Dan D Niles
2009-Dec-09 22:25 UTC
[Logcheck-devel] Bug#560245: logcheck: violations.ignore.d causes lines to not show up at any level
Package: logcheck
Version: 1.2.68
Severity: important

Adding an exclusion to violations.ignore.d causes matching lines to not
show up at all. The same applies to cracking.ignore.d. As a result,
important messages may be inadvertently missed.

For example, suppose you have a program that outputs:

    This is a failure test

This would show up as a SECURITY event. It isn't really a SECURITY
event, so you exclude it in violations.ignore.d. Now it does not show
up as a SECURITY event, but it also does not show up as a SYSTEM event.
That behavior is not what I would expect. I could potentially be
missing important events.

It is easy to test:

    logger -p kern.notice This is a failure test

run logcheck

You will get an email showing a SECURITY event.

Add "This is a failure test" to a file in violations.ignore.d.

    logger -p kern.notice This is a failure test

run logcheck

You will not get any notification of the event.

I cannot off the top of my head think of an easy fix. I for one would
MUCH rather have duplicate messages than risk missing something
important.
-- System Information:
Debian Release: 5.0
  APT prefers jaunty-updates
  APT policy: (500, 'jaunty-updates'), (500, 'jaunty-security'), (500, 'jaunty')
Architecture: i386 (i686)

Kernel: Linux 2.6.28-16-generic (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages logcheck depends on:
ii adduser 3.110ubuntu5 add and remove users and groups
ii bsd-mailx [ 8.1.2-0.20081101cvs-2ubuntu1 A simple mail user agent
ii cron 3.0pl1-105ubuntu1.1 management of regular background p
ii lockfile-pr 0.1.11ubuntu2 Programs for locking and unlocking
ii logtail 1.2.68 Print log file lines that have not
ii postfix [ma 2.5.5-1.1 High-performance mail transport ag
ii sysklogd [s 1.5-5ubuntu3 System Logging Daemon

Versions of packages logcheck recommends:
ii logcheck-database 1.2.68 database of system log rules for t

Versions of packages logcheck suggests:
pn syslog-summary <none> (no description available)

-- no debconf information
Hannes von Haugwitz
2010-May-21 09:15 UTC
[Logcheck-devel] Bug#560245: Bug#560245: logcheck: violations.ignore.d causes lines to not show up at any level
tags 560245 +wontfix
thanks

Dan D Niles wrote:
> Adding an exclusion to violations.ignore.d causes matching lines to not
> show up at all. The same applies to cracking.ignore.d. As a result,
> important messages may be inadvertently missed.
>
> For example, suppose you have a program that outputs:
>
> This is a failure test
>
> This would show up as a SECURITY event. It isn't really a SECURITY
> event, so you exclude it in violations.ignore.d. Now it does not show
> up as a SECURITY event, but it also does not show up as a SYSTEM event.
> That behavior is not what I would expect.

The current behavior is due to the design of logcheck and avoids
duplicate rules in {cracking,violations}.ignore.d/ and ignore.d.*/.
Additionally, the behavior is documented in README.logcheck-database.gz.
So I'm tagging this bug as wontfix.

>
> I cannot off the top of my head think of an easy fix. I for one would
> MUCH rather have duplicate messages than risk missing something
> important.
>

To avoid falsely ignored messages, you can ensure that the rules in
violations.ignore.d are as specific as possible.

Greetings
Hannes
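
The effect of rule specificity described in this thread, as an added example that is not part of either message and is not logcheck's own code: a simplified model in which a line matching a violations pattern leaves the SYSTEM pool, and a matching violations.ignore.d rule then removes it from every report. The log lines, the `failure` pattern, the `myprog` and `backupd` tags and the function names are constructed for illustration.

```shell
#!/bin/sh
# Simplified model of the behaviour reported in this thread (not logcheck code).

VIOLATIONS='failure'   # constructed stand-in for a violations.d pattern

# Constructed sample log: one harmless test message, one look-alike, one other.
sample_log() {
cat <<'EOF'
Dec  9 22:20:01 host1 myprog: This is a failure test
Dec  9 22:21:07 host1 backupd: This is a failure test of volume vol0
Dec  9 22:22:00 host1 cron[812]: job finished
EOF
}

# Broad rule: just the message text, as in the report.
BROAD='This is a failure test'
# Specific rule: anchored on timestamp, host, program tag and end of line.
SPECIFIC='^[[:alpha:]]{3} [ :0-9]{11} [._[:alnum:]-]+ myprog: This is a failure test$'

# classify IGNORE_RULE  (reads log lines on stdin)
# Prints each line prefixed with SECURITY, SYSTEM or DROPPED.
classify() {
    ignore_rule=$1
    while IFS= read -r line; do
        if printf '%s\n' "$line" | grep -Eq -- "$VIOLATIONS"; then
            # Violation lines never return to the SYSTEM pool in this model.
            if [ -n "$ignore_rule" ] &&
               printf '%s\n' "$line" | grep -Eq -- "$ignore_rule"; then
                echo "DROPPED: $line"
            else
                echo "SECURITY: $line"
            fi
        else
            echo "SYSTEM: $line"
        fi
    done
}

# count_of LABEL IGNORE_RULE: how many sample lines end up under LABEL.
count_of() {
    sample_log | classify "$2" | grep -c "^$1:" || true
}

echo "== broad rule ==";    sample_log | classify "$BROAD"
echo "== specific rule =="; sample_log | classify "$SPECIFIC"
```

With the broad rule the `backupd` line is dropped along with the test message; with the anchored rule it is still reported as SECURITY.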
Debian Bug Tracking System
2010-May-21 09:21 UTC
[Logcheck-devel] Processed: Re: Bug#560245: logcheck: violations.ignore.d causes lines to not show up at any level
Processing commands for control at bugs.debian.org:

> tags 560245 +wontfix
Bug #560245 [logcheck] logcheck: violations.ignore.d causes lines to not show up at any level
Added tag(s) wontfix.
> thanks
Stopping processing here.

Please contact me if you need assistance.
--
560245: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=560245
Debian Bug Tracking System
Contact owner at bugs.debian.org with problems