[Logcheck-devel] Bug#270018: HylaFax send logs after log level reduction

Jamie L. Penman-Smithson jamie at silverdream.org
Sun Oct 31 14:43:12 UTC 2004


Hey Ross,

On Sat, 2004-10-30 at 21:04 -0700, Ross Boylan wrote:
> I'm not sure that all these generalizations are appropriately
> general.  Also, note the first pattern doesn't include a $.
> 
> I had no failed faxes, but my guess is they would still produce the
> log messages shown in earlier reports under "Security Events".  They
> definitely don't merit being so reported; I doubt they merit being
> reported at all.

Okay, I've come up with these rules under violations.d.ignore for the
log messages you gave. I've tested them and they work with the log
messages you supplied:

^\w{3} [ :0-9]{11} [._[:alnum:]-]+ FaxQueuer\[[0-9]+\]: NOTIFY: bin/notify \"doneq/q[[:digit:]]+\" \"failed\" \"[:0-9]{4,5}\"$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ FaxQueuer\[[0-9]+\]: JOB [0-9]+ \(failed dest \+[[:digit:]]+ pri [0-9]+ tts [:0-9]{4,5} killtime [:0-9]{7,8}\): (DEAD|DELETE|SEND DONE: [:0-9]{4,5})$

> Here are the types of messages that came through after resetting the
> log level and after installing the quoted patterns at the top of the
> message:
<snip>

Thanks for those rules, I've hacked them a bit and this is what I've got
(everything has been tested against the log message you've given):

^\w{3} [ :0-9]{11} [._[:alnum:]-]+ FaxGetty\[[0-9]+\]: MODEM [.[:space:][:alnum:]/]+$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ HylaFAX\[[0-9]+\]: Filesystem has SysV-style file creation semantics\.$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ FaxGetty\[[0-9]+\]: ANSWER: Can not lock modem device$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ FaxQueuer\[[0-9]+\]: NOTIFY: bin/notify \"doneq/q[[:digit:]]+\" \"done\" \"[:0-9]{4,5}\"$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ FaxQueuer\[[0-9]+\]: NOTIFY exit status: 0 \([[:digit:]]+\)$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ FaxSend\[[0-9]+\]: SEND FAX: JOB [[:digit:]]+1 DEST [ [:digit:]()-]+ COMMID \w+ DEVICE '[/[:alnum:]]+'$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ FaxSend\[[0-9]+\]: SEND FAX: JOB [[:digit:]]+1 SENT in [[:digit:]:]{4,5}$

I've committed the changes to CVS.

Thanks,

-- 
-jamie <jamie at silverdream.org> | spamtrap: spam at silverdream.org
 w: http://www.silverdream.org | p: sms at silverdream.org
 pgp key @ http://silverdream.org/~jps/pub.key
 21:30:02 up 17 min,  2 users,  load average: 2.65, 2.52, 1.58
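
An added example, not part of the original message or of logcheck: one way to test an ignore rule against sample lines with `grep -E`, which approximates logcheck's egrep filtering. The log lines, host name and file names are constructed; the second rule file shows that a rule split in two by mail line-wrapping becomes two broader patterns and also hides the non-zero exit status line.

```shell
#!/bin/sh
# Added example (not logcheck's own code). logcheck filters with egrep, so
# `grep -E -v -f RULES` approximates which lines would still be reported.

# Print the log lines in $2 that no rule in $1 matches.
unmatched() {
    grep -E -v -f "$1" "$2" || true   # grep exits 1 when nothing is left; not an error here
}

# Count those lines.
count_unmatched() {
    unmatched "$1" "$2" | wc -l | tr -d ' '
}

workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT

# Constructed sample lines: one successful notify run, one failing one.
cat > "$workdir/sample.log" <<'EOF'
Oct 30 20:15:04 faxhost FaxQueuer[1234]: NOTIFY exit status: 0 (0)
Oct 30 20:15:09 faxhost FaxQueuer[1234]: NOTIFY exit status: 1 (256)
EOF

# The "NOTIFY exit status: 0" rule from the message, on a single line.
cat > "$workdir/joined.rules" <<'EOF'
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ FaxQueuer\[[0-9]+\]: NOTIFY exit status: 0 \([[:digit:]]+\)$
EOF

# The same rule with a line wrap in the middle: grep now sees two patterns,
# and the first one no longer pins the exit status to 0.
cat > "$workdir/wrapped.rules" <<'EOF'
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ FaxQueuer\[[0-9]+\]: NOTIFY exit
status: 0 \([[:digit:]]+\)$
EOF

echo "joined rule, still reported:  $(count_unmatched "$workdir/joined.rules" "$workdir/sample.log")"
echo "wrapped rule, still reported: $(count_unmatched "$workdir/wrapped.rules" "$workdir/sample.log")"
```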
