Ralf Hildebrandt
2004-Jun-25 13:24 UTC
[Logcheck-devel] Bug#257874: logcheck: additional ignores for Squid
Package: logcheck
Version: 1.2.22a
Severity: minor

I tried adding additional rules for squid

in /etc/logcheck/ignore.d.server/squid I defined:

^\w{3} [ :0-9]{11} [._[:alnum:]-]+ squid\[[0-9]+\]: sslReadServer: FD.*: read failure: \(.*\) Connection reset by peer.*$

since this is a pattern that happens to be totally irrelevant in real life use. But still my logcheck mails show:

Security Events
=-=-=-=-=-=-=-
Jun 25 13:04:14 spiderboy squid[17248]: sslReadServer: FD 430: read failure: (104) Connection reset by peer
Jun 25 13:04:45 spiderboy squid[17248]: sslReadServer: FD 51: read failure: (104) Connection reset by peer
Jun 25 13:14:35 spiderboy squid[17248]: sslReadServer: FD 103: read failure: (104) Connection reset by peer
Jun 25 13:20:02 spiderboy squid[17248]: sslReadServer: FD 118: read failure: (104) Connection reset by peer
Jun 25 13:22:58 spiderboy squid[17248]: sslReadServer: FD 513: read failure: (104) Connection reset by peer
Jun 25 13:23:47 spiderboy squid[17248]: sslReadServer: FD 451: read failure: (104) Connection reset by peer
Jun 25 13:24:53 spiderboy squid[17248]: sslReadServer: FD 251: read failure: (104) Connection reset by peer
Jun 25 13:25:02 spiderboy squid[17248]: sslReadServer: FD 302: read failure: (104) Connection reset by peer
Jun 25 13:25:19 spiderboy squid[17248]: sslReadServer: FD 357: read failure: (104) Connection reset by peer
Jun 25 13:25:23 spiderboy squid[17248]: sslReadServer: FD 498: read failure: (104) Connection reset by peer

But if I use:

# egrep -v -f /etc/logcheck/ignore.d.server/squid /var/log/daemon.log

Then I'm NOT getting any "Connection reset by peer" lines. I'm getting insane. Where is the mistake?
-- System Information:
Debian Release: testing/unstable
Architecture: i386 (i686)
Kernel: Linux 2.4.26
Locale: LANG=C, LC_CTYPE=C

Versions of packages logcheck depends on:
ii  adduser           3.57                     Add and remove users and groups
ii  cron              3.0pl1-83                management of regular background p
ii  debconf [debconf  1.4.28                   Debian configuration management sy
ii  debianutils       2.8.3                    Miscellaneous utilities specific t
ii  lockfile-progs    0.1.10                   Programs for locking and unlocking
ii  logcheck-databas  1.2.22a                  A database of system log rules for
ii  logtail           1.2.22a                  Print log file lines that have not
ii  mailx             1:8.1.2-0.20040524cvs-1  A simple mail user agent
ii  perl              5.8.4-2                  Larry Wall's Practical Extraction
ii  postfix-snap [ma  1.1.11-20021115-1        Postfix Mail Transport Agent - sna
ii  sysklogd [system  1.4.1-14                 System Logging Daemon

-- debconf information:
* logcheck/security_level: server
* logcheck/noroot:
* logcheck/manage_conffiles: true
* logcheck/changes:
* logcheck/install-note:
* logcheck/email_address: root
* logcheck/rewrite-note:
* logcheck/auto_create_logfiles: true
  logcheck/upgrade-note:
Eric Evans
2004-Jul-08 19:21 UTC
Bug#257874: [Logcheck-devel] Bug#257874: logcheck: additional ignores for Squid
On Fri, Jun 25, 2004 at 03:24:33PM +0200, Ralf Hildebrandt muttered these words:

> Package: logcheck
> Version: 1.2.22a
> Severity: minor
>
> I tried adding additional rules for squid
>
> in /etc/logcheck/ignore.d.server/squid I defined:
>
> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ squid\[[0-9]+\]: sslReadServer: FD.*: read failure: \(.*\) Connection reset by peer.*$
>
> since this is a pattern that happens to be totally irrelevant in real life use. But still my
> logcheck mails show:

[ ... ]

> Jun 25 13:25:23 spiderboy squid[17248]: sslReadServer: FD 498: read failure: (104) Connection reset by peer
>
> But if I use:
>
> # egrep -v -f /etc/logcheck/ignore.d.server/squid /var/log/daemon.log
>
> Then I'm NOT getting any "Connection reset by peer" lines. I'm getting insane. Where is the mistake?

Since this output qualifies as a "violation", (see /etc/logcheck/violations.d/logcheck), the pattern needs to be included in a file under violations.ignore.d. I'll add this pattern to CVS, but in the meantime you can put it into a file in /etc/logcheck/violations.ignore.d, improve your signal-to-noise ratio, and retain your sanity. :)

Thanks for the report.
--
Eric

--
Eric Evans
eevans at sym-link.com
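Eric's answer turns on logcheck running two separate passes, and the reporter's egrep -v command only reproduces the first one. The script below is an added example, not code from the bug report or from the logcheck package: it models both passes on constructed log lines, uses temporary files in place of the /etc/logcheck tree, and assumes the single keyword "failure" as a stand-in for the contents of /etc/logcheck/violations.d/logcheck.

```sh
#!/bin/sh
# Added example, not code from the bug report or from logcheck itself.
# It models logcheck's two passes with temporary files; "failure" is an
# assumed stand-in for the keywords in /etc/logcheck/violations.d/logcheck.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed log lines in the format quoted in the report.
cat > "$WORK/daemon.log" <<'EOF'
Jun 25 13:04:14 spiderboy squid[17248]: sslReadServer: FD 430: read failure: (104) Connection reset by peer
Jun 25 13:04:45 spiderboy squid[17248]: sslReadServer: FD 51: read failure: (104) Connection reset by peer
Jun 25 13:05:00 spiderboy squid[17248]: Starting Squid Cache version 2.5 for i386-debian-linux-gnu...
EOF

# The reporter's regex, unchanged.
RULE='^\w{3} [ :0-9]{11} [._[:alnum:]-]+ squid\[[0-9]+\]: sslReadServer: FD.*: read failure: \(.*\) Connection reset by peer.*$'
printf '%s\n' "$RULE" > "$WORK/ignore.d.server-squid"
printf '%s\n' 'failure' > "$WORK/violations.d-logcheck"
: > "$WORK/violations.ignore.d-empty"                       # before the fix
printf '%s\n' "$RULE" > "$WORK/violations.ignore.d-squid"  # after the fix

# Pass 1, "System Events": every line not matched by ignore.d.<level>.
# This is the only pass the reporter's egrep -v command reproduces.
system_events() {
    grep -E -v -f "$WORK/ignore.d.server-squid" "$WORK/daemon.log" || true
}

# Pass 2, "Security Events": lines matching violations.d, minus lines
# matching violations.ignore.d. ignore.d.server is never consulted here.
security_events() {
    grep -E -f "$WORK/violations.d-logcheck" "$WORK/daemon.log" |
        { if [ -s "$1" ]; then grep -E -v -f "$1"; else cat; fi; } || true
}

count_lines() { wc -l | tr -d ' '; }
count_system()          { system_events | count_lines; }
count_security_before() { security_events "$WORK/violations.ignore.d-empty" | count_lines; }
count_security_after()  { security_events "$WORK/violations.ignore.d-squid" | count_lines; }

echo "system events left after ignore.d.server:      $(count_system)"          # 1
echo "security events, rule only in ignore.d.server: $(count_security_before)" # 2
echo "security events, rule in violations.ignore.d:  $(count_security_after)"  # 0
```

The same regex filters the squid lines out of the first pass but has no effect on the second until it is placed in violations.ignore.d, which is exactly what the reporter observed.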
Debian Bug Tracking System
2004-Jul-24 02:18 UTC
[Logcheck-devel] Bug#257874: marked as done (logcheck: additional ignores for Squid)
Your message dated Fri, 23 Jul 2004 22:02:11 -0400
with message-id <E1BoBrX-0003x0-00 at newraff.debian.org>
and subject line Bug#257874: fixed in logcheck 1.2.24
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am talking about this indicates a serious mail system misconfiguration somewhere. Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)
Source: logcheck
Source-Version: 1.2.24

We believe that the bug you reported is fixed in the latest version of logcheck, which is due to be installed in the Debian FTP archive:

logcheck-database_1.2.24_all.deb
  to pool/main/l/logcheck/logcheck-database_1.2.24_all.deb
logcheck_1.2.24.dsc
  to pool/main/l/logcheck/logcheck_1.2.24.dsc
logcheck_1.2.24.tar.gz
  to pool/main/l/logcheck/logcheck_1.2.24.tar.gz
logcheck_1.2.24_all.deb
  to pool/main/l/logcheck/logcheck_1.2.24_all.deb
logtail_1.2.24_all.deb
  to pool/main/l/logcheck/logtail_1.2.24_all.deb

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 257874 at bugs.debian.org, and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Todd Troxell <ttroxell at debian.org> (supplier of updated logcheck package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmaster at debian.org)

Format: 1.7
Date: Friday, 23 Jul 2004 21:39:19 -0500
Source: logcheck
Binary: logcheck logtail logcheck-database
Architecture: source all
Version: 1.2.24
Distribution: unstable
Urgency: low
Maintainer: Debian logcheck Team <logcheck-devel at lists.alioth.debian.org>
Changed-By: Todd Troxell <ttroxell at debian.org>
Description:
 logcheck   - Mails anomalies in the system logfiles to the administrator
 logcheck-database - A database of system log rules for the use of log checkers
 logtail    - Print log file lines that have not been read
Closes: 206495 213711 257874 258735 258759 259092 259094 259371 259466 260096 260102 260103 260105 260330 260382 260810
Changes:
 logcheck (1.2.24) unstable; urgency=low
 .
   eevans:
   * Added violations ignore rule for squid (Closes: #257874)
   maks:
   * Added dhcpd-client, kernel, ntp, postfix rules. (Closes: #259094)
   * Added lots of postfix rules at level workstation for those, who wants to include /var/log/mail.log. (Closes: #206495)
   * Generalize "nobody" to "[_[:alnum:]-]+" for su rule.
   * Update rules ignore.d.paranoid/cron, ignore.d.paranoid/postfix. New courier rules merged and simplified from imap, impd-ssl and pop3d-ssl. thanks to Bastian Blank <waldi at debian.org>. (Closes: #258759)
   * Fix pid regex in cyrus rules. (Closes: #259092)
   * Added cyrus rules for notifyd. (Closes: #259466)
   * Make sure logtail gets a logfile to read, if not exit soon. Documented -o switch in logtail(8). (Closes: #259371)
   * Added logcheck-devel mail to logtail(8) and copyright.
   * Added userv rules. (Closes: #260105)
   * Generalize user match in spamd rule. (Closes: #260103)
   * Added a ippl rule at level workstation. (Closes: #260102)
   * Updated logcheck help message to all existent switches. Corrected logcheck command line parsing, -T needs no args. Use 6 'X' for mktemp(1) template. Better lock handling. (Closes: #260330)
   * Do not create unused /var/state/logcheck and really get rid of it. (Closes: #260096)
   * Added cs Translation. thanks Jan Outrata. (Closes: #260382)
   * Remove duplicate postfix rules, fix for remote string add lmtp rule. (Closes: #260810)
   todd:
   * Added 2 kernel rules for sparc workstations.
   * Added nearly 50 squid rules. (Closes: #213711)
   * Fix anacron Normal exit rule.
   * Move adduser from preinst to postinst (Closes: #258735)
   * Update pump and dhclient rules.