Can't change
directory to //mm_casetest4291: No such file or directory
Oct 11 09:33:10 solara pure-ftpd:
(www.bballin.com at ip68-104-126-23.lv.lv.cox.net) [NOTICE]
/v0/ispman/domains/bballin.com/vhosts/www//htdocs/browsewaiverwire.php.LCK
downloaded  (40 bytes, 279.02KB/sec)
Oct 11 09:33:13 solara pure-ftpd:
(www.bballin.com at ip68-104-126-23.lv.lv.cox.net) [NOTICE]
/v0/ispman/domains/bballin.com/vhosts/www//htdocs/include/Ladder.php
uploaded  (5093 bytes, 15.15KB/sec)
Oct 11 10:16:54 solara pure-ftpd:
(www.bballin.com at ip68-104-126-23.lv.lv.cox.net) [INFO] Timeout - try typing
a little faster next time

> > ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ exact\[[0-9]+\]:
> > ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ slapd\[[0-9]+\]:
> > ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ snmpd\[[0-9]+\]: Connection from
> pretty too generic, with those you trust any message of the above 2 daemons,
> again please send logmessages.

Yes, a little over the top, but slapd creates so much junk, I don't have
time to write proper rules, and I don't care about exact for the moment
either.

> > ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: IN-inet:IN
> > ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: NEW TCP
> > ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: SYN FLOOD:IN
> what that? iptables?

Yes. Iptables. I use another program to check iptables. I do see ping floods in
logcheck emails still. I don't see a reason I need to though, but I've left
them for the moment.

Oct 11 10:53:50 solara kernel: IN-inet:IN=eth0 OUT=
MAC=00:90:27:17:b5:9b:00:90:69:46:3e:37:08:00 SRC=208.180.6.36
DST=208.184.76.97 LEN=48 TOS=0x00 PREC=0x00 TTL=118 ID=33483 DF PROTO=TCP
SPT=2998 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0

> > ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: [A-Z0-9]+:
> > reject: RCPT from [^[:space:]]+: [0-9]{3} <[^[:space:]]+>: Relay access
> > denied; from=<[^[:space:]]*> to=<[^[:space:]]+> proto=(ESMTP|SMTP)
> > helo=<[^[:space:]]+>$
> > ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: [A-Z0-9]+:
> > reject: RCPT from [^[:space:]]+: [0-9]{3} <[^[:space:]]+>: User unknown
> in
> > local recipient table; from=<[^[:space:]]*> to=<[^[:space:]]+>
> > proto=(ESMTP|SMTP) helo=<[^[:space:]]+>$
> thanks now fixed in cvs,
> we ignored NOQUEUE, which other are appearing, curious about the log
> messages?

Not sure what you're asking. Sorry.

Oct 11 10:58:09 solara postfix/smtpd[27917]: DA2331317B: reject: RCPT from
ip073254.fscwv.edu[129.71.73.254]: 550 <thomas at brendon.com>: User unknown in
local recipient table; from=<88 at adelphia.net> to=<thomas at brendon.com>
proto=SMTP helo=<brendon.com>

> > ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ cyrus/imapd\[[0-9]+\]: SQUAT
> failed.*$
> please no '.*' without reasons,

Thanks, this was probably one of the first rules I did, while I was still
trying to figure things out. Fixed.

Oct 11 11:41:37 solara cyrus/imapd[27913]: SQUAT failed to open index file
Oct 11 11:41:37 solara cyrus/imapd[27913]: SQUAT failed

> logmessages would help.

I tried to include some for you.
 
> 
> thanks for your bugreport.

Glad to help. I know Outlook isn't desirable, but hey, it has a huge market
share :/

Tested with Outlook Express. Passed.
Tested on another Outlook 2003, SP1. Failed. (same results)
Tested with Thunderbird. Passed.

I've attached my /etc/logcheck.

-- 
 _BB


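A way to check rules like the ones quoted above before dropping them into ignore.d, as an added example that is not from the bug report or from logcheck itself: it runs the rules over the log lines from this message with grep -E -f (the filter logcheck applies) and reports which lines would still be mailed. It assumes the archive's "user at host" rewriting should be undone to "user@host"; the slapd log line is constructed.

```shell
#!/bin/sh
# Added example, not code from the bug report or from logcheck itself:
# run ignore rules against sample log lines with grep -E -f, the way
# logcheck does, so a rule can be checked before it lands in ignore.d.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Rules quoted in the message that the maintainer accepted (with the
# trailing '.*' dropped from the SQUAT rule, as he asked).
cat >"$WORK/good.rules" <<'EOF'
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pure-ftpd: [^[:space:]]+ \[NOTICE\]
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pure-ftpd: [^[:space:]]+ \[INFO\]
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ cyrus/imapd\[[0-9]+\]: SQUAT failed
EOF

# The slapd rule the maintainer called too generic: it ends right after
# the PID, so every slapd message is swallowed, whatever it says.
cat >"$WORK/generic.rules" <<'EOF'
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ slapd\[[0-9]+\]:
EOF

# Log lines from the message, re-joined onto single lines. The archive
# rewrote "user@host" as "user at host"; '@' is restored here (assumed).
# The slapd line is constructed to show what the generic rule hides.
cat >"$WORK/sample.log" <<'EOF'
Oct 11 08:13:27 solara pure-ftpd: (?@ip68-104-126-23.lv.lv.cox.net) [INFO] New connection from ip68-104-126-23.lv.lv.cox.net
Oct 11 08:13:28 solara pure-ftpd: (www.tennis-league.com@ip68-104-126-23.lv.lv.cox.net) [ERROR] Can't remove directory: No such file or directory
Oct 11 09:33:13 solara pure-ftpd: (www.bballin.com@ip68-104-126-23.lv.lv.cox.net) [NOTICE] /v0/ispman/domains/bballin.com/vhosts/www//htdocs/include/Ladder.php uploaded  (5093 bytes, 15.15KB/sec)
Oct 11 11:41:37 solara cyrus/imapd[27913]: SQUAT failed to open index file
Oct 11 12:00:00 solara slapd[4242]: conn=7 fd=12 ACCEPT from IP=10.0.0.5:51234 (IP=0.0.0.0:389)
EOF

# Lines that survive the given rule files, i.e. what logcheck would still mail.
survivors() {
    cat "$@" >"$WORK/combined.rules"
    grep -E -v -f "$WORK/combined.rules" "$WORK/sample.log"
}

# Number of surviving lines; grep -c avoids the padded output of wc -l.
count_survivors() { survivors "$@" | grep -c . || true; }

# With both rule files only the [ERROR] line is left for the report.
survivors "$WORK/good.rules" "$WORK/generic.rules"
```

The slapd rule alone lets the pure-ftpd and SQUAT lines through but silently drops the constructed ACCEPT line, which is the maintainer's objection to rules that stop right after the PID.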