Bug#275946: [Logcheck-devel] Bug#275946: Acknowledgement (newline not recognized when logcheck sends emails)

maks attems debian at sternwelten.at
Tue Oct 12 16:10:27 UTC 2004


On Mon, 11 Oct 2004, Brendon Baumgartner wrote:

> > From: maximilian attems On Behalf Of maks attems
> > 
> > On Mon, 11 Oct 2004, Brendon Baumgartner wrote:
> > 
> > > I upgraded to 1.2.28, same results.
> > >
> > > Here are the rules I added.
> > > ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ perdition\[[0-9]+\]: Connect:
> > fixed in latest cvs.
> > > ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pure-ftpd: [^[:space:]]+ \[NOTICE\]
> > > ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pure-ftpd: [^[:space:]]+ \[INFO\]
> > please show us the loglines you want to ignore with those.
> 
> I'm not sure what pureftp all shows, I haven't looked into it yet. I don't
> want to see when someone logs in or when they upload a file. Based on what I
> see below, dumping NOTICE and INFO is good.

fully agreed, worked out some preliminary rules out of posted messages,
used '.+' to match dirs as they can also contain spaces.
please try attached local-pureftp.
 
> Yes, a little over the top, but slapd creates so much junk, I don't have
> time to write proper rules, and I don't care about exact for the moment
> either.

ok left as is,
afaik slapd has very different loglevels with increasing output.
 
> > > ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: IN-inet:IN
> > > ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: NEW TCP
> > > ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: SYN FLOOD:IN
> > what that? iptables?
> 
> Yes. Iptables. I use another program to check iptables. I do see ping floods in
> logcheck emails still. I don't see a reason I need to though, but I've left
> them for the moment.

hmm not sure if iptables logs into syslog in standard conf,
therefore left for some iptables gurus.
 
> > thanks now fixed in cvs,
> > we ignored NOQUEUE, which other are appearing, curious about the log
> > messages?
> 
> Not sure what you're asking. Sorry.
> 
> Oct 11 10:58:09 solara postfix/smtpd[27917]: DA2331317B: reject: RCPT from
> ip073254.fscwv.edu[129.71.73.254]: 550 <thomas at brendon.com>: User unknown in
> local recipient table; from=<88 at adelphia.net> to=<thomas at brendon.com>
> proto=SMTP helo=<brendon.com>

thanks this answered my question,
added new rule to cvs logcheck-postfix for the above,
and fixed other reject lines.
 
> Thanks, this was probably one of the first rules I did, while I was still
> trying to figure things out. Fixed.
> 
> Oct 11 11:41:37 solara cyrus/imapd[27913]: SQUAT failed to open index file
> Oct 11 11:41:37 solara cyrus/imapd[27913]: SQUAT failed

strange there are rules for that message in
/etc/logcheck/violations.ignore.d/logcheck-cyrus .
could you check its permissions?
in what section do the above rules appear, "security events"
or "system events"?
 
> Glad to help. I know Outlook isn't desirable, but hey, it has a huge market
> share :/
> 
> Tested with Outlook Express. Passed
> Tested on another Outlook 2003, SP1. Failed. (same results)
> Tested with Thunderbird. Passed.

i still don't understand how that does correlate with
mails containing less messages due to local-* rules.
 
> I've attached my /etc/logcheck.

ooh i had overlooked that, found nothing suspicious in your local files.
 


--
maks
-------------- next part --------------
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pure-ftpd: \(\?@[._[:alnum:]-]+\) \[INFO\] New connection from [._[:alnum:]-]+$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pure-ftpd: \(\?@[._[:alnum:]-]+\) \[INFO\] [._[:alnum:]-]+ is now logged in$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pure-ftpd: \([._[:alnum:]-]+@[._[:alnum:]-]+\) \[INFO\] Can't change directory to .+: No such file or directory$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pure-ftpd: \([._[:alnum:]-]+@[._[:alnum:]-]+\) \[INFO\] Timeout - try typing a little faster next time$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pure-ftpd: \([._[:alnum:]-]+@[._[:alnum:]-]+\) \[NOTICE\] .+ (up|down)loaded  \([0-9]+ bytes, [0-9]+.[0-9]+KB/sec\)$
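An added example, not part of this mail or of logcheck itself: a POSIX sh harness that replays constructed pure-ftpd syslog lines against the attached local-pureftp rules with the same grep -E matching logcheck uses, so you can see which lines a rule swallows and which still get mailed before the file goes into /etc/logcheck. It assumes GNU grep (for `\w`) and mktemp; the host name, addresses and log lines are made up.

```shell
#!/bin/sh
# Added example (not from the bug report or from logcheck): check ignore
# rules offline with the grep -E semantics logcheck applies.
# Assumes GNU grep (for \w) and mktemp.

# Rules copied verbatim from the attached local-pureftp, one ERE per line,
# the layout logcheck expects for ignore.d.server/ files.
PUREFTP_RULES_FILE=$(mktemp)
cat > "$PUREFTP_RULES_FILE" <<'EOF'
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pure-ftpd: \(\?@[._[:alnum:]-]+\) \[INFO\] New connection from [._[:alnum:]-]+$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pure-ftpd: \(\?@[._[:alnum:]-]+\) \[INFO\] [._[:alnum:]-]+ is now logged in$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pure-ftpd: \([._[:alnum:]-]+@[._[:alnum:]-]+\) \[INFO\] Can't change directory to .+: No such file or directory$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pure-ftpd: \([._[:alnum:]-]+@[._[:alnum:]-]+\) \[INFO\] Timeout - try typing a little faster next time$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pure-ftpd: \([._[:alnum:]-]+@[._[:alnum:]-]+\) \[NOTICE\] .+ (up|down)loaded  \([0-9]+ bytes, [0-9]+.[0-9]+KB/sec\)$
EOF

# Constructed sample lines (not real logs) in pure-ftpd's syslog format.
# The WARNING line is the one that must keep reaching the mail; the last
# line has a directory with a space, which is why the rules use '.+'.
SAMPLE_LOG="Oct 12 16:10:27 solara pure-ftpd: (?@192.168.1.5) [INFO] New connection from 192.168.1.5
Oct 12 16:10:31 solara pure-ftpd: (?@192.168.1.5) [INFO] brendon is now logged in
Oct 12 16:12:03 solara pure-ftpd: (brendon@192.168.1.5) [NOTICE] /home/brendon//report.txt uploaded  (2048 bytes, 1.50KB/sec)
Oct 12 16:13:45 solara pure-ftpd: (?@10.0.0.9) [WARNING] Authentication failed for user [brendon]
Oct 12 16:14:02 solara pure-ftpd: (brendon@192.168.1.5) [INFO] Can't change directory to /home/brendon/My Documents: No such file or directory"

# Print the stdin lines that no rule matches: exactly what logcheck would mail.
unmatched_lines() {
    grep -E -v -f "$PUREFTP_RULES_FILE"
    return 0   # grep exits 1 when every line was ignored; not an error here
}

# Print the 1-based number of the first rule matching line $1, or "none".
first_matching_rule() {
    n=0; hit=none
    while IFS= read -r rule; do
        n=$((n + 1))
        if [ "$hit" = none ] && printf '%s\n' "$1" | grep -E -q -e "$rule"; then
            hit=$n
        fi
    done < "$PUREFTP_RULES_FILE"
    printf '%s\n' "$hit"
}

# Stand-alone run: show what would still reach the mail.
printf '%s\n' "$SAMPLE_LOG" | unmatched_lines
```

Only the authentication failure survives the filter; every INFO/NOTICE line is eaten by one of the five rules, which is the behaviour to confirm before trusting an ignore file.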