Bug#357841: [Logcheck-devel] Bug#357841: false positives for some lines longer than 503 characters
Todd Troxell
ttroxell at debian.org
Tue Apr 11 06:03:41 UTC 2006
Hello Jonas,
Thanks for your report.
On Sun, Mar 19, 2006 at 10:51:09PM +0100, Jonas Meurer wrote:
> Package: logcheck
> Version: 1.2.43a
> Severity: important
>
> hello,
>
> it seems like logcheck always outputs some log lines longer than 503
> characters, even if they perfectly well match a given regex.
>
> i have the following entry in /etc/logcheck/ignore.d.server/syslog-ng:
> syslog-ng\[.*\]: Log statistics; processed='.*\(.*\)=.*', .*
>
> and in the file 'testlog' i have the following two lines:
> Mar 16 22:31:56 resivo syslog-ng[6932]: Log statistics; processed='source(s_all)=2186', processed='destination(df_auth)=407', processed='destination(df_news_dot_notice)=0', processed='destination(df_news_dot_err)=0', processed='destination(df_uucp)=0', processed='destination(df_mail)=0', processed='destination(df_user)=126', processed='destination(df_facility_dot_notice)=0', processed='destination(df_daemon)=1415', processed='destination(df_facility_dot_crit)=0', processed='destination(df_debu)=28'
> Mar 16 22:31:56 resivo syslog-ng[6932]: Log statistics; processed='source(s_all)=2186', processed='destination(df_auth)=407', processed='destination(df_news_dot_notice)=0', processed='destination(df_news_dot_err)=0', processed='destination(df_uucp)=0', processed='destination(df_mail)=0', processed='destination(df_user)=126', processed='destination(df_facility_dot_notice)=0', processed='destination(df_daemon)=1415', processed='destination(df_facility_dot_crit)=0', processed='destination(df_debug)=28'
>
> (both are exactly identical, except that the second one has one more
> character (the third-last one).)
>
> now see what logcheck gives:
> # sudo -u logcheck logcheck -o -s -t -l testlog
> This email is sent by logcheck. If you wish to no-longer receive it,
> you can either deinstall the logcheck package or modify its
> configuration file (/etc/logcheck/logcheck.conf).
>
> Security Events
> =-=-=-=-=-=-=-=
> Mar 16 22:31:56 resivo syslog-ng[6932]: Log statistics; processed='source(s_all)=2186', processed='destination(df_auth)=407', processed='destination(df_news_dot_notice)=0', processed='destination(df_news_dot_err)=0', processed='destination(df_uucp)=0', processed='destination(df_mail)=0', processed='destination(df_user)=126', processed='destination(df_facility_dot_notice)=0', processed='destination(df_daemon)=1415', processed='destination(df_facility_dot_crit)=0', processed='destination(df_debug)=28'
>
>
>
> unfortunately the line length is not the only criteria. lines containing
> only numbers and letters which are longer than 503 characters seem to be
> ignored if they match a regex.
I have tested this with a couple of versions of logcheck and I'm unable to
reproduce. It is worth noting that the string caught above contains
substrings that would trigger a violation, and therefore needs a line in
violations.ignore.d as well. I suspect this is a configuration issue.
Please let me know your findings.
--
Todd Troxell
http://rapidpacket.com/~xtat
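To make the point in the reply concrete, here is an added Python model of logcheck's tiered filtering run over the two syslog-ng lines from the report. It is illustrative code written for this page, not logcheck's own implementation (logcheck is a shell script driving egrep). The ignore rule and the two log lines are the ones quoted above; the violations.d keyword pattern `[Ee]rr` is a constructed stand-in for the kind of keyword logcheck ships, chosen because the lines contain "df_news_dot_err". Like the reply's own test, the model treats the 494/495-character lines identically; what it shows is why a rule in ignore.d alone leaves the line in "Security Events" and why the same rule is needed in violations.ignore.d as well.

```python
"""Model of logcheck's tiered filtering, run over the two syslog-ng lines
from the report.  Illustrative Python, not logcheck's own code (logcheck
is a shell script driving egrep; the patterns below are egrep-compatible)."""
import re

# First line quoted in the report ("df_debu" near the end).
LINE_A = (
    "Mar 16 22:31:56 resivo syslog-ng[6932]: Log statistics; "
    "processed='source(s_all)=2186', processed='destination(df_auth)=407', "
    "processed='destination(df_news_dot_notice)=0', "
    "processed='destination(df_news_dot_err)=0', "
    "processed='destination(df_uucp)=0', processed='destination(df_mail)=0', "
    "processed='destination(df_user)=126', "
    "processed='destination(df_facility_dot_notice)=0', "
    "processed='destination(df_daemon)=1415', "
    "processed='destination(df_facility_dot_crit)=0', "
    "processed='destination(df_debu)=28'"
)
# Second line: identical except for the extra 'g' ("df_debug").
LINE_B = LINE_A.replace("df_debu)", "df_debug)")

# The rule from /etc/logcheck/ignore.d.server/syslog-ng in the report.
IGNORE_RULE = r"syslog-ng\[.*\]: Log statistics; processed='.*\(.*\)=.*', .*"

# Constructed stand-in for one of logcheck's violations.d keyword patterns;
# chosen because "df_news_dot_err" in the line contains it.  Not the real file.
VIOLATION_RULE = r"[Ee]rr"


def matches_any(line, patterns):
    """True if any egrep-style pattern matches somewhere in the line."""
    return any(re.search(p, line) for p in patterns)


def classify(line, violations, violations_ignore, ignore):
    """Return the set of report sections the line would appear in.

    Follows logcheck's tier order: a line matching violations.d is reported
    under "Security Events" unless violations.ignore.d clears it; separately,
    every line not cleared by ignore.d is reported under "System Events".
    A rule in ignore.d therefore never removes a line from Security Events.
    """
    sections = set()
    if matches_any(line, violations) and not matches_any(line, violations_ignore):
        sections.add("Security Events")
    if not matches_any(line, ignore):
        sections.add("System Events")
    return sections


def run_report(lines, violations, violations_ignore, ignore):
    """Map each line to its sections; a line mapped to an empty set is silent."""
    return {line: classify(line, violations, violations_ignore, ignore)
            for line in lines}


if __name__ == "__main__":
    lines = [LINE_A, LINE_B]
    print("ignore rule matches both lines:",
          all(matches_any(l, [IGNORE_RULE]) for l in lines))
    # Reporter's configuration: the rule only in ignore.d.server.
    before = run_report(lines, [VIOLATION_RULE], [], [IGNORE_RULE])
    # Suggestion from the reply: the same rule in violations.ignore.d as well.
    after = run_report(lines, [VIOLATION_RULE], [IGNORE_RULE], [IGNORE_RULE])
    for l in lines:
        print(len(l), "chars:", sorted(before[l]), "->", sorted(after[l]))
```

Running it shows the ignore rule matching both lines regardless of length, both lines landing in "Security Events" with the reporter's configuration, and both going silent once the rule is also present in violations.ignore.d.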