[Logcheck-devel] Bug#410453: logcheck-database: filter kernel messages for UDP as well as TCP/IP traffic
Matt Corks
mvcorks at alumni.uwaterloo.ca
Sat Feb 10 19:09:29 UTC 2007
Package: logcheck-database
Version: 1.2.53
Severity: normal
logcheck is generating messages like this:
Feb 10 13:31:09 waterloo kernel: IN=ppp0 OUT= MAC= SRC=216.58.8.243 DST=239.255.67.250 LEN=176 TOS=0x00 PREC=0x00 TTL=1 ID=0 DF PROTO=UDP SPT=34554 DPT=16680 LEN=156
the closest match to this is the following rule:
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: BANDWIDTH_IN:IN=[[:alnum:]]+ OUT= MAC=[:[:xdigit:]]+ SRC=[.0-9]{7,15} DST=[.0-9]{7,15} LEN=[0-9]+ TOS=0x[[:xdigit:]]+ PREC=0x[[:xdigit:]]+ TTL=[0-9]+ ID=[0-9]+ (DF )?PROTO=TCP SPT=[0-9]+ DPT=[0-9]+ WINDOW=[0-9]+ RES=0x[[:xdigit:]]+ ACK (PSH )?URGP=[0-9]+$
but it only handles TCP/IP traffic. logcheck should filter normal UDP inbound
& outbound traffic.
thanks,
matt
-- System Information:
Debian Release: 4.0
APT prefers testing
APT policy: (500, 'testing')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-3-k7
Locale: LANG=en_CA, LC_CTYPE=en_CA (charmap=ISO-8859-1)
Versions of packages logcheck-database depends on:
ii debconf [debconf-2.0] 1.5.11 Debian configuration management sy
logcheck-database recommends no packages.
-- debconf information:
logcheck-database/rules-directories-note:
logcheck-database/standard-rename-note:
logcheck-database/conffile-cleanup: false
More information about the Logcheck-devel
mailing list