[Logcheck-devel] Bug#560245: logcheck: violations.ignore.d causes lines to not show up at any level

Dan D Niles dan at more.net
Wed Dec 9 22:25:01 UTC 2009


Package: logcheck
Version: 1.2.68
Severity: important


Adding an exclusion to violations.ignore.d causes matching lines to not 
show up at all.  The same applies to cracking.ignore.d.  As a result,
important messages may be inadvertently missed.

For example, suppose you have a program that outputs: 
        
        This is a failure test
        
This would show up as a SECURITY event.  It isn't really a SECURITY
event, so you exclude it in violations.ignore.d.  Now it does not show
up as a SECURITY event, but it also does not show up as a SYSTEM event.
That behavior is not what I would expect.  I could potentially be missing
important events.

It is easy to test:
        
  logger -p kern.notice This is a failure test
  run logcheck 

You will get an email showing a SECURITY event.

Add "This is a failure test" to a file in violations.ignore.d.

  logger -p kern.notice This is a failure test
  run logcheck 

You will not get any notification of the event.

I cannot off the top of my head think of an easy fix.  I for one would
MUCH rather have duplicate messages than risk missing something
important.

-- System Information:
Debian Release: 5.0
  APT prefers jaunty-updates
  APT policy: (500, 'jaunty-updates'), (500, 'jaunty-security'), (500, 'jaunty')
Architecture: i386 (i686)

Kernel: Linux 2.6.28-16-generic (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages logcheck depends on:
ii  adduser     3.110ubuntu5                 add and remove users and groups
ii  bsd-mailx [ 8.1.2-0.20081101cvs-2ubuntu1 A simple mail user agent
ii  cron        3.0pl1-105ubuntu1.1          management of regular background p
ii  lockfile-pr 0.1.11ubuntu2                Programs for locking and unlocking
ii  logtail     1.2.68                       Print log file lines that have not
ii  postfix [ma 2.5.5-1.1                    High-performance mail transport ag
ii  sysklogd [s 1.5-5ubuntu3                 System Logging Daemon

Versions of packages logcheck recommends:
ii  logcheck-database             1.2.68     database of system log rules for t

Versions of packages logcheck suggests:
pn  syslog-summary                <none>     (no description available)

-- no debconf information
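
Added example, not part of the original report and not logcheck's own code: a simplified grep model of the layered filtering that reproduces the symptom described above, lists the lines a violations.ignore rule hides from both reports, and shows the fall-through behaviour the reporter expected. The rule contents, log lines, file names under the temporary directory and the system-level ignore rule are all constructed assumptions.

```shell
#!/bin/sh
# Simplified model of the filtering described in the report; NOT logcheck's code.
# Rule contents, log lines and the system-level ignore rule are constructed.
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

printf '%s\n' 'failure'                > "$work/violations"         # stands in for violations.d
printf '%s\n' 'This is a failure test' > "$work/violations.ignore"  # stands in for violations.ignore.d
printf '%s\n' 'CRON.*session opened'   > "$work/system.ignore"      # hypothetical system-level ignore rule

cat > "$work/log" <<'EOF'
Dec  9 22:20:01 host logger: This is a failure test
Dec  9 22:20:02 host sshd[411]: authentication failure for root
Dec  9 22:20:03 host CRON[512]: session opened for user root
Dec  9 22:20:04 host kernel: eth0: link up
EOF

# SECURITY report: lines matching a violations rule, minus violations.ignore matches.
security_events() {
    grep -E -f "$work/violations" "$work/log" | grep -E -v -f "$work/violations.ignore" || true
}

# SYSTEM report, modelled to reproduce the reported symptom: every line that
# matched a violations rule is dropped before the system pass, ignored or not.
system_events_reported() {
    grep -E -v -f "$work/violations" "$work/log" | grep -E -v -f "$work/system.ignore" || true
}

# Audit: lines that a violations.ignore rule hides from both reports.
suppressed_everywhere() {
    grep -E -f "$work/violations" "$work/log" | grep -E -f "$work/violations.ignore" || true
}

# Fall-through variant: only lines actually shown as SECURITY are withheld
# from the SYSTEM pass, so an ignored violation is still evaluated there.
system_events_fallthrough() {
    security_events > "$work/shown"
    grep -F -x -v -f "$work/shown" "$work/log" | grep -E -v -f "$work/system.ignore" || true
}

echo "== SECURITY ==";              security_events
echo "== SYSTEM (reported) ==";     system_events_reported
echo "== hidden from both ==";      suppressed_everywhere
echo "== SYSTEM (fall-through) =="; system_events_fallthrough
```

Running the same audit idea against real rule files shows which log lines an ignore rule would remove from every report before the rule is deployed.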




