Dan Langille <dan at langille.org> wrote:
> I have a few local-* files that you may find useful. Please use as you
> see fit. No doubt, some will require refinement for public distribution.
Thanks for sharing these with us. Unfortunately, there's not much that
can be salvaged here, as most rules are much too loose to be distributed
as-is, and we don't have the original log messages to match them with.
Nevertheless, here are some comments:
- I think you'll find that many of your postfix and dovecot rules are
already taken care of by the latest logcheck-database release. (Some
others seem to be obsolete, and do not appear in the source code at
all.) Would you be willing to give 1.3.x a whirl, and report on what
is missing?
- I'm attaching a tentative rulefile for stunnel; could you also give it
a try?
- The amavisd-new package includes its own logcheck rules, so you should
forward your suggestions to its maintainer(s). This was also the case
with ntpd, but your particular rule has already been taken care of by
#498992.
- I could not find a trace of newsyslog in Debian; is this something you
installed on your own?
Again, thanks for your help!
# tentative logcheck ignore rules for stunnel (the attached rulefile, one rule per line)
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ stunnel(( LOG[[:digit:]])?\[[:[:digit:]]+\])?: SSL_read .*: Connection reset by peer$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ stunnel(( LOG[[:digit:]])?\[[:[:digit:]]+\])?: .* connected from .*$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ stunnel(( LOG[[:digit:]])?\[[:[:digit:]]+\])?: VERIFY OK: depth=[0-9]+, .*$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ stunnel(( LOG[[:digit:]])?\[[:[:digit:]]+\])?: Received signal 15; terminating$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ stunnel(( LOG[[:digit:]])?\[[:[:digit:]]+\])?: stunnel [0-9.]+ on i386-pc-linux-gnu PTHREAD\+POLL\+IPv6\+LIBWRAP with OpenSSL [0-9a-z.]+ [0-9]{2} \w{3} [0-9]{4}$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ stunnel(( LOG[[:digit:]])?\[[:[:digit:]]+\])?: [0-9]+ clients allowed$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ stunnel(( LOG[[:digit:]])?\[[:[:digit:]]+\])?: SSL_accept: Peer suddenly disconnected$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ stunnel(( LOG[[:digit:]])?\[[:[:digit:]]+\])?: [._[:alnum:]-]+ accepted connection from [.:[:xdigit:]]+:[[:digit:]]+$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ stunnel(( LOG[[:digit:]])?\[[:[:digit:]]+\])?: connect_blocking: connected [.:[:xdigit:]]+:[[:digit:]]+$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ stunnel(( LOG[[:digit:]])?\[[:[:digit:]]+\])?: [._[:alnum:]-]+ connected remote server from [.:[:xdigit:]]+:[[:digit:]]+$
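An added dry run, not part of this post or of logcheck itself, that does what the rulefile is meant for: it feeds constructed stunnel log lines through three of the rules above the way logcheck does (egrep -v -f) and shows which lines would still be reported, so an over-loose rule cannot silently swallow a failed certificate check. It assumes GNU grep (for \w) and that the rules are read one per line; hostname, pid, addresses and certificate subject in the sample are made up.

```shell
#!/bin/sh
# Added example (not from the post): a logcheck-style dry run of ignore rules.
# logcheck drops every line that any rule in the file matches (egrep -v -f);
# running constructed log lines through the rules shows what would still be
# reported, and checks that an over-loose rule does not hide real problems.
set -eu

RULES=$(mktemp); SAMPLE=$(mktemp)
trap 'rm -f "$RULES" "$SAMPLE"' EXIT

# Three rules from the tentative stunnel rulefile, one per line as logcheck expects.
cat >"$RULES" <<'EOF'
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ stunnel(( LOG[[:digit:]])?\[[:[:digit:]]+\])?: VERIFY OK: depth=[0-9]+, .*$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ stunnel(( LOG[[:digit:]])?\[[:[:digit:]]+\])?: [0-9]+ clients allowed$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ stunnel(( LOG[[:digit:]])?\[[:[:digit:]]+\])?: [._[:alnum:]-]+ accepted connection from [.:[:xdigit:]]+:[[:digit:]]+$
EOF

# Constructed sample log (hostname, pid, addresses and subject are made up).
# Lines 1-3 are routine and should be ignored; lines 4-5 are a failed
# certificate check and a TLS handshake error and must survive the filter.
cat >"$SAMPLE" <<'EOF'
Nov  8 10:00:01 mailhost stunnel[4242]: 500 clients allowed
Nov  8 10:00:02 mailhost stunnel[4242]: imaps accepted connection from 192.0.2.10:51234
Nov  8 10:00:02 mailhost stunnel[4242]: VERIFY OK: depth=0, /CN=client.example.test
Nov  8 10:00:03 mailhost stunnel[4242]: VERIFY ERROR: depth=0, error=certificate has expired: /CN=client.example.test
Nov  8 10:00:04 mailhost stunnel[4242]: SSL_accept: 1408F10B: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
EOF

# Lines no rule matches: exactly what logcheck would put in its report.
reported() { grep -E -v -f "$RULES" "$SAMPLE" || true; }
reported_count() { reported | wc -l | tr -d ' '; }
# Exit status 0 if the rules swallow the given line, 1 if it would be reported.
is_ignored() { printf '%s\n' "$1" | grep -E -q -f "$RULES"; }

echo "Lines logcheck would still report:"
reported
```

The same harness, pointed at a real rulefile and a day's worth of log, is how to answer the "what is missing" question asked above.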
--
LOAD "LINUX",8,1
-- Topic on #LinuxGER