Brendon Baumgartner
2004-Oct-26 08:28 UTC
[Logcheck-devel] Bug#278337: logcheck: perdition adds extra spaces on SOME syslog messages
Package: logcheck
Version: 1.2.29
Severity: minor
Tags: patch

Whew. First, thanks for all the work on this guys. Tracking these rules is a real stinker. maximilian attems and the rest of the team has done a great job.

Here are tested rules for perdition. (different from what's in CVS). Notice the messed up spacing at the end. Maybe a bug should be filed with perdition as well? I don't know of any program that does this. It's not even consistent!!

maximilian suggested I use the latest perdition rules. I did, and lo and behold, it wasn't working. I then looked closer. I checked /var/log/syslog, and yes, those spaces do exist, and yes, there are TWO spaces on the Connect message, not one. I'm using perdition 1.15-2 btw.

^\w{3} [ :0-9]{11} [._[:alnum:]-]+ perdition\[[0-9]+\]: Connect: [0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}->[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3} $
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ perdition\[[0-9]+\]: Auth: [0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}->[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3} user=\"[[:alnum:]+[:punct:]+]+\" server=\"[[:alnum:]+[:punct:]]+\" port=\"[0-9]+\" status=\"ok\" $
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ perdition\[[0-9]+\]: Close: [0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}->[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3} user=\"[[:alnum:]+[:punct:]+]+\" received=[0-9]+ sent=[0-9]+ $

-- System Information:
Debian Release: testing/unstable
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.4.22
Locale: LANG=C, LC_CTYPE=C

Versions of packages logcheck depends on:
ii  adduser          3.51                     Add and remove users and groups
ii  cron             3.0pl1-86                management of regular background p
ii  debconf [debconf 1.3.20                   Debian configuration management sy
ii  debianutils      2.6.1                    Miscellaneous utilities specific t
ii  lockfile-progs   0.1.10                   Programs for locking and unlocking
ii  logcheck-databas 1.2.29                   A database of system log rules for
ii  logtail          1.2.29                   Print log file lines that have not
ii  mailx            1:8.1.2-0.20031014cvs-1  A simple mail user agent
ii  perl             5.8.3-3                  Larry Wall's Practical Extraction
ii  postfix [mail-tr 2.1.4-5                  A high-performance mail transport
ii  sysklogd [system 1.4.1-10                 System Logging Daemon

-- debconf information:
  logcheck/changes:
* logcheck/install-note:
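The effect described in the report, as an added example that is not part of the original thread: an ignore rule anchored at end of line matches only the exact amount of trailing whitespace it spells out. The sample syslog lines, addresses and host name are constructed, RULE_ANY is a hypothetical tolerant variant, and [[:alpha:]]{3} stands in for the \w{3} of the posted rules for portability.

```shell
#!/bin/sh
# Constructed sample data: one perdition Connect line emitted with
# zero, one and two trailing spaces. printf preserves the trailing
# whitespace that an editor or mail client might silently strip.
IP='192.0.2.10->192.0.2.20'
PFX='Oct 26 01:20:01 mail perdition[4242]: Connect: '

sample_lines() {
    printf '%s%s\n'   "$PFX" "$IP"   # no trailing space
    printf '%s%s \n'  "$PFX" "$IP"   # one trailing space
    printf '%s%s  \n' "$PFX" "$IP"   # two trailing spaces
}

# Building blocks of the Connect rule posted above.
Q='[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'
HEAD='^[[:alpha:]]{3} [ :0-9]{11} [._[:alnum:]-]+ perdition\[[0-9]+\]: Connect: '

RULE_EXACT="${HEAD}${Q}->${Q}\$"    # no whitespace allowed before end of line
RULE_ONE="${HEAD}${Q}->${Q} \$"     # exactly one space, as in the posted rule
RULE_ANY="${HEAD}${Q}->${Q} *\$"    # hypothetical: any number of spaces

# Number of sample lines the rule fails to ignore, i.e. lines that
# would still land in the report. grep -c exits 1 when the count is 0,
# so the status is masked to keep the function usable under set -e.
reported() {
    sample_lines | grep -E -v -c -- "$1" || true
}

echo "exact rule:     $(reported "$RULE_EXACT") of 3 lines reported"
echo "one-space rule: $(reported "$RULE_ONE") of 3 lines reported"
echo "tolerant rule:  $(reported "$RULE_ANY") of 3 lines reported"
```

Piping candidate rules through grep -E -v over captured log lines in this way shows which lines a rule set would still report before it is deployed.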
brendon at brendon.com
2004-Oct-26 08:54 UTC
[Logcheck-devel] Bug#278337: Acknowledgement (logcheck: perdition adds extra spaces on SOME syslog messages)
I noticed snmpd was also reporting messages it shouldn't have. So logcheck WAS removing trailing spaces from syslog lines. One line was changed from 1.28 to 1.29 and that seems to be the problem. 632c632 < $SORT -m $TMPDIR/logoutput/* | uniq | sed -e 's/ *$//' | cat \ ---> $SORT $TMPDIR/logoutput/* | sed -e 's/[[:space:]]+$//' | cat \So, ignore my previous post. Don't change the logcheck rule. Patch logcheck. Here is a solution that works. 632c632 < $SORT $TMPDIR/logoutput/* | sed -e 's/[[:space:]]+$//' | cat \ ---> $SORT $TMPDIR/logoutput/* | sed -e 's/[[:space:]]*$//' | cat \-brendon
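Review bot: in the first 632c632 hunk, the 1.29 side uses sed -e 's/[[:space:]]+$//' without extended-regex mode, so the + is a literal plus sign and the expression only matches a whitespace character followed by "+" at end of line; trailing spaces are never stripped, which is the regression described here. The same hunk also drops -m from $SORT and removes the "| uniq" stage, which has nothing to do with whitespace handling and should be justified or split into its own change.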
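Review bot: in the second 632c632 hunk, s/[[:space:]]*$// also matches the empty string at the end of every line, so the substitution fires on lines that have nothing to strip; the output is correct, but s/[[:space:]][[:space:]]*$// states the intent and stays within basic regular expression syntax. A comment on this line saying that the ignore rules assume trailing whitespace has already been removed would help keep a later edit from reintroducing the problem.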
Debian Bug Tracking System
2004-Nov-02 06:03 UTC
[Logcheck-devel] Bug#278337: marked as done (logcheck: perdition adds extra spaces on SOME syslog messages)
Your message dated Tue, 02 Nov 2004 00:47:04 -0500 with message-id <E1COrVY-0000B3-00 at newraff.debian.org> and subject line Bug#278337: fixed in logcheck 1.2.30 has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am talking about this indicates a serious mail system misconfiguration somewhere. Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

---------------------------------------

From: Todd Troxell <ttroxell at debian.org>
To: 278337-close at bugs.debian.org
Subject: Bug#278337: fixed in logcheck 1.2.30
Date: Tue, 02 Nov 2004 00:47:04 -0500

Source: logcheck
Source-Version: 1.2.30

We believe that the bug you reported is fixed in the latest version of logcheck, which is due to be installed in the Debian FTP archive:

logcheck-database_1.2.30_all.deb
  to pool/main/l/logcheck/logcheck-database_1.2.30_all.deb
logcheck_1.2.30.dsc
  to pool/main/l/logcheck/logcheck_1.2.30.dsc
logcheck_1.2.30.tar.gz
  to pool/main/l/logcheck/logcheck_1.2.30.tar.gz
logcheck_1.2.30_all.deb
  to pool/main/l/logcheck/logcheck_1.2.30_all.deb
logtail_1.2.30_all.deb
  to pool/main/l/logcheck/logtail_1.2.30_all.deb

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 278337 at bugs.debian.org, and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Todd Troxell <ttroxell at debian.org> (supplier of updated logcheck package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmaster at debian.org)

Format: 1.7
Date: Tuesday, 02 Nov 2004 00:21:41 -0500
Source: logcheck
Binary: logcheck logtail logcheck-database
Architecture: source all
Version: 1.2.30
Distribution: unstable
Urgency: low
Maintainer: Debian logcheck Team <logcheck-devel at lists.alioth.debian.org>
Changed-By: Todd Troxell <ttroxell at debian.org>
Description:
 logcheck   - Mails anomalies in the system logfiles to the administrator
 logcheck-database - A database of system log rules for the use of log checkers
 logtail    - Print log file lines that have not been read
Closes: 277635 277636 277782 278337
Changes:
 logcheck (1.2.30) unstable; urgency=low
 .
   maks:
   * Move pptpd rules to level server.
   * Small typo fixes in docs.
   * New rules for bind, courier, cpqarrayd, dhcp, jabberd, nagios, ntp,
     openvpn, postfix, slapd, smartd, smokeping, squid, ssh, thy, uptimed.
     all for level server thanks to Peter Palfrader <weasel at debian.org>.
   * Logcheck/rules: Don't take locale for granted use character class instead.
   * Fix 2 samba rules at level server. (closes: #277635)
   * Added rules for perdition, postfix, pure-ftpd, snmpd.
     thanks to Brendon Baumgartner <brendon at brendon.com>
   * Small enhancement courier rule.
   * Simplify logic in logcheck-postinst.
   jamie:
   * Add rules for dnsmasq. (closes: #277636)
   * Add rules for hylafax.
   * Add violations.ignore.d rules for hylafax.
   alfie:
   * Fix sed error to really remove trailing spaces. (closes: #278337)
   * Add myself to uploaders field because of stable releases.
   todd:
   * Remove chown from debian/rules. (closes: #277782)