[Logcheck-devel] Bug#560245: Bug#560245: logcheck: violations.ignore.d causes lines to not show up at any level
Hannes von Haugwitz
hannes at vonhaugwitz.com
Fri May 21 09:15:58 UTC 2010
tags 560245 +wontfix
thanks
Dan D Niles wrote:
> Adding an exclusion to violations.ignore.d causes matching lines to not
> show up at all. The same applies to cracking.ignore.d. As a result,
> important messages may be inadvertently missed.
>
> For example, suppose you have a program that outputs:
>
> This is a failure test
>
> This would show up as a SECURITY event. It isn't really a SECURITY
> event, so you exclude it in violations.ignore.d. Now it does not show
> up as a SECURITY event, but it also does not show up as a SYSTEM event.
> That behavior is not what I would expect.
The current behavior is due to the design of logcheck and avoids
duplicate rules in {cracking,violations}.ignore.d/ and ignore.d.*/.
Additionally the behavior is documented in README.logcheck-database.gz.
So I'm tagging this bug as wontfix.
>
> I cannot off the top of my head think of an easy fix. I for one would
> MUCH rather have duplicate messages than risk missing something
> important.
>
To avoid falsely ignored messages, you can ensure that the rules in
violations.ignore.d are as specific as possible.
Greetings
Hannes
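
The effect reported in this thread, and the advice to keep violations.ignore.d rules specific, as an added sketch that is not part of the original message and is not logcheck's own code. It is a simplified model of the layering; the keyword `failure`, the sample log lines and both ignore rules are constructed assumptions.

```shell
#!/bin/sh
# Simplified model (assumption, not logcheck's code): a line matching a
# violations.d rule leaves the system-event stream; if it also matches a
# violations.ignore.d rule it is removed from the security report as well.

VIOLATIONS='failure'   # constructed stand-in for a violations.d keyword rule

# Constructed sample log lines.
sample_log() {
cat <<'EOF'
May 21 09:00:01 host myprog[411]: This is a failure test
May 21 09:00:07 host sshd[502]: authentication failure test for root from 192.0.2.7
May 21 09:00:09 host cron[88]: job finished
EOF
}

# security_events IGNORE_RULE: lines still reported as security events.
security_events() {
    sample_log | grep -E -- "$VIOLATIONS" | grep -Ev -- "$1"
}

# system_events: lines that never matched violations.d (ignore.d.* not modelled).
system_events() {
    sample_log | grep -Ev -- "$VIOLATIONS"
}

# dropped IGNORE_RULE: lines that end up in neither report.
dropped() {
    sample_log | grep -E -- "$VIOLATIONS" | grep -E -- "$1"
}

# Broad rule: silences the noisy program, but also every other "failure test" line.
BROAD='failure test'
# Specific rule: anchored to timestamp, host, program name and the full message.
SPECIFIC='^[[:alpha:]]{3} [ :0-9]{11} [._[:alnum:]-]+ myprog\[[0-9]+\]: This is a failure test$'

for rule in "$BROAD" "$SPECIFIC"; do
    printf 'violations.ignore.d rule: %s\n' "$rule"
    dropped "$rule" | sed 's/^/  lost from all reports: /'
done
```

Running a candidate rule through `dropped` against a few days of real log lines before installing it shows exactly which lines it would remove from every report.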