[Logcheck-devel] Bug#740203: logcheck-database: proposed ignore rules for hostapd
Gabriel Niebler
gabriel.niebler at gmail.com
Wed Feb 26 21:21:18 UTC 2014
Package: logcheck-database
Version: 1.3.15
Severity: wishlist
Tags: patch
Dear Maintainers,
I have logcheck running on a centralised loghost for my small home network,
running Debian wheezy (stable). My wireless router, running OpenWRT, also
logs to this host, to separate logfiles, and when I added these to
logcheck.logfiles, I started getting emails from logcheck complaining about
messages like these...
<date> <hostname> hostapd: wlan0: STA 88:88:88:88:88:88 IEEE 802.11: authenticated
<date> <hostname> hostapd: wlan0: STA 88:88:88:88:88:88 IEEE 802.11: associated (aid 2)
<date> <hostname> hostapd: wlan0: STA 88:88:88:88:88:88 IEEE 802.11: associated (aid 3)
<date> <hostname> hostapd: wlan0: STA 88:88:88:88:88:88 IEEE 802.11: deauthenticated due to local deauth request
... and...
<date> <hostname> hostapd: wlan0: STA 88:88:88:88:88:88 WPA: pairwise key handshake completed (RSN)
<date> <hostname> hostapd: wlan0: STA 88:88:88:88:88:88 WPA: group key handshake completed (RSN)
<date> <hostname> hostapd: wlan0: STA 88:88:88:88:88:88 WPA: received EAPOL-Key 2/2 Group with unexpected replay counter
... all of which are harmless.
(To see this for the last line cf.:
http://lists.shmoo.com/pipermail/hostap/2011-May/023166.html )
So I created "local-hostapd" in /etc/logcheck/ignore.d.server,
which contains these lines:
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ hostapd: [[:alnum:]]+: STA ([0-9a-f]{2}:){5}[0-9a-f]{2} IEEE 802\.11: authenticated$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ hostapd: [[:alnum:]]+: STA ([0-9a-f]{2}:){5}[0-9a-f]{2} IEEE 802\.11: associated \(aid [[:digit:]]+\)$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ hostapd: [[:alnum:]]+: STA ([0-9a-f]{2}:){5}[0-9a-f]{2} IEEE 802\.11: deauthenticated due to local deauth request$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ hostapd: [[:alnum:]]+: STA ([0-9a-f]{2}:){5}[0-9a-f]{2} WPA: pairwise key handshake completed \(RSN\)$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ hostapd: [[:alnum:]]+: STA ([0-9a-f]{2}:){5}[0-9a-f]{2} WPA: group key handshake completed \(RSN\)$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ hostapd: [[:alnum:]]+: STA ([0-9a-f]{2}:){5}[0-9a-f]{2} WPA: received EAPOL-Key 2/2 Group with unexpected replay counter$
I tested them and they work for me.
Since 'hostapd' exists on Debian, too, and AFAIK logs the same
messages, I propose creating "/etc/logcheck/ignore.d.server/hostapd"
using these same ignore-filtering rules.
Cheers
- gabe
-- System Information:
Debian Release: 7.2
Architecture: armhf (armv6l)
Kernel: Linux 3.6.11+ (PREEMPT)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
-- Configuration Files: [Errno 13] Permission denied - all of them
-- no debconf information
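
The rules proposed in the report above can be checked before installation by running them over sample lines as extended regular expressions that filter out every matching line, which is how logcheck applies its ignore rules. This is an added example, not part of the original report. The sample log lines and function names are constructed, the association rule is written with `[[:digit:]]+` so that multi-digit aid values match, and GNU grep is assumed for `\w`.

```shell
#!/bin/sh
# Added example, not from the original report. Assumes GNU grep (for \w).

# The six proposed rules; the association rule uses [[:digit:]]+ for the aid.
write_rules() {
cat <<'EOF'
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ hostapd: [[:alnum:]]+: STA ([0-9a-f]{2}:){5}[0-9a-f]{2} IEEE 802\.11: authenticated$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ hostapd: [[:alnum:]]+: STA ([0-9a-f]{2}:){5}[0-9a-f]{2} IEEE 802\.11: associated \(aid [[:digit:]]+\)$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ hostapd: [[:alnum:]]+: STA ([0-9a-f]{2}:){5}[0-9a-f]{2} IEEE 802\.11: deauthenticated due to local deauth request$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ hostapd: [[:alnum:]]+: STA ([0-9a-f]{2}:){5}[0-9a-f]{2} WPA: pairwise key handshake completed \(RSN\)$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ hostapd: [[:alnum:]]+: STA ([0-9a-f]{2}:){5}[0-9a-f]{2} WPA: group key handshake completed \(RSN\)$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ hostapd: [[:alnum:]]+: STA ([0-9a-f]{2}:){5}[0-9a-f]{2} WPA: received EAPOL-Key 2/2 Group with unexpected replay counter$
EOF
}

# Constructed sample lines: five that the rules cover, then two that no rule
# covers and that should therefore still reach the report.
write_samples() {
cat <<'EOF'
Feb 26 21:20:01 openwrt hostapd: wlan0: STA 88:88:88:88:88:88 IEEE 802.11: authenticated
Feb 26 21:20:01 openwrt hostapd: wlan0: STA 88:88:88:88:88:88 IEEE 802.11: associated (aid 12)
Feb 26 21:20:02 openwrt hostapd: wlan0: STA 88:88:88:88:88:88 WPA: pairwise key handshake completed (RSN)
Feb 26 21:30:02 openwrt hostapd: wlan0: STA 88:88:88:88:88:88 WPA: received EAPOL-Key 2/2 Group with unexpected replay counter
Feb 26 21:40:10 openwrt hostapd: wlan0: STA 88:88:88:88:88:88 IEEE 802.11: deauthenticated due to local deauth request
Feb 26 21:45:00 openwrt hostapd: wlan0: STA 88:88:88:88:88:88 IEEE 802.11: deauthenticated due to inactivity (timer DEAUTH/REMOVE)
Feb 26 21:45:05 openwrt hostapd: wlan0: STA 88:88:88:88:88:88 IEEE 802.11: disassociated
EOF
}

# Print the sample lines that no ignore rule matches, i.e. what would still
# be reported. grep -f needs a file, so the rules go through a temporary file.
still_reported() {
    rules=$(mktemp) || return 1
    write_rules > "$rules"
    write_samples | grep -E -v -f "$rules"
    rm -f "$rules"
}

still_reported
```

Only the inactivity deauthentication and the disassociation lines are printed; because each rule is anchored with `^` and `$`, any message that differs from the listed ones stays in the report.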