Bug#277696: [Logcheck-devel] Bug#277696: logcheck-database: spelling error in /etc/logcheck/ignore.d.server/uw-imap

maks attems debian at sternwelten.at
Fri Oct 22 14:46:38 UTC 2004


tags 277696 moreinfo
tags 277696 pending
thanks

On Thu, 21 Oct 2004, Wouter de Vries wrote:

> I found a spelling error in /etc/logcheck/ignore.d.server/uw-imap. There
> is a line that reads:

logcheck has no such file, verified with:
dpkg -L logcheck-database | egrep imap
you probably mean /etc/logcheck/ignore.d.paranoid/imap

 
> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ imapd\[[0-9]+\]: (connect|(port (143|220)|imap(s SSL)?) service init) from [\.0-9]+$

in the above file i find this rule:
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ imapd\[[0-9]+\]: port 143 service init from [^[:space:]]+$

> connections from clients read like this on my computer though:
> 
> Oct 21 21:45:03 phoenix snmpd[16630]: Connection from 127.0.0.1

that log message makes no sense.
 
> So maybe the line should read:
> 
> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ imapd\[[0-9]+\]: (connect|Connection|(port (143|220)|imap(s SSL)?) service init) from [\.0-9]+$

when improving logcheck rules please place them for your own help
in local-<package> file as described in
-> /usr/share/doc/logcheck-database/README.logcheck-database.gz

please also pay attention to which bug report you're answering. ;)

On Thu, 21 Oct 2004, Wouter Leonard de Vries wrote:

> I'm very sorry, I messed up. The lines in my syslog read like this:
> 
> Oct 21 21:36:33 phoenix imapd[1582]: connect from 192.168.1.3 (192.168.1.3)

that logline makes sense yes.
 
> I'm not sure whether the first one is a hostname or the second, but the
> line should probably change to:
> 
> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ imapd\[[0-9]+\]: (connect|(port (143|220)|imap(s SSL)?) service init) from [\.0-9]+ (\([\.0-9]+\))?$

not so bad, but please use at least that '[0-9.]{7,15}' to match an ip.
so i propose the attached rule.

--
maks
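
One way to check the rules from this thread before installing them, as an added example that is not part of the original message: it runs the rule quoted from the file, the reporter's proposed rule and a hypothetical tightened variant built on the suggested `[0-9.]{7,15}` (an assumption, not the attached rule, which is not shown here) through `grep -E` and lists the lines each rule leaves reported. The first and last sample lines come from the thread; the two in between are constructed.

```shell
#!/bin/sh
# Sample input. Lines 1 and 4 are quoted in the thread; lines 2 and 3 are
# constructed probes (no parenthesised part / an "address" that is too short).
sample_lines() {
cat <<'EOF'
Oct 21 21:36:33 phoenix imapd[1582]: connect from 192.168.1.3 (192.168.1.3)
Oct 21 21:36:40 phoenix imapd[1583]: connect from 192.168.1.3
Oct 21 21:37:01 phoenix imapd[1584]: connect from 1.2 (1.2)
Oct 21 21:45:03 phoenix snmpd[16630]: Connection from 127.0.0.1
EOF
}

# Rule quoted from the existing file in the reply.
RULE_FILE='^\w{3} [ :0-9]{11} [._[:alnum:]-]+ imapd\[[0-9]+\]: port 143 service init from [^[:space:]]+$'
# Rule proposed by the reporter in the second quoted message.
RULE_REPORTER='^\w{3} [ :0-9]{11} [._[:alnum:]-]+ imapd\[[0-9]+\]: (connect|(port (143|220)|imap(s SSL)?) service init) from [\.0-9]+ (\([\.0-9]+\))?$'
# Hypothetical variant (assumption): address class bounded to {7,15}, and the
# separating space moved inside the optional group.
RULE_TIGHT='^\w{3} [ :0-9]{11} [._[:alnum:]-]+ imapd\[[0-9]+\]: (connect|(port (143|220)|imap(s SSL)?) service init) from [0-9.]{7,15}( \([0-9.]{7,15}\))?$'

# Print the sample lines a rule does NOT match, i.e. what would still be reported.
reported() {
    sample_lines | grep -Ev -e "$1"
}

# Number of sample lines still reported under a rule.
count_reported() {
    reported "$1" | wc -l | tr -d ' '
}

for name in RULE_FILE RULE_REPORTER RULE_TIGHT; do
    eval "rule=\$$name"
    printf '== %s: %s line(s) still reported\n' "$name" "$(count_reported "$rule")"
    reported "$rule" | sed 's/^/   /'
done
```

The reporter's rule keeps its space outside the optional group, so a `connect` line without the parenthesised address is still reported, while the unbounded `[\.0-9]+` suppresses the too-short probe line.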





