[Logcheck-devel] Bug#270018: HylaFax send logs after log level reduction
Ross Boylan
RossBoylan at stanfordalumni.org
Sun Oct 31 04:04:28 UTC 2004
On Thu, Oct 28, 2004 at 12:02:38AM -0700, Ross Boylan wrote:
> On Fri, Oct 22, 2004 at 11:43:54AM -0700, Ross Boylan wrote:
> > On Thu, Oct 21, 2004 at 02:23:33PM +0100, Jamie L. Penman-Smithson wrote:
> > > In the absence of any further info, I'm going to add the rules I've got to
> > > CVS:
> > >
> > > ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ FaxQueuer\[[0-9]+\]: SUBMIT JOB
> > > [0-9]+$
> > > ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ FaxQueuer\[[0-9]+\]: FIFO RECV
> > > \"Sclient/[0-9]+:[0-9]+\"$
> > > ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ FaxQueuer\[[0-9]+\]: JOB [0-9]+
> > > \((ready|active) dest [0-9\+]+ pri [0-9]+ tts [0-9]+:[0-9]+ killtime
> > > [0-9]+:[0-9]+:[0-9]+\): (READY|PROCESS|ACTIVE|PREPARE START)$
> > > ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ FaxGetty\[[0-9]+\]: LOCKWAIT$
> > > ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ FaxQueuer\[[0-9]+\]: STATE CHANGE:
> > > RUNNING -> LOCKWAIT \(timeout [0-9]+\)$
> > >
I have the above rules in place.
> However, some of the hylafax docs
> (file:///usr/share/doc/hylafax-doc/html/setup.html) indicate
> ServerTracing 1
> SessionTracing 0x4f
> for Class 1 or
I switched to these settings in /etc/hylafax/config and config.ttyS0.
I rebooted after that, so I'm pretty sure they are in effect.

Here are some guesses at further patterns, based on the log messages
that still got through. These were based on basic operation of the system
and successfully sending one fax.

^\w{3} [ :0-9]{11} [._[:alnum:]-]+ FaxGetty\[[0-9]+\]: MODEM
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ FaxGetty\[[0-9]+\]: ANSWER: Can not lock modem device$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ FaxQueuer\[[0-9]+\]: NOTIFY: bin/notify "doneq/q[[:digit:]]+" "done" "[[:digit:]:]+"$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ FaxQueuer\[[0-9]+\]: NOTIFY exit status: 0 \([[:digit:]]+\)$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ FaxSend\[[0-9]+\]: SEND FAX: JOB [[:digit:]]+ DEST [ [:digit:]()-]+ COMMID \w+ DEVICE '[/[:alnum:]]+'$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ FaxSend\[[0-9]+\]: SEND FAX: JOB [[:digit:]]+ SENT in [[:digit:]:]+$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ HylaFAX\[[0-9]+\]: Filesystem has SysV-style file creation semantics\.$

I'm not sure that all these generalizations are appropriately
general. Also, note the first pattern doesn't include a $.

I had no failed faxes, but my guess is they would still produce the
log messages shown in earlier reports under "Security Events". They
definitely don't merit being so reported; I doubt they merit being
reported at all.

Here are the types of messages that came through after resetting the
log level and after installing the quoted patterns at the top of the
message:

Oct 30 17:43:06 wheat FaxGetty[1398]: MODEM U.S. ROBOTICS 56K VOICE INT V4.9.1 5601/
Oct 30 17:46:02 wheat HylaFAX[29554]: Filesystem has SysV-style file creation semantics.
Oct 30 17:46:23 wheat FaxSend[29660]: SEND FAX: JOB 131 DEST 1 805 480-8413 COMMID 000000196 DEVICE '/dev/ttyS0'
Oct 30 17:47:16 wheat FaxSend[29660]: SEND FAX: JOB 131 SENT in 0:17
Oct 30 17:47:34 wheat FaxQueuer[899]: NOTIFY: bin/notify "doneq/q131" "done" "1:23"
Oct 30 17:47:35 wheat FaxQueuer[899]: NOTIFY exit status: 0 (29712)
Oct 30 18:42:02 wheat FaxGetty[1398]: ANSWER: Can not lock modem device
By the way, the "Can not lock modem device" is simply because I was
using the modem to do ppp.
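
The rules proposed in this message can be dry-run against the log lines it quotes before they go into a logcheck ignore file. The script below is an added example, not part of the original message: it assumes GNU grep, uses hypothetical file names, writes the FaxSend rules with `[[:digit:]]+` for the job number and `'[/[:alnum:]]+'` for the device so that they match JOB 131 and /dev/ttyS0, and appends one constructed log line with a non-zero notify exit status.

```shell
#!/bin/sh
# Added example: dry-run candidate logcheck ignore rules with grep -E.
# Assumes GNU grep (for \w) and mktemp; rules.txt and sample.log are hypothetical names.

write_fixtures() {   # $1 = directory that receives rules.txt and sample.log
cat > "$1/rules.txt" <<'EOF'
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ FaxGetty\[[0-9]+\]: MODEM
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ FaxGetty\[[0-9]+\]: ANSWER: Can not lock modem device$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ FaxQueuer\[[0-9]+\]: NOTIFY: bin/notify "doneq/q[[:digit:]]+" "done" "[[:digit:]:]+"$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ FaxQueuer\[[0-9]+\]: NOTIFY exit status: 0 \([[:digit:]]+\)$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ FaxSend\[[0-9]+\]: SEND FAX: JOB [[:digit:]]+ DEST [ [:digit:]()-]+ COMMID \w+ DEVICE '[/[:alnum:]]+'$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ FaxSend\[[0-9]+\]: SEND FAX: JOB [[:digit:]]+ SENT in [[:digit:]:]+$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ HylaFAX\[[0-9]+\]: Filesystem has SysV-style file creation semantics\.$
EOF
cat > "$1/sample.log" <<'EOF'
Oct 30 17:43:06 wheat FaxGetty[1398]: MODEM U.S. ROBOTICS 56K VOICE INT V4.9.1 5601/
Oct 30 17:46:02 wheat HylaFAX[29554]: Filesystem has SysV-style file creation semantics.
Oct 30 17:46:23 wheat FaxSend[29660]: SEND FAX: JOB 131 DEST 1 805 480-8413 COMMID 000000196 DEVICE '/dev/ttyS0'
Oct 30 17:47:16 wheat FaxSend[29660]: SEND FAX: JOB 131 SENT in 0:17
Oct 30 17:47:34 wheat FaxQueuer[899]: NOTIFY: bin/notify "doneq/q131" "done" "1:23"
Oct 30 17:47:35 wheat FaxQueuer[899]: NOTIFY exit status: 0 (29712)
Oct 30 18:42:02 wheat FaxGetty[1398]: ANSWER: Can not lock modem device
EOF
# Constructed line (not from the message): a non-zero notify exit status,
# which the "exit status: 0" rule must leave visible in the report.
echo 'Oct 30 18:50:00 wheat FaxQueuer[899]: NOTIFY exit status: 1 (29800)' >> "$1/sample.log"
}

# Lines that no rule matches, i.e. what would still be reported.
unmatched_lines() {   # $1 = rules file, $2 = log file
    grep -E -v -f "$1" "$2" || true
}

# Rules that match no sample line: mistyped, too narrow, or simply not exercised.
dead_rules() {        # $1 = rules file, $2 = log file
    while IFS= read -r rule; do
        grep -E -q -e "$rule" "$2" || printf '%s\n' "$rule"
    done < "$1"
}

demo_dir=$(mktemp -d)
write_fixtures "$demo_dir"
echo "Still reported:"; unmatched_lines "$demo_dir/rules.txt" "$demo_dir/sample.log"
echo "Rules with no hits:"; dead_rules "$demo_dir/rules.txt" "$demo_dir/sample.log"
rm -rf "$demo_dir"
```

A rule listed under "Rules with no hits" is not necessarily wrong, but for a rule written from a specific log line it usually points to a quantifier or character-class slip.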