[Logcheck-devel] more local-* files

Frédéric Brière fbriere at fbriere.net
Fri Feb 19 15:39:44 UTC 2010


Dan Langille <dan at langille.org> wrote:
> I have a few local-* files that you may find useful.  Please use as you 
> see fit. No doubt, some will require refinement for public distribution. 

Thanks for sharing these with us.  Unfortunately, there's not much that
can be salvaged here, as most rules are much too loose to be distributed
as-is, and we don't have the original log messages to match them with.

Nevertheless, here are some comments:

- I think you'll find that many of your postfix and dovecot rules are
  already taken care of by the latest logcheck-database release.  (Some
  others seem to be obsolete, and do not appear in the source code at
  all.)  Would you be willing to give 1.3.x a whirl, and report on what
  is missing?

- I'm attaching a tentative rulefile for stunnel; could you also give it
  a try?

- The amavis-new package includes its own logcheck rules, so you should
  forward your suggestions to its maintainer(s).  This was also the case
  with ntpd, but your particular rule has already been taken care of by
  #498992.

- I could not find a trace of newsyslog in Debian; is this something you
  installed on your own?


Again, thanks for your help!



  ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ stunnel(( LOG[[:digit:]])?\[[:[:digit:]]+\])?: SSL_read .*: Connection reset by peer$
  ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ stunnel(( LOG[[:digit:]])?\[[:[:digit:]]+\])?: .* connected from .*$
  ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ stunnel(( LOG[[:digit:]])?\[[:[:digit:]]+\])?: VERIFY OK: depth=[0-9]+, .*$
  ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ stunnel(( LOG[[:digit:]])?\[[:[:digit:]]+\])?: Received signal 15; terminating$
  ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ stunnel(( LOG[[:digit:]])?\[[:[:digit:]]+\])?: stunnel [0-9.]+ on i386-pc-linux-gnu PTHREAD\+POLL\+IPv6\+LIBWRAP with OpenSSL [0-9a-z.]+ [0-9]{2} \w{3} [0-9]{4}$
  ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ stunnel(( LOG[[:digit:]])?\[[:[:digit:]]+\])?: [0-9]+ clients allowed$
  ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ stunnel(( LOG[[:digit:]])?\[[:[:digit:]]+\])?: SSL_accept: Peer suddenly disconnected$
  ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ stunnel(( LOG[[:digit:]])?\[[:[:digit:]]+\])?: [._[:alnum:]-]+ accepted connection from [.:[:xdigit:]]+:[[:digit:]]+$
  ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ stunnel(( LOG[[:digit:]])?\[[:[:digit:]]+\])?: connect_blocking: connected [.:[:xdigit:]]+:[[:digit:]]+$
  ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ stunnel(( LOG[[:digit:]])?\[[:[:digit:]]+\])?: [._[:alnum:]-]+ connected remote server from [.:[:xdigit:]]+:[[:digit:]]+$


-- 
LOAD "LINUX",8,1
		-- Topic on #LinuxGER
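The attached stunnel rulefile, replayed over a handful of constructed syslog lines the way logcheck does it (egrep -f rulefile), to see what would still be reported and which rules never fire. This is an added example, not from the original mail or from the logcheck project; the log lines are made up, and GNU grep is assumed because its -E mode understands \w and \+ as logcheck relies on.

```shell
#!/bin/sh
# Added example, not part of the original mail or of logcheck itself: replay a
# few constructed syslog lines through the tentative stunnel rules exactly the
# way logcheck does (egrep -f rulefile) and show what would still be reported.
# Assumes GNU grep, whose -E mode understands \w and \+ as logcheck relies on.

RULES=$(mktemp)
trap 'rm -f "$RULES"' EXIT
cat >"$RULES" <<'EOF'
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ stunnel(( LOG[[:digit:]])?\[[:[:digit:]]+\])?: SSL_read .*: Connection reset by peer$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ stunnel(( LOG[[:digit:]])?\[[:[:digit:]]+\])?: .* connected from .*$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ stunnel(( LOG[[:digit:]])?\[[:[:digit:]]+\])?: VERIFY OK: depth=[0-9]+, .*$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ stunnel(( LOG[[:digit:]])?\[[:[:digit:]]+\])?: Received signal 15; terminating$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ stunnel(( LOG[[:digit:]])?\[[:[:digit:]]+\])?: stunnel [0-9.]+ on i386-pc-linux-gnu PTHREAD\+POLL\+IPv6\+LIBWRAP with OpenSSL [0-9a-z.]+ [0-9]{2} \w{3} [0-9]{4}$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ stunnel(( LOG[[:digit:]])?\[[:[:digit:]]+\])?: [0-9]+ clients allowed$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ stunnel(( LOG[[:digit:]])?\[[:[:digit:]]+\])?: SSL_accept: Peer suddenly disconnected$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ stunnel(( LOG[[:digit:]])?\[[:[:digit:]]+\])?: [._[:alnum:]-]+ accepted connection from [.:[:xdigit:]]+:[[:digit:]]+$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ stunnel(( LOG[[:digit:]])?\[[:[:digit:]]+\])?: connect_blocking: connected [.:[:xdigit:]]+:[[:digit:]]+$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ stunnel(( LOG[[:digit:]])?\[[:[:digit:]]+\])?: [._[:alnum:]-]+ connected remote server from [.:[:xdigit:]]+:[[:digit:]]+$
EOF

# Constructed sample lines (not real logs): five routine messages in the three
# program-name shapes the rules accept, plus one VERIFY ERROR that no rule
# covers and that logcheck should therefore still report.
SAMPLE_LOG='Feb 19 15:39:44 mailhost stunnel LOG5[1234:3086543488]: imaps connected from 192.0.2.10:51234
Feb 19 15:39:45 mailhost stunnel LOG6[1234:3086543488]: SSL_read error: Connection reset by peer
Feb 19 15:39:46 mailhost stunnel[1234]: 500 clients allowed
Feb 19 15:39:47 mailhost stunnel: SSL_accept: Peer suddenly disconnected
Feb 19 15:39:48 mailhost stunnel LOG3[1234:3086543488]: VERIFY ERROR: depth=0, error=self signed certificate
Feb 19 15:39:49 mailhost stunnel LOG5[1234:3086543488]: imaps accepted connection from 192.0.2.10:51234'

# Lines no rule ignores: this is what logcheck would put in its report.
stunnel_unignored() {
    printf '%s\n' "$SAMPLE_LOG" | grep -E -v -f "$RULES" || true
}

# Rules that hit none of the sample lines; useful for spotting rules whose
# original message is unknown or obsolete before shipping them.
stunnel_dead_rules() {
    while IFS= read -r rule; do
        printf '%s\n' "$SAMPLE_LOG" | grep -E -q -- "$rule" || printf '%s\n' "$rule"
    done <"$RULES"
}

echo '== would be reported =='; stunnel_unignored
echo '== rules with no hits =='; stunnel_dead_rules
```

Feeding a real /var/log/syslog excerpt into SAMPLE_LOG instead of the constructed lines is the quickest way to answer the "what is missing?" question asked above.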