[Logcheck-devel] Bug#560245: logcheck: violations.ignore.d causes lines to not show up at any level
Dan D Niles
dan at more.net
Wed Dec 9 22:25:01 UTC 2009
Package: logcheck
Version: 1.2.68
Severity: important
Adding an exclusion to violations.ignore.d causes matching lines to not
show up at all. The same applies to cracking.ignore.d. As a result,
important messages may be inadvertently missed.
For example, suppose you have a program that outputs:
This is a failure test
This would show up as a SECURITY event. It isn't really a SECURITY
event, so you exclude it in violations.ignore.d. Now it does not show
up as a SECURITY event, but it also does not show up as a SYSTEM event.
That behavior is not what I would expect. I could potentially be missing
important events.
It is easy to test:
logger -p kern.notice This is a failure test
run logcheck
You will get an email showing a SECURITY event.
Add "This is a failure test" to a file in violations.ignore.d.
logger -p kern.notice This is a failure test
run logcheck
You will not get any notification of the event.
I cannot off the top of my head think of an easy fix. I for one would
MUCH rather have duplicate messages than risk missing something
important.
-- System Information:
Debian Release: 5.0
APT prefers jaunty-updates
APT policy: (500, 'jaunty-updates'), (500, 'jaunty-security'), (500, 'jaunty')
Architecture: i386 (i686)
Kernel: Linux 2.6.28-16-generic (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages logcheck depends on:
ii adduser 3.110ubuntu5 add and remove users and groups
ii bsd-mailx [ 8.1.2-0.20081101cvs-2ubuntu1 A simple mail user agent
ii cron 3.0pl1-105ubuntu1.1 management of regular background p
ii lockfile-pr 0.1.11ubuntu2 Programs for locking and unlocking
ii logtail 1.2.68 Print log file lines that have not
ii postfix [ma 2.5.5-1.1 High-performance mail transport ag
ii sysklogd [s 1.5-5ubuntu3 System Logging Daemon
Versions of packages logcheck recommends:
ii logcheck-database 1.2.68 database of system log rules for t
Versions of packages logcheck suggests:
pn syslog-summary <none> (no description available)
-- no debconf information
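The behaviour the report describes, modelled as a small shell script. This is an added example, not logcheck's own code: it reimplements logcheck's tiering (match a rule directory, then subtract its ignore directory) with `grep -E -f` over constructed rule files and constructed log lines, and offers two modes for a line that matched violations.d but was then excluded by violations.ignore.d: `drop`, which discards it entirely (what the report observes), and `fallthrough`, which hands it to the SYSTEM tier instead (what the reporter expected). The cracking.d/ATTACK tier is omitted for brevity; the rule contents are assumptions chosen to make the two outcomes visible.

```shell
#!/bin/sh
# Simplified model of logcheck's rule layering (constructed for illustration,
# not logcheck's own implementation). Each tier is "lines matching the rule
# file, minus lines matching the matching ignore file".

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample log lines: one that looks like a violation but is benign,
# one genuine authentication failure, and one routine cron line.
cat > "$WORK/log" <<'EOF'
Dec  9 22:10:01 host kernel: This is a failure test
Dec  9 22:10:02 host sshd[123]: Failed password for invalid user admin
Dec  9 22:10:03 host cron[456]: (root) CMD (run-parts /etc/cron.hourly)
EOF

# Constructed rule files mirroring the directory roles in the report.
printf '%s\n' 'Failed password' 'failure'   > "$WORK/violations.d"         # SECURITY tier
printf '%s\n' 'This is a failure test'      > "$WORK/violations.ignore.d"  # the exclusion from the report
printf '%s\n' 'CMD \(run-parts'             > "$WORK/ignore.d"             # routine SYSTEM noise

# classify MODE LOGFILE
#   Prints "SECURITY: <line>" and "SYSTEM: <line>" entries to stdout.
#   MODE=drop        : a line excluded by violations.ignore.d vanishes (reported behaviour)
#   MODE=fallthrough : such a line is re-queued for the SYSTEM tier instead
classify() {
    mode=$1
    log=$2

    # Tier 1: SECURITY candidates are lines matching violations.d ...
    grep -E -f "$WORK/violations.d" "$log" > "$WORK/sec_all" || :
    # ... minus those matching violations.ignore.d.
    grep -E -v -f "$WORK/violations.ignore.d" "$WORK/sec_all" > "$WORK/sec" || :
    sed 's/^/SECURITY: /' "$WORK/sec"

    # Tier 2: build the SYSTEM pool.
    case $mode in
        drop)
            # Everything that matched violations.d is removed from the pool,
            # whether or not it was later ignored: ignored lines disappear.
            grep -E -v -f "$WORK/violations.d" "$log" > "$WORK/sys_all" || : ;;
        fallthrough)
            # Only lines actually reported as SECURITY leave the pool (exact,
            # whole-line match); excluded lines fall through to SYSTEM.
            grep -v -x -F -f "$WORK/sec" "$log" > "$WORK/sys_all" || : ;;
        *)
            echo "classify: unknown mode '$mode'" >&2; return 2 ;;
    esac
    # Apply the general ignore list to the SYSTEM pool.
    grep -E -v -f "$WORK/ignore.d" "$WORK/sys_all" | sed 's/^/SYSTEM: /'
}

echo "== mode: drop (behaviour described in the report) =="
classify drop "$WORK/log"
echo "== mode: fallthrough (what the reporter expected) =="
classify fallthrough "$WORK/log"
```

In `drop` mode the "This is a failure test" line is reported nowhere: it was subtracted from the SECURITY tier by the ignore rule and never re-entered the SYSTEM pool. In `fallthrough` mode the same line is reported as a SYSTEM event, while the genuine "Failed password" line stays SECURITY and the cron line is still silenced by ignore.d. Each mode is a separate grep pass, which is also a convenient way to audit what a new ignore rule silences before committing it.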