Logcheck devel - Feb 2005 - Rules for pure-ftpd [INFO] messages

Hey all,

In bug #295254 the submitted suggested added one rule for all [INFO]
messages, something like:

^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pure-ftpd:
\([.[:alnum:]-]+@[._[:alnum:]-]+\) \[INFO\].*$

AFAIK using .* means using more resources when logcheck applies it
against every log message, at least that's how I remember it, but my
memory is a bit sketchy..

Rather than adding umpteen rules for every [INFO] message, would it be
better to use one rule with .* ..?

Thanks,

-- 
-jamie <jamie at silverdream.org> | spamtrap: spam at silverdream.org
 w: http://www.silverdream.org | p: sms at silverdream.org
 pgp key @ http://silverdream.org/~jps/pub.key
 21:30:02 up 17 min,  2 users,  load average: 2.65, 2.52, 1.58

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url :
http://lists.alioth.debian.org/pipermail/logcheck-devel/attachments/20050215/10f346af/attachment.pgp

On Tue, 15 Feb 2005, Jamie L. Penman-Smithson wrote:
> Hey all,
> 
> In bug #295254 the submitted suggested added one rule for all [INFO]
> messages, something like:
> 
> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pure-ftpd:
> \([.[:alnum:]-]+@[._[:alnum:]-]+\) \[INFO\].*$
i object.
 
> AFAIK using .* means using more resources when logcheck applies it
> against every log message, at least that's how I remember it, but my
> memory is a bit sketchy..
that's correct. :)
 
> Rather than adding umpteen rules for every [INFO] message, would it be
> better to use one rule with .* ..?
pure-ftpd has quite a security record,
anyway please keep '.*' for remotely passed strings
to the particular daemon.
afair examples of usages are in the postfix rules set.

thanks for working out the [INFO] messages.

--
maks

ps thought that you were subscribed, so didn't cc you.
   hope that's ok?