[Logcheck-devel] RE: logcheck rules

Brendon Baumgartner brendon at brendon.com
Mon Oct 25 21:03:25 UTC 2004


> From: maximilian attems [mailto:max at stro.at] On Behalf Of maximilian
> attems
> Sent: Monday, October 25, 2004 1:09 PM
> To: Brendon Baumgartner
> Cc: logcheck-devel
> Subject: Re: logcheck rules
> 
> On Fri, 22 Oct 2004, Brendon Baumgartner wrote:
> 
> > I know you're a rule collector :)
> 
> well there are times when i'm less responsive,
> please just file bug reports to balance the load
> on the team. i'll try on this one.
> 
> > Here's what I've got. Some minor adjustments. Some lines have \. To
> match
> > periods etc. This list doesn't relate to the email I just sent about the
> > bug. I removed some of this for testing. I've made a lot of minor tweaks
> > since our last discussion.
> >
> > ./ignore.d.server/local-perdition
> > ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ perdition\[[0-9]+\]: Connect:
> > [.0-9]+->[.0-9]+$
> strange this one should be ignored in current logcheck.
> could you check why this rule goofs, i'll attach it also in local-
> perdition:
> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ perdition\[[0-9]+\]: Connect:
> [0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}->[0-9]{1,3}\.[0-
> 9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$
> maybe it was just added to current cvs?


^\w{3} [ :0-9]{11} [._[:alnum:]-]+ perdition\[[0-9]+\]: Connect: [0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}->[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3} $

Above is what I have in my perdition file from you. Notice the " $" at the
end. Looks like you caught it in cvs. I swapped mine to yours.


> > ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ perdition\[[0-9]+\]: Fatal error
> piping
> > data. Exiting child\.$
> no idea that sounds more like an error?

Yea. Sure does. I added it for a reason, don't remember now. Can we put
comments in the rules files?

> > ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ perdition\[[0-9]+\]: Closing NULL
> > session: [.0-9]+->[.0-9]+ username=\(null\)$
> ok cool, added with a bit stricter ip matching:
> '[.0-9]+' became  '[.0-9]{7,15}'

k.

> > ./ignore.d.server/local-postfix
> > ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: table
> > hash:/var/lib/exact/relay\(0,100\) has changed -- restarting$
> how often does that happen?
> not sure if it's sane to ignore?

Exact is a pop-before-smtp daemon, so whenever something changes a hash
table, you get that message. Exact changes the hash table OFTEN. It's up to
you. These types of messages apply to postfix 2.1.x and not 2.0.x I believe.
Postfix 2.0.x is very generic about hash table messages and doesn't say what
file.

> > ^COMMENT\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]: [0-9A-
> Z]+:
> > lost connection with [^[:space:]]+ while sending end of data -- message
> may
> > be sent more than once$
> also added but used '[:upper:]' instead of 'A-Z'.

Not sure why I commented that one out....
 
> > ./ignore.d.server/local-cron
> > ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ cron\(pam_unix\)\[[0-9]+\]: session
> > closed for user logcheck$
> > ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ cron\(pam_unix\)\[[0-9]+\]: session
> > opened for user logcheck by \(uid=0\)$
> strange i've never seen this!?
> when do you get that?
> in ignore.d.paranoid/cron i see that rule
> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ CRON\[[0-9]+\]: \(pam_[[:alnum:]]+\)
> session opened for user [[:alnum:]-]+ by \(uid=[0-9]+\)$
> what cron are you using? (debian or other distribution)?

Yes. Debian cron.
solara:/var/log# dpkg -l|grep cron
ii  cron           3.0pl1-81      management of regular background processing
solara:/var/log#
solara:/var/log# grep -i cron auth.log|grep logcheck|grep pam
Oct 17 07:02:01 solara CRON[23093]: (pam_unix) session opened for user logcheck by (uid=0)
Oct 17 07:02:06 solara CRON[23093]: (pam_unix) session closed for user logcheck


> > ./ignore.d.server/local-sshd
> > ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]:
> syslogin_perform_logout:
> > logout\(\) returned an error$
> thanks already in current cvs.
> 
> > ./ignore.d.server/local-pure-ftpd
> > ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pure-ftpd: \(\?@[._[:alnum:]-]+\)
> > \[INFO\] New connection from [._[:alnum:]-]+$
> > ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pure-ftpd: \(\?@[._[:alnum:]-]+\)
> > \[INFO\] [._[:alnum:]-]+ is now logged in$
> > ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pure-ftpd:
> > \([\?._[:alnum:]-]+@[._[:alnum:]-]+\) \[INFO\] Logout\.$
> > ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pure-ftpd:
> > \([._[:alnum:]-]+@[._[:alnum:]-]+\) \[INFO\] Timeout - try typing a
> little
> > faster next time$
> > ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pure-ftpd:
> > \([._[:alnum:]-]+@[._[:alnum:]-]+\) \[INFO\] Can't change directory to
> .+:
> > No such file or directory$
> all aboves already in cvs, thanks.
> > ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pure-ftpd:
> > \([._[:alnum:]-]+@[._[:alnum:]-]+\) \[INFO\] Can't change directory to
> .+:
> > Not a directory$
> added this ending bit to aboves rule:
> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pure-ftpd:
> \([._[:alnum:]-]+@[._[:alnum:]-]+\) \[INFO\] Can't change directory to .+:
> (No such file or|Not a) directory$
> 
> > ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pure-ftpd:
> > \([._[:alnum:]-]+@[._[:alnum:]-]+\) \[INFO\] Timeout \(no new data for
> > [0-9]+ seconds\)$
> added
> > ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pure-ftpd:
> > \([._[:alnum:]-]+@[._[:alnum:]-]+\) \[NOTICE\] .+ (up|down)loaded  \([0-
> 9]+
> > bytes, [0-9]+.[0-9]+KB/sec\)$
> already in cvs
> > ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pure-ftpd:
> > \([._[:alnum:]-]+@[._[:alnum:]-]+\) \[NOTICE\] Deleted .+$
> hmmm, yeaah can be noisy on big hosts,
> i'll leave it out until future notice.
> but ftp-user shouldn't have access to important stuff.
> please inform me on the nr. of occurrences on your host for example?
> egrep '\[NOTICE\] Deleted' /var/log/syslog | wc -l

Users have ftp access to their websites on my system using pureftpd. So
anytime they delete a file, this message will appear. At least that's what I
think. Correct me if that's wrong.

solara:/var/log# zcat syslog* |egrep '\[NOTICE\] Deleted'  | wc -l
zcat: syslog: not in gzip format
zcat: syslog.0: not in gzip format
    114
solara:/var/log#

...your call.

> > ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pure-ftpd:
> > \([._[:alnum:]-]+@[._[:alnum:]-]+\) \[NOTICE\] File successfully renamed
> or
> > moved: \[.+\]->\[.+\]$
> great added.
> 
> > ./ignore.d.server/local-exact
> > ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ exact\[[0-9]+\]: authorising
> > [^[:space:]]+ at [.0-9]+$
> > ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ exact\[[0-9]+\]: cleaning db file$
> sorry i don't know of an "exact" daemon,
> please educate me.

Pop-before-smtp. It's not popular, but it is the only simple one written in
C and not perl or some scripted lang. I made a deb for it for the author and
tried to become a maintainer, applied on the website, and never followed up.
Seemed too hard to get in as a maintainer. I just use it :)

> > ./ignore.d.server/local-slapd
> > ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ slapd\[[0-9]+\]:
> hmm that one doesn't make me happy,
> have you tried to decrease verbosity in slapd?

Yes. Logging 0 is now in my slapd.conf, for some reason the default is 256.
Not sure if I should use 0, but it was annoying me. Got a recommendation?

That said, I removed my local-slapd files. If it chills out, I'll make a few
rules and send them in.
 
> > ./ignore.d.server/local-snmpd
> > ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ snmpd\[[0-9]+\]: Connection from [.0-
> 9]+$
> thanks added with a bit stricter ip matching rule, see above.
> 
> > ./ignore.d.server/local-ispman
> > ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ispman: ISPMan
> looks like a verbose man,
> no idea what he does nor is this rule complete. ;-)

Ignore this. I wouldn't add it to your set.
 
> > ./ignore.d.server/local-kernel
> > ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: IN-inet:IN
> > ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: NEW TCP
> > ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: SYN FLOOD:IN
> hmm the iptables stuff, left for another time..

Yea I sent a follow-up email on this. Hopefully you can get back to me. I
would like to filter out everything but trusted networks.
 
> > ./violations.ignore.d/local-postfix
> > ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: [A-Z0-9]+:
> > reject: RCPT from [^[:space:]]+: [0-9]{3} <[^[:space:]]+>: Relay access
> > denied; from=<[^[:space:]]*> to=<[^[:space:]]+> proto=(ESMTP|SMTP)
> > helo=<[^[:space:]]+>$
> thanks already in cvs
> > ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: [A-Z0-9]+:
> > reject: RCPT from [^[:space:]]+: [0-9]{3} <[^[:space:]]+>: User unknown
> in
> > local recipient table; from=<[^[:space:]]*> to=<[^[:space:]]+>
> > proto=(ESMTP|SMTP) helo=<[^[:space:]]+>$
> grr we have a slightly different rule in cvs,
> could we fix that one up?
> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]:
> [[:upper:]0-9]+: reject: RCPT from [^[:space:]]+\[[0-9.]{7,14}\]:
> [45][0-9][0-9] <.+>: User unknown in local recipient table;
> from=<[^[:space:]]*> to=<[^[:space:]]+> proto=(ESMTP|SMTP)
> helo=<[^[:space:]]+>$
> looks quite similar except the part
> "RCPT from [^[:space:]]+\[[0-9.]{7,14}\]"
> could you try if it works for you, attached.

k. I'll give it a go.

> 
> > ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]: [A-Z0-9]+:
> > to=<[^[:space:]]+>, relay=[^[:space:]]+, delay=[0-9]+, status=deferred
> > \(host [^[:space:]]+ refused to talk to me: [^[:space:]]+ 554 Access
> > denied\)$
> great thanks added just used [:upper:] instead of 'A-Z'
> >
> > ./violations.ignore.d/local-pure-ftpd
> > ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pure-ftpd:
> > \([._[:alnum:]-]+@[._[:alnum:]-]+\) \[ERROR\] Can't open .+: No such
> file or
> > directory$
> > ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pure-ftpd:
> > \([._[:alnum:]-]+@[._[:alnum:]-]+\) \[ERROR\] Can't remove directory: No
> > such file or directory$
> > ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pure-ftpd: \(\?@[._[:alnum:]-]+\)
> > \[DEBUG\] This is a private system - No anonymous login$
> thanks added
> 
> > ./violations.ignore.d/local-cyrus
> > ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ cyrus/imapd\[[0-9]+\]: SQUAT failed$
> > ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ cyrus/imapd\[[0-9]+\]: SQUAT failed
> to
> > open index file$
> already in current cvs.
> > ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ cyrus/lmtpd\[[0-9]+\]: DBERROR db3:
> > [0-9]+ lockers$
> what? that sounds bad?

Yea. Sounds bad. Looked it up. It's okay :)

> > ./violations.ignore.d/local-slapd
> > ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ slapd\[[0-9]+\]:
> hmm..
> 
> thanks a lot for the different rules,
> i've added a thanks to current changelog for all this rules.

Np. Thanks for the thorough work! 

-- 
-brendon
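As an added example (not code from this thread or from the logcheck project), the check below runs the rules discussed above over constructed syslog lines the way logcheck's filter step does (egrep -v against the rule). It shows that the perdition "Connect" rule with the stray " $" matches nothing, and what the stricter `[.0-9]{7,15}` address pattern changes for the "Closing NULL session" rule; the sample lines and the helper names `count_unmatched`, `null_session_rule` and `matches` are assumptions made here.

```shell
# Added example, not code from the thread or from logcheck itself: it mimics
# logcheck's filter step (egrep -v against a rule) on constructed log lines.

# Constructed syslog lines in the format the rules expect.
SAMPLE_LOG='Oct 25 13:09:01 solara perdition[1234]: Connect: 192.168.1.20->10.0.0.5
Oct 25 13:09:02 solara perdition[1234]: Closing NULL session: 192.168.1.20->10.0.0.5 username=(null)
Oct 25 13:09:03 solara perdition[1234]: Fatal error piping data. Exiting child.'

# Constructed line with implausibly short "addresses".
SHORT_LINE='Oct 25 13:09:04 solara perdition[1234]: Closing NULL session: 1->2 username=(null)'

# The Connect rule as it sat in the local-perdition file, with the stray " $".
RULE_BAD='^\w{3} [ :0-9]{11} [._[:alnum:]-]+ perdition\[[0-9]+\]: Connect: [0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}->[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3} $'
# The corrected rule from cvs: anchored directly after the last octet.
RULE_GOOD='^\w{3} [ :0-9]{11} [._[:alnum:]-]+ perdition\[[0-9]+\]: Connect: [0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}->[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$'

# count_unmatched RULE: how many sample lines the rule leaves unfiltered,
# i.e. how many logcheck would still report.
count_unmatched() {
    printf '%s\n' "$SAMPLE_LOG" | grep -E -v -e "$1" | wc -l | tr -d ' '
}

# null_session_rule IPPATTERN: the "Closing NULL session" rule built with the
# given address pattern, so the loose and strict variants can be compared.
null_session_rule() {
    printf '%s' "^\\w{3} [ :0-9]{11} [._[:alnum:]-]+ perdition\\[[0-9]+\\]: Closing NULL session: $1->$1 username=\\(null\\)\$"
}

# matches RULE LINE: exit status 0 if RULE matches LINE, 1 otherwise.
matches() {
    printf '%s\n' "$2" | grep -E -q -e "$1"
}

# Demonstration when run directly.
echo "unfiltered with ' \$' rule: $(count_unmatched "$RULE_BAD")"    # 3: rule matches nothing
echo "unfiltered with fixed rule: $(count_unmatched "$RULE_GOOD")"   # 2
if matches "$(null_session_rule '[.0-9]+')" "$SHORT_LINE"; then
    echo "loose [.0-9]+ silently ignores: $SHORT_LINE"
fi
if ! matches "$(null_session_rule '[.0-9]{7,15}')" "$SHORT_LINE"; then
    echo "strict [.0-9]{7,15} still reports it"
fi
```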