Christoph Martin
2004-May-28 10:34 UTC
[Logcheck-devel] Bug#251404: logcheck-database: rules don't match non local syslog messages
Package: logcheck-database
Version: 1.2.20a
Severity: normal
Tags: patch

syslog has a "weird" feature. If a syslog daemon forwards the messages to another host, there is one additional blank at the end of each message on the remote host. Since most of the regex matches of logcheck end with a $, these rules will not match non local syslog messages. You should remove all the $ or replace them with <blank>?$.

Example patch:
--- /etc/logcheck/ignore.d.paranoid/cron~ Sun May 16 08:37:22 2004 +++ /etc/logcheck/ignore.d.paranoid/cron Fri May 28 12:27:16 2004 @@ -1,1 +1,1 @@ -^\w{3} [ :0-9]{11} [._[:alnum:]-]+ /USR/SBIN/CRON\[[0-9]+\]: \([[:alnum:]-]+\) CMD \(.*\)$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ /USR/SBIN/CRON\[[0-9]+\]: \([[:alnum:]-]+\) CMD \(.*\) ?$

Christoph

-- System Information
Debian Release: 3.0
Architecture: i386
Kernel: Linux violet 2.4.20 #1 SMP Fri May 2 16:13:28 MEST 2003 i686
Locale: LANG=C, LC_CTYPE=C

Versions of packages logcheck-database depends on:
ii debconf 1.4.25 Debian configuration management sy
ii debconf [debconf-2.0] 1.4.25 Debian configuration management sy
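Review bot: On the `+` line, ` ?$` tolerates exactly one trailing blank, and the hunk changes only this one rule in ignore.d.paranoid/cron although the report says most rules end in `$`; every other rule would still miss forwarded lines, and a line with two or more trailing blanks still fails here. Stripping trailing whitespace from each log line before the rules are applied covers all rules at once and leaves the database untouched; if the rule is edited anyway, ` *$` is the more tolerant ending. Dropping the `$` altogether, the other option in the report, is not a safe substitute for an ignore rule: `\(.*\)` without the anchor also matches lines that carry arbitrary text after the closing parenthesis, so more would be suppressed than intended.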
maks attems
2004-May-28 19:20 UTC
Bug#251404: [Logcheck-devel] Bug#251404: logcheck-database: rules don't match non local syslog messages
hey christoph,

On Fri, 28 May 2004, Christoph Martin wrote:
> Package: logcheck-database
> Version: 1.2.20a
> Severity: normal
> Tags: patch
>
> syslog has a "weird" feature. If a syslog daemon forwards the messages
> to another host, there is one additional blank at the end of each
> message on the remote host. Since most of the regex matches of
> logcheck end with a $, these rules will not match non local syslog
> messages. You should remove all the $ or replace them with <blank>?$.

well logcheck removes trailing slashes whitespace before log entry is processed. so your bug report seems weird to me.

> Example patch:
> --- /etc/logcheck/ignore.d.paranoid/cron~ Sun May 16 08:37:22 2004 > +++ /etc/logcheck/ignore.d.paranoid/cron Fri May 28 12:27:16 2004 > @@ -1,1 +1,1 @@ > -^\w{3} [ :0-9]{11} [._[:alnum:]-]+ /USR/SBIN/CRON\[[0-9]+\]: \([[:alnum:]-]+\) CMD \(.*\)$ > +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ /USR/SBIN/CRON\[[0-9]+\]: \([[:alnum:]-]+\) CMD \(.*\) ?$

are you using logcheck-database outside of logcheck, or did logcheck report above line?

thanks for further infos

a+ maks
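The behaviour debated in this thread, as an added example that is not part of the original messages and not logcheck's own code: the three rule variants from the report are run through `grep -E` against sample lines with and without trailing blanks. The sample log lines and the `strip_trailing` helper are assumptions; the helper only models the statement above that trailing whitespace is removed before the rules are applied.

```shell
#!/bin/sh
# Added example: the cron ignore rule from the report vs. a trailing blank.
# Rule variants: '-' line of the patch, '+' line, and the "remove the $" option.
RULE_ORIG='^\w{3} [ :0-9]{11} [._[:alnum:]-]+ /USR/SBIN/CRON\[[0-9]+\]: \([[:alnum:]-]+\) CMD \(.*\)$'
RULE_PATCHED='^\w{3} [ :0-9]{11} [._[:alnum:]-]+ /USR/SBIN/CRON\[[0-9]+\]: \([[:alnum:]-]+\) CMD \(.*\) ?$'
RULE_NOANCHOR='^\w{3} [ :0-9]{11} [._[:alnum:]-]+ /USR/SBIN/CRON\[[0-9]+\]: \([[:alnum:]-]+\) CMD \(.*\)'

# Constructed sample lines (not taken from the thread).
LOCAL='May 28 12:25:01 violet /USR/SBIN/CRON[4242]: (root) CMD (run-parts /etc/cron.hourly)'
FORWARDED="$LOCAL "           # one trailing blank, as described for forwarded messages
TWO_BLANKS="$LOCAL  "         # two trailing blanks
TRAILING="$LOCAL extra text"  # unexpected content after the closing parenthesis

# verdict RULE LINE: "ignored" if the rule would suppress the line, else "reported".
verdict() {
    if printf '%s\n' "$2" | LC_ALL=C grep -Eq -- "$1"; then
        echo ignored
    else
        echo reported
    fi
}

# Hypothetical normalization step: drop trailing whitespace before matching.
strip_trailing() {
    printf '%s\n' "$1" | sed -e 's/[[:space:]]*$//'
}

# Print one row per sample line so the variants can be compared side by side.
for name in LOCAL FORWARDED TWO_BLANKS TRAILING; do
    eval "line=\$$name"
    printf '%-10s orig=%-8s patched=%-8s noanchor=%-8s stripped+orig=%s\n' "$name" \
        "$(verdict "$RULE_ORIG" "$line")" "$(verdict "$RULE_PATCHED" "$line")" \
        "$(verdict "$RULE_NOANCHOR" "$line")" \
        "$(verdict "$RULE_ORIG" "$(strip_trailing "$line")")"
done
```

The `TRAILING` row is the one to watch when loosening an ignore rule: only the unanchored variant suppresses it.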
maks attems
2004-Jun-03 10:59 UTC
[Logcheck-devel] Bug#251404: logcheck-database: rules don't match non local syslog messages
hello christoph,

please clarify your bug report?
thanks for responding :)

On Fri, 28 May 2004, maks attems wrote:
> well logcheck removes trailing slashes whitespace before log
> entry is processed. so your bug report seems weird to me.
>
> are you using logcheck-database outside of logcheck,
> or did logcheck report above line?

maks
Christoph Martin
2004-Jun-03 11:06 UTC
Bug#251404: [Logcheck-devel] Bug#251404: logcheck-database: rules don't match non local syslog messages
maks attems wrote:
>>syslog has a "weird" feature. If a syslog daemon forwards the messages
>>to another host, there is one additional blank at the end of each
>>message on the remote host. Since most of the regex matches of
>>logcheck end with a $, these rules will not match non local syslog
>>messages. You should remove all the $ or replace them with <blank>?$.
>
> well logcheck removes trailing slashes whitespace before log
> entry is processed. so your bug report seems weird to me.

It might be that this was fixed some time ago with the removing of trailing whitespace. I try to check it at the moment. But it takes some time since I had some problems with the introduction of the logcheck user. My /var/lib/logcheck/offset* files were owned by root, so logcheck was checking all time from the beginning, which resulted in very large and also late mails.

>>Example patch:
>>--- /etc/logcheck/ignore.d.paranoid/cron~ Sun May 16 08:37:22 2004 >>+++ /etc/logcheck/ignore.d.paranoid/cron Fri May 28 12:27:16 2004 >>@@ -1,1 +1,1 @@ >>-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ /USR/SBIN/CRON\[[0-9]+\]: \([[:alnum:]-]+\) CMD \(.*\)$ >>+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ /USR/SBIN/CRON\[[0-9]+\]: \([[:alnum:]-]+\) CMD \(.*\) ?$
>
> are you using logcheck-database outside of logcheck,
> or did logcheck report above line?

I only use it inside logcheck.

Christoph

--
===========================================================================
Christoph Martin, EDV der Verwaltung, Uni-Mainz, Germany
Internet-Mail: Christoph.Martin at Uni-Mainz.DE
Telefon: +49-6131-3926337
Fax: +49-6131-3922856
Debian Bug Tracking System
2004-Jun-07 08:48 UTC
[Logcheck-devel] Bug#251404: marked as done (logcheck-database: rules don't match non local syslog messages)
Your message dated Mon, 07 Jun 2004 10:43:29 +0200 with message-id <40C42AB1.3090908 at uni-mainz.de> and subject line Bug#251404: [Logcheck-devel] Bug#251404: logcheck-database: rules don't match non local syslog messages has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am talking about this indicates a serious mail system misconfiguration somewhere. Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)
From: Christoph Martin <martin at uni-mainz.de>
To: maks attems <debian at sternwelten.at>
CC: 251404-done at bugs.debian.org
Subject: Re: Bug#251404: [Logcheck-devel] Bug#251404: logcheck-database: rules don't match non local syslog messages

maks attems wrote:
> ok thanks for the further clarification,
> would be nice to have that nailed down.

After some more checks it seems that it is ok. I have a lot of local rules, so it is difficult to sort out this issue. Especially it is a problem that remotely installed packages come with their own logcheck rules which do not get included into the logcheck rules set.

So let's close this for now.

Christoph

--
===========================================================================
Christoph Martin, EDV der Verwaltung, Uni-Mainz, Germany
Internet-Mail: Christoph.Martin at Uni-Mainz.DE
Telefon: +49-6131-3926337
Fax: +49-6131-3922856