[Logcheck-devel] Requesting clarification on a few things
Jeremy L. Gaddis
jlgaddis at gnu.org
Fri Jul 8 09:33:49 UTC 2011
martin f krafft <madduck at debian.org> wrote:
> also sprach Jeremy L. Gaddis <jlgaddis at gnu.org> [2011.07.08.0624 +0200]:
> > One thing that Hannes mentioned was in response to commits
> > 5f7da05[1] and cf5e9d3[2] which I made to address bug #590559[3].
> > As he mentioned in his email, webmin was removed from the Debian
> > archive over five years ago[4]. He Cc:'d madduck asking what the
> > policy is for rules for packages that have been removed from
> > Debian. My personal thought was that since they were still there,
> > they might as well be updated. For clarification and future
> > reference, I am interested in knowing what the policy is as well.
>
> I do not think there is a policy. It makes sense to keep filters
> around while any version of Debian still has a package (due to
> backports), but when Debian does not have the package at all
> anymore, then there is no real reason to carry over the weight???
Right. I was a bit confused since webmin had long ago been removed, yet
the filters for it was still present. Makes sense to me to remove it.
> > Currently, I am trying to figure out the proper thing to do with regard
> > to bug #621373[7]. This is a request for two rules related to log
> > messages generated by avahi-daemon. As of now, there are no rules in
> > logcheck-database for Avahi. Is there some process for deciding if it
> > is appropriate to add them or do we just go ahead (which seems like the
> > logical decision to me).
>
> It would make much more sense to distribute the filters in the
> avahi-daemon package.
I agree. In an ideal world, I think logcheck-database wouldn't contain
much besides filters for kernel messages. All of the other filters (for
specific software) would be included in the respective packages.
> > Related to that, can I assume that the proper file to create would
> > be i.d.s/avahi-daemon instead of i.d.w/avahi-daemon? Avahi is
> > often present on both servers and workstations so it would seem
> > appropriate to put it under i.d.s since those rules will get
> > applied when REPORTLEVEL is set to "workstation" as well as
> > "server".
>
> I really do not see a reason why one would have Avahi on a server,
> so I'd tend to put it into the workstation pool. If you disagree,
> then use your own judgement.
I agree with you totally and I wouldn't personally run Avahi on any of
my servers, but I've seen it done. Workstation it is.
> > Bug #617232[9] mentions rules which match on IPv4 addresses but
> > will not match IPv6 addresses. Should we begin updating rules so
> > that both IPv4 and IPv6 addresses will be matched? Is there
> > a preferred methodology for doing this, or is it okay to simply
> > start working on it now?
>
> Rather than hacking the regexps, this should really be done by
> finally introducing macros/templates/patterns into rulefiles.
From what I gathered (either from the archives or the wiki, I forget
which), it seems that this idea has been floating around for a while but
hasn't really taken off yet. Is anyone [interested in] leading this
effort?
> Thanks for your time and effort. I hope I answered all questions.
I appreciate the reply, martin. You've basically reinforced my previous
thought which was "use your best judgment". If I make the wrong
decision, well, that's what "git revert" is for.
Thanks,
-j
--
Jeremy L. Gaddis
More information about the Logcheck-devel
mailing list