[Logcheck-devel] Bug#508138: logcheck: loglines leakage
Paolo
oopla at users.sf.net
Tue Dec 9 11:28:25 UTC 2008
On Tue, Dec 09, 2008 at 10:36:51AM +0100, Gerfried Fuchs wrote:
...
> ignore.d.server rules won't filter out security events. I guess it's
> matched as such because of the contained /failure/ in the line. I'm not
> completely sure if this should be filtered out, but a matching rule for
> that has to live below violations.ignore.d - and there is the
> logcheck-smartd file in there which as far as I can see should match ...
ah, I see ...
> > so the patterns in /etc.../smartd do match and logcheck run should end up
> > with no such lines.
>
> Can you egrep -v -f /etc/logcheck/ignore.d.server/smartd instead and
You mean violations.ignore.d/logcheck-smartd?
but I see the problem: the regex is
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ smartd...
which is fine for stock sysklogd, but socklog's format is eg
/var/log/socklog/main/current
auth.info: Dec 9 02:39:01 CRON[31998]: (pam_unix) session closed for user root
and
/var/log/socklog-klog/main/current
2008-12-03_16:50:42.17649 kern.warn: ide: failed opcode was: unknown
...
2008-12-08_17:44:58.45722 kern.warn: nfsd: unexporting all filesystems
[and a nice broken logline eg]
2008-12-08_17:47:19.33831 nterface driver usbfs
2008-12-08_17:47:19.43500 kern.info: usbcore: registered new interface driver hub
...
so the regex should be changed to
\w{3} [ :0-9]{11} ([._[:alnum:]-]+ )?smartd...
to match (also) socklog/*/* lines, while for socklog-klog the regex could be
kern\.[a-z]+:
While I did change patterns in ignore.d.server/*, I overlooked those in
violations.ignore.d/* :-}
Changing those as well, I get 0 output from:
# grep Prefail /var/log/socklog/main/current |\
# egrep -v -f /etc/logcheck/violations.ignore.d/logcheck-smartd
so that'd work.
thanks
--
paolo
GPG/PGP id:0x3A47DE45 - B5F9 AAA0 44BD 2B63 81E0 971F C6C0 0B87 3A47 DE45
- 9/11: the outrageous deception & coverup: http://journalof911studies.com -
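The two rule variants discussed in the message, run against constructed sample lines, as an added example that is not part of the original thread or of logcheck itself. The sample lines, the tail of the rule after "smartd" (elided as "..." in the message) and the A-Za-z0-9 spelling of the POSIX [[:alnum:]] class are assumptions made for this example; the `leaked_lines` helper stands in for `egrep -v -f rulefile`, returning the lines no rule filters, which is what logcheck would go on to report.

```python
import re

# Constructed sample lines (not from the original report). The sysklogd line
# carries a hostname before the program name; the socklog line instead starts
# with "facility.level: " and has no hostname field at all.
SYSKLOGD_LINE = ("Dec  9 02:39:01 myhost smartd[1234]: Device: /dev/sda, "
                 "SMART Prefailure Attribute: 1 Raw_Read_Error_Rate changed from 100 to 99")
SOCKLOG_LINE = ("daemon.info: Dec  9 02:39:01 smartd[1234]: Device: /dev/sda, "
                "SMART Prefailure Attribute: 1 Raw_Read_Error_Rate changed from 100 to 99")
OTHER_LINE = "auth.info: Dec  9 02:39:01 CRON[31998]: (pam_unix) session closed for user root"

# The part after "smartd" is elided ("...") in the message; this tail is an
# assumption written to fit the sample lines above. POSIX [[:alnum:]] is spelled
# out as A-Za-z0-9 because Python's re module has no POSIX bracket classes.
TAIL = (r"\[[0-9]+\]: Device: /dev/[a-z]+, SMART Prefailure Attribute: "
        r"[0-9]+ [A-Za-z_]+ changed from [0-9]+ to [0-9]+$")

# The stock rule: anchored at line start and requiring a hostname field.
OLD_RULE = r"^\w{3} [ :0-9]{11} [._A-Za-z0-9-]+ smartd" + TAIL
# The proposed rule: unanchored, hostname field optional.
NEW_RULE = r"\w{3} [ :0-9]{11} ([._A-Za-z0-9-]+ )?smartd" + TAIL


def leaked_lines(lines, rules):
    """Mimic `egrep -v -f rulefile`: return the lines matched by no rule.

    egrep looks for the pattern anywhere in the line, so re.search is used
    rather than re.match; a leading ^ in a rule therefore still anchors it.
    """
    compiled = [re.compile(r) for r in rules]
    return [ln for ln in lines if not any(c.search(ln) for c in compiled)]


def demo():
    """Compare what each rule variant leaves unfiltered on the sample lines."""
    lines = [SYSKLOGD_LINE, SOCKLOG_LINE, OTHER_LINE]
    return {
        "old": leaked_lines(lines, [OLD_RULE]),
        "new": leaked_lines(lines, [NEW_RULE]),
    }


if __name__ == "__main__":
    for name, leaked in demo().items():
        print(f"{name} rule leaves {len(leaked)} line(s) unfiltered:")
        for ln in leaked:
            print("   ", ln)
```

With the old rule the socklog smartd line is reported because the `^` anchor lands on `daemon.info:` and the mandatory hostname field is absent; with the new rule both the sysklogd and the socklog form are filtered, while an unrelated line (the CRON entry) is still passed through, which is the check worth keeping when loosening a rule: the widened pattern should stop exactly at the program name it is meant to cover.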