[Logcheck-devel] Bug#410453: logcheck-database: filter kernel messages for UDP as well as TCP/IP traffic

Matt Corks mvcorks at alumni.uwaterloo.ca
Sat Feb 10 19:09:29 UTC 2007


Package: logcheck-database
Version: 1.2.53
Severity: normal


logcheck is generating messages like this:

Feb 10 13:31:09 waterloo kernel: IN=ppp0 OUT= MAC= SRC=216.58.8.243 DST=239.255.67.250 LEN=176 TOS=0x00 PREC=0x00 TTL=1 ID=0 DF PROTO=UDP SPT=34554 DPT=16680 LEN=156

the closest match to this is the following rule:

^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: BANDWIDTH_IN:IN=[[:alnum:]]+ OUT= MAC=[:[:xdigit:]]+ SRC=[.0-9]{7,15} DST=[.0-9]{7,15} LEN=[0-9]+ TOS=0x[[:xdigit:]]+ PREC=0x[[:xdigit:]]+ TTL=[0-9]+ ID=[0-9]+ (DF )?PROTO=TCP SPT=[0-9]+ DPT=[0-9]+ WINDOW=[0-9]+ RES=0x[[:xdigit:]]+ ACK (PSH )?URGP=[0-9]+$

but it only handles TCP/IP traffic.  logcheck should filter normal UDP inbound
& outbound traffic.

thanks,
matt

-- System Information:
Debian Release: 4.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-3-k7
Locale: LANG=en_CA, LC_CTYPE=en_CA (charmap=ISO-8859-1)

Versions of packages logcheck-database depends on:
ii  debconf [debconf-2.0]         1.5.11     Debian configuration management sy

logcheck-database recommends no packages.

-- debconf information:
  logcheck-database/rules-directories-note:
  logcheck-database/standard-rename-note:
  logcheck-database/conffile-cleanup: false





More information about the Logcheck-devel mailing list