[Logcheck-devel] Bug#273433: logcheck: odd behaviour with perdition rules

Jamie L. Penman-Smithson jamie at silverdream.org
Sun Sep 26 03:18:40 UTC 2004


Package: logcheck
Version: 1.2.28
Severity: minor

I've got the following rules for perdition:

^\w{3} [ :0-9]{11} [._[:alnum:]-]+ perdition\[[0-9]+\]: Auth: [0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}->[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3} user=\"[[:alnum:]+[:punct:]+]+\" server=\"[[:alnum:]+[:punct:]]+\" port=\"[0-9]+\" status=\"ok\"$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ perdition\[[0-9]+\]: Close: [0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}->[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3} user=\"[[:alnum:]+[:punct:]+]+\" received=[0-9]+ sent=[0-9]+$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ perdition\[[0-9]+\]: Connect: [0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}->[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3} $

However I still see these messages from logcheck:

System Events
=-=-=-=-=-=-=
Sep 26 03:10:14 evenstar perdition[18515]: Connect: 82.133.58.132->82.133.58.132
Sep 26 03:10:14 evenstar perdition[18516]: Connect: 82.133.58.132->82.133.58.132
Sep 26 03:10:14 evenstar perdition[18517]: Connect: 82.133.58.132->82.133.58.132
Sep 26 03:10:14 evenstar perdition[18518]: Connect: 82.133.58.132->82.133.58.132

...even though these messages are matched by the 'Connect' rule above:

jps at evenstar:~$ sudo egrep "^\w{3} [ :0-9]{11} [._[:alnum:]-]+ perdition\[[0-9]+\]: Connect: [0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}->[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3} $" /var/log/mail.log
Sep 19 17:40:07 evenstar perdition[1329]: Connect: 82.133.58.132->82.133.58.132
Sep 19 17:40:07 evenstar perdition[1334]: Connect: 82.133.58.132->82.133.58.132
Sep 19 17:40:07 evenstar perdition[1335]: Connect: 82.133.58.132->82.133.58.132
Sep 19 17:40:07 evenstar perdition[1337]: Connect: 82.133.58.132->82.133.58.132

I've fiddled with it and can't see for the life of me why logcheck isn't
applying that rule.

-- 
-jamie <jamie at silverdream.org> | spamtrap: spam at silverdream.org
 w: http://www.silverdream.org | p: sms at silverdream.org
 pgp key @ http://silverdream.org/~jps/pub.key
 03:30:01 up 1 day,  7:19, 14 users,  load average: 0.20, 0.44, 0.34
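
Added example, not from the post above or from the logcheck project: a small shell harness that writes the three perdition rules from the report to a file, applies them with grep -E -f (the egrep -f style of matching logcheck uses for its ignore rules) over constructed log lines, and prints whichever lines no rule ignores. The host, user, server name, port and byte counts in the sample lines are constructed. One thing the harness makes visible is that the Connect rule has a space before its $ anchor, so it only matches lines that end in a space; the sample log therefore carries one Connect line with a trailing space and one without.

```shell
#!/bin/sh
# Added example (not the reporter's or logcheck's own code): exercise the
# three perdition ignore rules against constructed log lines with grep -E -f.
set -eu

workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT
rules_file=$workdir/perdition.rules
log_file=$workdir/mail.log

# The three rules exactly as quoted in the report, one per line.
# Note the literal space before the final '$' in the Connect rule.
printf '%s\n' \
  '^\w{3} [ :0-9]{11} [._[:alnum:]-]+ perdition\[[0-9]+\]: Auth: [0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}->[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3} user=\"[[:alnum:]+[:punct:]+]+\" server=\"[[:alnum:]+[:punct:]]+\" port=\"[0-9]+\" status=\"ok\"$' \
  '^\w{3} [ :0-9]{11} [._[:alnum:]-]+ perdition\[[0-9]+\]: Close: [0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}->[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3} user=\"[[:alnum:]+[:punct:]+]+\" received=[0-9]+ sent=[0-9]+$' \
  '^\w{3} [ :0-9]{11} [._[:alnum:]-]+ perdition\[[0-9]+\]: Connect: [0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}->[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3} $' \
  > "$rules_file"

# Constructed sample lines modelled on the report (user, server, port and
# counters are made up). The third line ends in a space, the fourth does not.
printf '%s\n' \
  'Sep 26 03:10:14 evenstar perdition[18515]: Auth: 82.133.58.132->82.133.58.132 user="jps" server="imap.example.org" port="143" status="ok"' \
  'Sep 26 03:10:14 evenstar perdition[18515]: Close: 82.133.58.132->82.133.58.132 user="jps" received=1234 sent=5678' \
  'Sep 26 03:10:14 evenstar perdition[18516]: Connect: 82.133.58.132->82.133.58.132 ' \
  'Sep 26 03:10:14 evenstar perdition[18517]: Connect: 82.133.58.132->82.133.58.132' \
  > "$log_file"

# Lines that would still be reported: everything no rule in the set matches.
unmatched_lines() {
  grep -E -v -f "$rules_file" "$log_file" || true
}

# Number of reported lines (0 when the rule set ignores everything).
unmatched_count() {
  unmatched_lines | grep -c . || true
}

# Exit 0 if at least one rule matches the single line given as $1.
line_is_ignored() {
  printf '%s\n' "$1" | grep -E -q -f "$rules_file"
}

echo "Lines no rule ignores:"
unmatched_lines
```

Run it as-is to see which of the four constructed lines survives the rule set; to test a real rules file against a real log, point rules_file and log_file at them instead of the constructed ones.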
