Stephen Gran
2005-Apr-19  14:54 UTC
[Logcheck-devel] Bug#305350: logcheck-database: postfix file could be shortened
Package: logcheck-database
Version: 1.2.37
Severity: wishlist
Tags: patch
Consider:

^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: TLS connection established (to|from) [^[:space:]]+: (TLSv1|SSLv[23]) with cipher [^[:space:]]+ \([/0-9]+ bits\)$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: setting up TLS connection from [._[:alnum:]-]+\[[0-9.]{7,15}\]$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]: TLS connection established (to|from) [^[:space:]]+: (TLSv1|SSLv[23]) with cipher [^[:space:]]+ \([/0-9]+ bits\)$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]: setting up TLS connection to [._[:alnum:]-]+$

Could be:

^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd?\[[0-9]+\]: TLS connection established (to|from) [^[:space:]]+: (TLSv1|SSLv[23]) with cipher [^[:space:]]+ \([/0-9]+ bits\)$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd?\[[0-9]+\]: setting up TLS connection to [._[:alnum:]-]+$

There are also several instances of (smtp|smtpd) that could be shortened
to smtpd? as well.  Sorry to be pedantic - I was just reviewing local
logcheck rules and trying to match against yours when I noticed these
things, so I thought I'd pass it on.  ISTM that it is both more
efficient and more readable.
Thanks,
-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.10-1-686-smp
Locale: LANG=C, LC_CTYPE=en_US.ISO-8859-15 (charmap=ISO-8859-15) (ignored:
LC_ALL set to en_US.ISO-8859-15)
Versions of packages logcheck-database depends on:
ii  debconf [debconf-2.0]         1.4.48     Debian configuration management sy
-- debconf information:
* logcheck-database/rules-directories-note:
  logcheck-database/standard-rename-note:
  logcheck-database/conffile-cleanup: false
-- 
 -----------------------------------------------------------------
|   ,''`.                                            Stephen Gran |
|  : :' :                                        sgran at debian.org |
|  `. `'                        Debian user, admin, and developer |
|    `-                                     http://www.debian.org |
 -----------------------------------------------------------------
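A regression check for a rule rewrite like the one proposed above, as an added example that is not part of the original report or of logcheck: it runs both rule sets over the same log lines and prints every line whose ignore status changes, in either direction. The rules are copied from the report, the log lines are constructed samples, and `grep -E` with GNU's `\w` is assumed.

```shell
# Added example: rules copied from the report, log lines constructed.
orig_rules() { cat <<'EOF'
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: TLS connection established (to|from) [^[:space:]]+: (TLSv1|SSLv[23]) with cipher [^[:space:]]+ \([/0-9]+ bits\)$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: setting up TLS connection from [._[:alnum:]-]+\[[0-9.]{7,15}\]$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]: TLS connection established (to|from) [^[:space:]]+: (TLSv1|SSLv[23]) with cipher [^[:space:]]+ \([/0-9]+ bits\)$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]: setting up TLS connection to [._[:alnum:]-]+$
EOF
}
short_rules() { cat <<'EOF'
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd?\[[0-9]+\]: TLS connection established (to|from) [^[:space:]]+: (TLSv1|SSLv[23]) with cipher [^[:space:]]+ \([/0-9]+ bits\)$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd?\[[0-9]+\]: setting up TLS connection to [._[:alnum:]-]+$
EOF
}
# Constructed sample lines; the last one exists only to probe widening.
sample_lines() { cat <<'EOF'
Apr 19 10:54:15 mail postfix/smtpd[1234]: setting up TLS connection from client.example.org[192.0.2.10]
Apr 19 10:54:16 mail postfix/smtpd[1234]: TLS connection established from client.example.org[192.0.2.10]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Apr 19 10:54:17 mail postfix/smtp[1240]: setting up TLS connection to mx.example.net
Apr 19 10:54:18 mail postfix/smtp[1240]: TLS connection established to mx.example.net: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Apr 19 10:54:19 mail postfix/smtpd[1234]: setting up TLS connection to mx.example.net
EOF
}
# only_in A B: sample lines matched by rule set A but by no rule in set B.
only_in() {
    a=$(mktemp); b=$(mktemp)
    "$1" > "$a"; "$2" > "$b"
    sample_lines | grep -E -f "$a" | grep -E -v -f "$b" || true
    rm -f "$a" "$b"
}
echo "No longer ignored after the rewrite (back in the report):"
only_in orig_rules short_rules
echo "Newly ignored after the rewrite (now suppressed):"
only_in short_rules orig_rules
```

Swapping `sample_lines` for a slice of a real mail log gives the same two lists for a production rule change.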
Jamie L. Penman-Smithson
2005-Apr-19  17:31 UTC
[Logcheck-devel] Bug#305350: logcheck-database: postfix file could be shortened
package logcheck-database
tags 305350 pending
thanks

On Tue, 2005-04-19 at 10:54 -0400, Stephen Gran wrote:
> Consider:
> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: TLS connection established (to|from) [^[:space:]]+: (TLSv1|SSLv[23]) with cipher [^[:space:]]+ \([/0-9]+ bits\)$
<snip>
> Could be:
> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd?\[[0-9]+\]: TLS connection established (to|from) [^[:space:]]+: (TLSv1|SSLv[23]) with cipher [^[:space:]]+ \([/0-9]+ bits\)$
<snip>
> There are also several instances of (smtp|smtpd) that could be shortened
> to smtpd? as well. Sorry to be pedantic - I was just reviewing local
> logcheck rules and trying to match against yours when I noticed these
> things, so I thought I'd pass it on. ISTM that it is both more
> efficient and more readable.

I've modified the rules in CVS, there were some in
violations.ignore.d/logcheck-postfix that I've cleaned up as well.

Thanks for your bug report,

-- 
-jamie <jamie at silverdream.org> | spamtrap: spam at silverdream.org
w: http://www.silverdream.org | p: sms at silverdream.org
pgp key @ http://silverdream.org/~jps/pub.key
21:30:02 up 17 min, 2 users, load average: 2.65, 2.52, 1.58
Debian Bug Tracking System
2005-Apr-19  17:48 UTC
[Logcheck-devel] Processed: Re: Bug#305350: logcheck-database: postfix file could be shortened
Processing commands for control at bugs.debian.org:

> package logcheck-database
Ignoring bugs not assigned to: logcheck-database

> tags 305350 pending
Bug#305350: logcheck-database: postfix file could be shortened
Tags were: patch
Tags added: pending

> thanks
Stopping processing here.

Please contact me if you need assistance.

Debian bug tracking system administrator
(administrator, Debian Bugs database)
Debian Bug Tracking System
2005-May-29  05:03 UTC
[Logcheck-devel] Bug#305350: marked as done (logcheck-database: postfix file could be shortened)
Your message dated Sun, 29 May 2005 00:47:11 -0400
with message-id <E1DcFhf-0001jk-00 at newraff.debian.org>
and subject line Bug#305350: fixed in logcheck 1.2.40
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
From: Todd Troxell <ttroxell at debian.org>
To: 305350-close at bugs.debian.org
Subject: Bug#305350: fixed in logcheck 1.2.40
Date: Sun, 29 May 2005 00:47:11 -0400

Source: logcheck
Source-Version: 1.2.40

We believe that the bug you reported is fixed in the latest version of
logcheck, which is due to be installed in the Debian FTP archive:

logcheck-database_1.2.40_all.deb
  to pool/main/l/logcheck/logcheck-database_1.2.40_all.deb
logcheck_1.2.40.dsc
  to pool/main/l/logcheck/logcheck_1.2.40.dsc
logcheck_1.2.40.tar.gz
  to pool/main/l/logcheck/logcheck_1.2.40.tar.gz
logcheck_1.2.40_all.deb
  to pool/main/l/logcheck/logcheck_1.2.40_all.deb
logtail_1.2.40_all.deb
  to pool/main/l/logcheck/logtail_1.2.40_all.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 305350 at bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Todd Troxell <ttroxell at debian.org> (supplier of updated logcheck package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster at debian.org)

Format: 1.7
Date: Sunday, 29 May 2005 00:24:00 -0500
Source: logcheck
Binary: logcheck logtail logcheck-database
Architecture: source all
Version: 1.2.40
Distribution: unstable
Urgency: low
Maintainer: Debian logcheck Team <logcheck-devel at lists.alioth.debian.org>
Changed-By: Todd Troxell <ttroxell at debian.org>
Description:
 logcheck   - Mails anomalies in the system logfiles to the administrator
 logcheck-database - A database of system log rules for the use of log checkers
 logtail    - Print log file lines that have not been read
Closes: 125794 191637 303661 305350 306388 306695 307588 307675 307889 308249 308800 309084 310423
Changes:
 logcheck (1.2.40) unstable; urgency=low
 .
   jamie:
   * Improve postfix rules in ignore.d.server/postfix and
     violations.ignore.d/logcheck-postfix. (Closes: #305350)
   * Add postfix rule for "Temporary failure in name resolution" messages.
   * Add rules for policyd, add comma to throttle rule.
   * Add nagios rules for PROCESS_SERVICE_CHECK_RESULT messages.
     (Closes: #306695)
   * Add more ntp rules for "adjusting local clock" messages.
     (Closes: #303661)
   * Add postfix rule for "unknown SPF result" messages when using the
     libspf2 patch.
   * Add rule for bind 9.3 "FORMERR resolving" messages.
   * Add more nagios rules for SERVICE_FLAPPING messages and
     ENABLE_*_NOTIFICATIONS messages.
   * Fix udev rules to match alphanumeric device names and subdirectories
     in front of %k. (Closes: #307588)
   * Add bind rule to suppress NSTATS messages. (Closes: #307675)
   * Add nagios rule for "HOST EVENT HANDLER" messages.
   * Add cyrus rules to match notifyd messages.
   * Add first rule for grinch, an open relay checker for postfix.
   * Set a default for FQDN and only set the value of HOSTNAME once we've
     read logcheck.conf. The FQDN option now works. (Closes: #308249)
   * Minor changes to innd rules. Add rule to match innfeed "Connection
     refused" messages.
   * Add nagios rule for ENABLE_NOTIFICATIONS messages.
   * Add postfix rule to suppress "certificate has expired" messages.
   * Add postfix rule for "misplaced delimiter" hostname warnings.
   * Add nagios rules to match ACKNOWLEDGEMENT, ADD_SVC_COMMENT,
     HOST_DOWNTIME and DISABLE_SVC_NOTIFICATIONS messages.
   * Add the first rules for qpopper and qpopper-drac.
     (Closes: #125794, #191637)
   * Fix innd rules in violations.ignore.d/logcheck-innd for innfeed to
     match "global/final seconds.." messages.
   * Correct innd rule for perl filter rejection messages to match
     hostnames with hyphens and underscores too.
   * Adjust the anvil rule to match "max connection" messages with port
     587 (submission).
   * Add section to README.logcheck-database about submitting rules.
   * Modify rules for dovecot to also match messages from the pop3 daemon.
     (Closes: #310423)
   * Minor changes to innd rules. Add rule for readclose messages.
   * Add postfix rule in violations.ignore.d/logcheck-postfix to suppress
     dNSNames mismatch messages.
   * Add innd rule for innfeed hostChkCxns messages.
   * Fix postfix rule in violations.ignore.d/logcheck-postfix to match
     CommonName mis-match messages when verifying broken certs where the
     CN is empty.
   maks:
   * Add some pppd rules for pppoatm usage.
   * Fix hostname match in cvsd rules.
   * Add some first preliminary iptables rules for iptables REJECT logging
     ignore.d.server/kernel for UDP packets.
   * Add jabberd, ssh, rsync rules from Peter Palfrader <weasel at debian.org>.
     The ssh rule ignores network scanning noise (not the account
     bruteforcing).
   * Added dot to username match in scponly rule.
   * Match more strictly ipv4 address in dhcpd + dhclient rules.
   * Add to ignore.d.server/dhcpd initial udhcpd lines. (Closes: #306388)
   * Minor additions to logcheck(8).
   * Add rule for cron nss_ldap message in ignore.d.server/cron.
   * Generalise kernel message no IPv6 routers present level workstation.
   * Update rsync daemon rule thanks Paul Slootman <paul at debian.org>
     (Closes: #308800)
   * Update postfix peer verification rule match. (Closes: #307889)
   * Beautify logcheck.postinst don't call dpkg --compare-versions
     when no $2.
   * Correct proftpd rules thanks to Tilman Koschnick <til at subnetz.org>
     (Closes: #309084)
   todd:
   * Add Eric Evans as an uploader.