[Logcheck-devel] [PATCH] Update bind filter to match lines also with domain name in brackets.

Wojciech Nizinski niziak at spox.org
Mon Feb 22 08:35:53 UTC 2016


Before correction:
Feb 22 07:55:09 myserver1 named[21728]: client 111.11.1.11#53: query (cache) 'domain.gov/ANY/IN' denied

After correction:
Feb 22 07:55:09 myserver1 named[21728]: client 111.11.1.11#53 (domain.gov): query (cache) 'domain.gov/ANY/IN' denied

Signed-off-by: Wojciech Nizinski <niziak at spox.org>
---
 rulefiles/linux/ignore.d.server/bind | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rulefiles/linux/ignore.d.server/bind b/rulefiles/linux/ignore.d.server/bind
index 88e1989..f50e3c7 100644
--- a/rulefiles/linux/ignore.d.server/bind
+++ b/rulefiles/linux/ignore.d.server/bind
@@ -1,6 +1,6 @@
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ named\[[[:digit:]]+\]: FORMERR resolving '[^[:space:]]+': [.:[:xdigit:]]+#[[:digit:]]+$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ named\[[[:digit:]]+\]: client [.:[:xdigit:]]+#[[:digit:]]+: updating zone '[-._[:alnum:]]+/IN': (adding an RR|deleting rrset) at '[._[:alnum:]-]+' A$
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ named\[[[:digit:]]+\]: client [[:digit:].]+#[[:digit:]]+: query (\(cache\) )?'.*' denied$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ named\[[[:digit:]]+\]: client [[:digit:].]+#[[:digit:]]+( \([._[:alnum:]-]+\))?: query (\(cache\) )?'.*' denied$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ named\[[[:digit:]]+\]: dispatch 0x[[:xdigit:]]+: shutting down due to TCP receive error: [.:[:xdigit:]]+#[[:digit:]]+: connection reset$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ named\[[[:digit:]]+\]: enforced delegation-only for '[._[:alnum:]-]+' \([._[:alnum:]-]+/(A|AAAA)/IN\) from [.:[:xdigit:]]+#[[:digit:]]+$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ named\[[[:digit:]]+\]: journal file [-./_[:alnum:]]+ does not exist, creating it$
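Review bot: the client address in the changed line stays `[[:digit:].]+`, which only matches IPv4 clients, while the neighbouring rules in this same hunk (the FORMERR, `updating zone`, `dispatch` and `enforced delegation-only` lines) use `[.:[:xdigit:]]+` and therefore also cover IPv6 clients; since this line is being rewritten anyway, consider switching it to the same class so that the new parenthesised-name form is ignored consistently for both address families. The added optional group `( \([._[:alnum:]-]+\))?` itself looks correct: it sits between the port and the colon, reuses the name class the `enforced delegation-only` rule already uses, and the sample line from the commit message (`client 111.11.1.11#53 (domain.gov): query (cache) 'domain.gov/ANY/IN' denied`) matches it, as does the old form without the parenthesised name.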
-- 
2.1.4
