David M. Dowdle
2004-May-14 20:56 UTC
[Logcheck-devel] Bug#249074: logcheck: can't get line to be ignored (user error?)
Package: logcheck
Version: 1.2.20
Severity: minor

last 2 lines of /etc/logcheck/ignord.d.server/sendmail:

^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (sendmail|sm-mta*|sm-msp*)\[[0-9]+\]: [[:alnum:]]+: collect: unexpected close on connection from (\[[0-9.]+\]|[._[:alnum:]-]+), sender=<[^>]+>$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (sendmail|sm-(mta|msp|que))\[[0-9]+\]: .* 550Blocked by http

note that last line was added by me. logcheck is running a "server" level

clouded:/etc/logcheck/ignore.d.server# tail -40 /var/log/mail/mail.log |egrep "^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (sendmail|sm-(mta|msp|que))\[[0-9]+\]: .* 550Blocked by http"
May 14 13:42:07 clouded sm-mta[14648]: ruleset=check_relay, arg1=65-57-173-243.forestsavers.com, arg2=65.57.173.243, relay=65-57-173-243.forestsavers.com [65.57.173.243], reject=553 5.3.0 550Blocked by http://www.stearns.org/sa-blacklist/
May 14 13:42:11 clouded sm-mta[14649]: ruleset=check_relay, arg1=65-57-173-243.forestsavers.com, arg2=65.57.173.243, relay=65-57-173-243.forestsavers.com [65.57.173.243], reject=553 5.3.0 550Blocked by http://www.stearns.org/sa-blacklist/
May 14 13:43:57 clouded sm-mta[14660]: i4EKhvCs014660: ruleset=check_mail, arg1=<OWNER-NOLIST-DAILY*neopets**rosekitty*-org at sgosvr.com>, relay=smtp106.imgsvr.com [69.8.178.106], reject=553 5.3.0 <OWNER-NOLIST-DAILY*neopets**rosekitty*-org at sgosvr.com>... 550Blocked by http://www.stearns.org/sa-blacklist/

my regex appears to function, but these lines still show up in logcheck's security emails (not violations).
-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.4.21
Locale: LANG=C, LC_CTYPE=C

Versions of packages logcheck depends on:
ii  adduser          3.53                     Add and remove users and groups
ii  cron             3.0pl1-83                management of regular background p
ii  debconf [debconf 1.4.25                   Debian configuration management sy
ii  debianutils      2.8.2                    Miscellaneous utilities specific t
ii  lockfile-progs   0.1.10                   Programs for locking and unlocking
ii  logcheck-databas 1.2.20                   A database of system log rules for
ii  logtail          1.2.20                   Returns parts of logfiles that hav
ii  mailx            1:8.1.2-0.20031014cvs-2  A simple mail user agent
ii  sendmail [mail-t 8.12.11.Final-5          A powerful, efficient, and scalabl
ii  sysklogd [system 1.4.1-14                 System Logging Daemon

-- debconf information:
* logcheck/noroot:
  logcheck/changes:
* logcheck/install-note:
maks attems
2004-May-15 01:02 UTC
Bug#249074: [Logcheck-devel] Bug#249074: logcheck: can't get line to be ignored (user error?)
On Fri, 14 May 2004, David M. Dowdle wrote:
> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (sendmail|sm-(mta|msp|que))\[[0-9]+\]: .* 550Blocked by http
>
> note that last line was added by me. logcheck is running a "server" level

the above regex is pretty generic, one shouldn't use '.*' without very good
reason and every rule should end with an '$'.

> clouded:/etc/logcheck/ignore.d.server# tail -40 /var/log/mail/mail.log |egrep "^\w{3} [ :0-9]{11}
> [._[:alnum:]-]+ (sendmail|sm-(mta|msp|que))\[[0-9]+\]: .* 550Blocked by http"
> May 14 13:42:07 clouded sm-mta[14648]: ruleset=check_relay, arg1=65-57-173-243.forestsavers.com,
> arg2=65.57.173.243, relay=65-57-173-243.forestsavers.com [65.57.173.243], reject=553 5.3.0 550Blocked by
> http://www.stearns.org/sa-blacklist/
> [..]
> my regex appears to function, but these lines still show up in logcheck's security emails (not violations).

well the sections were renamed, we haven't yet reordered the dirs,
but the above message should be reported under "Security Events"
not "System Events".
your best bet for ignoring such messages is to put your rule in
violations.ignore.d in a file named 'local-sendmail'.

anyways thanks for your bugreport and the helpful log messages,
we double-check tomorrow and will add a rule for the above loglines
for next release.

a++ maks
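The layering that the reply above points to, as an added example (not part of the thread and not logcheck's own code): a line that hits a violations.d keyword is filtered only by violations.ignore.d, so a rule in ignore.d.server never sees it, and the unanchored rule also swallows an unrelated line. The `reject=` keyword, the second sample line and the tightened rule are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: simplified model of logcheck's layering, built on grep -E.
# Line 1 is the first log line from the report; line 2 is constructed.
SAMPLE='May 14 13:42:07 clouded sm-mta[14648]: ruleset=check_relay, arg1=65-57-173-243.forestsavers.com, arg2=65.57.173.243, relay=65-57-173-243.forestsavers.com [65.57.173.243], reject=553 5.3.0 550Blocked by http://www.stearns.org/sa-blacklist/
May 14 13:45:10 clouded sm-mta[14670]: i4EKjACs014670: ruleset=check_rcpt, arg1=<user@example.org>, relay=mx.example.net [192.0.2.7], reject=553 5.3.0 550Blocked by http proxy policy; queue directory full'

# Assumption: stand-in for whatever violations.d keyword catches these lines.
VIOLATION='reject='
NONE='^$'   # matches no non-empty line, i.e. "no local rule in this directory"

# The rule from the report: '.*' in the middle and no '$' at the end.
GENERIC='^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (sendmail|sm-(mta|msp|que))\[[0-9]+\]: .* 550Blocked by http'
# Tightened as the reply asks: every field spelled out, anchored with '$'.
TIGHT='^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (sendmail|sm-(mta|msp|que))\[[0-9]+\]: ruleset=check_relay, arg1=[._[:alnum:]-]+, arg2=[0-9.]+, relay=[._[:alnum:]-]+ \[[0-9.]+\], reject=553 5\.3\.0 550Blocked by http://www\.stearns\.org/sa-blacklist/$'

# matches LINE REGEX: true if the line matches the extended regex.
matches() { printf '%s\n' "$1" | grep -Eq -- "$2"; }

# report VIOLATIONS_IGNORE_RULE SERVER_IGNORE_RULE
# Prints each surviving line prefixed with the section it would land in.
report() {
    printf '%s\n' "$SAMPLE" | while IFS= read -r line; do
        if matches "$line" "$VIOLATION"; then
            # Violation layer: only violations.ignore.d can drop the line.
            matches "$line" "$1" || printf 'security: %s\n' "$line"
        else
            # Everything else: filtered by ignore.d.<level>.
            matches "$line" "$2" || printf 'system: %s\n' "$line"
        fi
    done
}

# count VIOLATIONS_IGNORE_RULE SERVER_IGNORE_RULE SECTION
count() { report "$1" "$2" | grep -c "^$3:" || true; }

echo "generic rule in ignore.d.server:     $(count "$NONE" "$GENERIC" security) security line(s)"
echo "generic rule in violations.ignore.d: $(count "$GENERIC" "$NONE" security) security line(s)"
echo "tight rule in violations.ignore.d:   $(count "$TIGHT" "$NONE" security) security line(s)"
```

With the tight rule in the violations ignore layer, only the constructed second line is still reported; the generic rule hides it as well.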
Debian Bug Tracking System
2004-Jun-03 10:18 UTC
[Logcheck-devel] Bug#249074: marked as done (logcheck: can't get line to be ignored (user error?))
Your message dated Thu, 03 Jun 2004 06:02:03 -0400
with message-id <E1BVp2x-000248-00 at newraff.debian.org>
and subject line Bug#249074: fixed in logcheck 1.2.21
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)
---------------------------------------
From: Todd Troxell <ttroxell at debian.org>
To: 249074-close at bugs.debian.org
Subject: Bug#249074: fixed in logcheck 1.2.21
Date: Thu, 03 Jun 2004 06:02:03 -0400
Source: logcheck
Source-Version: 1.2.21

We believe that the bug you reported is fixed in the latest version of
logcheck, which is due to be installed in the Debian FTP archive:

logcheck-database_1.2.21_all.deb
  to pool/main/l/logcheck/logcheck-database_1.2.21_all.deb
logcheck_1.2.21.dsc
  to pool/main/l/logcheck/logcheck_1.2.21.dsc
logcheck_1.2.21.tar.gz
  to pool/main/l/logcheck/logcheck_1.2.21.tar.gz
logcheck_1.2.21_all.deb
  to pool/main/l/logcheck/logcheck_1.2.21_all.deb
logtail_1.2.21_all.deb
  to pool/main/l/logcheck/logtail_1.2.21_all.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 249074 at bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Todd Troxell <ttroxell at debian.org> (supplier of updated logcheck package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster at debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Thursday, 03 Jun 2004 05:49:47 -0500
Source: logcheck
Binary: logcheck logtail logcheck-database
Architecture: source all
Version: 1.2.21
Distribution: unstable
Urgency: low
Maintainer: Debian logcheck Team <logcheck-devel at lists.alioth.debian.org>
Changed-By: Todd Troxell <ttroxell at debian.org>
Description:
 logcheck   - Mails anomalies in the system logfiles to the administrator
 logcheck-database - A database of system log rules for the use of log checkers
 logtail    - Print log file lines that have not been read
Closes: 174173 182992 186849 192192 198767 213709 222240 226937 248409 248816 249074 249181 249324 250373 250374 251364 251463 252173
Changes:
 logcheck (1.2.21) unstable; urgency=low
 .
   maks:
   * Better description of logtail package.
   * Recommend use of an offsite email address in main conf.
   * Added and updated bind, cracklib, innd, kernel, logcheck, nntpcache,
     Login.app, proftp, postfix, pump, sendmail rulefiles.
     (Closes: #248816, #213709, #198767, #248409, #249074, #250374, #250373,
     #249181)
   * Added -v switch (outputs logcheck version).
   * Harden permissions regarding world.
   * Added and updated arpwatch, bind, gconf, gdm, kernel, openvpn, postfix,
     rpc.statd and spamd rules.
     thanks to Peter Palfrader <weasel at debian.org>.
   * New Config option for subject tags [logcheck].
   * Lower all debconf messages priority.
   * Added and updated oidentd rules. (Closes: #186849)
     thanks to Tobias Wolter <towo+bugs at ydal.de>
   * Ignore normal use of su and sudo. (Closes: #182992, #192192)
   * Remove empty file innd.
   * Add switches to logtails default arguments.
   * Added cvs-build, cvs-clean debian/rules - stolen from apt.
   * Denote /etc/logcheck/logcheck.logfile as CFG in manpage and logcheck.
   * Move logtail.8 from debian to doc dir.
   * Added Japanese translation.
     thanks to Hideki Yamane (Closes: #251463)
   * Added French translation.
     thanks to Rémi Pannequin (Closes: #252173)
   * Fix bashism in preinst and postinst. (Closes: #251364)
 .
   todd:
   * Add debconf to logcheck Depends:
   * Check the return values of all commands that write to disk.
     (Closes: #174173)
   * Add NEWS.Debian to logcheck.docs (Followup to #247360)
 .
   eevans:
   * Made addition of logcheck user and permissions/ownership changes a
     conditional of an upgrade from a version less than 1.2.19.
     (Closes: #249324)
   * Added a note to README.Debian on how to manually change the cronjob
     interval. (Closes: #222240, #226937)
 .
   alfie:
   * src/logcheck: test also for readability for the header.txt and
     footer.txt.
   * debian/changelog: stripped all trailing whitespace from the file.
   * debian/*templates: Some small consistency and formatting updates.
     Updated the debian/po/*.po files too.
Files:
 ca12c9c51dc70453a7fcb1859f17ccc3 670 admin optional logcheck_1.2.21.dsc
 2def0e9e4ccc428e49126c5e391e4597 72037 admin optional logcheck_1.2.21.tar.gz
 c87bba838b413e6f939edd7336e07579 36388 admin optional logcheck_1.2.21_all.deb
 806b69d2d16042c4f2060df79d73a1bd 39956 admin optional logcheck-database_1.2.21_all.deb
 2554603f91374e07d19293a5277ab153 21170 admin optional logtail_1.2.21_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD4DBQFAvvYw4u3oQ3FHP2YRAkukAKCztbEVc4ziE6zmo4VijzQHma/yKwCYvKTP
1FzcH4V8Ag3K8hSwSnDbvw==s9Dc
-----END PGP SIGNATURE-----