Todd Troxell
2004-Sep-06 00:22 UTC
[Logcheck-devel] Bug#270019: serial/lp rules for logcheck
At the moment I've no host with which to test ppp/lp things on. If you (or anyone) could provide complete regexes, (each beginning with ^ and ending with $) I will patch the rules accordingly.

If not, sending the full log lines is a good start.

Thanks!

--
Todd J. Troxell
Student, Debian GNU/Linux Developer, SysAdmin, Geek
http://debian.org || http://rapidpacket.com/~xtat
Ross Boylan
2004-Oct-02 18:25 UTC
[Logcheck-devel] Bug#270019: serial/lp rules for logcheck
Oops, forgot to copy the bug report on this. Here are the messages in the log.

----- Forwarded message from Ross Boylan <RossBoylan at stanfordalumni.org> -----

Date: Mon, 6 Sep 2004 12:56:42 -0700
To: Todd Troxell <ttroxell at debian.org>
Cc: Ross Boylan <RossBoylan at stanfordalumni.org>
Subject: Re: serial/lp rules for logcheck
From: Ross Boylan <RossBoylan at stanfordalumni.org>

On Sun, Sep 05, 2004 at 08:22:21PM -0400, Todd Troxell wrote:
> At the moment I've no host with which to test ppp/lp things on. If you (or
> anyone) could provide complete regexes, (each beginning with ^ and ending with
> $) I will patch the rules accordingly.
>
> If not, sending the full log lines is a good start.
>
> Thanks!

I'm not sure I'd get the patterns right, so I put the offending lines at the bottom.

I have one pattern for which I didn't immediately find an example:

    pppd\[[[:digit:]]+\]: Perms of /dev/ttyS[[:digit:]] are ok, no 'mesg n' neccesary.

Perhaps this message is obsolete.

I also notice the currently installed filters have a couple of lines that are clearly too specific:

    ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pppd\[[0-9]+\]: Connect: ppp0 <--> [.0-9]+$
    ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pppd\[[0-9]+\]: Device ttyS1 is locked by pid [0-9]+$

I also believe that ttySn is not the only possible name for serial ports, but I'm not sure what the alternatives are.

Some of the lines below, and my corresponding patterns, appear to match existing ppp patterns. Some of my patterns may be redundant with the ppp patterns; some may differ in more or less obvious ways.

Here are some log lines that would be good to exclude, and match my local exclusion patterns:

Sep 4 18:08:14 wheat kernel: CSLIP: code copyright 1989 Regents of the University of California
Sep 4 18:08:14 wheat kernel: PPP generic driver version 2.4.2
Sep 4 18:08:18 wheat kernel: PPP BSD Compression module registered
Sep 4 18:08:20 wheat kernel: PPP Deflate Compression module registered
Sep 4 18:15:43 wheat kernel: parport0: PC-style at 0x378 [PCSPP]
Sep 4 18:15:43 wheat kernel: lp0: using parport0 (polling).
Sep 4 18:15:52 wheat kernel: lp0 off-line
Sep 4 19:08:58 wheat kernel: parport0: PC-style at 0x378 [PCSPP]
Sep 4 19:08:58 wheat kernel: parport0: Printer, Lexmark International Lexmark Optra E310
Sep 5 14:23:58 wheat chat[10807]: abort on (BUSY)
Sep 5 14:23:58 wheat chat[10807]: abort on (NO CARRIER)
Sep 5 14:23:58 wheat chat[10807]: abort on (VOICE)
Sep 5 14:23:58 wheat chat[10807]: abort on (NO DIALTONE)
Sep 5 14:23:58 wheat chat[10807]: abort on (NO DIAL TONE)
Sep 5 14:23:58 wheat chat[10807]: abort on (NO ANSWER)
Sep 5 14:23:58 wheat chat[10807]: send (ATZ^M)
Sep 5 14:23:59 wheat chat[10807]: expect (OK)
Sep 5 14:23:59 wheat chat[10807]: ^M
Sep 5 14:23:59 wheat chat[10807]: OK
Sep 5 14:23:59 wheat chat[10807]: -- got it
Sep 5 14:23:59 wheat chat[10807]: send (ATDT2404278^M)
Sep 5 14:23:59 wheat chat[10807]: expect (CONNECT)
Sep 5 14:23:59 wheat chat[10807]: ^M
Sep 5 14:24:24 wheat chat[10807]: ATDT2404278^M^M
Sep 5 14:24:24 wheat chat[10807]: CONNECT
Sep 5 14:24:24 wheat chat[10807]: -- got it
Sep 5 14:24:24 wheat chat[10807]: send (\d)
Sep 5 14:24:25 wheat pppd[10806]: Serial connection established.
Sep 5 14:24:25 wheat pppd[10806]: using channel 1
Sep 5 14:24:25 wheat pppd[10806]: Using interface ppp0
Sep 5 14:24:25 wheat pppd[10806]: Connect: ppp0 <--> /dev/ttyS0
Sep 5 14:24:26 wheat pppd[10806]: sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0xafd259fa> <pcomp> <accomp>]
Sep 5 14:24:29 wheat pppd[10806]: sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0xafd259fa> <pcomp> <accomp>]
Sep 5 14:24:29 wheat pppd[10806]: rcvd [LCP ConfReq id=0x1 < 00 04 00 00> <mru 1524> <asyncmap 0xa0000> <auth chap MD5> <pcomp> <accomp> <mrru 1524> <endpoint [MAC:00:d0:52:01:3a:9e]> < 1b 04 02 02>]
Se
Sep 4 09:53:33 wheat pppd[12592]: pppd 2.4.2 started by ross, uid 1000
Sep 4 09:53:33 wheat pppd[12592]: Using interface ppp0
Sep 4 09:53:33 wheat pppd[12592]: Connect: ppp0 <--> /dev/tts/0
Sep 4 09:53:37 wheat pppd[12592]: PAP authentication succeeded
Sep 4 09:53:37 wheat pppd[12592]: kernel does not support PPP filtering
Sep 4 09:53:37 wheat pppd[12592]: Cannot determine ethernet address for proxy ARP
Sep 4 09:53:37 wheat pppd[12592]: local IP address 4.243.185.239
Sep 4 09:53:37 wheat pppd[12592]: remote IP address 209.244.43.20
Sep 4 09:53:37 wheat pppd[12592]: primary DNS address 207.69.188.187
Sep 4 09:53:37 wheat pppd[12592]: secondary DNS address 207.69.188.186
Sep 4 12:41:35 wheat pppd[12592]: Terminating on signal 15.
Sep 4 12:41:36 wheat pppd[12592]: Connection terminated.
Sep 4 12:41:36 wheat pppd[12592]: Connect time 168.1 minutes.
Sep 4 12:41:36 wheat pppd[12592]: Sent 314432 bytes, received 1781295 bytes.
Sep 4 12:41:36 wheat pppd[12592]: Exit.

Sep 5 14:24:30 wheat pppd[10806]: Script /etc/ppp/ip-up started (pid 10908)
Sep 5 14:24:47 wheat pppd[10806]: Script /etc/ppp/ip-up finished (pid 10908), status = 0x0
Sep 5 14:27:20 wheat pppd[10806]: Terminating on signal 15.
Sep 5 14:27:20 wheat pppd[10806]: Script /etc/ppp/ip-down started (pid 11143)

Sep 5 14:27:20 wheat pppd[10806]: Waiting for 1 child processes...

Sep 5 14:43:05 wheat pppd[11269]: PAP authentication succeeded
#Sep 5 14:43:05 wheat pppd[11269]: kernel does not support PPP filtering

Sep 6 06:15:05 wheat pppd[14210]: Modem hangup

----- End forwarded message -----
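
Added example, not part of the thread or of the logcheck package: a check of the two installed rules quoted in the report against constructed pppd lines, next to generalised rules that stay anchored with ^ and $. The candidate rules, the PIDs and the trailing text on the last sample line are assumptions made for illustration.

```shell
#!/bin/sh
# The two installed rules quoted in the report (fixed to ppp0 / ttyS1).
installed_rules() {
cat <<'EOF'
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pppd\[[0-9]+\]: Connect: ppp0 <--> [.0-9]+$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pppd\[[0-9]+\]: Device ttyS1 is locked by pid [0-9]+$
EOF
}

# Hypothetical generalised rules (assumption, not logcheck's own): any pppN,
# /dev/ttySn or /dev/tts/n, still anchored with ^ and $.
candidate_rules() {
cat <<'EOF'
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pppd\[[0-9]+\]: Connect: ppp[0-9]+ <--> /dev/(ttyS|tts/)[0-9]+$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pppd\[[0-9]+\]: Device ttyS[0-9]+ is locked by pid [0-9]+$
EOF
}

# Constructed sample lines modelled on the report, day-of-month space-padded
# as syslog writes it. PIDs and the last line's trailing text are made up.
sample_lines() {
cat <<'EOF'
Sep  5 14:24:25 wheat pppd[10806]: Connect: ppp0 <--> /dev/ttyS0
Sep  4 09:53:33 wheat pppd[12592]: Connect: ppp0 <--> /dev/tts/0
Sep  5 14:24:25 wheat pppd[10806]: Connect: ppp1 <--> /dev/ttyS1
Sep  5 14:24:20 wheat pppd[10806]: Device ttyS0 is locked by pid 4321
Sep  5 14:24:21 wheat pppd[10806]: Device ttyS1 is locked by pid 4321
Sep  6 06:15:05 wheat pppd[14210]: Modem hangup
Sep  6 06:15:06 wheat pppd[14210]: Connect: ppp0 <--> /dev/ttyS0 trailing text
EOF
}

# Print the sample lines a rule set does not ignore, i.e. what would still be
# reported. $1 is the name of a function that prints one ERE per line.
still_reported() {
    rules=$(mktemp) || return 1
    "$1" > "$rules"
    sample_lines | grep -E -v -f "$rules" || true
    rm -f "$rules"
}

count_reported() { still_reported "$1" | wc -l | tr -d ' '; }

echo "installed rules: $(count_reported installed_rules) of 7 lines still reported"
echo "candidate rules: $(count_reported candidate_rules) of 7 lines still reported:"
still_reported candidate_rules
```

The line with trailing text stays in the report under both rule sets because of the closing `$`, which is why the request for fully anchored regexes matters: an unanchored ignore rule would silently drop it.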
maks attems
2004-Oct-03 11:52 UTC
Bug#270019: [Logcheck-devel] Bug#270019: serial/lp rules for logcheck
On Sat, 02 Oct 2004, Ross Boylan wrote:
> Sep 4 18:08:14 wheat kernel: CSLIP: code copyright 1989 Regents of the University of California
> Sep 4 18:08:14 wheat kernel: PPP generic driver version 2.4.2
> Sep 4 18:08:18 wheat kernel: PPP BSD Compression module registered
> Sep 4 18:08:20 wheat kernel: PPP Deflate Compression module registered
> Sep 4 18:15:43 wheat kernel: parport0: PC-style at 0x378 [PCSPP]
> Sep 4 18:15:43 wheat kernel: lp0: using parport0 (polling).
> Sep 4 18:15:52 wheat kernel: lp0 off-line
> Sep 4 19:08:58 wheat kernel: parport0: PC-style at 0x378 [PCSPP]
> Sep 4 19:08:58 wheat kernel: parport0: Printer, Lexmark International Lexmark Optra E310
> Sep 5 14:23:58 wheat chat[10807]: abort on (BUSY)
> Sep 5 14:23:58 wheat chat[10807]: abort on (NO CARRIER)
> Sep 5 14:23:58 wheat chat[10807]: abort on (VOICE)
> Sep 5 14:23:58 wheat chat[10807]: abort on (NO DIALTONE)
> Sep 5 14:23:58 wheat chat[10807]: abort on (NO DIAL TONE)
> Sep 5 14:23:58 wheat chat[10807]: abort on (NO ANSWER)
> Sep 5 14:23:58 wheat chat[10807]: send (ATZ^M)
> Sep 5 14:23:59 wheat chat[10807]: expect (OK)
> Sep 5 14:23:59 wheat chat[10807]: ^M
> Sep 5 14:23:59 wheat chat[10807]: OK
> Sep 5 14:23:59 wheat chat[10807]: -- got it
> Sep 5 14:23:59 wheat chat[10807]: send (ATDT2404278^M)
> Sep 5 14:23:59 wheat chat[10807]: expect (CONNECT)
> Sep 5 14:23:59 wheat chat[10807]: ^M
> Sep 5 14:24:24 wheat chat[10807]: ATDT2404278^M^M
> Sep 5 14:24:24 wheat chat[10807]: CONNECT
> Sep 5 14:24:24 wheat chat[10807]: -- got it
> Sep 5 14:24:24 wheat chat[10807]: send (\d)
> Sep 5 14:24:25 wheat pppd[10806]: Serial connection established.
> Sep 5 14:24:25 wheat pppd[10806]: using channel 1
> Sep 5 14:24:25 wheat pppd[10806]: Using interface ppp0
> Sep 5 14:24:25 wheat pppd[10806]: Connect: ppp0 <--> /dev/ttyS0
> Sep 5 14:24:26 wheat pppd[10806]: sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0xafd259fa> <pcomp> <accomp>]
> Sep 5 14:24:29 wheat pppd[10806]: sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0xafd259fa> <pcomp> <accomp>]
> Sep 5 14:24:29 wheat pppd[10806]: rcvd [LCP ConfReq id=0x1 < 00 04 00 00> <mru 1524> <asyncmap 0xa0000> <auth chap MD5> <pcomp> <accomp> <mrru 1524> <endpoint [MAC:00:d0:52:01:3a:9e]> < 1b 04 02 02>]
> Se
> Sep 4 09:53:33 wheat pppd[12592]: pppd 2.4.2 started by ross, uid 1000
> Sep 4 09:53:33 wheat pppd[12592]: Using interface ppp0
> Sep 4 09:53:33 wheat pppd[12592]: Connect: ppp0 <--> /dev/tts/0
> Sep 4 09:53:37 wheat pppd[12592]: PAP authentication succeeded
> Sep 4 09:53:37 wheat pppd[12592]: kernel does not support PPP filtering
> Sep 4 09:53:37 wheat pppd[12592]: Cannot determine ethernet address for proxy ARP
> Sep 4 09:53:37 wheat pppd[12592]: local IP address 4.243.185.239
> Sep 4 09:53:37 wheat pppd[12592]: remote IP address 209.244.43.20
> Sep 4 09:53:37 wheat pppd[12592]: primary DNS address 207.69.188.187
> Sep 4 09:53:37 wheat pppd[12592]: secondary DNS address 207.69.188.186
> Sep 4 12:41:35 wheat pppd[12592]: Terminating on signal 15.
> Sep 4 12:41:36 wheat pppd[12592]: Connection terminated.
> Sep 4 12:41:36 wheat pppd[12592]: Connect time 168.1 minutes.
> Sep 4 12:41:36 wheat pppd[12592]: Sent 314432 bytes, received 1781295 bytes.
> Sep 4 12:41:36 wheat pppd[12592]: Exit.
>
> Sep 5 14:24:30 wheat pppd[10806]: Script /etc/ppp/ip-up started (pid 10908)
> Sep 5 14:24:47 wheat pppd[10806]: Script /etc/ppp/ip-up finished (pid 10908), status = 0x0
> Sep 5 14:27:20 wheat pppd[10806]: Terminating on signal 15.
> Sep 5 14:27:20 wheat pppd[10806]: Script /etc/ppp/ip-down started (pid 11143)
>
> Sep 5 14:27:20 wheat pppd[10806]: Waiting for 1 child processes...
>
> Sep 5 14:43:05 wheat pppd[11269]: PAP authentication succeeded
> #Sep 5 14:43:05 wheat pppd[11269]: kernel does not support PPP filtering
>
> Sep 6 06:15:05 wheat pppd[14210]: Modem hangup

these are mostly debug reports! your bug reports are getting more and more annoying. they are far from being reliable.

--
maks