Logcheck devel - Jun 2004 - templates cleanup part2

hello 

based on Alfie's proposal regarding 
"Template: logcheck-database/rules-directories-note"


 - /etc/logcheck/cracking.ignore.d [for local use only]

this note regarding the cracking.ingore.d is confusing, what is meant is:

 - /etc/logcheck/cracking.ignore.d [no rules from logcheck-database itself]

we might even want to drop that message as in normal mode of operation,
i never found it necessary to add local rules there?

- These directories may contain files named "logcheck" (containing
minimal
generic alert/override patterns), "(packagename)" (containing patterns
- specific to that one package) or "local" (created by the local
- administrator to contain patterns tailored for a particular site).
Logcheck will then use rules collected from all the files found in the
appropriate directories.
     
+ These directories may contain files prefixed "logcheck-" (containing
generic alert/override patterns), "(packagename)" (containing patterns
+ specific to that one package) or prefixed "local-" (created by the
local
+ administrator to contain patterns tailored for a particular site).
Logcheck will then use rules collected from all the files found in the
appropriate directories.


removed the "minimal" logcheck-database rule set seems far from
minimal.
didn't mention the local file as admins will find local-foo easier
for their setup.
thanks for your comments. as it's your initial proposition Alfie
feel free to commit if no one objects?

a++ maks

* maks attems <debian at sternwelten.at> [2004-06-10
14:10]:
> based on Alfie's proposal regarding 
> "Template: logcheck-database/rules-directories-note"
> 
>  - /etc/logcheck/cracking.ignore.d [for local use only]
> 
> this note regarding the cracking.ingore.d is confusing, what is meant is:
> 
>  - /etc/logcheck/cracking.ignore.d [no rules from logcheck-database itself]
> 
> we might even want to drop that message as in normal mode of operation,
> i never found it necessary to add local rules there?
 I wouldn't drop it because it can make sense. E.g. I will add entries
for this message locally:

May 28 10:40:53 tausendmorgenwald dhclient: receive_packet failed on eth0:
Network is down
Jun  9 18:57:51 tausendmorgenwald shutdown[8355]: shutting down for system halt

 And some others, because I don't regard them as a security problem, but
don't want to force ignoring them for others.
> + These directories may contain files prefixed "logcheck-"
(containing
> generic alert/override patterns), "(packagename)" (containing
patterns
> + specific to that one package) or prefixed "local-" (created by
the local
> + administrator to contain patterns tailored for a particular site).
> Logcheck will then use rules collected from all the files found in the
> appropriate directories.
 object:

These directories may contain files prefixed with "logcheck-"
(containing
generic alert/override patterns), named "(packagename)" (containing
patterns
specific to that one package) or prefixed with "local-" (created by
the local
administrator to contain patterns tailored for a particular site).
Logcheck will then use rules collected from all the files found in the
appropriate directories.

 Changes: "prefixed _with_", "named" added. In our last
discussion I got
the opinion that we have also "local" as possible filename? I
don't want
that to get dropped, and am using it.
> didn't mention the local file as admins will find local-foo easier
> for their setup.
 Do you think so? Why? I think local itself is easier, I don't see the
need to have multiple local files sitting around....

 So long,
Alfie
-- 
The biggest difference is that now I can hear bass.  I had almost forgotten
that Metallica isn't a teenage girl band.
         -- Lars Wirzenius,
<http://liw.iki.fi/liw/log/2004-02.html#20040212c>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url :
http://lists.alioth.debian.org/pipermail/logcheck-devel/attachments/20040611/0c384962/attachment.pgp