maks attems
2004-Jul-12 10:24 UTC
[Logcheck-devel] logcheck reference in debians harden-doc
hello everyone, the description of logcheck in latest harden-doc is outdated compared to the logcheck version sarge/sid. please take a look at the diff and comment. i'll plan to send javier the patch in 2-3 days. thanks maks --- after-install.sgml.orig 2004-07-12 12:00:06.000000000 +0200 +++ after-install.sgml 2004-07-12 12:16:18.000000000 +0200 @@ -1208,12 +1208,13 @@ <sect1 id="custom-logcheck">Using and customising <prgn>logcheck</prgn> -<p>The <prgn>logcheck</prgn> package in Debian is divided into two -packages <package>logcheck</package> (the main program) and +<p>The <prgn>logcheck</prgn> package in Debian is divided into three +packages <package>logcheck</package> (the main program), <package>logcheck-database</package> (a database of regular -expressions for the program). The Debian default (in +expressions for the program) and <package>logtail</package> (prints +loglines that have not yet been read). The Debian default (in <file>/etc/cron.d/logcheck</file>) is that <prgn>logcheck</prgn> is run -daily at 2 AM and once after each reboot. +every hour just off the hour and once after each reboot. <p>This tool can be quite useful if properly customised to alert the administrator to unusual events in the system. <prgn>Logcheck</prgn> @@ -1225,7 +1226,7 @@ <file>/etc/logcheck/logcheck.conf</file>, sourced by the program, that defines which user the checks are sent to. It also provides a way for packages that provide services to implement new policies in the -directories: <file>/etc/logcheck/hacking.d/_packagename_</file>, +directories: <file>/etc/logcheck/cracking.d/_packagename_</file>, <file>/etc/logcheck/violations.d/_packagename_</file>, <file>/etc/logcheck/violations.ignore.d/_packagename_</file>, <file>/etc/logcheck/ignore.d.paranoid/_packagename_</file>, 
@@ -1236,29 +1237,31 @@ appropriate package (as a <em>wishlist</em> bug). For more information read <file>/usr/share/doc/logcheck/README.Debian</file> -<p>The best way to configure <prgn>logcheck</prgn> is to install it -(it will ask for the user to which reports should be mailed and generate -<file>/etc/logcheck/logcheck.logfiles</file> from syslog entries). If -you wish to add new log files just add them to -<file>/etc/logcheck/logcheck.logfiles</file>. The -package dependency will also force the installation of -<package>logcheck-database</package>; during installation it will ask which -security level is desired: workstation, server or paranoid. This will -make <file>/etc/logcheck/ignore.d</file> point to the appropriate -directories (through symbolic links). To change this run -<tt>dpkg-reconfigure -plow logcheck-database</tt>. Then create the -<file>/etc/ignore.d/local</file>, this file will hold all the rules to -exclude messages that should not be reported. Leave it empty for the -moment (a simple <tt>cp /dev/null /etc/ignore.d/local</tt> will -work). +<p>The best way to configure <prgn>logcheck</prgn> is to edit its +main configuration file <file>/etc/logcheck/logcheck.conf</file> +after installation. Change the default user (root) whom reports +should be mailed. You should set there the reportlevel. +<package>logcheck-database</package> has three report levels of +increasing verbosity: workstation, server, paranoid. +"server" beeing the default level, paranoid is only recommended +for high-security machines running as few services as possible +and workstation for relatively sheltered machines. +If you wish to add new log files just add them to +<file>/etc/logcheck/logcheck.logfiles</file>. It is tuned for a +default syslog install. <p>Once this is done you might want to check the mails that are sent, for the first few days/weeks/months. 
If you find you are sent messages you do not wish -to receive, just add the regular expressions (see -<manref name="regex" section="7">) that correspond to these messages to the -<file>/etc/ignore.d/local</file>. It's an ongoing tuning process; once the -messages that are sent are always relevant you can consider the tuning -finished. Note that if <prgn>logcheck</prgn> does not find anything relevant +to receive, just add the regular expressions (see +<manref name="regex" section="7"> and <manref name="egrep" section="1">) that +correspond to these messages to the +<file>/etc/logcheck/ignore.d.{reportlevel}/local</file>. Try to match the +hole logline. Details on howto write rules are explained in +<file>/usr/share/doc/logcheck-database/README.logcheck-database.gz</file> +It's an ongoing tuning process; once the messages that are sent are always +relevant you can consider the tuning finished. Please file bugs on +<package>logcheck-database</package> whith the repeated logline and your rule. +Note that if <prgn>logcheck</prgn> does not find anything relevant in your system it will not mail you even if it does run (so you might get a mail only once a week, if you are lucky).
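Review bot: in the first hunk (@@ -1208,12 +1208,13 @@) "divided into three packages <package>logcheck</package> (the main program), ..." needs a colon after "packages" (or "into the three packages") to read as an enumeration, and "every hour just off the hour" is too vague for a hardening manual: state the exact schedule that <file>/etc/cron.d/logcheck</file> ships (which minute past the hour) so an administrator can check it against the crontab at a glance.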
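Review bot: in the second hunk (@@ -1225,7 +1226,7 @@) the path is silently changed from <file>/etc/logcheck/hacking.d/_packagename_</file> to <file>/etc/logcheck/cracking.d/_packagename_</file> with no mention that the directory was renamed; a reader who followed the previous edition will have rules under the old name, so add a half sentence noting that this directory was formerly called <file>hacking.d</file>.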
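Review bot: the third hunk (@@ -1236,29 +1237,31 @@) has several spelling and wording problems in added lines: "beeing" should be "being", "whith" should be "with", "hole logline" should be "whole log line", "howto" should be "how to", "Change the default user (root) whom reports should be mailed" is missing "to" ("to whom reports should be mailed"), "You should set there the reportlevel" reads better as "Also set the report level there", and the sentence ending in <file>/usr/share/doc/logcheck-database/README.logcheck-database.gz</file> lacks its full stop. Also, "{reportlevel}" inside a <file> element will be rendered literally; debiandoc has a <var> tag for placeholders, so write <file>/etc/logcheck/ignore.d.<var>reportlevel</var>/local</file>. Finally "It is tuned for a default syslog install." has no clear subject after the preceding sentence about adding log files; name <file>/etc/logcheck/logcheck.logfiles</file> explicitly.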
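The patch's advice to match the whole log line is the point most worth seeing in practice. The script below is an added illustration, not code from harden-doc or from the logcheck package: it feeds a rules file to egrep the way logcheck applies ignore.d.<reportlevel>/local, using a few constructed syslog lines (not from any real host), and contrasts a short unanchored rule with one anchored on the full line in the style of the shipped database. The file names, the sample lines and the rule text are all assumptions made for the example.

```shell
#!/bin/sh
# Added illustration (not from harden-doc or logcheck): emulate how logcheck
# drops lines matching a rule in ignore.d.<reportlevel>/local. logcheck hands
# such rules to egrep -f; everything that survives is what gets mailed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample log lines, not taken from a real system.
cat > "$WORK/syslog" <<'EOF'
Jul 12 12:00:01 host sshd[1234]: Accepted publickey for alice from 192.0.2.10 port 51234 ssh2
Jul 12 12:00:02 host sshd[1235]: Failed password for root from 198.51.100.7 port 40000 ssh2
Jul 12 12:00:03 host CRON[1236]: (root) CMD (run-parts /etc/cron.hourly)
Jul 12 12:00:04 host sshd[1237]: Accepted password for root from 198.51.100.7 port 40001 ssh2
EOF

# A loose rule: short to write, but it also swallows the password login as root.
cat > "$WORK/loose.rules" <<'EOF'
sshd\[[0-9]+\]: Accepted
EOF

# A rule anchored on the whole line (timestamp, hostname, program[pid], then
# the exact message shape). Only key-based logins are silenced; the password
# login as root still reaches the report.
cat > "$WORK/tight.rules" <<'EOF'
^[[:alpha:]]{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Accepted publickey for [^[:space:]]+ from [0-9.]+ port [0-9]+ ssh2$
EOF

# Lines NOT matched by any rule in the file are what logcheck would mail.
report() {
    grep -E -v -f "$1" "$WORK/syslog" || true
}

# Number of lines that would be reported with the given rules file.
report_count() {
    report "$1" | wc -l | tr -d ' '
}

echo "== reported with the loose rule =="
report "$WORK/loose.rules"
echo "== reported with the whole-line rule =="
report "$WORK/tight.rules"
```

Run it as a normal shell script; the loose rule hides both "Accepted" lines, the anchored one hides only the publickey login. The same discipline applies to rules you submit against logcheck-database: a rule that matches only a fragment of a line will, sooner or later, also match a line you wanted to see.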
Gerfried Fuchs
2004-Jul-12 11:01 UTC
[Logcheck-devel] logcheck reference in debians harden-doc
* maks attems <debian at sternwelten.at> [2004-07-12 12:24]:
> --- after-install.sgml.orig 2004-07-12 12:00:06.000000000 +0200
> +++ after-install.sgml 2004-07-12 12:16:18.000000000 +0200
> @@ -1208,12 +1208,13 @@
> 
> <sect1 id="custom-logcheck">Using and customising <prgn>logcheck</prgn>
> 
> -<p>The <prgn>logcheck</prgn> package in Debian is divided into two
> -packages <package>logcheck</package> (the main program) and
> +<p>The <prgn>logcheck</prgn> package in Debian is divided into three
                                                             ^^^^^^^^^^
> +packages <package>logcheck</package> (the main program),
   ^^^^^^^^
> <package>logcheck-database</package> (a database of regular
> -expressions for the program). The Debian default (in
> +expressions for the program) and <package>logtail</package> (prints
> +loglines that have not yet been read). The Debian default (in

Please write either "into three packages: " or "into the three packages " -- would sound much better, IMHO. I'm no native speaker, though.

> +<p>The best way to configure <prgn>logcheck</prgn> is to edit its
> +main configuration file <file>/etc/logcheck/logcheck.conf</file>
> +after installation. Change the default user (root) whom reports
                                                      ^
  Maybe add a "to" here?

> +should be mailed. You should set there the reportlevel.

the reportlevel in there, too.

> 
> <p>Once this is done you might want to check the mails that are sent, for the
> first few days/weeks/months. If you find you are sent messages you do not wish
> to receive, just add the regular expressions (see
> +<manref name="regex" section="7"> and <manref name="egrep" section="1">) that
> +correspond to these messages to the
> +<file>/etc/logcheck/ignore.d.{reportlevel}/local</file>. Try to match the

Uhm, I'm not sure if the {} around reportlevel here would be taken correctly. I am not good in debiandoc but some <var> tag or such should be better, IMHO.

> +hole logline. Details on howto write rules are explained in
> +<file>/usr/share/doc/logcheck-database/README.logcheck-database.gz</file>

Trailing . missing from this sentence.
So long,
Alfie
-- 
"you learned how to creep and you learned how to crawl
 but you never really learned anything at all"
                                  -- Clawfinger, "Catch Me"
Javier Fernández-Sanguino Peña
2004-Jul-15 18:41 UTC
[Logcheck-devel] Re: [patch] logcheck reference in harden-doc
On Thu, Jul 15, 2004 at 03:14:18PM +0200, maximilian attems wrote:
> hello javier,
> 
> this patch was discussed on logcheck-devel ml.
> hope it can get into sarge!
> corrects references of logcheck in harden-doc to current logcheck state,
> speaking of sarge/sid version and current cvs version. :)
> thanks for your effort!

Thanks for the patch. I've committed it to CVS and will produce new harden-doc packages soon.

Regards

Javier