Gabriel Niebler
2014-Feb-26 21:21 UTC
[Logcheck-devel] Bug#740203: logcheck-database: proposed ignore rules for hostapd
Package: logcheck-database
Version: 1.3.15
Severity: wishlist
Tags: patch
Dear Maintainers,
I have logcheck running on a centralised loghost for my small home network,
running Debian wheezy (stable). My wireless router, running OpenWRT, also
logs to this host, to separate logfiles, and when I added these to
logcheck.logfiles, I started getting emails from logcheck complaining about
messages like these...
<date> <hostname> hostapd: wlan0: STA 88:88:88:88:88:88 IEEE 802.11: authenticated
<date> <hostname> hostapd: wlan0: STA 88:88:88:88:88:88 IEEE 802.11: associated (aid 2)
<date> <hostname> hostapd: wlan0: STA 88:88:88:88:88:88 IEEE 802.11: associated (aid 3)
<date> <hostname> hostapd: wlan0: STA 88:88:88:88:88:88 IEEE 802.11: deauthenticated due to local deauth request
... and...
<date> <hostname> hostapd: wlan0: STA 88:88:88:88:88:88 WPA: pairwise key handshake completed (RSN)
<date> <hostname> hostapd: wlan0: STA 88:88:88:88:88:88 WPA: group key handshake completed (RSN)
<date> <hostname> hostapd: wlan0: STA 88:88:88:88:88:88 WPA: received EAPOL-Key 2/2 Group with unexpected replay counter
... all of which are harmless.
(To see this for the last line cf.:
http://lists.shmoo.com/pipermail/hostap/2011-May/023166.html )
So I created "local-hostapd" in /etc/logcheck/ignore.d.server,
which contains these lines:
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ hostapd: [[:alnum:]]+: STA ([0-9a-f]{2}:){5}[0-9a-f]{2} IEEE 802\.11: authenticated$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ hostapd: [[:alnum:]]+: STA ([0-9a-f]{2}:){5}[0-9a-f]{2} IEEE 802\.11: associated \(aid [[:digit:]]\)$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ hostapd: [[:alnum:]]+: STA ([0-9a-f]{2}:){5}[0-9a-f]{2} IEEE 802\.11: deauthenticated due to local deauth request$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ hostapd: [[:alnum:]]+: STA ([0-9a-f]{2}:){5}[0-9a-f]{2} WPA: pairwise key handshake completed \(RSN\)$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ hostapd: [[:alnum:]]+: STA ([0-9a-f]{2}:){5}[0-9a-f]{2} WPA: group key handshake completed \(RSN\)$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ hostapd: [[:alnum:]]+: STA ([0-9a-f]{2}:){5}[0-9a-f]{2} WPA: received EAPOL-Key 2/2 Group with unexpected replay counter$
I tested them and they work for me.
Since 'hostapd' exists on Debian, too, and AFAIK logs the same
messages, I propose creating "/etc/logcheck/ignore.d.server/hostapd"
using these same ignore-filtering rules.
Cheers
- gabe
-- System Information:
Debian Release: 7.2
Architecture: armhf (armv6l)
Kernel: Linux 3.6.11+ (PREEMPT)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
-- Configuration Files: [Errno 13] Permission denied - all of them
-- no debconf information