[Logcheck-devel] Bug#286307: Updated logcheck webmin rules
maximilian attems
debian at sternwelten.at
Tue Feb 1 19:22:51 UTC 2005
On Tue, 01 Feb 2005, Jamie L. Penman-Smithson wrote:
> On Tue, 2005-02-01 at 17:43 +0200, Ognyan Kulev wrote:
> > A grep result of auth.log is attached.
> >
> > There is one more possible message, but I think it's not for logcheck:
> >
> > Dec 22 22:57:24 dwyn webmin[18988]: Invalid login as ogi from localhost.localdomain
>
> I think you'd want to know about invalid login attempts..
>
> Based on the log messages you've given (thanks!) I've created the
> following rules, which have been tested against the log lines you gave
> me and applied to CVS:
>
> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ webmin\[[0-9]+\]: Successful login as [[:alnum:]]+ from [._[:alnum:]-]+ $
> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ webmin\[[0-9]+\]: Logout by [[:alnum:]]+ from [._[:alnum:]-]+ $
> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ webmin\[[0-9]+\]: Timeout of [[:alnum:]]+ $
logcheck takes care to remove trailing space thanks to
a sed invocation, before processing logs.
please correct the above rules. :-)
more info ->
/usr/share/doc/logcheck-database/README.logcheck-database.gz
thanks for processing it.
--
maks
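
The effect described in this message, as an added example that is not part of the original thread or of logcheck itself: the posted rules are run over sample lines both raw and after trailing whitespace is stripped. The log lines are constructed, and the `sed` expression in `strip_trailing` is an assumed stand-in for logcheck's own invocation.

```shell
#!/bin/sh
# Constructed sample lines (not the attachment from the bug report); the first
# three end in a trailing space, which is what the posted rules expect.
sample_log() {
    printf '%s\n' \
        'Dec 22 22:50:01 dwyn webmin[18988]: Successful login as ogi from localhost.localdomain ' \
        'Dec 22 22:55:10 dwyn webmin[18988]: Logout by ogi from localhost.localdomain ' \
        'Dec 22 23:30:00 dwyn webmin[18988]: Timeout of ogi ' \
        'Dec 22 22:57:24 dwyn webmin[18988]: Invalid login as ogi from localhost.localdomain'
}

# The three ignore rules exactly as quoted in the message (each ends in " $").
rules_as_posted() {
    cat <<'EOF'
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ webmin\[[0-9]+\]: Successful login as [[:alnum:]]+ from [._[:alnum:]-]+ $
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ webmin\[[0-9]+\]: Logout by [[:alnum:]]+ from [._[:alnum:]-]+ $
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ webmin\[[0-9]+\]: Timeout of [[:alnum:]]+ $
EOF
}

# Same rules with the space before the end anchor removed.
rules_corrected() { rules_as_posted | sed -e 's/ \$$/$/'; }

# Assumed stand-in for the trailing-space removal done before log processing.
strip_trailing() { sed -e 's/[[:space:]]*$//'; }

# $1 = function printing a rule set, $2 = filter applied to the log first.
# Prints how many lines survive the ignore rules, i.e. would be reported.
count_reported() {
    rules=$(mktemp)
    "$1" > "$rules"
    sample_log | "$2" | grep -E -v -c -f "$rules"
    rm -f "$rules"
}

echo "as posted, raw lines:      $(count_reported rules_as_posted cat) reported"
echo "as posted, stripped lines: $(count_reported rules_as_posted strip_trailing) reported"
echo "corrected, stripped lines: $(count_reported rules_corrected strip_trailing) reported"
```

Only the "Invalid login" line should remain reported; with the rules as posted and stripped input, all four lines are reported because no rule can match.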