Logcheck devel - Jun 2004 - Bug#253861: logcheck: Please add support for imapproxy

Package: logcheck
Version: 1.2.22a
Severity: wishlist


There is no support for imapproxy, and it would be a great help if it
was added.  Following are two sample lines from the syslog:

Jun 11 09:36:55 MyHost in.imapproxyd[30845]: LOGOUT:
'"MyUser"' from
server sd [13]
Jun 11 09:37:02 MyHost in.imapproxyd[30846]: LOGIN: '"MyUser"'
(xxx.xxx.xxx.xx:yyyyy) on existing sd [13]

It's untested, but I think following regexes would work:
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ in.imapproxyd\[[0-9]+\]: LOGOUT:
'"\w+"' from server sd \[[:digit:]\]
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ in.imapproxyd\[[0-9]+\]: LOGIN:
'"\w+"' \([._[:alnum:]-]+:[0-9]+\) on existing sd
\[[:digit:]\]

Thank you for creating a very usefull tool.

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing')
Architecture: sparc
Kernel: Linux 2.4.21
Locale: LANG=C, LC_CTYPE=C

Versions of packages logcheck depends on:
ii  adduser          3.56                    Add and remove users and groups
ii  cron             3.0pl1-83               management of regular background p
ii  debconf [debconf 1.4.28                  Debian configuration management sy
ii  debianutils      2.8.2                   Miscellaneous utilities specific t
ii  lockfile-progs   0.1.10                  Programs for locking and unlocking
ii  logcheck-databas 1.2.22a                 A database of system log rules for
ii  logtail          1.2.22a                 Print log file lines that have not
ii  mailx            1:8.1.2-0.20040524cvs-1 A simple mail user agent
ii  perl             5.8.4-2                 Larry Wall's Practical
Extraction
ii  postfix [mail-tr 2.1.1-3                 A high-performance mail transport 
ii  sysklogd [system 1.4.1-14                System Logging Daemon

-- debconf information:
  logcheck/changes:
* logcheck/install-note:

tag 253861 pending
thanks

hello bojan,

On Fri, 11 Jun 2004, Bojan Baros wrote:
> was added.  Following are two sample lines from the syslog:
> 
> Jun 11 09:36:55 MyHost in.imapproxyd[30845]: LOGOUT:
'"MyUser"' from
> server sd [13]
> Jun 11 09:37:02 MyHost in.imapproxyd[30846]: LOGIN:
'"MyUser"'
> (xxx.xxx.xxx.xx:yyyyy) on existing sd [13]
> 
> It's untested, but I think following regexes would work:
could you please test the attached rules on your server.
put it inside /etc/logcheck/ignore.d.server
(assuming you are not using paranoid mode).
hope to read you soon.

a++ maks

-------------- next part --------------
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ in.imapproxyd\[[0-9]+\]: LOGOUT:
'"[_[:alnum:]-]+"' from server sd \[[0-9]+\]$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ in.imapproxyd\[[0-9]+\]: LOGIN:
'"[_[:alnum:]-]+"'
\([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\) on existing sd \[[0-9]+\]$
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url :
http://lists.alioth.debian.org/pipermail/logcheck-devel/attachments/20040611/6ad5187c/attachment.pgp

Processing commands for control at bugs.debian.org:
> tag 253861 pending
Bug#253861: logcheck: Please add support for imapproxy
There were no tags set.
Tags added: pending
> thanks
Stopping processing here.

Please contact me if you need assistance.

Debian bug tracking system administrator
(administrator, Debian Bugs database)

Bojan Baros said:
> maks attems said:
>> On Fri, 11 Jun 2004, Bojan Baros wrote:
>>
>>> maks attems said:
>>> > could you please test the attached rules on your server.
>>> > put it inside /etc/logcheck/ignore.d.server
>>> > (assuming you are not using paranoid mode).
>>> > hope to read you soon.
>>>
>>> It did not work.  I think there may be some spacing issues.
>>
>> well so try to correct them. :)
>>
>>> I have produced and tested my own regexpes, and they are attached
to
>>> this
>>> email.
>>
>>> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ in.imapproxyd\[[0-9]+\]: LOGOUT:
>>> '"\w+"' from server sd \[[0-9]+\]
>>> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ in.imapproxyd\[[0-9]+\]: LOGIN:
>>> '"\w+"' \([.0-9]+:[0-9]+\) on existing sd
\[[0-9]+\]
>>
>> i see, but
>> *) those don't end with a '$', so don't match a hole
line
>> *) \w+ is not sufficient for a username [_[:alnum:]-]+ is
>> *) [.0-9]+ for an ip should be at least [.0-9]{7,15}
>>
>> please correct those issues in you rules
>> or fix the ones i sent you.
>>
>> i'll merge that to logcheck cvs.
>> a++ maks
>
>
> I appologize for the misunderstanding.
>
> Attached is modified imapproxy filter, based on your original ones.
>
> About some of the pointed out mistakes, I only got the ideas from other
> files.  If you want, I can identify some of those files and modify them to
> meet the specs.
>
> Thank you.
>
> Bojan
Hello Maks.

I have discovered another 2 messages created by imapproxy that should be
ignored.  Attached is the new (tested) imapproxy ignore file with updated
expressions.

Bojan
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: imapproxy
Url:
http://lists.alioth.debian.org/pipermail/logcheck-devel/attachments/20040614/3effad06/attachment.txt

Your message dated Thu, 08 Jul 2004 23:32:06 -0400
with message-id <E1Bim7K-0004VF-00 at newraff.debian.org>
and subject line Bug#253861: fixed in logcheck 1.2.23
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 11 Jun 2004 14:11:21
+0000
>From bojan at blis.dyndns.org Fri Jun 11 07:11:21 2004
Return-path: <bojan at blis.dyndns.org>
Received: from rwcrmhc12.comcast.net [216.148.227.85] 
	by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
	id 1BYmkb-0000E4-00; Fri, 11 Jun 2004 07:11:21 -0700
Received: from blis.dyndns.org ([68.37.12.97])
          by comcast.net (rwcrmhc12) with ESMTP
          id <2004061114104801400c2mufe>; Fri, 11 Jun 2004 14:10:48 +0000
Received: from localhost (Salsa [127.0.0.1])
	by blis.dyndns.org (Postfix) with ESMTP id 43E3C40AD;
	Fri, 11 Jun 2004 10:12:03 -0400 (EDT)
Received: from blis.dyndns.org ([127.0.0.1])
	by localhost (Salsa [127.0.0.1]) (amavisd-new, port 10024) with ESMTP
	id 31076-02; Fri, 11 Jun 2004 10:12:01 -0400 (EDT)
Received: by blis.dyndns.org (Postfix, from userid 1000)
	id 5423040A9; Fri, 11 Jun 2004 10:12:01 -0400 (EDT)
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: Bojan Baros <bojan at blis.dyndns.org>
To: Debian Bug Tracking System <submit at bugs.debian.org>
Subject: logcheck: Please add support for imapproxy
X-Mailer: reportbug 2.61
Date: Fri, 11 Jun 2004 10:12:00 -0400
Message-Id: <20040611141201.5423040A9 at blis.dyndns.org>
X-Virus-Scanned: by amavisd-new-20030616-p7 (Debian) at blis.dyndns.org
Delivered-To: submit at bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2004_03_25 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-8.0 required=4.0 tests=BAYES_00,HAS_PACKAGE 
	autolearn=no version=2.60-bugs.debian.org_2004_03_25
X-Spam-Level: 

Package: logcheck
Version: 1.2.22a
Severity: wishlist


There is no support for imapproxy, and it would be a great help if it
was added.  Following are two sample lines from the syslog:

Jun 11 09:36:55 MyHost in.imapproxyd[30845]: LOGOUT:
'"MyUser"' from
server sd [13]
Jun 11 09:37:02 MyHost in.imapproxyd[30846]: LOGIN: '"MyUser"'
(xxx.xxx.xxx.xx:yyyyy) on existing sd [13]

It's untested, but I think following regexes would work:
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ in.imapproxyd\[[0-9]+\]: LOGOUT:
'"\w+"' from server sd \[[:digit:]\]
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ in.imapproxyd\[[0-9]+\]: LOGIN:
'"\w+"' \([._[:alnum:]-]+:[0-9]+\) on existing sd
\[[:digit:]\]

Thank you for creating a very usefull tool.

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing')
Architecture: sparc
Kernel: Linux 2.4.21
Locale: LANG=C, LC_CTYPE=C

Versions of packages logcheck depends on:
ii  adduser          3.56                    Add and remove users and groups
ii  cron             3.0pl1-83               management of regular background p
ii  debconf [debconf 1.4.28                  Debian configuration management sy
ii  debianutils      2.8.2                   Miscellaneous utilities specific t
ii  lockfile-progs   0.1.10                  Programs for locking and unlocking
ii  logcheck-databas 1.2.22a                 A database of system log rules for
ii  logtail          1.2.22a                 Print log file lines that have not
ii  mailx            1:8.1.2-0.20040524cvs-1 A simple mail user agent
ii  perl             5.8.4-2                 Larry Wall's Practical
Extraction
ii  postfix [mail-tr 2.1.1-3                 A high-performance mail transport 
ii  sysklogd [system 1.4.1-14                System Logging Daemon

-- debconf information:
  logcheck/changes:
* logcheck/install-note:

---------------------------------------
Received: (at 253861-close) by bugs.debian.org; 9 Jul 2004 03:38:05
+0000
>From katie at ftp-master.debian.org Thu Jul 08 20:38:05 2004
Return-path: <katie at ftp-master.debian.org>
Received: from newraff.debian.org [208.185.25.31] (mail)
	by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
	id 1BimD7-0006KJ-00; Thu, 08 Jul 2004 20:38:05 -0700
Received: from katie by newraff.debian.org with local (Exim 3.35 1 (Debian))
	id 1Bim7K-0004VF-00; Thu, 08 Jul 2004 23:32:06 -0400
From: Todd Troxell <ttroxell at debian.org>
To: 253861-close at bugs.debian.org
X-Katie: $Revision: 1.51 $
Subject: Bug#253861: fixed in logcheck 1.2.23
Message-Id: <E1Bim7K-0004VF-00 at newraff.debian.org>
Sender: Archive Administrator <katie at ftp-master.debian.org>
Date: Thu, 08 Jul 2004 23:32:06 -0400
Delivered-To: 253861-close at bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2004_03_25 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER 
	autolearn=no version=2.60-bugs.debian.org_2004_03_25
X-Spam-Level: 
X-CrossAssassin-Score: 6

Source: logcheck
Source-Version: 1.2.23

We believe that the bug you reported is fixed in the latest version of
logcheck, which is due to be installed in the Debian FTP archive:

logcheck-database_1.2.23_all.deb
  to pool/main/l/logcheck/logcheck-database_1.2.23_all.deb
logcheck_1.2.23.dsc
  to pool/main/l/logcheck/logcheck_1.2.23.dsc
logcheck_1.2.23.tar.gz
  to pool/main/l/logcheck/logcheck_1.2.23.tar.gz
logcheck_1.2.23_all.deb
  to pool/main/l/logcheck/logcheck_1.2.23_all.deb
logtail_1.2.23_all.deb
  to pool/main/l/logcheck/logtail_1.2.23_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 253861 at bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Todd Troxell <ttroxell at debian.org> (supplier of updated logcheck
package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster at debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Thursday, 12 Jul 2004 22:55:19 -0500
Source: logcheck
Binary: logcheck logtail logcheck-database
Architecture: source all
Version: 1.2.23
Distribution: unstable
Urgency: low
Maintainer: Debian logcheck Team <logcheck-devel at
lists.alioth.debian.org>
Changed-By: Todd Troxell <ttroxell at debian.org>
Description: 
 logcheck   - Mails anomalies in the system logfiles to the administrator
 logcheck-database - A database of system log rules for the use of log checkers
 logtail    - Print log file lines that have not been read
Closes: 149567 186372 190101 234385 244171 253861 253879 253998 254133 254681
255560 256549
Changes: 
 logcheck (1.2.23) unstable; urgency=low
 .
   maks:
   * Remove logcheck pre-dependency on logtail.
   * Added imapproxy, kernel, nfs, scponly rules.
   * Updated dhcpd, innd, postfix, su, sudo rules.
     (Closes: #253879, #244171, #190101, #254681, #253861, #186372, #255560).
   * Fix locale dependent regexes.
   * Implemented testing mode to logcheck - doesn't update offset.
   * Added -l LOG switch for test runs on new log files.
     thanks todd for ideas and first work (Closes: #234385).
   * Add -m switch to specify recipient. (Closes: #149567).
   alfie:
   * debian/logcheck-database.templates: Clearified the rules-directories-note
     template and got updates for all translations. Thanks for fast responses!
   todd:
   * Update innfeed rules (Closes: #254133).
   * Update dhcp3 rules (Closes: #256549).
   * Change postinst script to set permissions on versions previous to 1.2.23
   (Closes: #253998).
   * Add postfix rule for lmtp.
   * Add Rule for cyrus imap/SQUAT annoyance.
   * Spamd update for unknown message id.
   * Add Kernel and bonobo rules for workstations.
Files: 
 194681a5833e247adcd50c6ffe0e4a43 670 admin optional logcheck_1.2.23.dsc
 ec715b8a1160751367dabdecb4ddfeb4 74885 admin optional logcheck_1.2.23.tar.gz
 14ba0cd447909d769867efbd331960e6 37348 admin optional logcheck_1.2.23_all.deb
 bad26ea13036470994f54bf9e1c3c18b 42778 admin optional
logcheck-database_1.2.23_all.deb
 ba84ae48e13e927d3e4da649913768e6 21788 admin optional logtail_1.2.23_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFA7gsO4u3oQ3FHP2YRApstAKCSu6oScQckvbfjz0y3DuA51fD8dwCgw0Dc
Np43xnp5o9CWVR4xuRbUqx4=MYFx
-----END PGP SIGNATURE-----