Tamar Weinberg
2007-Jan-31 18:00 UTC
[Logcheck-devel] Logcheck configuration questions: format is not on a single line and I don't know why
Hi everyone,

Please cc tweinberg AT 10e20 DOT com when you reply to this as I am not a mailing list subscriber.

I have been using logcheck with a lot of success (on a RedHat ES 4.0 enterprise webserver), but I have run into some issues recently when I decided to tweak the logcheck.violations, logcheck.ignore, and logcheck.violations.ignore files to reduce the size of emails and to only include messages that are important to me. Now I'm seeing messages where the entire log report is on one line. This is not the case for all items that are logged, which makes it much more difficult to troubleshoot. For example, I'm most concerned about mail intrusions and failed SSH login attempts. So one of my reports looks like this:

Jan 31 00:46:32 www pop3d: LOGIN FAILED, ip=[64.61.x.x] Jan 31 01:32:32 www pop3d: LOGIN FAILED, ip=[64.61.x.x] Jan 31 01:48:32 www pop3d: LOGIN FAILED, ip=[64.61.x.x] Jan 31 02:04:33 www pop3d: LOGIN FAILED, ip=[64.61.x.x] Jan 31 02:20:26 www pop3d: LOGIN FAILED, ip=[64.61.x.x] Jan 31 02:35:32 www pop3d: LOGIN FAILED, ip=[64.61.x.x] Jan 31 02:50:32 www pop3d: LOGIN FAILED, ip=[64.61.x.x] Jan 31 03:36:32 www pop3d: LOGIN FAILED, ip=[64.61.x.x] Jan 31 03:52:26 www pop3d: LOGIN FAILED, ip=[64.61.x.x] Jan 31 04:23:26 www pop3d: LOGIN FAILED, ip=[64.61.x.x]

It's on one line, instead of on distinct lines as it was previously (like this):

Jan 31 00:46:32 www pop3d: LOGIN FAILED, ip=[64.61.x.x]
Jan 31 01:32:32 www pop3d: LOGIN FAILED, ip=[64.61.x.x]
Jan 31 01:48:32 www pop3d: LOGIN FAILED, ip=[64.61.x.x]
Jan 31 02:04:33 www pop3d: LOGIN FAILED, ip=[64.61.x.x]
Jan 31 02:20:26 www pop3d: LOGIN FAILED, ip=[64.61.x.x]
Jan 31 02:35:32 www pop3d: LOGIN FAILED, ip=[64.61.x.x]
Jan 31 02:50:32 www pop3d: LOGIN FAILED, ip=[64.61.x.x]
Jan 31 03:36:32 www pop3d: LOGIN FAILED, ip=[64.61.x.x]
Jan 31 03:52:26 www pop3d: LOGIN FAILED, ip=[64.61.x.x]
Jan 31 04:23:26 www pop3d: LOGIN FAILED, ip=[64.61.x.x]

For me, the "run on" line is really hard to read and I can't figure out if the login attempt is legit or not (which is why I've masked the IP address in case it is). The changed logcheck.violations, logcheck.violations.ignore, and logcheck.ignore files are below, but I'm not sure why this is happening. Can you please shed some light on the issue?

logcheck.violations.ignore:

named.*
qmail.*
spamd.*
pop3d: Connection
proftpd.*
proftpd*
pop3d: IMAP connect
sshd: Connection closed

logcheck.violations:

!
-ERR Password
CWD etc
DEBUG
EXPN
FAILURE
ILLEGAL
LOGIN FAILURE
LOGIN REFUSED
PERMITTED
REFUSED
RETR group
RETR passwd
RETR pwd.db
ROOT LOGIN
SITE EXEC
VRFY
"WIZ"
admin
alias database
debug
denied
deny
deny host
expn
failed
illegal
kernel: Oversized packet received from
nested
permitted
reject
rexec
rshd
securityalert
setsender
shutdown
smrsh
su root
su:
sucked
unapproved
vrfy
attackalert

logcheck.ignore:

authsrv.*AUTHENTICATE
cron.*CMD
cron.*RELOAD
cron.*STARTUP
ftp-gw.*: exit host
ftp-gw.*: permit host
ftpd.*ANONYMOUS FTP LOGIN
ftpd.*FTP LOGIN FROM
ftpd.*retrieved
ftpd.*stored
http-gw.*: exit host
http-gw.*: permit host
imapd: IMAP connect from
imapd-ssl.*
mail.local
named.*client
named.*update
named.*Lame delegation
named.*Response from
named.*answer queries
named.*points to a CNAME
named.*reloading
named.*starting
netacl.*: exit host
netacl.*: permit host
pop3d.*
popper.*Unable
popper: -ERR POP server at
popper: -ERR Unknown command: "uidl".
proftpd:*
proftpd.*
qmail.*
qmail:*delivery
qmail.*new msg
qmail.*info msg
qmail.*starting delivery
qmail.*delivery
qmail.*end msg
qmail-queue.*
rlogin-gw.*: exit host
rlogin-gw.*: permit host
sendmail.*User Unknown
sendmail.*User Unknown
sendmail.*alias database.*rebuilt
sendmail.*aliases.*longest
sendmail.*from
sendmail.*lost input channel
sendmail.*message-id
sendmail.*putoutmsg
sendmail.*return to sender
sendmail.*return to sender
sendmail.*stat
sendmail.*timeout waiting
smap.*host
smapd.*daemon running
smapd.*daemon running
smapd.*delivered
smapd.*delivered
smtp_auth.*:
spamd.*
spamd.*processing
spamd.*result
spamd.*clean
telnetd.*ttloop: peer died
tn-gw.*: exit host
tn-gw.*: permit host
x-gw.*: exit host
x-gw.*: permit host
xinetd: warning
xntpd.*Previous time adjustment didn't complete
xntpd.*time reset
root 1
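The three rule files above are plain egrep pattern lists, and the post does not show how logcheck combines them. The following is an added example, not code from this post or from logcheck itself: a small Python re-implementation of the classic logcheck.sh stages (my assumption about its matching: logcheck.violations is applied case-insensitively, the two ignore files case-sensitively) run over the pop3d lines from the report, with a helper that re-splits a run-on report on the syslog timestamp so every entry can be read and classified on its own. The rule lists, the proftpd and cron entries, and the IP values are constructed from the patterns posted above.

```python
import re

# Constructed rule sets: a subset of the patterns posted above. Assumption
# (my reading of the classic logcheck.sh pipeline, not logcheck's own code):
# violations are matched case-insensitively, both ignore files case-sensitively,
# and a line is "unusual" when nothing in logcheck.ignore matches it.
VIOLATIONS = ["LOGIN FAILURE", "LOGIN REFUSED", "failed", "denied", "ROOT LOGIN"]
VIOLATIONS_IGNORE = ["named.*", "qmail.*", "spamd.*", "pop3d: Connection",
                     "proftpd.*", "proftpd*", "pop3d: IMAP connect",
                     "sshd: Connection closed"]
IGNORE = ["cron.*CMD", "cron.*RELOAD", "pop3d.*", "imapd: IMAP connect from"]

# Every syslog line opens with "Mon dd HH:MM:SS host"; an entry runs from one
# stamp to the next, whether separated by a newline or, as in the run-on
# report above, by a single space.
STAMP = r"[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d"
ENTRY = re.compile(rf"{STAMP} .*?(?=\s{STAMP} |$)", re.S)

def split_runon(report):
    """Recover one line per syslog entry from a report whose newlines were lost."""
    return [m.group(0).strip() for m in ENTRY.finditer(report)]

def classify(line):
    """Return 'violation', 'unusual' or 'ignored' for one syslog line.
    Stage 1: violations minus violations.ignore; stage 2: everything that
    logcheck.ignore does not cover. A line qualifying for both sections is
    reported here under the stronger one only."""
    if any(re.search(p, line, re.I) for p in VIOLATIONS):
        if not any(re.search(p, line) for p in VIOLATIONS_IGNORE):
            return "violation"
    if not any(re.search(p, line) for p in IGNORE):
        return "unusual"
    return "ignored"

def triage(report):
    """Split a (possibly run-on) report and tag each entry with its section."""
    return [(line, classify(line)) for line in split_runon(report)]

# Constructed run-on report: the first three pop3d lines from the post plus
# two constructed entries that exercise the other two outcomes.
RUNON_REPORT = ("Jan 31 00:46:32 www pop3d: LOGIN FAILED, ip=[64.61.x.x] "
                "Jan 31 01:32:32 www pop3d: LOGIN FAILED, ip=[64.61.x.x] "
                "Jan 31 01:48:32 www pop3d: LOGIN FAILED, ip=[64.61.x.x] "
                "Jan 31 02:00:00 www proftpd[123]: login failed for user bob "
                "Jan 31 02:05:01 www cron[999]: (root) CMD (run-parts /etc/cron.hourly)")
```

Two things the run shows about this ruleset: pop3d.* in logcheck.ignore does not silence the LOGIN FAILED lines, because they are caught in the violations stage first, while proftpd.* in logcheck.violations.ignore drops proftpd's own failed logins from the violations section entirely (the fourth constructed entry).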
Tamar Weinberg
2007-Feb-13 15:17 UTC
[Logcheck-devel] RE: Logcheck configuration questions: format is not on a single line and I don't know why
Hi,

Does anyone know the solution to this problem? I really like logcheck, but once I started trying to filter out the unnecessary noise (for my purposes, the emails were too large for my server and my personal computer), I started encountering these issues.

Thank you.

_____
From: Tamar Weinberg [mailto:tweinberg at 10e20.com]
Sent: Wednesday, January 31, 2007 1:01 PM
To: 'logcheck-devel at lists.alioth.debian.org'
Subject: Logcheck configuration questions: format is not on a single line and I don't know why