[Logcheck-devel] Bug#588312: Bug#588312: logcheck-database: updated rules for many packages

Hannes von Haugwitz hannes at vonhaugwitz.com
Thu Jul 8 11:58:47 UTC 2010


Hi,

Like Gerfried said, please file different bug reports for different 
packages the next time.

Some comments about your rule suggestions:

Radosław Antoniuk wrote:
>> #dkimproxy
>> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dkimproxy.out\[[0-9]+\]: connect from .*$
>> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dkimproxy.out\[[0-9]+\]: DKIM signing - signed; .*$
>> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dkimproxy.out\[[0-9]+\]: DKIM signing - skipped; .*$
> 
> No rules at all.
> 
> 
> Jul  7 12:39:21 hosting dkimproxy.out[1508]: DKIM signing - skipped;
> message-id=<cb42d0dfb3a2eb598e162cfe3b6ea493 at www.xyz.com>,
> from=<email at dot.com>
> Jul  7 12:39:21 hosting dkimproxy.out[1508]: DKIM signing - signed;
> message-id=<cb42d0dfb3a2eb598e162cfe3b6ea493 at www.xyz.com>,
> from=<email at dot.com>
> Jul  7 12:39:21 hosting dkimproxy.out[1508]: connect from 127.0.0.1
> 

I don't see the need for the wildcard .* here.

> 
>> #ssh
>> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: error writing /proc/self/oom_adj: Operation not permitted$
> 
> Not there.
> 

Looks like an error to me, maybe #555625?

>> #ntp
>> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ntpd\[[0-9]+\]: kernel time sync status change 4001
> 
> No config at all
> 

This message shouldn't occur anymore (see #498992).

> 
>> #syslog-ng
>> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ syslog-ng\[[0-9]+\]: Log statistics;.*$
>> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ syslog-ng\[[0-9]+\]: Configuration reload request received, reloading configuration;$
> 
> 
> syslog-ng[31823]: Log statistics; processed='destination(d_error)=3',
> processed='destination(d_messages)=298',
> processed='src.internal(s_src#1)=90',
> stamp='src.internal(s_src#1)=1278499023',
> processed='destination(d_syslog)=90', processed='center(received)=0',
> processed='destination(d_xconsole)=3',
> processed='destination(d_newscrit)=0',
> processed='destination(d_auth)=1452',
> processed='destination(d_daemon)=1',
> processed='global(payload_reallocs)=0',
> processed='global(msg_clones)=0', processed='destination(d_mail)=64',
> processed='destination(d_cron)=711',
> processed='destination(d_kern)=132',
> processed='destination(d_uucp)=0', processed='destination(d_debug)=4',
> processed='destination(d_lpr)=0', processed='destination(d_user)=76',
> processed='center(queued)=0', processed='global(sdata_updates)=0',
> processed='destination(d_newsnotice)=0',
> processed='destination(d_console_all)=3',
> processed='destination(d_console)=1', processed='source(s_src)=2530',
> processed='destination(d_newserr)=0'
> 
> 

Also no need for the wildcard .* here.

>> #shorewall
>> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: Shorewall:.*$
> 
> Shorewall can log to an outside file. Logging to syslog is causing
> every packet drop to be in logcheck.
> Example:
> 
> Jul  7 12:40:04 dev kernel: Shorewall:net2fw:DROP:IN=venet0 OUT=
> PHYSIN=eth0 MAC= SRC=X.Y.Z.A DST=A.B.C.D LEN=404 TOS=0x00 PREC=0x00
> TTL=32 ID=54796 PROTO=UDP SPT=2368 DPT=1434 LEN=384
> 

If you enable syslog logging, you should know what you're doing. If not, 
disable the feature.

>> #libpam-cracklib
>> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ cracklib: no dictionary update necessary.$
> 
> Not there.

Rule is part of the cracklib-runtime package 
(/etc/logcheck/ignore.d.paranoid/cracklib-runtime).

> 
>> #modprobe?
>> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ modprobe: WARNING: Not loading blacklisted module ipv6.$
> 
> Should be in fact:
> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ modprobe: WARNING: Not loading
> blacklisted module [:alnum:]+$
> 

I tend not to add this rule by default. The user should be informed at 
least once about the blacklisted module, so that he can react accordingly 
(for instance, by adding the rule above to the local rule set).

> 
>> #rsyncd
>> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ rsyncd\[[0-9]+\]: file has vanished: .*$
>>
> 
> Not there.

I guess the wildcard .* represents a file name; so here, too, there is no 
need for the wildcard.

> 
> 
>> #netatalk
>> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: server_child[[:xdigit:]+] [:xdigit:]+ exited 1$
>> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: uams_dhx_pam.c :PAM: PAM Success$
>> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: uams_dhx_pam.c :PAM: PAM Auth OK!$
>> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: login [:alpha:]+ (uid [:xdigit:]+, gid [:xdigit:]+) AFP3.1$
>> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: dhx login: [:alpha:]+$
>> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: ipc_read: command: .*$
>> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: Setting clientid .*$
>> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: pc_get_session: .*$
>> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: bad function .*$
>> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: ASIP session:.*$
>> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: afp_alarm: child timed out$
>> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: [:alpha:]+ read, [:alpha:]+ written$
>> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: Connection terminated$
>> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: server_child[[:xdigit:]+] [:xdigit:]+ exited 1$
> 
> No rules at all.
> 

There are rule files in the netatalk package 
(/etc/logcheck/ignore.d.server/netatalk, 
/etc/logcheck/violations.ignore.d/netatalk).

Greetings,

Hannes
