Package: logcheck
Version: 1.2.40

Hello

(Why)Can't exim log file not be checked by logcheck?

In logcheck.logfiles i found a nasty

    #/var/log/exim/mainlog

as i installed exim4 (debian 3.1) i removed the "#" and got an hourly 1:1 copy of the "mainlog" file ;-) (Luckily that were only some few local system mails).

I could not find any other hints to "exim" in logcheck except in "cron".

Is exims not supported by exim, if why? If not, where could i find an "ignore.server" file? (The exim log format seems not fit to any other rules).

Or has exim an own logchecker? If what its name? Or don't i have to logcheck mainlog at all, because that's all is syslog(?) too?

Google finds that question several times, but no "answer"/solution. But exims is debian default MTA/MDA...

Is that a PCAK? If what's wrong configured? (it's a default Debian)

    #tail /var/log/exim/mainlog
    2003-12-21 20:18:45 Start queue run: pid=8976
    2003-12-21 20:18:45 End queue run: pid=8976
    2003-12-21 20:20:01 1AY97R-0002LU-00 <= root at msi U=root P=local S=535
    2003-12-21 20:20:01 1AY97R-0002LU-00 => user <root at msi> D=localuser T=local_delivery
    2003-12-21 20:20:01 1AY97R-0002LU-00 Completed
    2003-12-21 20:23:01 Start queue run: pid=9353
    2003-12-21 20:23:01 End queue run: pid=9353
    2003-12-21 20:25:01 1AY9CH-0002RJ-00 <= root at msi U=root P=local S=535
    2003-12-21 20:25:01 1AY9CH-0002RJ-00 => user <root at msi> D=localuser T=local_delivery
    2003-12-21 20:25:01 1AY9CH-0002RJ-00 Completed

maximilian attems
2005-Jul-05 18:46 UTC
Bug#316619: [Logcheck-devel] Bug#316619: exim logs?
hello,

On Sat, 02 Jul 2005, Rainer Zocholl wrote:

> (Why)Can't exim log file not be checked by logcheck?

good question, seems like all the logcheck maintainers prefer postfix. but there is nothing to stop you or anyone else to submit nice exim rules for further inclusion.

> In logcheck.logfiles i found a nasty
>
> #/var/log/exim/mainlog

that must be old, current doesn't mention that file afair.

> as i installed exim4 (debian 3.1)
> i removed the "#" and got an hourly 1:1 copy of the "mainlog" file ;-)
> (Luckily that were only some few local system mails).

sure, current logcheck has no rules to deal with exim.

> Is exims not supported by exim, if why?
> If not, where could i find an "ignore.server" file? (The exim log
> format seems not fit to any other rules ).

you need to create your own local-exim inside of ignore.d.server

> Or has exim an own logchecker? If what its name?
> Or don't i have to logcheck mainlog at all, because that's all
> is syslog(?) too?

depends on your goal.

> Google finds that question several times,
> but no "answer"/solution.

yes i guess it is worthwhile to spend some time on that, so i did some rules to get started, find an attached local-exim4. will commit these to logcheck cvs soon. it is based on just a small and quick mail usage of mine, so i guess it will still miss a _lot_ of exim log messages. would be great if you would post yours, so that rules can be enhanced.

> #tail /var/log/exim/mainlog
>
> 2003-12-21 20:18:45 Start queue run: pid=8976
> 2003-12-21 20:18:45 End queue run: pid=8976
> 2003-12-21 20:20:01 1AY97R-0002LU-00 <= root at msi U=root P=local S=535

please post some newer logs that are not caught by attached rules.

thanks

--
maks

-------------- next part --------------

    ^[-0-9]{10} [0-9:]{8} (Start|End) queue run: pid=[0-9]+$
    ^[-0-9]{10} [0-9:]{8} [-[:alnum:]]+ Completed$
    ^[-0-9]{10} [0-9:]{8} [-[:alnum:]]+ => [_[:alnum:]-]+ <[@._[:alnum:]-]+> R=local_user T=mail_spool$
    ^[-0-9]{10} [0-9:]{8} [-[:alnum:]]+ => [@._[:alnum:]-]+ <[@._[:alnum:]-]+> R=dnslookup T=remote_smtp H=[._[:alnum:]-]+ \[[.0-9]{7,15}\]$
    ^[-0-9]{10} [0-9:]{8} [-[:alnum:]]+ => [@._[:alnum:]-]+ R=dnslookup T=remote_smtp H=[._[:alnum:]-]+ \[[.0-9]{7,15}\] X=TLS-1.0:RSA_AES_256_CBC_SHA:32$
    ^[-0-9]{10} [0-9:]{8} [-[:alnum:]]+ <= [@._[:alnum:]-]+ U=[_[:alnum:]-]+ P=local S=[0-9]+( id=[@._[:alnum:]-]+)?$
    ^[-0-9]{10} [0-9:]{8} [-[:alnum:]]+ <= [@._[:alnum:]-]+ H=[._[:alnum:]-]+ \[[.0-9]{7,15}\] P=esmtp S=[0-9]+ id=[@._[:alnum:]-]+$
    ^[-0-9]{10} [0-9:]{8} [-[:alnum:]]+ <= <> R=[_[:alnum:]-]+ U=[_[:alnum:]-]+ P=local S=[0-9]+$

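Added example (not part of the thread and not logcheck's own code): a quick way to see which log lines a set of ignore rules leaves over, using four of the attached rules and a sample built from the report's excerpt. It assumes the ignore list is applied with `grep -E -v -f` and that the archive rewrote `@` as ` at `; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: filter sample mainlog lines through ignore rules and
# print whatever no rule matches (the lines that would still be mailed).

# Four of the rules from the local-exim4 attachment, copied unchanged.
rules() {
cat <<'EOF'
^[-0-9]{10} [0-9:]{8} (Start|End) queue run: pid=[0-9]+$
^[-0-9]{10} [0-9:]{8} [-[:alnum:]]+ Completed$
^[-0-9]{10} [0-9:]{8} [-[:alnum:]]+ => [_[:alnum:]-]+ <[@._[:alnum:]-]+> R=local_user T=mail_spool$
^[-0-9]{10} [0-9:]{8} [-[:alnum:]]+ <= [@._[:alnum:]-]+ U=[_[:alnum:]-]+ P=local S=[0-9]+( id=[@._[:alnum:]-]+)?$
EOF
}

# Constructed sample: the report's excerpt with "@" restored (assumption:
# the list archive replaced "@" with " at ").
sample_log() {
cat <<'EOF'
2003-12-21 20:18:45 Start queue run: pid=8976
2003-12-21 20:18:45 End queue run: pid=8976
2003-12-21 20:20:01 1AY97R-0002LU-00 <= root@msi U=root P=local S=535
2003-12-21 20:20:01 1AY97R-0002LU-00 => user <root@msi> D=localuser T=local_delivery
2003-12-21 20:20:01 1AY97R-0002LU-00 Completed
EOF
}

# Print the sample lines that no rule matches.
unmatched() {
    rulefile=$(mktemp) || return 1
    rules > "$rulefile"
    status=0
    sample_log | grep -E -v -f "$rulefile" || status=$?
    rm -f "$rulefile"
    # grep exits 1 when every line was ignored; only >1 is a real error.
    [ "$status" -le 1 ]
}

unmatched
```

The one line left over is the delivery line: it carries `D=localuser T=local_delivery`, while the attached rule expects `R=local_user T=mail_spool`.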
Debian Bug Tracking System
2005-Aug-22 21:03 UTC
[Logcheck-devel] Bug#316619: marked as done (exim logs?)
Your message dated Mon, 22 Aug 2005 13:32:39 -0700 with message-id <E1E7IyF-0002y3-00 at spohr.debian.org> and subject line Bug#316612: fixed in logcheck 1.2.41 has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am talking about this indicates a serious mail system misconfiguration somewhere. Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
From: Rainer Zocholl <UseNet-Posting-Nospam-74308- at zocki.toppoint.de>
To: <submit at bugs.debian.org>
Date: 02 Jul 2005 12:00:00 +0200
Subject: exim logs?
Message-ID: <9$74W7fMgjB at zocki.toppoint.de>

---------------------------------------
From: Todd Troxell <ttroxell at debian.org>
To: 316612-close at bugs.debian.org
Subject: Bug#316612: fixed in logcheck 1.2.41
Message-Id: <E1E7IyF-0002y3-00 at spohr.debian.org>
Date: Mon, 22 Aug 2005 13:32:39 -0700

Source: logcheck
Source-Version: 1.2.41

We believe that the bug you reported is fixed in the latest version of logcheck, which is due to be installed in the Debian FTP archive:

logcheck-database_1.2.41_all.deb
  to pool/main/l/logcheck/logcheck-database_1.2.41_all.deb
logcheck_1.2.41.dsc
  to pool/main/l/logcheck/logcheck_1.2.41.dsc
logcheck_1.2.41.tar.gz
  to pool/main/l/logcheck/logcheck_1.2.41.tar.gz
logcheck_1.2.41_all.deb
  to pool/main/l/logcheck/logcheck_1.2.41_all.deb
logtail_1.2.41_all.deb
  to pool/main/l/logcheck/logtail_1.2.41_all.deb

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 316612 at bugs.debian.org, and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Todd Troxell <ttroxell at debian.org> (supplier of updated logcheck package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmaster at debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Mon, 22 Aug 2005 15:27:45 -0500
Source: logcheck
Binary: logcheck logtail logcheck-database
Architecture: source all
Version: 1.2.41
Distribution: unstable
Urgency: low
Maintainer: Debian logcheck Team <logcheck-devel at lists.alioth.debian.org>
Changed-By: Todd Troxell <ttroxell at debian.org>
Description:
 logcheck - mails anomalies in the system logfiles to the administrator
 logcheck-database - database of system log rules for the use of log checkers
 logtail - Print log file lines that have not been read
Closes: 311216 312597 312598 312729 313601 313603 314951 315507 316612 317642 317741 317772 318500 318731 320009 321506 322036 322179 322570
Changes:
 logcheck (1.2.41) unstable; urgency=low
 .
 [ Jamie Penman-Smithson ]
 * Fix postfix rule to match "setting up TLS connection" messages again.
 * Fix innd rule for "ME time" messages, add rule for innfeed "ME time" messages.
 * Fix rules for gps to match messages with the null sender (<>).
 * Update cyrus/notifyd rule to match destination folders and subfolders too.
 * Update cyrus rules to suppress DBERROR db3: n lockers messages when it's only 1-2 lockers, these messages are harmless as long as the number doesn't increase.
 * Update postfix lmtp rule to match messages given by amavis when discarding UBE and viruses.
 * Fix bug in the squid rule for "found whitespace" messages which caused grep to choke due to unescaped { and } characters. (Closes: #311216)
 * Update innd nnrpd rule for latest version of INN.
 * Add a versioned dependency on grep to prevent bugs like #311216 happening in the first place.
 * Added Vietnamese translation, thanks to Clytie Siddall. (Closes: #312597)
 * Fix minor typo in logcheck-database.templates. (Closes: #312598)
 * Modify rules for successful ssh login messages to match when ssh/ssh2 is not specified at the end. (Closes: #312729)
 * Modified ignore.d.workstation/kernel to ignore nfs warnings about mount version. (Closes: #313601)
 * Fix postfix anvil rules to match max message/recipient rate and count messages.
 * Add the first rules for dkfilter, which implements domainkeys signing and verification for postfix.
 * Add rule for openssh-krb5 and add gssapi-with-mic to the list of auth alternatives. (Closes: #318500)
 * Add ovpn-tunnel rule to suppress "VERIFY OK: nsCertType=SERVER" messages. Thanks to Martin Lohmeier <martin at mein-horde.de>. (Closes: #320009)
 .
 [ Maximilian Attems ]
 * Suppress error message if hostname not set. (Closes: #314951)
 * Add another sshd rule for PARANOID /etc/hosts.deny setting.
 * Fix postfix rule concerning Service unavailable. (Closes: #315507)
 * Add some initial support for exim4 log messages. Pretty rudimentary stuff still, will need further refinements. (Closes: #316612)
 * First rule for amandad. (Closes: #313603)
 * Remention how to invoke logcheck with sudo.
 * Add an examples section to the manpage with my most usual invocation.
 * Fix rules for gconfd loglines.
 * Add rule for mailman admin loglines in violations.ignore.d/logcheck-postfix thanks toby cabot <toby at caboteria.org>. (Closes: #317772)
 * Fix hostname match in rbldnsd rule thanks sistemas at dedaloingenieros.com. (Closes: #317741)
 * Unifiy gdm rules, add a rule for X restart.
 * Beautify README.logcheck-database, uses markdown(1) syntax now. Added testing rules header to carify sections. (Closes: #317642, #318731)
 * Small manpage fixes.
 * Add 2 courier rules for ACCEPTED usernames and the started client module.
 * Add pdns rule for duplicate packets from recursor.
 * Fix cvs rule for exit code != 0. thanks Martin Lohmeier <martin at mein-horde.de> (Closes: #321506)
 * Fix hostname match in cups-lpd rules thanks Gilbert Laycock <gtl1 at mcs.le.ac.uk> (Closes: #322179)
 * Add horde3 rules for users login/logout thanks Martin Lohmeier <martin at mein-horde.de> (Closes: #322570)
 * Fix logcheck.8 rendering of docbook-to-man. (Closes: #322036)
 .
 [Todd Troxell]
 * Tweak descriptions to satisfy litian.
Files:
 1885143b4845e7da6dc748ef4f2ec7fb 736 admin optional logcheck_1.2.41.dsc
 1a946e45f82a0dc98838c896510dfca9 101085 admin optional logcheck_1.2.41.tar.gz
 4ec4e8c0a9227a8c06a716675f8a0d3f 47870 admin optional logcheck_1.2.41_all.deb
 3bf53f05bfb119af9e2c1da3c8130f12 67460 admin optional logcheck-database_1.2.41_all.deb
 078148d37c693d7dd9511355d70e7d40 29826 admin optional logtail_1.2.41_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)

iD8DBQFDCijR4u3oQ3FHP2YRAjnTAJwL7ztRs3iUx4sltg+pROJaxdf/QgCgtall
nSanCABtCnyTfEYFeoyVZQ4=M6Pk
-----END PGP SIGNATURE-----