Wojciech Nizinski
2016-Feb-22 08:35 UTC
[Logcheck-devel] [PATCH] Update bind filter to match lines also with domain name in brackets.
Before correction:
Feb 22 07:55:09 myserver1 named[21728]: client 111.11.1.11#53: query (cache) 'domain.gov/ANY/IN' denied
After correction:
Feb 22 07:55:09 myserver1 named[21728]: client 111.11.1.11#53 (domain.gov): query (cache) 'domain.gov/ANY/IN' denied
Signed-off-by: Wojciech Nizinski <niziak at spox.org>
---
rulefiles/linux/ignore.d.server/bind | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rulefiles/linux/ignore.d.server/bind
b/rulefiles/linux/ignore.d.server/bind
index 88e1989..f50e3c7 100644
--- a/rulefiles/linux/ignore.d.server/bind
+++ b/rulefiles/linux/ignore.d.server/bind
@@ -1,6 +1,6 @@
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ named\[[[:digit:]]+\]: FORMERR
resolving '[^[:space:]]+': [.:[:xdigit:]]+#[[:digit:]]+$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ named\[[[:digit:]]+\]: client
[.:[:xdigit:]]+#[[:digit:]]+: updating zone '[-._[:alnum:]]+/IN':
(adding an RR|deleting rrset) at '[._[:alnum:]-]+' A$
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ named\[[[:digit:]]+\]: client
[[:digit:].]+#[[:digit:]]+: query (\(cache\) )?'.*' denied$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ named\[[[:digit:]]+\]: client
[[:digit:].]+#[[:digit:]]+( \([._[:alnum:]-]+\))?: query (\(cache\)
)?'.*' denied$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ named\[[[:digit:]]+\]: dispatch
0x[[:xdigit:]]+: shutting down due to TCP receive error:
[.:[:xdigit:]]+#[[:digit:]]+: connection reset$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ named\[[[:digit:]]+\]: enforced
delegation-only for '[._[:alnum:]-]+' \([._[:alnum:]-]+/(A|AAAA)/IN\)
from [.:[:xdigit:]]+#[[:digit:]]+$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ named\[[[:digit:]]+\]: journal file
[-./_[:alnum:]]+ does not exist, creating it$
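Review bot: the client address in the changed rule keeps `[[:digit:].]+`, which matches IPv4 clients only, while the FORMERR, updating-zone and dispatch rules in the same hunk use `[.:[:xdigit:]]+` so that IPv6 addresses are covered too; a denied query from an IPv6 client will therefore still be reported. Suggest `client [.:[:xdigit:]]+#[[:digit:]]+( \([._[:alnum:]-]+\))?: query` for consistency with the neighbouring rules. Separately, `'.*'` for the query name is looser than the `'[-._[:alnum:]]+/IN'` form used in the updating-zone rule above; `'[^']+'` would keep the rule tied to a single quoted name without changing what it ignores for the two sample lines.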
--
2.1.4
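To check the rule the way logcheck applies it, here is an added example (not part of the patch or of logcheck itself) that runs the removed and the added rule from the hunk above, rejoined onto one line each, against the two log lines from the commit message with grep -E, plus a constructed IPv6 client line to show what the new rule still does not cover. It assumes GNU grep, which understands the `\w` escape the rules use.

```shell
#!/bin/sh
# Added example: exercise the old and new bind rule the way logcheck does
# (one ERE per line fed to grep -E). Assumes GNU grep for the \w escape.

# Rule removed and rule added in the patch, joined back onto one line each.
OLD_RULE="^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ named\[[[:digit:]]+\]: client [[:digit:].]+#[[:digit:]]+: query (\(cache\) )?'.*' denied\$"
NEW_RULE="^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ named\[[[:digit:]]+\]: client [[:digit:].]+#[[:digit:]]+( \([._[:alnum:]-]+\))?: query (\(cache\) )?'.*' denied\$"

# Sample lines: the two from the commit message plus a constructed IPv6 client.
LINE_PLAIN="Feb 22 07:55:09 myserver1 named[21728]: client 111.11.1.11#53: query (cache) 'domain.gov/ANY/IN' denied"
LINE_BRACKET="Feb 22 07:55:09 myserver1 named[21728]: client 111.11.1.11#53 (domain.gov): query (cache) 'domain.gov/ANY/IN' denied"
LINE_IPV6="Feb 22 07:55:09 myserver1 named[21728]: client 2001:db8::1#53 (domain.gov): query (cache) 'domain.gov/ANY/IN' denied"

# matches RULE LINE: exit 0 when logcheck would ignore LINE under RULE.
matches() {
    printf '%s\n' "$2" | grep -Eq -e "$1"
}

# report LABEL RULE LINE: human-readable result for one rule/line pair.
report() {
    if matches "$2" "$3"; then
        printf '%-14s ignored\n' "$1"
    else
        printf '%-14s REPORTED\n' "$1"
    fi
}

report "old/plain"   "$OLD_RULE" "$LINE_PLAIN"
report "old/bracket" "$OLD_RULE" "$LINE_BRACKET"
report "new/plain"   "$NEW_RULE" "$LINE_PLAIN"
report "new/bracket" "$NEW_RULE" "$LINE_BRACKET"
report "new/ipv6"    "$NEW_RULE" "$LINE_IPV6"
```

Only the old rule against the bracketed line and the new rule against the IPv6 line come back as REPORTED; the first is what the patch fixes, the second is the IPv4-only address class left in place.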