[Logcheck-devel] Logcheck configuration questions: format is not on a single line and I don't know why

Tamar Weinberg tweinberg at 10e20.com
Wed Jan 31 18:00:45 UTC 2007


Hi everyone,

Please cc tweinberg AT 10e20 DOT com when you reply to this as I am not a
mailing list subscriber.

I have been using logcheck with a lot of success (on a RedHat ES 4.0
enterprise webserver), but I have run into some issues recently when I
decided to tweak the logcheck.violations, logcheck.ignore, and
logcheck.violations.ignore files to reduce the size of emails and to only
include messages that are important to me.  Now I’m seeing messages where
the entire log report is on one line.  This is not the case for all items
that are logged, which makes it much more difficult to troubleshoot.

For example, I’m most concerned about mail intrusions and failed SSH login
attempts.  So one of my reports looks like this:

Jan 31 00:46:32 www pop3d: LOGIN FAILED, ip=[64.61.x.x] Jan 31 01:32:32 www
pop3d: LOGIN FAILED, ip=[64.61.x.x] Jan 31 01:48:32 www pop3d: LOGIN FAILED,
ip=[64.61.x.x] Jan 31 02:04:33 www pop3d: LOGIN FAILED, ip=[64.61.x.x] Jan
31 02:20:26 www pop3d: LOGIN FAILED, ip=[64.61.x.x] Jan 31 02:35:32 www
pop3d: LOGIN FAILED, ip=[64.61.x.x] Jan 31 02:50:32 www pop3d: LOGIN FAILED,
ip=[64.61.x.x] Jan 31 03:36:32 www pop3d: LOGIN FAILED, ip=[64.61.x.x] Jan
31 03:52:26 www pop3d: LOGIN FAILED, ip=[64.61.x.x] Jan 31 04:23:26 www
pop3d: LOGIN FAILED, ip=[64.61.x.x]

It’s on one line, instead of on distinct lines as it was previously (like
this):

Jan 31 00:46:32 www pop3d: LOGIN FAILED, ip=[64.61.x.x]
Jan 31 01:32:32 www pop3d: LOGIN FAILED, ip=[64.61.x.x]
Jan 31 01:48:32 www pop3d: LOGIN FAILED, ip=[64.61.x.x]
Jan 31 02:04:33 www pop3d: LOGIN FAILED, ip=[64.61.x.x]
Jan 31 02:20:26 www pop3d: LOGIN FAILED, ip=[64.61.x.x]
Jan 31 02:35:32 www pop3d: LOGIN FAILED, ip=[64.61.x.x]
Jan 31 02:50:32 www pop3d: LOGIN FAILED, ip=[64.61.x.x]
Jan 31 03:36:32 www pop3d: LOGIN FAILED, ip=[64.61.x.x]
Jan 31 03:52:26 www pop3d: LOGIN FAILED, ip=[64.61.x.x]
Jan 31 04:23:26 www pop3d: LOGIN FAILED, ip=[64.61.x.x]

For me, the “run on” line is really hard to read and I can’t figure out if
the login attempt is legit or not (which is why I’ve masked the IP address
in case it is).  

The changed logcheck.violations, logcheck.violations.ignore, and
logcheck.ignore files are below – but I’m not sure why this is happening.
Can you please shed some light on the issue?

logcheck.violations.ignore:

named.*
qmail.*
spamd.*
pop3d: Connection
proftpd.*
proftpd*
pop3d: IMAP connect
sshd: Connection closed

logcheck.violations:

!=
-ERR Password
CWD etc
DEBUG
EXPN
FAILURE
ILLEGAL
LOGIN FAILURE
LOGIN REFUSED
PERMITTED
REFUSED
RETR group
RETR passwd
RETR pwd.db
ROOT LOGIN
SITE EXEC
VRFY
"WIZ"
admin
alias database
debug
denied
deny
deny host
expn
failed
illegal
kernel: Oversized packet received from
nested
permitted
reject
rexec
rshd
securityalert
setsender
shutdown
smrsh
su root
su:
sucked
unapproved
vrfy
attackalert

logcheck.ignore:

authsrv.*AUTHENTICATE
cron.*CMD
cron.*RELOAD
cron.*STARTUP
ftp-gw.*: exit host
ftp-gw.*: permit host
ftpd.*ANONYMOUS FTP LOGIN
ftpd.*FTP LOGIN FROM
ftpd.*retrieved
ftpd.*stored
http-gw.*: exit host
http-gw.*: permit host
imapd: IMAP connect from
imapd-ssl.*
mail.local
named.*client
named.*update
named.*Lame delegation
named.*Response from
named.*answer queries
named.*points to a CNAME
named.*reloading
named.*starting
netacl.*: exit host
netacl.*: permit host
pop3d.*
popper.*Unable
popper: -ERR POP server at
popper: -ERR Unknown command: "uidl".
proftpd:*
proftpd.*
qmail.*
qmail:*delivery
qmail.*new msg
qmail.*info msg
qmail.*starting delivery
qmail.*delivery
qmail.*end msg
qmail-queue.*
rlogin-gw.*: exit host
rlogin-gw.*: permit host
sendmail.*User Unknown
sendmail.*User Unknown
sendmail.*alias database.*rebuilt
sendmail.*aliases.*longest
sendmail.*from=
sendmail.*lost input channel
sendmail.*message-id=
sendmail.*putoutmsg
sendmail.*return to sender
sendmail.*return to sender
sendmail.*stat=
sendmail.*timeout waiting
smap.*host=
smapd.*daemon running
smapd.*daemon running
smapd.*delivered
smapd.*delivered
smtp_auth.*:
spamd.*
spamd.*processing
spamd.*result
spamd.*clean
telnetd.*ttloop:  peer died
tn-gw.*: exit host
tn-gw.*: permit host
x-gw.*: exit host
x-gw.*: permit host
xinetd: warning
xntpd.*Previous time adjustment didn't complete
xntpd.*time reset
root 1

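As an added example (not code from the original post, and not the logcheck project's own script), the Python below models the classic logcheck pipeline as I understand it: a line is a Security Violation when it matches logcheck.violations case-insensitively and does not match logcheck.violations.ignore, and an Unusual System Event when it matches nothing in logcheck.ignore. That ordering, and the case handling, are assumptions to check against the logcheck.sh version actually installed. The sample syslog lines and the three pattern excerpts are constructed for the example. The report formatter joins events with newlines, so it shows what a one-event-per-line report looks like. The `pattern_hits` helper makes a second point worth checking in the lists above: the pattern files are egrep regexes, not shell globs, so `proftpd:*` means "proftpd followed by zero or more colons" and `qmail:*delivery` never matches the usual `qmail: starting delivery` form.

```python
import re

# Constructed sample syslog lines (not from the original post); the
# addresses are from the 192.0.2.0/24 documentation range.
SAMPLE_LOG = """\
Jan 31 00:46:32 www pop3d: LOGIN FAILED, ip=[192.0.2.10]
Jan 31 00:47:01 www pop3d: Connection, ip=[192.0.2.11]
Jan 31 00:48:00 www proftpd[123]: FTP session opened.
Jan 31 00:49:00 www sshd[999]: Failed password for invalid user admin from 192.0.2.12 port 4321 ssh2
Jan 31 00:50:00 www cron[1]: (root) CMD (run-parts /etc/cron.hourly)
Jan 31 00:51:00 www kernel: Oversized packet received from 192.0.2.13
Jan 31 00:52:00 www sshd[1000]: Connection closed by 192.0.2.14
"""

# Constructed excerpts in the style of the three pattern files: one egrep
# regular expression per line, blank lines ignored.
VIOLATIONS = """\
LOGIN FAILURE
failed
kernel: Oversized packet received from
admin
"""
VIOLATIONS_IGNORE = """\
pop3d: Connection
sshd: Connection closed
"""
IGNORE = """\
cron.*CMD
pop3d.*
proftpd.*
"""


def load_patterns(text, ignore_case=False):
    """Compile one regex per non-blank line, like 'egrep -f FILE' would."""
    flags = re.IGNORECASE if ignore_case else 0
    return [re.compile(p, flags) for p in text.splitlines() if p.strip()]


def matches_any(line, patterns):
    return any(p.search(line) for p in patterns)


def run_logcheck(log_text, violations, violations_ignore, ignore):
    """Assumed classic pipeline: 'egrep -i -f violations | egrep -v -f
    violations.ignore' gives Security Violations; 'egrep -v -f ignore'
    gives Unusual System Events.  Returns (security, unusual)."""
    lines = [l for l in log_text.splitlines() if l.strip()]
    viol = load_patterns(violations, ignore_case=True)
    viol_ign = load_patterns(violations_ignore)
    ign = load_patterns(ignore)
    security = [l for l in lines
                if matches_any(l, viol) and not matches_any(l, viol_ign)]
    unusual = [l for l in lines if not matches_any(l, ign)]
    return security, unusual


def format_report(security, unusual):
    """Join events with newlines so each logged event stays on its own line."""
    parts = []
    if security:
        parts.append("Security Violations\n" + "\n".join(security))
    if unusual:
        parts.append("Unusual System Events\n" + "\n".join(unusual))
    return "\n\n".join(parts) + "\n"


def pattern_hits(pattern, line):
    """Return the text an egrep-style pattern actually matches, or None.
    Useful for checking whether an entry was written as a regex or a glob."""
    m = re.search(pattern, line)
    return m.group(0) if m else None


if __name__ == "__main__":
    sec, unu = run_logcheck(SAMPLE_LOG, VIOLATIONS, VIOLATIONS_IGNORE, IGNORE)
    print(format_report(sec, unu))
    qmail_line = "Jan 31 00:53:00 www qmail: starting delivery 5: msg 1 to local alice"
    print("qmail:*delivery ->", pattern_hits("qmail:*delivery", qmail_line))
    print("qmail.*delivery ->", pattern_hits("qmail.*delivery", qmail_line))
```

Running it on the constructed log puts the pop3d LOGIN FAILED line, the sshd failed-password line and the kernel line under Security Violations, while the `pop3d.*` entry in logcheck.ignore only suppresses pop3d lines from the Unusual System Events section. Note also that `sshd: Connection closed` cannot match a line that logs `sshd[1000]: Connection closed`, since the PID sits between the program name and the colon.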