[Logcheck-devel] Re: logcheck rules

maks attems debian at sternwelten.at
Mon Oct 25 23:06:53 UTC 2004


On Mon, 25 Oct 2004, Brendon Baumgartner wrote:

> Above is what I have in my perdition file from you. Notice the " $" at the
> end. Looks like you caught it in cvs. I swapped mine to yours.
 
ok
 
> > > ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ perdition\[[0-9]+\]: Fatal error
> > piping
> > > data. Exiting child\.$
> > no idea that sounds more like an error?
> 
> Yea. Sure does. I added it for a reason, don't remember now. Can we put
> comments in the rules files?

yes, lines with a '#' at the beginning will be discarded by logcheck.
 
> > > ./ignore.d.server/local-postfix
> > > ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: table
> > > hash:/var/lib/exact/relay\(0,100\) has changed -- restarting$
> > how often does that happen?
> > not sure if it's sane to ignore?
> 
> Exact is a pop-before-smtp daemon, so whenever something changes a hash
> table, you get that message. Exact changes the hash table OFTEN. It's up to
> you. These type messages apply to postfix 2.1.x and not 2.0.x I believe.
> Postfix 2.0.x is very generic about hash table messages and doesn't say what
> file.

thanks for the info!
 
> > > ^COMMENT\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]: [0-9A-
> > Z]+:
> > > lost connection with [^[:space:]]+ while sending end of data -- message
> > may
> > > be sent more than once$
> > also added but used '[:upper:]' instead of 'A-Z'.
> 
> Not sure why I commented that one out....

ooh hadn't noticed that.
maybe the above is quite rare?
 
> > > ./ignore.d.server/local-cron
> > > ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ cron\(pam_unix\)\[[0-9]+\]: session
> > > closed for user logcheck$
> > > ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ cron\(pam_unix\)\[[0-9]+\]: session
> > > opened for user logcheck by \(uid=0\)$
> > strange i've never seen this!?
> > when do you get that?
> > in ignore.d.paranoid/cron i see that rule
> > ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ CRON\[[0-9]+\]: \(pam_[[:alnum:]]+\)
> > session opened for user [[:alnum:]-]+ by \(uid=[0-9]+\)$
> > what cron are you using? (debian or other distribution)?
> 
> Yes. Debian cron.
> solara:/var/log# dpkg -l|grep cron
> ii  cron           3.0pl1-81      management of regular background
> processing
> solara:/var/log#
> solara:/var/log# grep -i cron auth.log|grep logcheck|grep pam
> Oct 17 07:02:01 solara CRON[23093]: (pam_unix) session opened for user
> logcheck by (uid=0)
> Oct 17 07:02:06 solara CRON[23093]: (pam_unix) session closed for user
> logcheck

i remember an older cron log like that, you might want to upgrade ;-)
dpkg -l |grep cron
ii  cron           3.0pl1-86      management of regular background processing

 
> Users have ftp access to their websites on my system using pureftpd. So
> anytime they delete a file, this message will appear. At least that's what I
> think. Correct me if that's wrong.
yup thanks for the explanation,
added your ignore rule for that notice!
 
> > > ./ignore.d.server/local-exact
> > > ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ exact\[[0-9]+\]: authorising
> > > [^[:space:]]+ at [.0-9]+$
> > > ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ exact\[[0-9]+\]: cleaning db file$
> > sorry i don't know of an "exact" daemon,
> > please educate me.
> 
> Pop-before-smtp. It's not popular, but it is the only simple one written in
> C and not perl or some scripted lang. I made a deb for it for the author and
> tried to become a maintainer, applied on the website, and never followed up.
> Seemed too hard to get in as a maintainer. I just use it :)

again thanks for the info,
don't give up, it might be a nice experience. :-)

so i don't include those rules for now, as we have some
more packages to follow up in the archive...
 
> > > ./ignore.d.server/local-slapd
> > > ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ slapd\[[0-9]+\]:
> > hmm that one don't make me happy,
> > have you tried to decrease verbosity in slapd?
> 
> Yes. Logging 0 is now in my slapd.conf, for some reason the default is 256.
> Not sure if I should use 0, but it was annoying me. Got a recommendation ?

well, for a production server with a working setup,
i found it the sane level.
there is more of it in man slapd.conf;
already level 1 looks scary: "trace function calls"
 
> That said, I removed my local-slapd files. If it chills out, I'll make a few
> rules and send them in.

okay they are welcome anytime.
  
> Yea I sent a follow-up email on this. Hopefully you can get back to me. I
> would like to filter out everything but trusted networks.

ok need to read that, sort of backlog right now.
  
> > grr we have a slightly different rule in cvs,
> > could we fix that one up?
> > looks quite similar except the part
> > "RCPT from [^[:space:]]+\[[0-9.]{7,14}\]"
> > could you try if it works for you, attached.
> 
> k. I'll give it a go.

if it doesn't work please scream.
 
> > > ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ cyrus/lmtpd\[[0-9]+\]: DBERROR db3:
> > > [0-9]+ lockers$
> > what? that sounds bad?
> 
> Yea. Sounds bad. Looked it up. Its okay :)

ok left for now.
happy to read you any time soon.
 
--
maks
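As an added illustration of the two mechanics discussed above (comment lines being dropped from a rule file, and the trailing `$` anchor deciding how much a rule swallows), here is a small script that replays logcheck's matching step by hand. It is not code from the thread or from logcheck; the log excerpt, the `local-cron` rule file and the deliberately unanchored `local-cron-sloppy` variant are constructed for the example, and the only real rule in it is the `ignore.d.paranoid/cron` one quoted above.

```sh
#!/bin/sh
# Added example, not code from the thread or from logcheck itself.
# logcheck strips '#' comment lines and blank lines from an ignore.d rule
# file and feeds the remaining extended regexes to grep -E -v -f, so only
# the log lines that no rule matches are reported. This script does the same
# on constructed input. File names and all log lines are made up here.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed log excerpt: the two cron lines quoted in the thread, a line
# that only *starts* like them, and a cyrus line that no rule covers.
cat > "$WORK/auth.log" <<'EOF'
Oct 17 07:02:01 solara CRON[23093]: (pam_unix) session opened for user logcheck by (uid=0)
Oct 17 07:02:06 solara CRON[23093]: (pam_unix) session closed for user logcheck
Oct 17 07:02:09 solara CRON[23094]: (pam_unix) session opened for user root by (uid=0) from unexpected host
Oct 17 07:03:00 solara cyrus/lmtpd[4242]: DBERROR db3: 17 lockers
EOF

# Rule file with '$'-anchored rules (the ignore.d.paranoid/cron rule from the
# thread plus a matching "closed" rule) and a '#' comment line on top.
cat > "$WORK/local-cron" <<'EOF'
# cron sessions for the logcheck user (this comment line is discarded)
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ CRON\[[0-9]+\]: \(pam_[[:alnum:]]+\) session opened for user [[:alnum:]-]+ by \(uid=[0-9]+\)$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ CRON\[[0-9]+\]: \(pam_[[:alnum:]]+\) session closed for user [[:alnum:]-]+$
EOF

# Same rules, but the "opened" rule has lost its trailing '$': the mistake the
# "notice the ' $' at the end" remark in the thread is about.
cat > "$WORK/local-cron-sloppy" <<'EOF'
# constructed for the example: first rule is NOT anchored at end of line
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ CRON\[[0-9]+\]: \(pam_[[:alnum:]]+\) session opened for user [[:alnum:]-]+ by \(uid=[0-9]+\)
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ CRON\[[0-9]+\]: \(pam_[[:alnum:]]+\) session closed for user [[:alnum:]-]+$
EOF

# apply_rules RULEFILE LOGFILE: print the log lines that no rule ignores.
apply_rules() {
    # drop comment lines and blank lines, as logcheck does before matching
    grep -v -e '^#' -e '^[[:space:]]*$' "$1" > "$WORK/rules.clean"
    # grep -E -v exits 1 when every line was ignored; that is not an error here
    grep -E -v -f "$WORK/rules.clean" "$2" || true
}

# remaining_count RULEFILE LOGFILE: number of lines that would be reported.
remaining_count() {
    apply_rules "$1" "$2" | wc -l | tr -d ' '
}

echo "reported with anchored rules:"
apply_rules "$WORK/local-cron" "$WORK/auth.log"
echo "reported with the unanchored 'opened' rule:"
apply_rules "$WORK/local-cron-sloppy" "$WORK/auth.log"
```

With the anchored rule file two lines are reported: the "session opened ... from unexpected host" line, because the `$` keeps the rule from matching a mere prefix, and the cyrus DBERROR line. With the unanchored variant the "unexpected host" line is silently swallowed as well, which is exactly why an ignore rule should end in `$` unless you really mean "anything that starts like this". The rules use `\w`, which is a GNU grep extension; that is what logcheck on Debian runs, but a strictly POSIX grep may not accept it.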





More information about the Logcheck-devel mailing list