Package: logcheck
Version: 1.2.39

Hello

i change the rules but logcheck seems to ignore them

One example:

REPORTLEVEL="server"

logcheck sends mails containing:

Security Events
=-=-=-=-=-=-=-
Jul 10 09:11:53 machine ipop3ds[10304]: AUTHENTICATE CRAM-MD5 failure host=p548D1585.dip0.t-ipconnect.de [84.141.21.133]
Jul 9 14:09:56 machine ipop3ds[4934]: AUTHENTICATE CRAM-MD5 failure host=p548D1585.dip0.t-ipconnect.de [84.141.21.133]

i don't want to see those messages (currently)

So i added a new rule to ipopd-ssl

[20:22:44]machine:/etc/logcheck/ignore.d.server# grep AUTH *
ipopd-ssl:ipop3ds\[.*\]: AUTHENTICATE CRAM-MD5 failure host=p.*.dip0.t-ipconnect.de \[84\.141\..*\]
logcheck.dpkg-old:authsrv.*AUTHENTICATE

(BTW: Wouldn't it be better to add an entire new file?)

If i test the rule file with that:

/etc/logcheck/ignore.d.server# egrep -f ipopd-ssl /var/log/syslog

i get exactly the lines i don't want to see in logcheck output,
so i assume that rule is OK.

As there is the "magical" word "failure" i have to add that rule to
violations.ignore too, or?

[20:23:22]machine:/etc/logcheck/violations.ignore.d# grep AUTH *
logcheck-ipop3:ipop3ds\[.*\]: AUTHENTICATE CRAM-MD5 failure host=p.*\.dip0\.t-ipconnect\.de \[84\.141\..*\]

/etc/logcheck/violations.ignore.d# egrep -f logcheck-ipop3 /var/log/syslog
gives
Jul 9 11:31:21 machine ipop3ds[29588]: AUTHENTICATE CRAM-MD5 failure host=p548D1585.dip0.t-ipconnect.de [84.141.21.133]

So i assume the rules are right, or?

But why are they ignored by logcheck?

I meanwhile have the feeling that logcheck is using entirely
other rule files than i edit (box root kitted?)

Is there a way to debug logcheck?
"-d" seems to give only hints to program flow but
seems to be only a "one shot" so i can't debug the rules effectively.

Isn't there somewhere a tool (bayes?) where i can feed the
"unwanted" lines to which in future are ignored by logcheck?
(Like "tiger" does which only reports changes/new lines)

Currently the "optimization" of the rule set took several weeks(!)
as i have to wait hours to verify the most trivial change.

What's the intended way to debug rule sets?

Why can't the "egrep" trick be used to verify the rules?
(What is logcheck adding to the rules to make them fail?)

How can i verify which rules files logcheck really uses?

Where are the used rules (files and their contents) logged?

How can i run "logcheck" repeatedly to debug?
maximilian attems
2005-Jul-11 11:55 UTC
Bug#317642: [Logcheck-devel] Bug#317642: How to debug logcheck?
On Sun, 10 Jul 2005, Rainer Zocholl wrote:

> Hello
>
> i change the rules but logcheck seems to ignore them
>
> One example:
>
> REPORTLEVEL="server"
>
> logcheck sends mails containing:
>
> Security Events
> =-=-=-=-=-=-=-
> Jul 10 09:11:53 machine ipop3ds[10304]: AUTHENTICATE CRAM-MD5 failure host=p548D1585.dip0.t-ipconnect.de [84.141.21.133]
> Jul 9 14:09:56 machine ipop3ds[4934]: AUTHENTICATE CRAM-MD5 failure host=p548D1585.dip0.t-ipconnect.de [84.141.21.133]
>
> i don't want to see those messages (currently)
>
> So i added a new rule to ipopd-ssl
>
> [20:22:44]machine:/etc/logcheck/ignore.d.server# grep AUTH *
> ipopd-ssl:ipop3ds\[.*\]: AUTHENTICATE CRAM-MD5 failure host=p.*.dip0.t-ipconnect.de \[84\.141\..*\]
> logcheck.dpkg-old:authsrv.*AUTHENTICATE
>
> (BTW: Wouldn't it be better to add an entire new file?)

yes add your local-packagename file.

> If i test the rule file with that:
>
> /etc/logcheck/ignore.d.server# egrep -f ipopd-ssl /var/log/syslog
>
> i get exactly the lines i don't want to see in logcheck output,
> so i assume that rule is OK.
>
> As there is the "magical" word "failure" i have to add that rule to
> violations.ignore too, or?
>
> [20:23:22]machine:/etc/logcheck/violations.ignore.d# grep AUTH *
> logcheck-ipop3:ipop3ds\[.*\]: AUTHENTICATE CRAM-MD5 failure host=p.*\.dip0\.t-ipconnect\.de \[84\.141\..*\]
>
> /etc/logcheck/violations.ignore.d# egrep -f logcheck-ipop3 /var/log/syslog
> gives
> Jul 9 11:31:21 machine ipop3ds[29588]: AUTHENTICATE CRAM-MD5 failure
> host=p548D1585.dip0.t-ipconnect.de [84.141.21.133]
>
> So i assume the rules are right, or?

i wouldn't recommend the above rules for upstream inclusion, but they look right.

> But why are they ignored by logcheck?

did you check the permissions of the file you added/changed?

ls -l /etc/logcheck/ignore.d.server/ssh
-rw-r----- 1 root logcheck 1165 2005-04-03 01:00 /etc/logcheck/ignore.d.server/ssh

maybe your umask is too restrictive and the above file can't be read by logcheck?

please post the output of
ls -l /etc/logcheck/violations.ignore.d/logcheck-ipop3

> I meanwhile have the feeling that logcheck is using entirely
> other rule files than i edit (box root kitted?)
> Is there a way to debug logcheck?
> "-d" seems to give only hints to program flow but
> seems to be only a "one shot" so i can't debug the rules effectively.

would be cool to see if the above rule is mentioned in the debug hints. did you check?

> Isn't there somewhere a tool (bayes?) where i can feed the
> "unwanted" lines to which in future are ignored by logcheck?
> (Like "tiger" does which only reports changes/new lines)
> Currently the "optimization" of the rule set took several weeks(!)
> as i have to wait hours to verify the most trivial change.

why? just invoke it from the commandline.

if you have sudo installed
sudo -u logcheck logcheck [options]
for example
sudo -u logcheck logcheck -t -o -d

else if you don't have sudo installed
su -s /bin/bash -c "/usr/sbin/logcheck [options]" logcheck

> What's the intended way to debug rule sets?
>
> Why can't the "egrep" trick be used to verify the rules?
> (What is logcheck adding to the rules to make them fail?)
>
> How can i verify which rules files logcheck really uses?

run debug.

> Where are the used rules (files and their contents) logged?

not atm.

> How can i run "logcheck" repeatedly to debug?

see above. i will add some examples to current manpage.

--
maks
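A way to shorten the edit-wait-verify loop the report complains about, as an added example that is not part of the bug thread or of the logcheck package: a POSIX shell harness that feeds constructed log lines through constructed violations.d, violations.ignore.d and ignore.d.server directories in the order logcheck applies them, prints which rule file matched a given line, and lists rule files that lack the group read bit that root:logcheck mode 0640 gives them (the permission problem maks suggests checking). The directory layout and the sudo invocation are the thread's; the patterns, the log lines and the simplified two-stage ordering are assumptions of this example.

```shell
# Added example (not from the thread or the logcheck package): replay a few
# constructed log lines through logcheck-style rule directories in the order
# logcheck applies them, so a rule edit is checked in seconds, not hours.
#   1. lines matching violations.d/* and not matched by violations.ignore.d/*
#      are reported as "Security Events";
#   2. lines matching no violations pattern and no ignore.d.<REPORTLEVEL>/*
#      rule are reported as "System Events".
# Simplified: cracking.d and the level cascade are left out. POSIX sh only.
set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
RULES="$WORK/etc-logcheck"          # stands in for /etc/logcheck
mkdir -p "$RULES/violations.d" "$RULES/violations.ignore.d" "$RULES/ignore.d.server"

# Constructed rules. 'fail' stands in for the shipped violations pattern that
# puts the CRAM-MD5 lines under "Security Events"; the ignore rule is the
# reporter's, anchored and with dots escaped the way shipped rules are.
printf '%s\n' 'fail' 'denied' > "$RULES/violations.d/logcheck"
printf '%s\n' \
  '^[A-Z][a-z]{2} [ :0-9]{11} [._[:alnum:]-]+ ipop3ds\[[0-9]+\]: AUTHENTICATE CRAM-MD5 failure host=p[[:alnum:]]+\.dip0\.t-ipconnect\.de \[84\.141\.[0-9]+\.[0-9]+\]$' \
  > "$RULES/violations.ignore.d/local-ipopd"
printf '%s\n' \
  '^[A-Z][a-z]{2} [ :0-9]{11} [._[:alnum:]-]+ ipop3ds\[[0-9]+\]: Login user=[._[:alnum:]-]+ host=.*$' \
  > "$RULES/ignore.d.server/local-ipopd"
chmod 0640 "$RULES"/*/*              # the mode Debian ships rule files with

# Constructed sample log (syslog pads single-digit days with a space, which the
# anchored timestamp pattern relies on): the two lines from the report, a
# successful login, a failure from another network the rule must not cover,
# and an unrelated cron line.
cat > "$WORK/syslog" <<'EOF'
Jul 10 09:11:53 machine ipop3ds[10304]: AUTHENTICATE CRAM-MD5 failure host=p548D1585.dip0.t-ipconnect.de [84.141.21.133]
Jul  9 14:09:56 machine ipop3ds[4934]: AUTHENTICATE CRAM-MD5 failure host=p548D1585.dip0.t-ipconnect.de [84.141.21.133]
Jul 10 09:12:10 machine ipop3ds[10305]: Login user=rainer host=p548D1585.dip0.t-ipconnect.de [84.141.21.133]
Jul 10 09:13:02 machine ipop3ds[10306]: AUTHENTICATE CRAM-MD5 failure host=example.invalid [192.0.2.7]
Jul 10 09:14:00 machine cron[10400]: (root) CMD (run-parts /etc/cron.hourly)
EOF
# Concatenate every file of a rule directory into one pattern file and print
# its path; print nothing for an empty directory (grep -f on an empty file is
# not portable, so the callers special-case it).
rulefile() {
    out="$WORK/$(basename "$1").rules"
    : > "$out"
    for f in "$1"/*; do
        if [ -f "$f" ]; then cat "$f" >> "$out"; fi
    done
    if [ -s "$out" ]; then printf '%s\n' "$out"; fi
}
keep_matching() {   # stdin lines that match at least one rule in dir $1
    r=$(rulefile "$1")
    if [ -n "$r" ]; then grep -E -f "$r" || :; else cat >/dev/null; fi
}
drop_matching() {   # stdin lines that match no rule in dir $1
    r=$(rulefile "$1")
    if [ -n "$r" ]; then grep -E -v -f "$r" || :; else cat; fi
}
security_events() {   # $1 = log file
    keep_matching "$RULES/violations.d" < "$1" |
        drop_matching "$RULES/violations.ignore.d"
}
system_events() {     # $1 = log file, $2 = REPORTLEVEL
    drop_matching "$RULES/violations.d" < "$1" |
        drop_matching "$RULES/ignore.d.$2"
}
# Print "rulefile:pattern" for every rule in dir $1 that matches log line $2,
# which answers "which rule file did logcheck really use for this line?".
matching_rule() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        while IFS= read -r pat; do
            [ -n "$pat" ] || continue
            if printf '%s\n' "$2" | grep -E -q -e "$pat"; then
                printf '%s:%s\n' "$(basename "$f")" "$pat"
            fi
        done < "$f"
    done
}
# Rule files the logcheck user cannot read: Debian ships them as root:logcheck
# mode 0640, so anything without the group read bit is suspect.
unreadable_rules() {
    find "$1" -type f ! -perm -040
}

echo "== Security Events (REPORTLEVEL=server) =="; security_events "$WORK/syslog"
echo "== System Events =="; system_events "$WORK/syslog" server
echo "== rules matching line 1 =="; matching_rule "$RULES/violations.ignore.d" "$(head -n 1 "$WORK/syslog")"
echo "== rule files not group-readable =="; unreadable_rules "$RULES"
```

Run it as the logcheck user (`sudo -u logcheck sh harness.sh`) to also exercise the readability check under the right identity; the real run stays `sudo -u logcheck logcheck -t -o -d` as in the reply.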
Debian Bug Tracking System
2005-Aug-22 20:48 UTC
[Logcheck-devel] Bug#317642: marked as done (How to debug logcheck?)
Your message dated Mon, 22 Aug 2005 13:32:39 -0700
with message-id <E1E7IyF-0002y5-00 at spohr.debian.org>
and subject line Bug#317642: fixed in logcheck 1.2.41
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 10 Jul 2005 11:02:26 +0000
From: Rainer Zocholl <UseNet-Posting-Nospam-74308- at zocki.toppoint.de>
To: <submit at bugs.debian.org>
Date: 10 Jul 2005 13:01:00 +0200
Subject: How to debug logcheck?
---------------------------------------
Received: (at 317642-close) by bugs.debian.org; 22 Aug 2005 20:45:57 +0000
From: Todd Troxell <ttroxell at debian.org>
To: 317642-close at bugs.debian.org
Subject: Bug#317642: fixed in logcheck 1.2.41
Date: Mon, 22 Aug 2005 13:32:39 -0700

Source: logcheck
Source-Version: 1.2.41

We believe that the bug you reported is fixed in the latest version of
logcheck, which is due to be installed in the Debian FTP archive:

logcheck-database_1.2.41_all.deb
  to pool/main/l/logcheck/logcheck-database_1.2.41_all.deb
logcheck_1.2.41.dsc
  to pool/main/l/logcheck/logcheck_1.2.41.dsc
logcheck_1.2.41.tar.gz
  to pool/main/l/logcheck/logcheck_1.2.41.tar.gz
logcheck_1.2.41_all.deb
  to pool/main/l/logcheck/logcheck_1.2.41_all.deb
logtail_1.2.41_all.deb
  to pool/main/l/logcheck/logtail_1.2.41_all.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 317642 at bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Todd Troxell <ttroxell at debian.org> (supplier of updated logcheck package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster at debian.org)

Format: 1.7
Date: Mon, 22 Aug 2005 15:27:45 -0500
Source: logcheck
Binary: logcheck logtail logcheck-database
Architecture: source all
Version: 1.2.41
Distribution: unstable
Urgency: low
Maintainer: Debian logcheck Team <logcheck-devel at lists.alioth.debian.org>
Changed-By: Todd Troxell <ttroxell at debian.org>
Description:
 logcheck   - mails anomalies in the system logfiles to the administrator
 logcheck-database - database of system log rules for the use of log checkers
 logtail    - Print log file lines that have not been read
Closes: 311216 312597 312598 312729 313601 313603 314951 315507 316612 317642 317741 317772 318500 318731 320009 321506 322036 322179 322570
Changes:
 logcheck (1.2.41) unstable; urgency=low
 .
   [ Jamie Penman-Smithson ]
   * Fix postfix rule to match "setting up TLS connection" messages again.
   * Fix innd rule for "ME time" messages, add rule for innfeed "ME time"
     messages.
   * Fix rules for gps to match messages with the null sender (<>).
   * Update cyrus/notifyd rule to match destination folders and subfolders too.
   * Update cyrus rules to suppress DBERROR db3: n lockers messages when it's
     only 1-2 lockers, these messages are harmless as long as the number
     doesn't increase.
   * Update postfix lmtp rule to match messages given by amavis when
     discarding UBE and viruses.
   * Fix bug in the squid rule for "found whitespace" messages which caused
     grep to choke due to unescaped { and } characters. (Closes: #311216)
   * Update innd nnrpd rule for latest version of INN.
   * Add a versioned dependency on grep to prevent bugs like #311216 happening
     in the first place.
   * Added Vietnamese translation, thanks to Clytie Siddall. (Closes: #312597)
   * Fix minor typo in logcheck-database.templates. (Closes: #312598)
   * Modify rules for successful ssh login messages to match when ssh/ssh2 is
     not specified at the end. (Closes: #312729)
   * Modified ignore.d.workstation/kernel to ignore nfs warnings about mount
     version. (Closes: #313601)
   * Fix postfix anvil rules to match max message/recipient rate and count
     messages.
   * Add the first rules for dkfilter, which implements domainkeys signing
     and verification for postfix.
   * Add rule for openssh-krb5 and add gssapi-with-mic to the list of auth
     alternatives. (Closes: #318500)
   * Add ovpn-tunnel rule to suppress "VERIFY OK: nsCertType=SERVER" messages.
     Thanks to Martin Lohmeier <martin at mein-horde.de>. (Closes: #320009)
 .
   [ Maximilian Attems ]
   * Suppress error message if hostname not set. (Closes: #314951)
   * Add another sshd rule for PARANOID /etc/hosts.deny setting.
   * Fix postfix rule concerning Service unavailable. (Closes: #315507)
   * Add some initial support for exim4 log messages. Pretty rudimentary
     stuff still, will need further refinements. (Closes: #316612)
   * First rule for amandad. (Closes: #313603)
   * Remention how to invoke logcheck with sudo.
   * Add an examples section to the manpage with my most usual invocation.
   * Fix rules for gconfd loglines.
   * Add rule for mailman admin loglines in violations.ignore.d/logcheck-postfix
     thanks toby cabot <toby at caboteria.org>. (Closes: #317772)
   * Fix hostname match in rbldnsd rule thanks sistemas at dedaloingenieros.com.
     (Closes: #317741)
   * Unify gdm rules, add a rule for X restart.
   * Beautify README.logcheck-database, uses markdown(1) syntax now.
     Added testing rules header to clarify sections. (Closes: #317642, #318731)
   * Small manpage fixes.
   * Add 2 courier rules for ACCEPTED usernames and the started client module.
   * Add pdns rule for duplicate packets from recursor.
   * Fix cvs rule for exit code != 0. thanks Martin Lohmeier
     <martin at mein-horde.de> (Closes: #321506)
   * Fix hostname match in cups-lpd rules thanks Gilbert Laycock
     <gtl1 at mcs.le.ac.uk> (Closes: #322179)
   * Add horde3 rules for users login/logout thanks Martin Lohmeier
     <martin at mein-horde.de> (Closes: #322570)
   * Fix logcheck.8 rendering of docbook-to-man. (Closes: #322036)
 .
   [Todd Troxell]
   * Tweak descriptions to satisfy lintian.
Files:
 1885143b4845e7da6dc748ef4f2ec7fb 736 admin optional logcheck_1.2.41.dsc
 1a946e45f82a0dc98838c896510dfca9 101085 admin optional logcheck_1.2.41.tar.gz
 4ec4e8c0a9227a8c06a716675f8a0d3f 47870 admin optional logcheck_1.2.41_all.deb
 3bf53f05bfb119af9e2c1da3c8130f12 67460 admin optional logcheck-database_1.2.41_all.deb
 078148d37c693d7dd9511355d70e7d40 29826 admin optional logtail_1.2.41_all.deb
Debian Bug Tracking System
2005-Aug-22 20:48 UTC
[Logcheck-devel] Bug#317642: marked as done (How to debug logcheck?)
Your message dated Mon, 22 Aug 2005 13:32:39 -0700
with message-id <E1E7IyF-0002yD-00 at spohr.debian.org>
and subject line Bug#318731: fixed in logcheck 1.2.41
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 10 Jul 2005 11:02:26 +0000
From: Rainer Zocholl <UseNet-Posting-Nospam-74308- at zocki.toppoint.de>
To: <submit at bugs.debian.org>
Date: 10 Jul 2005 13:01:00 +0200
Subject: How to debug logcheck?