Sorry about this, but I messed this patch up. This message gets tagged as a security violation, so I put the exclusion in the wrong directory. It needs to go in a new file .../violations.ignore.d/logcheck-samba.

Please consider this a vote for a single unified ignore directory in a future version of logcheck, instead of the split cracking/violations/events structure we currently have.

Until then, you might want to consider changing the labels of the emails to match the names of the directories, to make it a little more obvious at least:

# Controls Subject: lines on logcheck reports:
ATTACKSUBJECT="Cracking Alerts"
SECURITYSUBJECT="Security Violations"
EVENTSSUBJECT="System Events"

One more question... why do the files you provide in the logcheck-database package use the "logcheck-" prefix in the violations directory, but not in the ignore directory? Consistency would be good here, I think.

- Marc

maximilian attems
2004-Dec-30 10:49 UTC
Bug#286329: [Logcheck-devel] Bug#286329: Sorry, wrong directory
On Sun, 26 Dec 2004, Marc Sherman wrote:
> Sorry about this, but I messed this patch up. This message gets tagged
> as a security violation, so I put the exclusion in the wrong directory.
> It needs to go in a new file .../violations.ignore.d/logcheck-samba.

ok thanks for the report as current logcheck cvs is not yet released. i fixed it in cvs.

> Please consider this a vote for a single unified ignore directory in a
> future version of logcheck, instead of the split
> cracking/violations/events structure we currently have.

objected, it's a feature to have a different level of events. but you are right that current implementation of dirs is suboptimal and is a TODO entry for post sarge.

> Until then, you might want to consider changing the labels of the emails
> to match the names of the directories, to make it a little more obvious
> at least:
>
> # Controls Subject: lines on logcheck reports:
> ATTACKSUBJECT="Cracking Alerts"
> SECURITYSUBJECT="Security Violations"
> EVENTSSUBJECT="System Events"

that is the older name for the mid layer, "Security Violations" is much too strong for what gets logged. "Cracking Alerts" will be renamed to "Security Violations". look in /usr/share/doc/logcheck/TODO

> One more question... why do the files you provide in the
> logcheck-database package use the "logcheck-" prefix in the violations
> directory, but not in the ignore directory? Consistency would be good
> here, I think.

good question, the renaming was done before my time. it's a bit hardcoded in logcheck code. greplogoutput() needs clean up, but works currently ;-)

--
maks
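
The directory mix-up this thread is about, as an added example that is not part of the original messages and is not logcheck's own code: a simplified model of the cracking/violations/events layering, showing that an exclusion placed in the ordinary ignore directory does not suppress a line already tagged by violations.d. The `ignore.d.server` directory name, the `matches`, `classify` and `demo` helpers, the patterns and the log line are all assumptions constructed for illustration.

```shell
#!/bin/sh
# Simplified model of logcheck's layered filtering (assumption, not logcheck code).

matches() {  # matches DIR LINE: true if any non-blank rule in DIR matches LINE
    pats=$(cat "$1"/* 2>/dev/null | grep -v '^[[:space:]]*$' || true)
    [ -n "$pats" ] || return 1          # empty directory matches nothing
    printf '%s\n' "$2" | grep -E -q -e "$pats"
}

classify() {  # classify RULES_DIR LINE: prints the report section, or "ignored"
    if matches "$1/cracking.d" "$2"; then
        echo "Cracking Alerts"
    elif matches "$1/violations.d" "$2"; then
        # Only violations.ignore.d can cancel a violations.d match.
        if matches "$1/violations.ignore.d" "$2"; then
            echo "ignored"
        else
            echo "Security Violations"
        fi
    elif matches "$1/ignore.d.server" "$2"; then
        echo "ignored"
    else
        echo "System Events"
    fi
}

demo() {  # classify one constructed line before and after moving the rule
    r=$(mktemp -d)
    mkdir "$r/cracking.d" "$r/violations.d" "$r/violations.ignore.d" "$r/ignore.d.server"
    echo 'denied' > "$r/violations.d/logcheck"            # constructed keyword rule
    line='Dec 26 12:00:00 host smbd[1234]: constructed sample: access denied'
    rule='smbd\[[0-9]+\]: constructed sample: access denied$'
    echo "$rule" > "$r/ignore.d.server/samba"             # exclusion in the wrong place
    classify "$r" "$line"                                 # still reported
    mv "$r/ignore.d.server/samba" "$r/violations.ignore.d/logcheck-samba"
    classify "$r" "$line"                                 # now suppressed
    rm -rf "$r"
}

demo
```

When an exclusion appears to have no effect, checking which layer's report the message arrives in (the Subject: line) tells you which ignore directory the rule belongs in.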