[Logcheck-devel] Bug#273433: marked as done (logcheck: odd behaviour with perdition rules)

Debian Bug Tracking System owner at bugs.debian.org
Sun Oct 17 00:03:08 UTC 2004


Your message dated Sat, 16 Oct 2004 19:47:08 -0400
with message-id <E1CIyGS-0006ny-00 at newraff.debian.org>
and subject line Bug#273433: fixed in logcheck 1.2.29
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 26 Sep 2004 03:19:18 +0000
>From jamie at silverdream.org Sat Sep 25 20:19:18 2004
Subject: logcheck: odd behaviour with perdition rules
From: "Jamie L. Penman-Smithson" <jamie at silverdream.org>
Reply-To: jamie at silverdream.org
To: submit at bugs.debian.org
Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="=-5l2BFyv6jZQUD3sBXGEY"
Organization: PinkLemon Internet Services
Date: Sun, 26 Sep 2004 04:18:40 +0100
Message-Id: <1096168720.3318.42.camel at oasis.silverdream.hq>


--=-5l2BFyv6jZQUD3sBXGEY
Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable

Package: logcheck
Version: 1.2.28
Severity: minor

I've got the following rules for perdition:

^\w{3} [ :0-9]{11} [._[:alnum:]-]+ perdition\[[0-9]+\]: Auth: [0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}->[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3} user=\"[[:alnum:]+[:punct:]+]+\" server=\"[[:alnum:]+[:punct:]]+\" port=\"[0-9]+\" status=\"ok\"$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ perdition\[[0-9]+\]: Close: [0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}->[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3} user=\"[[:alnum:]+[:punct:]+]+\" received=[0-9]+ sent=[0-9]+$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ perdition\[[0-9]+\]: Connect: [0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}->[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3} $

However I still see these messages from logcheck:

System Events
=-=-=-=-=-=-=
Sep 26 03:10:14 evenstar perdition[18515]: Connect: 82.133.58.132->82.133.58.132
Sep 26 03:10:14 evenstar perdition[18516]: Connect: 82.133.58.132->82.133.58.132
Sep 26 03:10:14 evenstar perdition[18517]: Connect: 82.133.58.132->82.133.58.132
Sep 26 03:10:14 evenstar perdition[18518]: Connect: 82.133.58.132->82.133.58.132

...even though these messages are matched by the 'Connect' rule above:

jps at evenstar:~$ sudo egrep "^\w{3} [ :0-9]{11} [._[:alnum:]-]+ perdition\[[0-9]+\]: Connect: [0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}->[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3} $" /var/log/mail.log
Sep 19 17:40:07 evenstar perdition[1329]: Connect: 82.133.58.132->82.133.58.132
Sep 19 17:40:07 evenstar perdition[1334]: Connect: 82.133.58.132->82.133.58.132
Sep 19 17:40:07 evenstar perdition[1335]: Connect: 82.133.58.132->82.133.58.132
Sep 19 17:40:07 evenstar perdition[1337]: Connect: 82.133.58.132->82.133.58.132

I've fiddled with it and can't see for the life of me why logcheck isn't
applying that rule..

-- 
-jamie <jamie at silverdream.org> | spamtrap: spam at silverdream.org
 w: http://www.silverdream.org | p: sms at silverdream.org
 pgp key @ http://silverdream.org/~jps/pub.key
 03:30:01 up 1 day,  7:19, 14 users,  load average: 0.20, 0.44, 0.34


--=-5l2BFyv6jZQUD3sBXGEY
Content-Type: application/pgp-signature; name=signature.asc
Content-Description: This is a digitally signed message part

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)

iD8DBQBBVjUQ0mxM1DK1CAsRArdjAJ99JHfKbfEExloY2/WMi/SU6JcBMQCfVcNv
EMJvySlBxSkH0E5Nxx21ML4=
=8Yxv
-----END PGP SIGNATURE-----

--=-5l2BFyv6jZQUD3sBXGEY--


---------------------------------------
Received: (at 273433-close) by bugs.debian.org; 16 Oct 2004 23:54:27 +0000
>From katie at ftp-master.debian.org Sat Oct 16 16:54:27 2004
From: Todd Troxell <ttroxell at debian.org>
To: 273433-close at bugs.debian.org
X-Katie: $Revision: 1.51 $
Subject: Bug#273433: fixed in logcheck 1.2.29
Message-Id: <E1CIyGS-0006ny-00 at newraff.debian.org>
Sender: Archive Administrator <katie at ftp-master.debian.org>
Date: Sat, 16 Oct 2004 19:47:08 -0400

Source: logcheck
Source-Version: 1.2.29

We believe that the bug you reported is fixed in the latest version of
logcheck, which is due to be installed in the Debian FTP archive:

logcheck-database_1.2.29_all.deb
  to pool/main/l/logcheck/logcheck-database_1.2.29_all.deb
logcheck_1.2.29.dsc
  to pool/main/l/logcheck/logcheck_1.2.29.dsc
logcheck_1.2.29.tar.gz
  to pool/main/l/logcheck/logcheck_1.2.29.tar.gz
logcheck_1.2.29_all.deb
  to pool/main/l/logcheck/logcheck_1.2.29_all.deb
logtail_1.2.29_all.deb
  to pool/main/l/logcheck/logtail_1.2.29_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 273433 at bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Todd Troxell <ttroxell at debian.org> (supplier of updated logcheck package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster at debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Saturday, 16 Oct 2004 19:14:03 -0500
Source: logcheck
Binary: logcheck logtail logcheck-database
Architecture: source all
Version: 1.2.29
Distribution: unstable
Urgency: low
Maintainer: Debian logcheck Team <logcheck-devel at lists.alioth.debian.org>
Changed-By: Todd Troxell <ttroxell at debian.org>
Description: 
 logcheck   - Mails anomalies in the system logfiles to the administrator
 logcheck-database - A database of system log rules for the use of log checkers
 logtail    - Print log file lines that have not been read
Closes: 270019 270677 272969 273433 276063 276317
Changes: 
 logcheck (1.2.29) unstable; urgency=low
 .
   maks:
   * Don't report sudo calls where pwd contains spaces (Closes: #272969)
   * Fix trailing space in perdition rule. (Closes: #273433)
   * Small documentation update how to test rules without fiddling with
     trailing space.
   * sed fine tuning to speed up + remove trailing tabs. thanks alfie
   * Don't use -m switch from sort, it basically disables sorting.
     Remove gratuitous call to uniq that should be done with SORTUNIQ.
     (Closes: #270677)
   * Add violations.ignore.d/su on old logfiles to be removed on sarge upgrade.
   * Add rules for kdm/wdm/xdm, kernel (usb, keyboard) on level workstation.
   * Only show "rules-directories-note" on upgrade.
   * Enhance ppp rules on level workstation. (Closes: #270019)
     Add pppoa3 rules to the ppp rules.
   * Small update concerning reject messages in postfix + new rule.
   * Added pptpd rules at level workstation.
     thanks to Erich Schubert <erich at debian.org>
   * Added first pure-ftpd rules at level server.
   * Fix cyrus violations.ignore.d rules for higher pids.
   todd:
   * Add 1 dovecot rule
   * Fix another permission issue involving rulefiles.  Added chown to debian/rules.
   * Simpler formatting on version string.
   jamie:
   * Updated rules for innd, added rule for cleanfeed.
   * Small correction to gps rules.
   * Added SPF postfix policy server rule for 'SPF pass'.
   * Fix spelling mistake in dhcp rules. (Closes: #276063)
   * Change dhcp rules to reflect ISC's change of name.
     Thanks to Dirk Prosdorf for the patch. (Closes: #276317)
Files: 
 f7720d493d22ecc98da401f694d4b894 668 admin optional logcheck_1.2.29.dsc
 6eb2aca5a62e1506ff9da91f70c5c5dc 83385 admin optional logcheck_1.2.29.tar.gz
 a16f72d33f2f74b99454ed59ff088e14 40122 admin optional logcheck_1.2.29_all.deb
 22c9bc92215aa4917125903264492df0 50294 admin optional logcheck-database_1.2.29_all.deb
 0be6a2f4354e5eb85654aeab28020c4e 23734 admin optional logtail_1.2.29_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBcawf4u3oQ3FHP2YRAploAKCeVtHWvKgupv3HIiRtX3b2nt2nZACeJ8Xu
oHXCzqSgmE6v9mCNWbspCNY=
=qAeK
-----END PGP SIGNATURE-----
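
Added example (not part of the original messages and not logcheck's own code): why the Connect rule from the report matches under egrep on /var/log/mail.log yet is never applied by logcheck. It assumes logcheck removes trailing whitespace from each log line before matching, modelled here with sed; the sample line and the space-free rule are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample: one perdition Connect line as it sits in the log file,
# including the trailing space after the second address.
RAW_LINE='Sep 26 03:10:14 evenstar perdition[18515]: Connect: 82.133.58.132->82.133.58.132 '

IP='[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'
PREFIX='^\w{3} [ :0-9]{11} [._[:alnum:]-]+ perdition\[[0-9]+\]: Connect: '

# Rule as posted in the report: a literal space before the end anchor.
RULE_REPORTED="${PREFIX}${IP}->${IP} \$"
# Assumed correction: same rule with the trailing space dropped.
RULE_NO_SPACE="${PREFIX}${IP}->${IP}\$"

# Assumption: stands in for logcheck's own clean-up of each line before
# the rule files are applied.
strip_trailing_ws() {
    sed -e 's/[[:space:]]*$//'
}

# count_raw RULE: matches when grep reads the line exactly as logged,
# which is what running egrep against /var/log/mail.log tests.
count_raw() {
    printf '%s\n' "$RAW_LINE" | grep -E -c -e "$1" || true
}

# count_stripped RULE: matches after trailing whitespace is removed,
# which is what the rule sees under the assumption above.
count_stripped() {
    printf '%s\n' "$RAW_LINE" | strip_trailing_ws | grep -E -c -e "$1" || true
}

for name in RULE_REPORTED RULE_NO_SPACE; do
    eval "rule=\$$name"
    printf '%-14s raw=%s stripped=%s\n' \
        "$name" "$(count_raw "$rule")" "$(count_stripped "$rule")"
done
```

Testing a candidate rule against the stripped stream rather than the raw file avoids both the false match and the false miss.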




