Wojciech Nizinski
2016-Feb-22 08:35 UTC
[Logcheck-devel] [PATCH] Update bind filter to match lines also with domain name in brackets.
Before correction: Feb 22 07:55:09 myserver1 named[21728]: client 111.11.1.11#53: query (cache) 'domain.gov/ANY/IN' denied After correction: Feb 22 07:55:09 myserver1 named[21728]: client 111.11.1.11#53 (domain.gov): query (cache) 'domain.gov/ANY/IN' denied Signed-off-by: Wojciech Nizinski <niziak at spox.org> --- rulefiles/linux/ignore.d.server/bind | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rulefiles/linux/ignore.d.server/bind b/rulefiles/linux/ignore.d.server/bind index 88e1989..f50e3c7 100644 --- a/rulefiles/linux/ignore.d.server/bind +++ b/rulefiles/linux/ignore.d.server/bind @@ -1,6 +1,6 @@ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ named\[[[:digit:]]+\]: FORMERR resolving '[^[:space:]]+': [.:[:xdigit:]]+#[[:digit:]]+$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ named\[[[:digit:]]+\]: client [.:[:xdigit:]]+#[[:digit:]]+: updating zone '[-._[:alnum:]]+/IN': (adding an RR|deleting rrset) at '[._[:alnum:]-]+' A$ -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ named\[[[:digit:]]+\]: client [[:digit:].]+#[[:digit:]]+: query (\(cache\) )?'.*' denied$ +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ named\[[[:digit:]]+\]: client [[:digit:].]+#[[:digit:]]+( \([._[:alnum:]-]+\))?: query (\(cache\) )?'.*' denied$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ named\[[[:digit:]]+\]: dispatch 0x[[:xdigit:]]+: shutting down due to TCP receive error: [.:[:xdigit:]]+#[[:digit:]]+: connection reset$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ named\[[[:digit:]]+\]: enforced delegation-only for '[._[:alnum:]-]+' \([._[:alnum:]-]+/(A|AAAA)/IN\) from [.:[:xdigit:]]+#[[:digit:]]+$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ named\[[[:digit:]]+\]: journal file [-./_[:alnum:]]+ does not exist, creating it$ -- 2.1.4
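Review bot: On the changed `+` line the client address is still matched with `[[:digit:].]+`, so a denied query from an IPv6 client will not be matched by this rule, with or without the new bracketed name. The `updating zone` rule in the context just above already uses `[.:[:xdigit:]]+#[[:digit:]]+` for the same field. Since the line is being touched anyway, consider `client [.:[:xdigit:]]+#[[:digit:]]+( \([._[:alnum:]-]+\))?:` so both address families are covered. The commit message could also say that the bracketed name is optional in the new pattern, so it is clear that both sample lines (without and with `(domain.gov)`) are matched after the change.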