[Logcheck-devel] Bug#740203: logcheck-database: proposed ignore rules for hostapd

Gabriel Niebler gabriel.niebler at gmail.com
Wed Feb 26 21:21:18 UTC 2014


Package: logcheck-database
Version: 1.3.15
Severity: wishlist
Tags: patch

Dear Maintainers,

I have logcheck running on a centralised loghost for my small home network,
running Debian wheezy (stable). My wireless router, running OpenWRT, also
logs to this host, to separate logfiles, and when I added these to
logcheck.logfiles, I started getting emails from logcheck complaining about
messages like these...

<date> <hostname> hostapd: wlan0: STA 88:88:88:88:88:88 IEEE 802.11: authenticated
<date> <hostname> hostapd: wlan0: STA 88:88:88:88:88:88 IEEE 802.11: associated (aid 2)
<date> <hostname> hostapd: wlan0: STA 88:88:88:88:88:88 IEEE 802.11: associated (aid 3)
<date> <hostname> hostapd: wlan0: STA 88:88:88:88:88:88 IEEE 802.11: deauthenticated due to local deauth request

... and...

<date> <hostname> hostapd: wlan0: STA 88:88:88:88:88:88 WPA: pairwise key handshake completed (RSN)
<date> <hostname> hostapd: wlan0: STA 88:88:88:88:88:88 WPA: group key handshake completed (RSN)
<date> <hostname> hostapd: wlan0: STA 88:88:88:88:88:88 WPA: received EAPOL-Key 2/2 Group with unexpected replay counter

... all of which are harmless.
(To see this for the last line cf.:
 http://lists.shmoo.com/pipermail/hostap/2011-May/023166.html )

So I created "local-hostapd" in /etc/logcheck/ignore.d.server,
which contains these lines:

^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ hostapd: [[:alnum:]]+: STA ([0-9a-f]{2}:){5}[0-9a-f]{2} IEEE 802\.11: authenticated$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ hostapd: [[:alnum:]]+: STA ([0-9a-f]{2}:){5}[0-9a-f]{2} IEEE 802\.11: associated \(aid [[:digit:]]\)$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ hostapd: [[:alnum:]]+: STA ([0-9a-f]{2}:){5}[0-9a-f]{2} IEEE 802\.11: deauthenticated due to local deauth request$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ hostapd: [[:alnum:]]+: STA ([0-9a-f]{2}:){5}[0-9a-f]{2} WPA: pairwise key handshake completed \(RSN\)$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ hostapd: [[:alnum:]]+: STA ([0-9a-f]{2}:){5}[0-9a-f]{2} WPA: group key handshake completed \(RSN\)$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ hostapd: [[:alnum:]]+: STA ([0-9a-f]{2}:){5}[0-9a-f]{2} WPA: received EAPOL-Key 2/2 Group with unexpected replay counter$

I tested them and they work for me.
Since 'hostapd' exists on Debian, too, and AFAIK logs the same
messages, I propose creating "/etc/logcheck/ignore.d.server/hostapd"
using these same ignore-filtering rules.

Cheers
- gabe

-- System Information:
Debian Release: 7.2
Architecture: armhf (armv6l)

Kernel: Linux 3.6.11+ (PREEMPT)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

-- Configuration Files: [Errno 13] Permission denied - all of them

-- no debconf information
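
A dry run of the rules proposed in the message above, as an added example that is not part of the original report: it writes the six rules unchanged to a file and shows which sample lines logcheck would still report. The timestamp, the hostname "router", the function names and the last two sample messages are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original message): dry-run the proposed
# ignore rules. logcheck applies rule files as egrep patterns, so
# "grep -E -v -f" prints what would still be reported.

# Write the six rules from the message, unchanged, to file $1.
write_rules() {
    p='^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ hostapd: [[:alnum:]]+: STA ([0-9a-f]{2}:){5}[0-9a-f]{2}'
    for s in 'IEEE 802\.11: authenticated' \
             'IEEE 802\.11: associated \(aid [[:digit:]]\)' \
             'IEEE 802\.11: deauthenticated due to local deauth request' \
             'WPA: pairwise key handshake completed \(RSN\)' \
             'WPA: group key handshake completed \(RSN\)' \
             'WPA: received EAPOL-Key 2/2 Group with unexpected replay counter'
    do
        printf '%s %s$\n' "$p" "$s"
    done > "$1"
}

# Write constructed sample lines to file $1 (timestamp, hostname "router"
# and the last two messages are assumptions, not taken from the message).
write_sample_log() {
    h='Feb 26 21:21:18 router hostapd: wlan0: STA 88:88:88:88:88:88'
    for m in 'IEEE 802.11: authenticated' \
             'IEEE 802.11: associated (aid 2)' \
             'WPA: pairwise key handshake completed (RSN)' \
             'WPA: received EAPOL-Key 2/2 Group with unexpected replay counter' \
             'IEEE 802.11: associated (aid 12)' \
             'IEEE 802.11: deauthenticated due to inactivity (timer DEAUTH/REMOVE)'
    do
        printf '%s %s\n' "$h" "$m"
    done > "$1"
}

# Print the lines of log $2 that no rule in $1 matches. grep exits 1 when
# every line is filtered; only exit status 2 (bad pattern/file) is an error.
still_reported() {
    grep -E -v -f "$1" "$2" || [ $? -eq 1 ]
}

dir=$(mktemp -d)
write_rules "$dir/hostapd"
write_sample_log "$dir/sample.log"
echo "Lines logcheck would still report:"
still_reported "$dir/hostapd" "$dir/sample.log"
rm -rf "$dir"
```

Because every rule is anchored with ^ and $, only the exact messages are suppressed: the two-digit association ID and the inactivity deauthentication still reach the report.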


