Erich Schubert
2004-Jul-21  22:56 UTC
[Logcheck-devel] Bug#260743: logcheck-database: dhcp rule updates for failover support
Package: logcheck-database
Version: 1.2.23
Severity: minor
Hi,
a couple of minor corrections to the dhcp rule sets:
First of all, the hostname matching parts need to include the "._-"
signs (maybe . is not needed but it might be).
Then when using failover, log lines of type DHCPDISCOVER and DHCPREQUEST
may be entailed by the string ": load balance to peer <somestring>".
I've also had the message ": wrong network." appended, when a client
requested an IP address out of a different domain, which will result in a
DHCPNAK. This is a common case with WLAN users I think.
I also added rules for dyndns support by dhcpd.
The modified rules are:
# Dyndns support for DHCP
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhcpd: [Aa]dded (new )?(forward|reverse) map from [._[:alnum:]-]+ to [._[:alnum:]-]+$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhcpd: Can't update forward map [._[:alnum:]-]+ to [.0-9]+: no such RRset$
# Added load-balancing statements and hostname characters ._-
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhcpd: DHCPDISCOVER from [:[:alnum:]]+ (\([._[:alnum:]-]+\) |)via [[:alnum:]]+(: load-balance to peer [^ ]*|)$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhcpd: DHCPREQUEST for [.0-9]+ (\([.0-9]+\) )?from [:[:alnum:]]+ (\([._[:alnum:]-]+\) )?via [[:alnum:]]+(: load-balance to peer [^ ]*)?$
# added ._- to allowed chars for hostname
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhcpd: DHCPACK on [0-9.]+ to [:[:alnum:]]+ (\([._[:alnum:]-]+\) )?via [[:alnum:]]+$
# if you are paranoid, you'll want to skip these rules:
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhcpd: DHCPREQUEST for [.0-9]+ (\([.0-9]+\) )?from [:[:alnum:]]+ (\([._[:alnum:]-]+\) )?via [[:alnum:]]+: wrong network.$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhcpd: DHCPNAK on [0-9.]+ to [:[:alnum:]]+ via [[:alnum:]]+$
Thanks for your good work.
I'm expecting to get more rule updates soon. Should I submit them here or to
some mailing list?
-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.6.6
Locale: LANG=de_DE.UTF-8@euro, LC_CTYPE=de_DE.UTF-8@euro
Versions of packages logcheck-database depends on:
ii  debconf [debconf-2.0]         1.4.29     Debian configuration management sy
-- debconf information excluded
Erich Schubert
2004-Jul-21  23:28 UTC
[Logcheck-devel] Bug#260743: Acknowledgement (logcheck-database: dhcp rule updates for failover support)
Hi,
sorry, the rules still had a couple of weaknesses.
I'll post new rules using [.0-9]{7,15} for IPs, [:0-9a-f]{17} for MACs
etc. soon - after I've verified with a couple of reports that these
rules catch all my new log lines.
I'll also attach a pptpd rule file, if you want to.
Greetings,
Erich Schubert
-- 
   erich@(vitavonni.de|debian.org)    --    GPG Key ID: 4B3A135C    (o_
       The best things in life are free: Friendship and Love.       //\
   Two friends must be alike at heart; in everything else they      V_/_
       can be fundamentally different. --- Sully Prudhomme
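
The effect of the tighter character classes announced in the message above, shown on the DHCPREQUEST rule from the report. This is an added example, not part of the thread or of logcheck's shipped rules. Python's `re` stands in for egrep, the helper names are hypothetical, and the log lines are constructed.

```python
import re

def ere_to_py(rule):
    # Python's re has no POSIX bracket classes; expand the only one these rules use.
    return re.compile(rule.replace("[:alnum:]", "a-zA-Z0-9"))

def reported(lines, rules):
    """Lines that match no ignore rule, i.e. the ones that end up in the report."""
    compiled = [ere_to_py(r) for r in rules]
    return [ln for ln in lines if not any(p.search(ln) for p in compiled)]

# DHCPREQUEST rule as posted in the report (loose IP and MAC classes).
LOOSE = (r"^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhcpd: DHCPREQUEST for [.0-9]+ "
         r"(\([.0-9]+\) )?from [:[:alnum:]]+ (\([._[:alnum:]-]+\) )?"
         r"via [[:alnum:]]+(: load-balance to peer [^ ]*)?$")

# Same rule with the classes named in the follow-up substituted in (assumption:
# the follow-up only names the classes, not the finished rules).
TIGHT = (LOOSE.replace("[.0-9]+", "[.0-9]{7,15}")
              .replace("[:[:alnum:]]+", "[:0-9a-f]{17}"))

# Constructed sample lines, not taken from a real log.
PREFIX = "Jul 21 22:56:01 gw-1.example.org dhcpd: DHCPREQUEST for "
SAMPLE = [
    # ordinary request with a hostname containing "_" and "-"
    PREFIX + "192.0.2.17 from 00:0c:29:ab:cd:ef (lap_top-3) via eth1",
    # failover case with the load-balance suffix
    PREFIX + "192.0.2.17 (192.0.2.1) from 00:0c:29:ab:cd:ef via eth1"
             ": load-balance to peer dhcp-failover",
    # malformed address fields: only punctuation where an IP and a MAC belong
    PREFIX + "... from :::: via eth1",
    # unexpected trailer after the interface name
    PREFIX + "192.0.2.17 from 00:0c:29:ab:cd:ef via eth1: unexpected trailer",
]

if __name__ == "__main__":
    for name, rule in (("loose", LOOSE), ("tight", TIGHT)):
        print(name, "reports:")
        for line in reported(SAMPLE, [rule]):
            print("   ", line)
```

The loose rule silently ignores the malformed third line, while the tightened one lets it reach the report. `[.0-9]{7,15}` bounds only the length, so a run of seven dots would still be ignored.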
maks attems
2004-Sep-20  23:21 UTC
Bug#260743: [Logcheck-devel] Bug#260743: logcheck-database: dhcp rule updates for failover support
tags 260743 pending
thanks

On Thu, 22 Jul 2004, Erich Schubert wrote:
> a couple of minor corrections to the dhcp rule sets:
> First of all, the hostname matching parts need to include the "._-"
> signs (maybe . is not needed but it might be).

already done in latest logcheck version.

> Then when using failover, log lines of type DHCPDISCOVER and DHCPREQUEST
> may be entailed by the string ": load balance to peer <somestring>".

same.

> I've also had the message ": wrong network." appended, when a client
> requested an IP address out of a different domain, which will result in a
> DHCPNAK. This is a common case with WLAN users I think.

feel free to open a separate bug report.

> I also added rules for dyndns support by dhcpd.

added to current cvs. they look fine

--
maks
Debian Bug Tracking System
2004-Sep-20  23:33 UTC
Processed: Re: [Logcheck-devel] Bug#260743: logcheck-database: dhcp rule updates for failover support
Processing commands for control at bugs.debian.org:

> tags 260743 pending
Bug#260743: logcheck-database: dhcp rule updates for failover support
Tags were: moreinfo
Tags added: pending

> thanks
Stopping processing here.

Please contact me if you need assistance.

Debian bug tracking system administrator
(administrator, Debian Bugs database)
Debian Bug Tracking System
2004-Sep-22  21:03 UTC
[Logcheck-devel] Bug#260743: marked as done (logcheck-database: dhcp rule updates for failover support)
Your message dated Wed, 22 Sep 2004 16:47:06 -0400
with message-id <E1CAE14-0001Mu-00 at newraff.debian.org>
and subject line Bug#260743: fixed in logcheck 1.2.28
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)
From: Todd Troxell <ttroxell at debian.org>
To: 260743-close at bugs.debian.org
Subject: Bug#260743: fixed in logcheck 1.2.28
Date: Wed, 22 Sep 2004 16:47:06 -0400

Source: logcheck
Source-Version: 1.2.28

We believe that the bug you reported is fixed in the latest version of
logcheck, which is due to be installed in the Debian FTP archive:

logcheck-database_1.2.28_all.deb
  to pool/main/l/logcheck/logcheck-database_1.2.28_all.deb
logcheck_1.2.28.dsc
  to pool/main/l/logcheck/logcheck_1.2.28.dsc
logcheck_1.2.28.tar.gz
  to pool/main/l/logcheck/logcheck_1.2.28.tar.gz
logcheck_1.2.28_all.deb
  to pool/main/l/logcheck/logcheck_1.2.28_all.deb
logtail_1.2.28_all.deb
  to pool/main/l/logcheck/logtail_1.2.28_all.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 260743 at bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Todd Troxell <ttroxell at debian.org> (supplier of updated logcheck package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster at debian.org)

Format: 1.7
Date: Wednesday, 22 Sep 2004 16:35:03 -0500
Source: logcheck
Binary: logcheck logtail logcheck-database
Architecture: source all
Version: 1.2.28
Distribution: unstable
Urgency: low
Maintainer: Debian logcheck Team <logcheck-devel at lists.alioth.debian.org>
Changed-By: Todd Troxell <ttroxell at debian.org>
Description:
 logcheck   - Mails anomalies in the system logfiles to the administrator
 logcheck-database - A database of system log rules for the use of log checkers
 logtail    - Print log file lines that have not been read
Closes: 260743 270398 271286 271482
Changes:
 logcheck (1.2.28) unstable; urgency=low
 .
   maks:
   * Small fixes: join 2 lines in ignore.d.server/postfix,
     add '^' for start-of-line ignore.d.server/scponly (Closes: #270398)
   * Small rule update oidentd (Closes: #271286)
   * Check if logcheck has the permissions to read the offsetfiles.
   * Allow Hostname for logcheck mail to be set by commandline switch
     for log hosts. thanks to Joerg Jaspert <joerg at debian.org>
   * Minor comment fixes for picky readers.
   * Handle lack of permissions gracefully. (Closes: #271482)
   * Small update dhcp for dyndns support. (Closes: #260743)
   * Add a sendfile rule at level workstation for its connect syslogging.