[Logcheck-devel] Bug#317642: marked as done (How to debug logcheck?)
Debian Bug Tracking System
owner at bugs.debian.org
Mon Aug 22 20:48:29 UTC 2005
Your message dated Mon, 22 Aug 2005 13:32:39 -0700
with message-id <E1E7IyF-0002y5-00 at spohr.debian.org>
and subject line Bug#317642: fixed in logcheck 1.2.41
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
Received: (at submit) by bugs.debian.org; 10 Jul 2005 11:02:26 +0000
From UseNet-Posting-Nospam-74308- at zocki.toppoint.de Sun Jul 10 04:02:26 2005
Return-path: <UseNet-Posting-Nospam-74308- at zocki.toppoint.de>
Received: from archer.toppoint.de (mail.toppoint.de) []
by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
id 1DrZZp-0000o6-00; Sun, 10 Jul 2005 04:02:26 -0700
Received: (from uucp at localhost)
by mail.toppoint.de (8.11.7p1+Sun/8.11.7) id j6AB2EG29770
for submit at bugs.debian.org; Sun, 10 Jul 2005 13:02:14 +0200 (MEST)
Received: by zocki.toppoint.de (CrossPoint/FreeXP v3.40 RC3 (EMS) @ 3108030130 R/C6515);
10 Jul 2005 13:01:52 +0200
Date: 10 Jul 2005 13:01:00 +0200
From: Rainer Zocholl <UseNet-Posting-Nospam-74308- at zocki.toppoint.de>
To: <submit at bugs.debian.org>
Message-ID: <9$am0-WbgjB at zocki.toppoint.de>
Subject: How to debug logcheck?
X-Mailer: CrossPoint/FreeXP v3.40 RC3 (EMS) @ 3108030130 R/C6515
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Organization: http://www.toppoint.de
X-ZC-Telefon: V+49-431-5606-550Q V+49-431-562136Q
X-XP-Version: CrossPoint/FreeXP v3.40 RC3 (EMS) @ 3108030130 R/C6515
X-RFC-Converter: E-UUZ/II [FreeXP v3.40.1a RC3] @ 200405292345
Received: from zocki.toppoint.de by archer.toppoint.de; Sun, 10 Jul 2005 13:02 MES
Content-Type: text/plain; charset=US-ASCII
Delivered-To: submit at bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02
(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-7.3 required=4.0 tests=BAYES_00,HAS_PACKAGE,
Package: logcheck
Version: 1.2.39
I change the rules but logcheck seems to ignore them.
One example:
logcheck sends mails containing:
Security Events
Jul 10 09:11:53 machine ipop3ds[10304]: AUTHENTICATE CRAM-MD5 failure host=p548D1585.dip0.t-ipconnect.de []
Jul 9 14:09:56 machine ipop3ds[4934]: AUTHENTICATE CRAM-MD5 failure host=p548D1585.dip0.t-ipconnect.de []
I don't want to see those messages (currently).
So I added a new rule to ipopd-ssl:
[20:22:44]machine:/etc/logcheck/ignore.d.server# grep AUTH *
ipopd-ssl:ipop3ds\[.*\]: AUTHENTICATE CRAM-MD5 failure host=p.*.dip0.t-ipconnect.de \[84\.141\..*\]
(BTW: Wouldn't it be better to add an entire new file?)
If I test the rule file with this:
/etc/logcheck/ignore.d.server# egrep -f ipopd-ssl /var/log/syslog
I get exactly the lines I don't want to see in the logcheck output,
so I assume that rule is OK.
As there is the "magical" word "failure", I have to add that rule to
violations.ignore too, don't I?
[20:23:22]machine:/etc/logcheck/violations.ignore.d# grep AUTH *
logcheck-ipop3:ipop3ds\[.*\]: AUTHENTICATE CRAM-MD5 failure host=p.*\.dip0\.t-ipconnect\.de \[84\.141\..*\]
/etc/logcheck/violations.ignore.d# egrep -f logcheck-ipop3 /var/log/syslog
Jul 9 11:31:21 machine ipop3ds[29588]: AUTHENTICATE CRAM-MD5 failure host=p548D1585.dip0.t-ipconnect.de []
So I assume the rules are right, don't I?
But why are they ignored by logcheck?
Meanwhile I have the feeling that logcheck is using entirely
different rule files than the ones I edit (box rootkitted?).
Is there a way to debug logcheck?
"-d" seems to give only a hints to program flow but
seems to be only a "one shot" so i can't debug the rules effective.
Isn't there somewhere a tool (bayes?) where i can feed the
"unwanted" lines to which in future are ignored by logcheck?
(Like "tiger" does which only reports changes/new lines)
Currently the "optimization" of the rule set took several weeks(!)
as i have to wait hours to veryfy the trivialest change.
What's the intended way to debug rules sets?
Why does the "egrep" trick can't be used to verify the rules?
(What is logcheck adding to the rules to make them fail?)
How can i verify which rules files logcheck really uses?
Where are the used rules (files that contens) logged?
How can i run "logcheck" repetely to debug?
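A worked version of the "egrep trick" from the report above, as an added example that is neither the reporter's code nor logcheck's own: it builds a throwaway rule file and a few constructed ipop3ds/sshd log lines (host names and addresses are made up), pushes the cleaned rule list through the same `grep -E -v -f` pass that logcheck applies, and prints both what the rules match and what would still be reported. The cleaning steps (drop comments and blank lines, trim trailing whitespace, dedupe) and the run-parts naming filter are my reading of how logcheck loads its rule directories; they are marked in the comments as assumptions and are not taken from the bug log.

```shell
#!/bin/sh
# Added example (not code from the bug report or from logcheck): replay the
# ignore-rule pass over constructed log lines so a rule file can be checked
# in seconds instead of waiting for the next logcheck run.
# Assumption: logcheck hands each rule file to grep -E -v -f after dropping
# blank lines and comments and trimming trailing whitespace; this script
# mimics that pipeline instead of calling logcheck itself.
set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample log: the two ipop3ds lines from the report, one from a
# host outside the dial-up range, and an unrelated sshd line (all made up).
cat > "$WORK/syslog" <<'EOF'
Jul 10 09:11:53 machine ipop3ds[10304]: AUTHENTICATE CRAM-MD5 failure host=p548D1585.dip0.t-ipconnect.de [84.141.21.133]
Jul  9 14:09:56 machine ipop3ds[4934]: AUTHENTICATE CRAM-MD5 failure host=p548D1585.dip0.t-ipconnect.de [84.141.21.133]
Jul  9 14:10:02 machine ipop3ds[4935]: AUTHENTICATE CRAM-MD5 failure host=evil.example.net [198.51.100.7]
Jul  9 14:11:30 machine sshd[4940]: Accepted publickey for admin from 192.0.2.10 port 51234 ssh2
EOF

# Constructed ignore rule file, anchored on the syslog prefix the way the
# stock logcheck-database rules are ([[:alpha:]]{3} stands in for their \w{3}),
# with a comment and a blank line to show that the cleaning step drops them.
cat > "$WORK/ipopd-ssl" <<'EOF'
# ignore CRAM-MD5 failures from one dial-up pool only

^[[:alpha:]]{3} [ :0-9]{11} [._[:alnum:]-]+ ipop3ds\[[0-9]+\]: AUTHENTICATE CRAM-MD5 failure host=p[0-9A-F]+\.dip0\.t-ipconnect\.de \[84\.141\.[0-9.]+\]$
EOF

# Rule file -> the pattern list grep actually sees (no comments, no blank
# lines, no trailing whitespace, duplicates collapsed).
clean_rules() {
    grep -E -v '^[[:space:]]*$|^#' "$1" | sed -e 's/[[:space:]]*$//' | sort -u
}

# The reporter's check: which log lines does the rule file match?
matched_by() {
    clean_rules "$1" > "$WORK/cleaned"
    grep -E -f "$WORK/cleaned" "$2"
}

# What logcheck would still report: every line the rules do NOT match.
still_reported() {
    clean_rules "$1" > "$WORK/cleaned"
    grep -E -v -f "$WORK/cleaned" "$2"
}

# Sizes of the two sets, for scripting.
count_matched()  { matched_by "$1" "$2" | grep -c .; }
count_reported() { still_reported "$1" "$2" | grep -c .; }

# A rule file that exists but is never loaded is the classic "my rules are
# ignored" trap. Assumption: logcheck enumerates rule files with
# run-parts --list, which skips any name containing a character outside
# [A-Za-z0-9_-] (editor backups like "foo~" or copies like "foo.bak" vanish
# silently), and it can only use files readable by the user it runs as.
rulefile_is_used() {
    case "$(basename "$1")" in
        *[!A-Za-z0-9_-]*) return 1 ;;
    esac
    [ -r "$1" ]
}

echo "== lines matched by ipopd-ssl (expected: the two dial-up failures) =="
matched_by "$WORK/ipopd-ssl" "$WORK/syslog"
echo "== lines logcheck would still report =="
still_reported "$WORK/ipopd-ssl" "$WORK/syslog"

cp "$WORK/ipopd-ssl" "$WORK/ipopd-ssl.bak"
for f in "$WORK/ipopd-ssl" "$WORK/ipopd-ssl.bak"; do
    if rulefile_is_used "$f"; then
        echo "loaded:  $(basename "$f")"
    else
        echo "skipped: $(basename "$f") (name or permissions)"
    fi
done
```

Run as is and the third and fourth sample lines survive the ignore pass while the two dial-up failures are swallowed; the copy named ipopd-ssl.bak is reported as skipped even though its content is identical. Two practical checks follow from this: test the rule file as the user logcheck runs under, not as root, because a root-only readable file passes your egrep test and is silently skipped by logcheck; and for re-running logcheck itself, logcheck(8) of this era documents a test mode that leaves the logtail offsets alone and a stdout mode that sends no mail, in the shape of sudo -u logcheck logcheck -o -t (the sudo invocation the 1.2.41 changelog refers to), and its -d output names each rule file as it is cleaned, which answers "which files does logcheck really use" directly. Treat those option letters as my recollection of the manpage, not as something the bug log states.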
Received: (at 317642-close) by bugs.debian.org; 22 Aug 2005 20:45:57 +0000
From katie at spohr.debian.org Mon Aug 22 13:45:57 2005
Return-path: <katie at spohr.debian.org>
Received: from katie by spohr.debian.org with local (Exim 3.36 1 (Debian))
id 1E7IyF-0002y5-00; Mon, 22 Aug 2005 13:32:39 -0700
From: Todd Troxell <ttroxell at debian.org>
To: 317642-close at bugs.debian.org
X-Katie: $Revision: 1.56 $
Subject: Bug#317642: fixed in logcheck 1.2.41
Message-Id: <E1E7IyF-0002y5-00 at spohr.debian.org>
Sender: Archive Administrator <katie at spohr.debian.org>
Date: Mon, 22 Aug 2005 13:32:39 -0700
Delivered-To: 317642-close at bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02
(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER
autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-CrossAssassin-Score: 4
Source: logcheck
Source-Version: 1.2.41
We believe that the bug you reported is fixed in the latest version of
logcheck, which is due to be installed in the Debian FTP archive:
to pool/main/l/logcheck/logcheck-database_1.2.41_all.deb
to pool/main/l/logcheck/logcheck_1.2.41.dsc
to pool/main/l/logcheck/logcheck_1.2.41.tar.gz
to pool/main/l/logcheck/logcheck_1.2.41_all.deb
to pool/main/l/logcheck/logtail_1.2.41_all.deb
A summary of the changes between this version and the previous one is
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 317642 at bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
Todd Troxell <ttroxell at debian.org> (supplier of updated logcheck package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster at debian.org)
Format: 1.7
Date: Mon, 22 Aug 2005 15:27:45 -0500
Source: logcheck
Binary: logcheck logtail logcheck-database
Architecture: source all
Version: 1.2.41
Distribution: unstable
Urgency: low
Maintainer: Debian logcheck Team <logcheck-devel at lists.alioth.debian.org>
Changed-By: Todd Troxell <ttroxell at debian.org>
logcheck - mails anomalies in the system logfiles to the administrator
logcheck-database - database of system log rules for the use of log checkers
logtail - Print log file lines that have not been read
Closes: 311216 312597 312598 312729 313601 313603 314951 315507 316612 317642 317741 317772 318500 318731 320009 321506 322036 322179 322570
logcheck (1.2.41) unstable; urgency=low
[ Jamie Penman-Smithson ]
* Fix postfix rule to match "setting up TLS connection" messages again.
* Fix innd rule for "ME time" messages, add rule for innfeed "ME time"
* Fix rules for gps to match messages with the null sender (<>).
* Update cyrus/notifyd rule to match destination folders and subfolders too.
* Update cyrus rules to suppress DBERROR db3: n lockers messages when it's
only 1-2 lockers, these messages are harmless as long as the number
doesn't increase.
* Update postfix lmtp rule to match messages given by amavis when discarding
UBE and viruses.
* Fix bug in the squid rule for "found whitespace" messages which caused
grep to choke due to unescaped { and } characters. (Closes: #311216)
* Update innd nnrpd rule for latest version of INN.
* Add a versioned dependency on grep to prevent bugs like #311216 happening
in the first place.
* Added Vietnamese translation, thanks to Clytie Siddall. (Closes: #312597)
* Fix minor typo in logcheck-database.templates. (Closes: #312598)
* Modify rules for successful ssh login messages to match when ssh/ssh2 is
not specified at the end. (Closes: #312729)
* Modified ignore.d.workstation/kernel to ignore nfs warnings about mount
version. (Closes: #313601)
* Fix postfix anvil rules to match max message/recipient rate and count
* Add the first rules for dkfilter, which implements domainkeys signing and
verification for postfix.
* Add rule for openssh-krb5 and add gssapi-with-mic to the list of auth
alternatives. (Closes: #318500)
* Add ovpn-tunnel rule to suppress "VERIFY OK: nsCertType=SERVER" messages.
Thanks to Martin Lohmeier <martin at mein-horde.de>. (Closes: #320009)
[ Maximilian Attems ]
* Suppress error message if hostname not set. (Closes: #314951)
* Add another sshd rule for PARANOID /etc/hosts.deny setting.
* Fix postfix rule concerning Service unavailable. (Closes: #315507)
* Add some initial support for exim4 log messages. Pretty rudimentary
stuff still, will need further refinements. (Closes: #316612)
* First rule for amandad. (Closes: #313603)
* Remention how to invoke logcheck with sudo.
* Add an examples section to the manpage with my most usual invocation.
* Fix rules for gconfd loglines.
* Add rule for mailman admin loglines in violations.ignore.d/logcheck-postfix
thanks Toby Cabot <toby at caboteria.org>. (Closes: #317772)
* Fix hostname match in rbldnsd rule thanks sistemas at dedaloingenieros.com.
(Closes: #317741)
* Unify gdm rules, add a rule for X restart.
* Beautify README.logcheck-database, it uses markdown(1) syntax now.
Added a "testing rules" header to clarify sections. (Closes: #317642, #318731)
* Small manpage fixes.
* Add 2 courier rules for ACCEPTED usernames and the started client module.
* Add pdns rule for duplicate packets from recursor.
* Fix cvs rule for exit code != 0. thanks Martin Lohmeier
<martin at mein-horde.de> (Closes: #321506)
* Fix hostname match in cups-lpd rules thanks Gilbert Laycock
<gtl1 at mcs.le.ac.uk> (Closes: #322179)
* Add horde3 rules for users login/logout thanks Martin Lohmeier
<martin at mein-horde.de> (Closes: #322570)
* Fix logcheck.8 rendering of docbook-to-man. (Closes: #322036)
[ Todd Troxell ]
* Tweak descriptions to satisfy lintian.
1885143b4845e7da6dc748ef4f2ec7fb 736 admin optional logcheck_1.2.41.dsc
1a946e45f82a0dc98838c896510dfca9 101085 admin optional logcheck_1.2.41.tar.gz
4ec4e8c0a9227a8c06a716675f8a0d3f 47870 admin optional logcheck_1.2.41_all.deb
3bf53f05bfb119af9e2c1da3c8130f12 67460 admin optional logcheck-database_1.2.41_all.deb
078148d37c693d7dd9511355d70e7d40 29826 admin optional logtail_1.2.41_all.deb