Gabriel Niebler
2014-Feb-26 21:21 UTC
[Logcheck-devel] Bug#740203: logcheck-database: proposed ignore rules for hostapd
Package: logcheck-database
Version: 1.3.15
Severity: wishlist
Tags: patch

Dear Maintainers,

I have logcheck running on a centralised loghost for my small home network, running Debian wheezy (stable). My wireless router, running OpenWRT, also logs to this host, to separate logfiles, and when I added these to logcheck.logfiles, I started getting emails from logcheck complaining about messages like these...

<date> <hostname> hostapd: wlan0: STA 88:88:88:88:88:88 IEEE 802.11: authenticated
<date> <hostname> hostapd: wlan0: STA 88:88:88:88:88:88 IEEE 802.11: associated (aid 2)
<date> <hostname> hostapd: wlan0: STA 88:88:88:88:88:88 IEEE 802.11: associated (aid 3)
<date> <hostname> hostapd: wlan0: STA 88:88:88:88:88:88 IEEE 802.11: deauthenticated due to local deauth request

... and...

<date> <hostname> hostapd: wlan0: STA 88:88:88:88:88:88 WPA: pairwise key handshake completed (RSN)
<date> <hostname> hostapd: wlan0: STA 88:88:88:88:88:88 WPA: group key handshake completed (RSN)
<date> <hostname> hostapd: wlan0: STA 88:88:88:88:88:88 WPA: received EAPOL-Key 2/2 Group with unexpected replay counter

... all of which are harmless.
(To see this for the last line cf.: http://lists.shmoo.com/pipermail/hostap/2011-May/023166.html )

So I created "local-hostapd" in /etc/logcheck/ignore.d.server, which contains these lines:

^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ hostapd: [[:alnum:]]+: STA ([0-9a-f]{2}:){5}[0-9a-f]{2} IEEE 802\.11: authenticated$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ hostapd: [[:alnum:]]+: STA ([0-9a-f]{2}:){5}[0-9a-f]{2} IEEE 802\.11: associated \(aid [[:digit:]]\)$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ hostapd: [[:alnum:]]+: STA ([0-9a-f]{2}:){5}[0-9a-f]{2} IEEE 802\.11: deauthenticated due to local deauth request$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ hostapd: [[:alnum:]]+: STA ([0-9a-f]{2}:){5}[0-9a-f]{2} WPA: pairwise key handshake completed \(RSN\)$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ hostapd: [[:alnum:]]+: STA ([0-9a-f]{2}:){5}[0-9a-f]{2} WPA: group key handshake completed \(RSN\)$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ hostapd: [[:alnum:]]+: STA ([0-9a-f]{2}:){5}[0-9a-f]{2} WPA: received EAPOL-Key 2/2 Group with unexpected replay counter$

I tested them and they work for me.

Since 'hostapd' exists on Debian, too, and AFAIK logs the same messages, I propose creating "/etc/logcheck/ignore.d.server/hostapd" using these same ignore-filtering rules.

Cheers - gabe

-- System Information:
Debian Release: 7.2
Architecture: armhf (armv6l)

Kernel: Linux 3.6.11+ (PREEMPT)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

-- Configuration Files:
[Errno 13] Permission denied - all of them

-- no debconf information
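Added example, not part of the original report or of logcheck-database: a shell check that runs the six posted rules over sample hostapd lines with grep -E, approximating logcheck's ignore filtering, and prints what would still be reported. The sample log lines (timestamp, hostname "openwrt", the "aid 12" and "disassociated" lines) are constructed, and rules_wide is a hypothetical variant that accepts multi-digit association IDs.

```shell
# The six ignore rules, copied verbatim from the post.
rules() {
cat <<'EOF'
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ hostapd: [[:alnum:]]+: STA ([0-9a-f]{2}:){5}[0-9a-f]{2} IEEE 802\.11: authenticated$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ hostapd: [[:alnum:]]+: STA ([0-9a-f]{2}:){5}[0-9a-f]{2} IEEE 802\.11: associated \(aid [[:digit:]]\)$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ hostapd: [[:alnum:]]+: STA ([0-9a-f]{2}:){5}[0-9a-f]{2} IEEE 802\.11: deauthenticated due to local deauth request$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ hostapd: [[:alnum:]]+: STA ([0-9a-f]{2}:){5}[0-9a-f]{2} WPA: pairwise key handshake completed \(RSN\)$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ hostapd: [[:alnum:]]+: STA ([0-9a-f]{2}:){5}[0-9a-f]{2} WPA: group key handshake completed \(RSN\)$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ hostapd: [[:alnum:]]+: STA ([0-9a-f]{2}:){5}[0-9a-f]{2} WPA: received EAPOL-Key 2/2 Group with unexpected replay counter$
EOF
}

# Assumption (not from the post): same rules, AID widened to 1+ digits.
rules_wide() {
    rules | sed 's/aid \[\[:digit:\]\]/&+/'
}

# Constructed sample lines; timestamp and hostname are invented.
sample_log() {
cat <<'EOF'
Feb 26 21:21:01 openwrt hostapd: wlan0: STA 88:88:88:88:88:88 IEEE 802.11: authenticated
Feb 26 21:21:01 openwrt hostapd: wlan0: STA 88:88:88:88:88:88 IEEE 802.11: associated (aid 2)
Feb 26 21:21:02 openwrt hostapd: wlan0: STA 88:88:88:88:88:88 WPA: pairwise key handshake completed (RSN)
Feb 26 21:31:02 openwrt hostapd: wlan0: STA 88:88:88:88:88:88 WPA: group key handshake completed (RSN)
Feb 26 21:31:03 openwrt hostapd: wlan0: STA 88:88:88:88:88:88 WPA: received EAPOL-Key 2/2 Group with unexpected replay counter
Feb 26 21:40:00 openwrt hostapd: wlan0: STA 88:88:88:88:88:88 IEEE 802.11: deauthenticated due to local deauth request
Feb 26 21:41:00 openwrt hostapd: wlan0: STA 88:88:88:88:88:88 IEEE 802.11: associated (aid 12)
Feb 26 21:50:00 openwrt hostapd: wlan0: STA 88:88:88:88:88:88 IEEE 802.11: disassociated due to inactivity
EOF
}

# Print the stdin lines that no rule matches, i.e. what would still be
# reported. $1 names a function that prints one ERE per line.
reported() {
    _rf=$(mktemp) || return 1
    "$1" > "$_rf"
    grep -E -v -f "$_rf" || true   # grep exits 1 when every line is ignored
    rm -f "$_rf"
}

echo "Still reported with the posted rules:"
sample_log | reported rules
echo "Still reported with the widened AID rule:"
sample_log | reported rules_wide
```

With the posted rules the "aid 12" line is still reported, because the association rule accepts exactly one digit; the constructed "disassociated" line is reported under both rule sets, since nothing in the proposal covers it.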