Jamie L. Penman-Smithson
2004-Jun-13 00:46 UTC
[Logcheck-devel] Bug#254133: logcheck: additional innd rules
Package: logcheck
Version: 1.2.22a
Severity: minor

There are some messages from INN which are not being filtered:

Jun 13 00:46:08 lorien innfeed[24951]: news.jgaa.com final seconds 38585 offered 1862 accepted 30 refused 1722 rejected 7 missing 0 accsize 130781 rejsize 335084 spooled 0 on_close 0 unspooled 0 deferred 103/0.0 requeued 0 queue 0.0/200:100,0,0,0,0,0
Jun 13 00:46:08 lorien innfeed[24951]: gw.efnet.com final seconds 38585 offered 7841 accepted 149 refused 6494 rejected 0 missing 0 accsize 801400 rejsize 0 spooled 0 on_close 0 unspooled 0 deferred 1199/0.0 requeued 0 queue 0.0/200:100,0,0,0,0,0
Jun 13 00:46:39 lorien innd: gw.efnet.com:34 closed seconds 1539 accepted 0 refused 4 rejected 1 duplicate 1 accepted size 0 duplicate size 9392
Jun 13 00:53:01 lorien innfeed[24951]: news.uhro.net final seconds 861 offered 82 accepted 0 refused 65 rejected 17 missing 0 accsize 0 rejsize 46154 spooled 0 on_close 0 unspooled 0 deferred 0/0.0 requeued 0 queue 0.0/200:100,0,0,0,0,0
Jun 13 00:56:37 lorien innfeed[24951]: gw.efnet.com checkpoint seconds 600 offered 371 accepted 0 refused 357 rejected 0 missing 0 accsize 0 rejsize 0 spooled 0 on_close 0 unspooled 0 deferred 14/0.2 requeued 0 queue 0.1/200:96,4,0,0,0,0
Jun 13 00:58:05 lorien innd: news.uhro.net:21 checkpoint seconds 58 accepted 49 refused 4 rejected 1 duplicate 0 accepted size 103030 duplicate size 0
Jun 13 00:06:49 lorien innd: ME time 614087 hishave 12902(265) hiswrite 16807(104) hissync 233(2) idle 247176(313) artclean 110(111) artwrite 226569(104) artcncl 0(0) hishave/artcncl 0(0) hiswrite/artcncl 0(0) artlog/artcncl 0(0) hisgrep/artcncl 0(0) sitesend 559(208) overv 39371(104) perl 37468(104) nntpread 5285(341) artparse 85(308) artlog 722(176) datamove 481(152)

The following regexps match some of the above:

^\w{3} [ :0-9]{11} [._[:alnum:]-]+ innfeed\[[0-9]+\]: [a-z\.]+ (final|checkpoint) seconds [0-9]+ offered [0-9]+ accepted [0-9]+ refused [0-9]+ rejected [0-9]+ missing [0-9]+ accsize [0-9]+ rejsize [0-9]+ spooled [0-9]+ on_close [0-9]+ unspooled [0-9]+ deferred [0-9]+/[0-9\.]+ requeued [0-9]+ queue [0-9\.]+/[0-9\:\,]+$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ innd: [a-z0-9\:\.]+ (final|checkpoint|closed) seconds [0-9]+ accepted [0-9]+ refused [0-9]+ rejected [0-9]+ duplicate [0-9]+ accepted size [0-9]+ duplicate size [0-9]+$

I'll have a go at the other one tomorrow when I'm not feeling as exhausted as I am now.

Thanks,

--
-jamie <jamie at silverdream.org> | spamtrap: spam at silverdream.org
w: http://www.silverdream.org | p: sms at silverdream.org
pgp key @ http://silverdream.org/~jps/pub.key
04:30:01 up 2 days, 13:39, 13 users, load average: 2.10, 2.19, 2.31
Jamie L. Penman-Smithson
2004-Jun-13 10:02 UTC
[Logcheck-devel] Bug#254133: logcheck: additional innd rules
On Sun, 2004-06-13 at 01:46, Jamie L. Penman-Smithson wrote:
> Package: logcheck
> Version: 1.2.22a
> Severity: minor
>
> There are some messages from INN which are not being filtered:

They are currently listed as Sec Events:

Security Events
=-=-=-=-=-=-=-
Jun 13 02:03:31 lorien innfeed[24951]: news.uhro.net checkpoint seconds 4200 offered 287 accepted 5 refused 98 rejected 183 missing 1 accsize 15459 rejsize 659172 spooled 0 on_close 0 unspooled 3 deferred 0/0.0 requeued 0 queue 0.0/200:100,0,0,0,0,0

I forgot to say that they should go in logcheck.violations.d/logcheck-innd

In addition I just noticed:

^\w{3} [ :0-9]{11} [._[:alnum:]-]+ innd: (localhost\:[0-9]+|[[[:alnum:]]+:[0-9]+) (closed|checkpoint) seconds [0-9]+ accepted [0-9]+ refused [0-9]+ rejected [0-9]+ duplicate [0-9]+ accepted size [0-9]+ duplicate size [0-9]+$

..which doesn't work. As I understand it [[[:alnum:]]+:[0-9]+ will only match if the hostname is an IP, which is not always going to be the case? It also does not match on innd [...] final seconds [...] messages.

-j

--
-jamie <jamie at silverdream.org> | spamtrap: spam at silverdream.org
w: http://www.silverdream.org | p: sms at silverdream.org
pgp key @ http://silverdream.org/~jps/pub.key
10:30:01 up 3 days, 31 min, 13 users, load average: 1.13, 0.99, 0.75
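
The rule check discussed in the messages above, as an added example that is not part of the original posts or of logcheck: it runs the existing innd rule, the rule proposed in the first message, and a hypothetical wider variant (WIDER, an assumption) through grep -E -v and counts the lines left unfiltered. The last two sample lines and the helper names are constructed for illustration.

```shell
#!/bin/sh
# Added example: run logcheck-style rules (one ERE each) over sample lines
# and list what stays unfiltered. LC_ALL=C keeps [a-z] from varying by locale.

# Existing rule quoted in the second message as not working.
EXISTING='^\w{3} [ :0-9]{11} [._[:alnum:]-]+ innd: (localhost\:[0-9]+|[[[:alnum:]]+:[0-9]+) (closed|checkpoint) seconds [0-9]+ accepted [0-9]+ refused [0-9]+ rejected [0-9]+ duplicate [0-9]+ accepted size [0-9]+ duplicate size [0-9]+$'
# Rule proposed in the first message for the same innd lines.
PROPOSED='^\w{3} [ :0-9]{11} [._[:alnum:]-]+ innd: [a-z0-9\:\.]+ (final|checkpoint|closed) seconds [0-9]+ accepted [0-9]+ refused [0-9]+ rejected [0-9]+ duplicate [0-9]+ accepted size [0-9]+ duplicate size [0-9]+$'
# Hypothetical variant (assumption): reuse the syslog-host class for the peer.
WIDER='^\w{3} [ :0-9]{11} [._[:alnum:]-]+ innd: [._[:alnum:]-]+:[0-9]+ (final|checkpoint|closed) seconds [0-9]+ accepted [0-9]+ refused [0-9]+ rejected [0-9]+ duplicate [0-9]+ accepted size [0-9]+ duplicate size [0-9]+$'

# The first two lines are from the thread; the last two are constructed.
SAMPLES='Jun 13 00:46:39 lorien innd: gw.efnet.com:34 closed seconds 1539 accepted 0 refused 4 rejected 1 duplicate 1 accepted size 0 duplicate size 9392
Jun 13 00:58:05 lorien innd: news.uhro.net:21 checkpoint seconds 58 accepted 49 refused 4 rejected 1 duplicate 0 accepted size 103030 duplicate size 0
Jun 13 01:00:00 lorien innd: localhost:12 closed seconds 5 accepted 0 refused 0 rejected 0 duplicate 0 accepted size 0 duplicate size 0
Jun 13 01:00:01 lorien innd: News-1.example.net:7 closed seconds 9 accepted 1 refused 0 rejected 0 duplicate 0 accepted size 512 duplicate size 0'

# Print the sample lines that the given rule(s) do not match,
# i.e. the lines that would still show up in a report.
unfiltered() {
    printf '%s\n' "$SAMPLES" | LC_ALL=C grep -E -v -e "$1" || true
}

# Count those lines (grep -c exits 1 on a zero count, hence "|| true").
count_unfiltered() {
    unfiltered "$1" | grep -c '' || true
}

for name in EXISTING PROPOSED WIDER; do
    eval "rule=\$$name"
    printf '%s: %s unfiltered\n' "$name" "$(count_unfiltered "$rule")"
done
```

The existing rule leaves every dotted peer name unfiltered because its peer class contains no dot; the proposed rule still misses the constructed peer with an upper-case letter and a hyphen. Newer GNU grep releases print "stray \" warnings on stderr for the \: escapes, which do not change the result.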
Jamie L. Penman-Smithson
2004-Jun-13 10:22 UTC
[Logcheck-devel] Bug#254133: logcheck: additional innd rules
More from innfeed which are currently not filtered:

Jun 13 10:03:29 lorien innfeed[24951]: news.uhro.net spooling no active connections
Jun 13 10:03:59 lorien innfeed[24951]: news.uhro.net:0 connected
Jun 13 10:03:59 lorien innfeed[24951]: news.uhro.net remote MODE STREAM
Jun 13 10:03:59 lorien innfeed[24951]: news.uhro.net final seconds 30 spooled 1 on_close 0 sleeping 1
Jun 13 09:03:05 lorien innfeed[24951]: ME articles active 0 bytes 0
Jun 13 09:03:05 lorien innfeed[24951]: ME articles total 49 bytes 0

^\w{3} [ :0-9]{11} [._[:alnum:]-]+ innfeed\[[0-9]+\]: [a-zA-Z0-9\.]+ spooling no active connections$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ innfeed\[[0-9]+\]: [a-zA-Z0-9\.]+:[0-9]+ connected$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ innfeed\[[0-9]+\]: [a-zA-Z0-9\.]+ remote MODE STREAM$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ innfeed\[[0-9]+\]: [a-zA-Z0-9\.]+ final seconds [0-9]+ spooled [0-9]+ on_close [0-9]+ sleeping [0-9]+$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ innfeed\[[0-9]+\]: ME articles (active|total) [0-9]+ bytes [0-9]+$

Phew..!

--
-jamie <jamie at silverdream.org> | spamtrap: spam at silverdream.org
w: http://www.silverdream.org | p: sms at silverdream.org
pgp key @ http://silverdream.org/~jps/pub.key
10:30:01 up 3 days, 31 min, 13 users, load average: 1.13, 0.99, 0.75
Debian Bug Tracking System
2004-Jul-09 03:48 UTC
[Logcheck-devel] Bug#254133: marked as done (logcheck: additional innd rules)
Your message dated Thu, 08 Jul 2004 23:32:06 -0400
with message-id <E1Bim7K-0004VL-00 at newraff.debian.org>
and subject line Bug#254133: fixed in logcheck 1.2.23
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am talking about this indicates a serious mail system misconfiguration somewhere. Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)
--------------------------------------

From: Todd Troxell <ttroxell at debian.org>
To: 254133-close at bugs.debian.org
Subject: Bug#254133: fixed in logcheck 1.2.23
Date: Thu, 08 Jul 2004 23:32:06 -0400

Source: logcheck
Source-Version: 1.2.23

We believe that the bug you reported is fixed in the latest version of logcheck, which is due to be installed in the Debian FTP archive:

logcheck-database_1.2.23_all.deb
  to pool/main/l/logcheck/logcheck-database_1.2.23_all.deb
logcheck_1.2.23.dsc
  to pool/main/l/logcheck/logcheck_1.2.23.dsc
logcheck_1.2.23.tar.gz
  to pool/main/l/logcheck/logcheck_1.2.23.tar.gz
logcheck_1.2.23_all.deb
  to pool/main/l/logcheck/logcheck_1.2.23_all.deb
logtail_1.2.23_all.deb
  to pool/main/l/logcheck/logtail_1.2.23_all.deb

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 254133 at bugs.debian.org, and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Todd Troxell <ttroxell at debian.org> (supplier of updated logcheck package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmaster at debian.org)

Format: 1.7
Date: Thursday, 12 Jul 2004 22:55:19 -0500
Source: logcheck
Binary: logcheck logtail logcheck-database
Architecture: source all
Version: 1.2.23
Distribution: unstable
Urgency: low
Maintainer: Debian logcheck Team <logcheck-devel at lists.alioth.debian.org>
Changed-By: Todd Troxell <ttroxell at debian.org>
Description:
 logcheck - Mails anomalies in the system logfiles to the administrator
 logcheck-database - A database of system log rules for the use of log checkers
 logtail - Print log file lines that have not been read
Closes: 149567 186372 190101 234385 244171 253861 253879 253998 254133 254681 255560 256549
Changes:
 logcheck (1.2.23) unstable; urgency=low
 .
 maks:
 * Remove logcheck pre-dependency on logtail.
 * Added imapproxy, kernel, nfs, scponly rules.
 * Updated dhcpd, innd, postfix, su, sudo rules. (Closes: #253879, #244171, #190101, #254681, #253861, #186372, #255560).
 * Fix locale dependent regexes.
 * Implemented testing mode to logcheck - doesn't update offset.
 * Added -l LOG switch for test runs on new log files. thanks todd for ideas and first work (Closes: #234385).
 * Add -m switch to specify recipient. (Closes: #149567).
 alfie:
 * debian/logcheck-database.templates: Clearified the rules-directories-note template and got updates for all translations. Thanks for fast responses!
 todd:
 * Update innfeed rules (Closes: #254133).
 * Update dhcp3 rules (Closes: #256549).
 * Change postinst script to set permissions on versions previous to 1.2.23 (Closes: #253998).
 * Add postfix rule for lmtp.
 * Add Rule for cyrus imap/SQUAT annoyance.
 * Spamd update for unknown message id.
 * Add Kernel and bonobo rules for workstations.