[Logcheck-devel] Bug#508138: logcheck: loglines leakage

Paolo oopla at users.sf.net
Tue Dec 9 11:28:25 UTC 2008


On Tue, Dec 09, 2008 at 10:36:51AM +0100, Gerfried Fuchs wrote:
...
>  ignore.d.server rules won't filter out security events. I guess it's
> matched as such because of the contained /failure/ in the line. I'm not
> completely sure if this should be filtered out, but a matching rule for
> that has to live below violations.ignore.d - and there is the
> logcheck-smartd file in there which as far as I can see should match ...

ah, I see ...
 
> > so the patterns in /etc.../smartd do match and logcheck run should end up 
> > with no such lines.
> 
>  Can you egrep -v -f /etc/logcheck/ignore.d.server/smartd instead and

you mean violations.ignore.d/logcheck-smartd?
but I see the problem: the regex is

^\w{3} [ :0-9]{11} [._[:alnum:]-]+ smartd...

which is fine for stock sysklogd, but socklog's format is e.g.

/var/log/socklog/main/current
auth.info: Dec  9 02:39:01 CRON[31998]: (pam_unix) session closed for user root

and

/var/log/socklog-klog/main/current
2008-12-03_16:50:42.17649 kern.warn: ide: failed opcode was: unknown
...
2008-12-08_17:44:58.45722 kern.warn: nfsd: unexporting all filesystems
[and a nice broken logline, e.g.]
2008-12-08_17:47:19.33831 nterface driver usbfs
2008-12-08_17:47:19.43500 kern.info: usbcore: registered new interface driver hub
...

so the regex should be changed to

 \w{3} [ :0-9]{11} ([._[:alnum:]-]+ )?smartd...

to match (also) socklog/*/* lines, while for socklog-klog the regex could be

 kern\.[a-z]+: 
 
While I did change patterns in ignore.d.server/*, I overlooked those in
violations.ignore.d/* :-}
Changing those as well, I get 0 output from:

# grep Prefail /var/log/socklog/main/current |\
#  egrep -v -f /etc/logcheck/violations.ignore.d/logcheck-smartd

so that'd work.


thanks
-- 
 paolo
 
 GPG/PGP id:0x3A47DE45  - B5F9 AAA0 44BD 2B63 81E0  971F C6C0 0B87 3A47 DE45
 - 9/11: the outrageous deception & coverup: http://journalof911studies.com -
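As an added example, not part of the thread or of the logcheck package, the shell snippet below runs the rule shapes discussed above against constructed sysklogd, socklog and socklog-klog lines, showing which lines the original anchored pattern leaks and which the proposed pattern filters. The sample log lines, the message tail after "smartd" and the spelling of GNU's \w as the POSIX class [[:alnum:]_] are assumptions of the example, not taken from the real rule file.

```shell
#!/bin/sh
# Added example; not code from the bug thread or the logcheck package.
# It checks which log prefix formats a logcheck-smartd style rule filters.
# All log lines are constructed; the message tail after "smartd" is a
# hypothetical stand-in for the rule's elided remainder.

# sysklogd: "Mon dd hh:mm:ss host program[pid]: message"
SYSKLOGD_LINE='Dec  9 02:39:01 myhost smartd[1234]: Device: /dev/sda, SMART Prefailure Attribute: 194 Temperature_Celsius changed from 114 to 113'
# socklog: "facility.level: Mon dd hh:mm:ss program[pid]: message" (no host)
SOCKLOG_LINE='daemon.info: Dec  9 02:39:01 smartd[1234]: Device: /dev/sda, SMART Prefailure Attribute: 194 Temperature_Celsius changed from 114 to 113'
# socklog-klog: "YYYY-MM-DD_hh:mm:ss.uuuuu kern.level: message"
KLOG_LINE='2008-12-08_17:44:58.45722 kern.warn: nfsd: unexporting all filesystems'
# truncated klog line as seen in the thread: the facility prefix is gone
KLOG_BROKEN='2008-12-08_17:47:19.33831 nterface driver usbfs'

# Hypothetical tail shared by the two smartd rule variants below.
TAIL='smartd\[[0-9]+\]: Device: /dev/[a-z]+, SMART Prefailure Attribute: [0-9]+ [A-Za-z_]+ changed from [0-9]+ to [0-9]+$'

# Original shape: anchored at line start, hostname field mandatory.
# GNU \w is spelled [[:alnum:]_] so the pattern stays POSIX ERE.
OLD_RE="^[[:alnum:]_]{3} [ :0-9]{11} [._[:alnum:]-]+ $TAIL"
# Change proposed in the thread: no ^ anchor, hostname optional, so the
# socklog "facility.level: " prefix and missing host no longer matter.
NEW_RE="[[:alnum:]_]{3} [ :0-9]{11} ([._[:alnum:]-]+ )?$TAIL"
# Prefix proposed in the thread for socklog-klog rules.
KLOG_RE=' kern\.[a-z]+: '

# filtered RE LINE -> exit 0 when the rule would suppress the line
filtered() {
    printf '%s\n' "$2" | grep -E -q -- "$1"
}

# leaked RE LINE... -> count of lines the rule lets through, i.e. what
# logcheck would still report (mirrors "egrep -v -f rulefile")
leaked() {
    re=$1
    shift
    printf '%s\n' "$@" | grep -E -v -c -- "$re" || true
}

echo "old smartd rule leaks: $(leaked "$OLD_RE" "$SYSKLOGD_LINE" "$SOCKLOG_LINE")"  # 1
echo "new smartd rule leaks: $(leaked "$NEW_RE" "$SYSKLOGD_LINE" "$SOCKLOG_LINE")"  # 0
echo "klog prefix leaks:     $(leaked "$KLOG_RE" "$KLOG_LINE" "$KLOG_BROKEN")"      # 1
```

Note that the truncated klog line still leaks under the kern prefix rule, which is the expected behaviour: a garbled line carries no facility and should be reported rather than silently ignored.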