Logcheck devel - Jul 2005 - Bug#317642: How to debug logcheck?

Package: logcheck   
Version: 1.2.39

Hello

i change the rules but logcheck seems to ignore them

One example:

REPORTLEVEL="server"

logcheck send mails containing:

Security Events
=-=-=-=-=-=-=-Jul 10 09:11:53 machine ipop3ds[10304]: AUTHENTICATE CRAM-MD5
failure host=p548D1585.dip0.t-ipconnect.de [84.141.21.133]
Jul  9 14:09:56 machine ipop3ds[4934]: AUTHENTICATE CRAM-MD5 failure
host=p548D1585.dip0.t-ipconnect.de [84.141.21.133]


i don't want to see those messages (currently)

So i added a new rule to ipopd-ssl

[20:22:44]machine:/etc/logcheck/ignore.d.server# grep AUTH * 
ipopd-ssl:ipop3ds\[.*\]: AUTHENTICATE CRAM-MD5 failure
host=p.*.dip0.t-ipconnect.de \[84\.141\..*\]
logcheck.dpkg-old:authsrv.*AUTHENTICATE

(BTW: Wouldn't it be better to add an entire new file?)


If i test the rule file with that:

/etc/logcheck/ignore.d.server# egrep -f ipopd-ssl /var/log/syslog

i exactly get the lines i don't want to see in logcheck output, 
so i assume that rule is OK.

As there is the "magical" word "failure" i have to add that
rule to
violations.ignore too, or?

[20:23:22]machine:/etc/logcheck/violations.ignore.d# grep AUTH *
logcheck-ipop3:ipop3ds\[.*\]: AUTHENTICATE CRAM-MD5 failure
host=p.*\.dip0\.t-ipconnect\.de \[84\.141\..*\]


/etc/logcheck/violations.ignore.d# egrep -f logcheck-ipop3 /var/log/syslog
gves
Jul  9 11:31:21 machine ipop3ds[29588]: AUTHENTICATE CRAM-MD5 failure 
host=p548D1585.dip0.t-ipconnect.de [84.141.21.133]


So i assume the rules are right, or?

But why are they ignored by logcheck?
I meanwhile have the feeling that logcheck is using entire 
other rule files than i edit (box root kitted?)
Is there a way to debug logcheck?
"-d" seems to give only a hints to program flow but 
seems to be only a "one shot" so i can't debug the rules
effective.

Isn't there somewhere a tool (bayes?) where i can feed the
"unwanted" lines to which in future are ignored by logcheck?
(Like "tiger" does which only reports changes/new lines)
Currently the "optimization" of the rule set took several weeks(!)
as i have to wait hours to veryfy the trivialest change.


What's the intended way to debug rules sets?

Why does the "egrep" trick can't be used to verify the rules?
(What is logcheck adding to the rules to make them fail?)

How can i verify which rules files logcheck really uses?

Where are the used rules (files that contens) logged?

How can i run "logcheck" repetely to debug?

On Sun, 10 Jul 2005, Rainer Zocholl wrote:
> Hello
> 
> i change the rules but logcheck seems to ignore them
> 
> One example:
> 
> REPORTLEVEL="server"
> 
> logcheck send mails containing:
> 
> Security Events
> =-=-=-=-=-=-=-> Jul 10 09:11:53 machine ipop3ds[10304]: AUTHENTICATE
CRAM-MD5 failure host=p548D1585.dip0.t-ipconnect.de [84.141.21.133]
> Jul  9 14:09:56 machine ipop3ds[4934]: AUTHENTICATE CRAM-MD5 failure
host=p548D1585.dip0.t-ipconnect.de [84.141.21.133]
> 
> 
> i don't want to see those messages (currently)
> 
> So i added a new rule to ipopd-ssl
> 
> [20:22:44]machine:/etc/logcheck/ignore.d.server# grep AUTH * 
> ipopd-ssl:ipop3ds\[.*\]: AUTHENTICATE CRAM-MD5 failure
host=p.*.dip0.t-ipconnect.de \[84\.141\..*\]
> logcheck.dpkg-old:authsrv.*AUTHENTICATE
> 
> (BTW: Wouldn't it be better to add an entire new file?)
yes add your local-packagename file.
 
> If i test the rule file with that:
> 
> /etc/logcheck/ignore.d.server# egrep -f ipopd-ssl /var/log/syslog
> 
> i exactly get the lines i don't want to see in logcheck output, 
> so i assume that rule is OK.
> 
> As there is the "magical" word "failure" i have to add
that rule to
> violations.ignore too, or?
> 
> [20:23:22]machine:/etc/logcheck/violations.ignore.d# grep AUTH *
logcheck-ipop3:ipop3ds\[.*\]: AUTHENTICATE CRAM-MD5 failure
host=p.*\.dip0\.t-ipconnect\.de \[84\.141\..*\]
> 
> 
> /etc/logcheck/violations.ignore.d# egrep -f logcheck-ipop3 /var/log/syslog
> gves
> Jul  9 11:31:21 machine ipop3ds[29588]: AUTHENTICATE CRAM-MD5 failure 
> host=p548D1585.dip0.t-ipconnect.de [84.141.21.133]
> 
> 
> So i assume the rules are right, or?
i wouldn't recommend aboves rule for upstream inclusion,
but they look right.
 
> But why are they ignored by logcheck?
did you check the permissions of the file you added/changed.
ls -l /etc/logcheck/ignore.d.server/ssh
-rw-r-----  1 root logcheck 1165 2005-04-03 01:00
/etc/logcheck/ignore.d.server/ssh

maybe your umask is too restrictive and aboves file can't be read
by logcheck? please post the output of 
ls -l /etc/logcheck/violations.ignore.d/logcheck-ipop3
> I meanwhile have the feeling that logcheck is using entire 
> other rule files than i edit (box root kitted?)
> Is there a way to debug logcheck?
> "-d" seems to give only a hints to program flow but 
> seems to be only a "one shot" so i can't debug the rules
effective.
would be cool to see if aboves rule is mentioned in the debug hints.
did you check?
 
> Isn't there somewhere a tool (bayes?) where i can feed the
> "unwanted" lines to which in future are ignored by logcheck?
> (Like "tiger" does which only reports changes/new lines)
> Currently the "optimization" of the rule set took several
weeks(!)
> as i have to wait hours to veryfy the trivialest change.
why? just invoke it from the commandline.
if you have sudo installed
sudo -u logcheck logcheck [options]
for example
sudo -u logcheck logcheck -t -o -d

else if you don't have sudo installed
su -s /bin/bash -c \"/usr/sbin/logcheck [options]\" logcheck
 
 
> What's the intended way to debug rules sets?
> 
> Why does the "egrep" trick can't be used to verify the rules?
> (What is logcheck adding to the rules to make them fail?)
> 
> How can i verify which rules files logcheck really uses?
run debug.
 
> Where are the used rules (files that contens) logged?
not atm.
 
> How can i run "logcheck" repetely to debug?
see aboves.

i will add some examples to current manpage.

--
maks

Your message dated Mon, 22 Aug 2005 13:32:39 -0700
with message-id <E1E7IyF-0002y5-00 at spohr.debian.org>
and subject line Bug#317642: fixed in logcheck 1.2.41
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 10 Jul 2005 11:02:26
+0000
>From UseNet-Posting-Nospam-74308- at zocki.toppoint.de Sun Jul 10 04:02:26
2005
Return-path: <UseNet-Posting-Nospam-74308- at zocki.toppoint.de>
Received: from archer.toppoint.de (mail.toppoint.de) [195.244.243.1] 
	by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
	id 1DrZZp-0000o6-00; Sun, 10 Jul 2005 04:02:26 -0700
Received: (from uucp at localhost)
	by mail.toppoint.de (8.11.7p1+Sun/8.11.7) id j6AB2EG29770
	for submit at bugs.debian.org; Sun, 10 Jul 2005 13:02:14 +0200
(MEST)
>Received: by zocki.toppoint.de (CrossPoint/FreeXP v3.40 RC3 (EMS) @
3108030130 R/C6515);
	10 Jul 2005 13:01:52 +0200
Date: 10 Jul 2005 13:01:00 +0200
From: Rainer Zocholl <UseNet-Posting-Nospam-74308- at zocki.toppoint.de>
To: <submit at bugs.debian.org>
Message-ID: <9$am0-WbgjB at zocki.toppoint.de>
Subject: How to debug logcheck?
X-Mailer: CrossPoint/FreeXP v3.40 RC3 (EMS) @ 3108030130 R/C6515
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Organization: http://www.toppoint.de
X-ZC-Telefon: V+49-431-5606-550Q V+49-431-562136Q
X-XP-Version: CrossPoint/FreeXP v3.40 RC3 (EMS) @ 3108030130 R/C6515
X-RFC-Converter: E-UUZ/II [FreeXP v3.40.1a RC3] @ 200405292345
Received: from zocki.toppoint.de by archer.toppoint.de; Sun, 10 Jul 2005 13:02
MES
Content-Type: text/plain; charset=US-ASCII
Delivered-To: submit at bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-7.3 required=4.0 tests=BAYES_00,HAS_PACKAGE,
	MSGID_FROM_MTA_HEADER autolearn=no 
	version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level: 

Package: logcheck   
Version: 1.2.39

Hello

i change the rules but logcheck seems to ignore them

One example:

REPORTLEVEL="server"

logcheck send mails containing:

Security Events
=-=-=-=-=-=-=-Jul 10 09:11:53 machine ipop3ds[10304]: AUTHENTICATE CRAM-MD5
failure host=p548D1585.dip0.t-ipconnect.de [84.141.21.133]
Jul  9 14:09:56 machine ipop3ds[4934]: AUTHENTICATE CRAM-MD5 failure
host=p548D1585.dip0.t-ipconnect.de [84.141.21.133]


i don't want to see those messages (currently)

So i added a new rule to ipopd-ssl

[20:22:44]machine:/etc/logcheck/ignore.d.server# grep AUTH * 
ipopd-ssl:ipop3ds\[.*\]: AUTHENTICATE CRAM-MD5 failure
host=p.*.dip0.t-ipconnect.de \[84\.141\..*\]
logcheck.dpkg-old:authsrv.*AUTHENTICATE

(BTW: Wouldn't it be better to add an entire new file?)


If i test the rule file with that:

/etc/logcheck/ignore.d.server# egrep -f ipopd-ssl /var/log/syslog

i exactly get the lines i don't want to see in logcheck output, 
so i assume that rule is OK.

As there is the "magical" word "failure" i have to add that
rule to
violations.ignore too, or?

[20:23:22]machine:/etc/logcheck/violations.ignore.d# grep AUTH *
logcheck-ipop3:ipop3ds\[.*\]: AUTHENTICATE CRAM-MD5 failure
host=p.*\.dip0\.t-ipconnect\.de \[84\.141\..*\]


/etc/logcheck/violations.ignore.d# egrep -f logcheck-ipop3 /var/log/syslog
gves
Jul  9 11:31:21 machine ipop3ds[29588]: AUTHENTICATE CRAM-MD5 failure 
host=p548D1585.dip0.t-ipconnect.de [84.141.21.133]


So i assume the rules are right, or?

But why are they ignored by logcheck?
I meanwhile have the feeling that logcheck is using entire 
other rule files than i edit (box root kitted?)
Is there a way to debug logcheck?
"-d" seems to give only a hints to program flow but 
seems to be only a "one shot" so i can't debug the rules
effective.

Isn't there somewhere a tool (bayes?) where i can feed the
"unwanted" lines to which in future are ignored by logcheck?
(Like "tiger" does which only reports changes/new lines)
Currently the "optimization" of the rule set took several weeks(!)
as i have to wait hours to veryfy the trivialest change.


What's the intended way to debug rules sets?

Why does the "egrep" trick can't be used to verify the rules?
(What is logcheck adding to the rules to make them fail?)

How can i verify which rules files logcheck really uses?

Where are the used rules (files that contens) logged?

How can i run "logcheck" repetely to debug?



---------------------------------------
Received: (at 317642-close) by bugs.debian.org; 22 Aug 2005 20:45:57
+0000
>From katie at spohr.debian.org Mon Aug 22 13:45:57 2005
Return-path: <katie at spohr.debian.org>
Received: from katie by spohr.debian.org with local (Exim 3.36 1 (Debian))
	id 1E7IyF-0002y5-00; Mon, 22 Aug 2005 13:32:39 -0700
From: Todd Troxell <ttroxell at debian.org>
To: 317642-close at bugs.debian.org
X-Katie: $Revision: 1.56 $
Subject: Bug#317642: fixed in logcheck 1.2.41
Message-Id: <E1E7IyF-0002y5-00 at spohr.debian.org>
Sender: Archive Administrator <katie at spohr.debian.org>
Date: Mon, 22 Aug 2005 13:32:39 -0700
Delivered-To: 317642-close at bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Level: 
X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER 
	autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-CrossAssassin-Score: 4

Source: logcheck
Source-Version: 1.2.41

We believe that the bug you reported is fixed in the latest version of
logcheck, which is due to be installed in the Debian FTP archive:

logcheck-database_1.2.41_all.deb
  to pool/main/l/logcheck/logcheck-database_1.2.41_all.deb
logcheck_1.2.41.dsc
  to pool/main/l/logcheck/logcheck_1.2.41.dsc
logcheck_1.2.41.tar.gz
  to pool/main/l/logcheck/logcheck_1.2.41.tar.gz
logcheck_1.2.41_all.deb
  to pool/main/l/logcheck/logcheck_1.2.41_all.deb
logtail_1.2.41_all.deb
  to pool/main/l/logcheck/logtail_1.2.41_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 317642 at bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Todd Troxell <ttroxell at debian.org> (supplier of updated logcheck
package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster at debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Mon, 22 Aug 2005 15:27:45 -0500
Source: logcheck
Binary: logcheck logtail logcheck-database
Architecture: source all
Version: 1.2.41
Distribution: unstable
Urgency: low
Maintainer: Debian logcheck Team <logcheck-devel at
lists.alioth.debian.org>
Changed-By: Todd Troxell <ttroxell at debian.org>
Description: 
 logcheck   - mails anomalies in the system logfiles to the administrator
 logcheck-database - database of system log rules for the use of log checkers
 logtail    - Print log file lines that have not been read
Closes: 311216 312597 312598 312729 313601 313603 314951 315507 316612 317642
317741 317772 318500 318731 320009 321506 322036 322179 322570
Changes: 
 logcheck (1.2.41) unstable; urgency=low
 .
   [ Jamie Penman-Smithson ]
   * Fix postfix rule to match "setting up TLS connection" messages
again.
   * Fix innd rule for "ME time" messages, add rule for innfeed
"ME time"
     messages.
   * Fix rules for gps to match messages with the null sender (<>).
   * Update cyrus/notifyd rule to match destination folders and subfolders too.
   * Update cyrus rules to suppress DBERROR db3: n lockers messages when
it's
     only 1-2 lockers, these messages are harmless as long as the number
     doesn't increase.
   * Update postfix lmtp rule to match messages given by amavis when discarding
     UBE and viruses.
   * Fix bug in the squid rule for "found whitespace" messages which
caused
     grep to choke due to unescaped { and } characters. (Closes: #311216)
   * Update innd nnrpd rule for latest version of INN.
   * Add a versioned dependency on grep to prevent bugs like #311216 happening
     in the first place.
   * Added Vietnamese translation, thanks to Clytie Siddall. (Closes: #312597)
   * Fix minor typo in logcheck-database.templates. (Closes: #312598)
   * Modify rules for successful ssh login messages to match when ssh/ssh2 is
     not specified at the end. (Closes: #312729)
   * Modified ignore.d.workstation/kernel to ignore nfs warnings about mount
     version. (Closes: #313601)
   * Fix postfix anvil rules to match max message/recipient rate and count
     messages.
   * Add the first rules for dkfilter, which implements domainkeys signing and
     verification for postfix.
   * Add rule for openssh-krb5 and add gssapi-with-mic to the list of auth
     alternatives. (Closes: #318500)
   * Add ovpn-tunnel rule to suppress "VERIFY OK: nsCertType=SERVER"
messages.
     Thanks to Martin Lohmeier <martin at mein-horde.de>. (Closes:
#320009)
 .
   [ Maximilian Attems ]
   * Suppress error message if hostname not set. (Closes: #314951)
   * Add another sshd rule for PARANOID /etc/hosts.deny setting.
   * Fix postfix rule concerning Service unavailable. (Closes: #315507)
   * Add some initial support for exim4 log messages. Pretty rudimentary
     stuff still, will need further refinements. (Closes: #316612)
   * First rule for amandad. (Closes: #313603)
   * Remention how to invoke logcheck with sudo.
   * Add an examples section to the manpage with my most usual invocation.
   * Fix rules for gconfd loglines.
   * Add rule for mailman admin loglines in violations.ignore.d/logcheck-postfix
     thanks toby cabot <toby at caboteria.org>. (Closes: #317772)
   * Fix hostname match in rbldnsd rule thanks sistemas at dedaloingenieros.com.
     (Closes: #317741)
   * Unifiy gdm rules, add a rule for X restart.
   * Beautify README.logcheck-database, uses markdown(1) syntax now.
     Added testing rules header to carify sections. (Closes: #317642, #318731)
   * Small manpage fixes.
   * Add 2 courier rules for ACCEPTED usernames and the started client module.
   * Add pdns rule for duplicate packets from recursor.
   * Fix cvs rule for exit code != 0. thanks Martin Lohmeier
     <martin at mein-horde.de> (Closes: #321506)
   * Fix hostname match in cups-lpd rules thanks Gilbert Laycock
     <gtl1 at mcs.le.ac.uk> (Closes: #322179)
   * Add horde3 rules for users login/logout thanks Martin Lohmeier
     <martin at mein-horde.de> (Closes: #322570)
   * Fix logcheck.8 rendering of docbook-to-man. (Closes: #322036)
 .
   [Todd Troxell]
   * Tweak descriptions to satisfy litian.
Files: 
 1885143b4845e7da6dc748ef4f2ec7fb 736 admin optional logcheck_1.2.41.dsc
 1a946e45f82a0dc98838c896510dfca9 101085 admin optional logcheck_1.2.41.tar.gz
 4ec4e8c0a9227a8c06a716675f8a0d3f 47870 admin optional logcheck_1.2.41_all.deb
 3bf53f05bfb119af9e2c1da3c8130f12 67460 admin optional
logcheck-database_1.2.41_all.deb
 078148d37c693d7dd9511355d70e7d40 29826 admin optional logtail_1.2.41_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)

iD8DBQFDCijR4u3oQ3FHP2YRAjnTAJwL7ztRs3iUx4sltg+pROJaxdf/QgCgtall
nSanCABtCnyTfEYFeoyVZQ4=M6Pk
-----END PGP SIGNATURE-----

Your message dated Mon, 22 Aug 2005 13:32:39 -0700
with message-id <E1E7IyF-0002yD-00 at spohr.debian.org>
and subject line Bug#318731: fixed in logcheck 1.2.41
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 10 Jul 2005 11:02:26
+0000
>From UseNet-Posting-Nospam-74308- at zocki.toppoint.de Sun Jul 10 04:02:26
2005
Return-path: <UseNet-Posting-Nospam-74308- at zocki.toppoint.de>
Received: from archer.toppoint.de (mail.toppoint.de) [195.244.243.1] 
	by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
	id 1DrZZp-0000o6-00; Sun, 10 Jul 2005 04:02:26 -0700
Received: (from uucp at localhost)
	by mail.toppoint.de (8.11.7p1+Sun/8.11.7) id j6AB2EG29770
	for submit at bugs.debian.org; Sun, 10 Jul 2005 13:02:14 +0200
(MEST)
>Received: by zocki.toppoint.de (CrossPoint/FreeXP v3.40 RC3 (EMS) @
3108030130 R/C6515);
	10 Jul 2005 13:01:52 +0200
Date: 10 Jul 2005 13:01:00 +0200
From: Rainer Zocholl <UseNet-Posting-Nospam-74308- at zocki.toppoint.de>
To: <submit at bugs.debian.org>
Message-ID: <9$am0-WbgjB at zocki.toppoint.de>
Subject: How to debug logcheck?
X-Mailer: CrossPoint/FreeXP v3.40 RC3 (EMS) @ 3108030130 R/C6515
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Organization: http://www.toppoint.de
X-ZC-Telefon: V+49-431-5606-550Q V+49-431-562136Q
X-XP-Version: CrossPoint/FreeXP v3.40 RC3 (EMS) @ 3108030130 R/C6515
X-RFC-Converter: E-UUZ/II [FreeXP v3.40.1a RC3] @ 200405292345
Received: from zocki.toppoint.de by archer.toppoint.de; Sun, 10 Jul 2005 13:02
MES
Content-Type: text/plain; charset=US-ASCII
Delivered-To: submit at bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-7.3 required=4.0 tests=BAYES_00,HAS_PACKAGE,
	MSGID_FROM_MTA_HEADER autolearn=no 
	version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level: 

Package: logcheck   
Version: 1.2.39

Hello

i change the rules but logcheck seems to ignore them

One example:

REPORTLEVEL="server"

logcheck send mails containing:

Security Events
=-=-=-=-=-=-=-Jul 10 09:11:53 machine ipop3ds[10304]: AUTHENTICATE CRAM-MD5
failure host=p548D1585.dip0.t-ipconnect.de [84.141.21.133]
Jul  9 14:09:56 machine ipop3ds[4934]: AUTHENTICATE CRAM-MD5 failure
host=p548D1585.dip0.t-ipconnect.de [84.141.21.133]


i don't want to see those messages (currently)

So i added a new rule to ipopd-ssl

[20:22:44]machine:/etc/logcheck/ignore.d.server# grep AUTH * 
ipopd-ssl:ipop3ds\[.*\]: AUTHENTICATE CRAM-MD5 failure
host=p.*.dip0.t-ipconnect.de \[84\.141\..*\]
logcheck.dpkg-old:authsrv.*AUTHENTICATE

(BTW: Wouldn't it be better to add an entire new file?)


If i test the rule file with that:

/etc/logcheck/ignore.d.server# egrep -f ipopd-ssl /var/log/syslog

i exactly get the lines i don't want to see in logcheck output, 
so i assume that rule is OK.

As there is the "magical" word "failure" i have to add that
rule to
violations.ignore too, or?

[20:23:22]machine:/etc/logcheck/violations.ignore.d# grep AUTH *
logcheck-ipop3:ipop3ds\[.*\]: AUTHENTICATE CRAM-MD5 failure
host=p.*\.dip0\.t-ipconnect\.de \[84\.141\..*\]


/etc/logcheck/violations.ignore.d# egrep -f logcheck-ipop3 /var/log/syslog
gves
Jul  9 11:31:21 machine ipop3ds[29588]: AUTHENTICATE CRAM-MD5 failure 
host=p548D1585.dip0.t-ipconnect.de [84.141.21.133]


So i assume the rules are right, or?

But why are they ignored by logcheck?
I meanwhile have the feeling that logcheck is using entire 
other rule files than i edit (box root kitted?)
Is there a way to debug logcheck?
"-d" seems to give only a hints to program flow but 
seems to be only a "one shot" so i can't debug the rules
effective.

Isn't there somewhere a tool (bayes?) where i can feed the
"unwanted" lines to which in future are ignored by logcheck?
(Like "tiger" does which only reports changes/new lines)
Currently the "optimization" of the rule set took several weeks(!)
as i have to wait hours to veryfy the trivialest change.


What's the intended way to debug rules sets?

Why does the "egrep" trick can't be used to verify the rules?
(What is logcheck adding to the rules to make them fail?)

How can i verify which rules files logcheck really uses?

Where are the used rules (files that contens) logged?

How can i run "logcheck" repetely to debug?



---------------------------------------
Received: (at 318731-close) by bugs.debian.org; 22 Aug 2005 20:45:56
+0000
>From katie at spohr.debian.org Mon Aug 22 13:45:55 2005
Return-path: <katie at spohr.debian.org>
Received: from katie by spohr.debian.org with local (Exim 3.36 1 (Debian))
	id 1E7IyF-0002yD-00; Mon, 22 Aug 2005 13:32:39 -0700
From: Todd Troxell <ttroxell at debian.org>
To: 318731-close at bugs.debian.org
X-Katie: $Revision: 1.56 $
Subject: Bug#318731: fixed in logcheck 1.2.41
Message-Id: <E1E7IyF-0002yD-00 at spohr.debian.org>
Sender: Archive Administrator <katie at spohr.debian.org>
Date: Mon, 22 Aug 2005 13:32:39 -0700
Delivered-To: 318731-close at bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Level: 
X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER 
	autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-CrossAssassin-Score: 6

Source: logcheck
Source-Version: 1.2.41

We believe that the bug you reported is fixed in the latest version of
logcheck, which is due to be installed in the Debian FTP archive:

logcheck-database_1.2.41_all.deb
  to pool/main/l/logcheck/logcheck-database_1.2.41_all.deb
logcheck_1.2.41.dsc
  to pool/main/l/logcheck/logcheck_1.2.41.dsc
logcheck_1.2.41.tar.gz
  to pool/main/l/logcheck/logcheck_1.2.41.tar.gz
logcheck_1.2.41_all.deb
  to pool/main/l/logcheck/logcheck_1.2.41_all.deb
logtail_1.2.41_all.deb
  to pool/main/l/logcheck/logtail_1.2.41_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 318731 at bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Todd Troxell <ttroxell at debian.org> (supplier of updated logcheck
package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster at debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Mon, 22 Aug 2005 15:27:45 -0500
Source: logcheck
Binary: logcheck logtail logcheck-database
Architecture: source all
Version: 1.2.41
Distribution: unstable
Urgency: low
Maintainer: Debian logcheck Team <logcheck-devel at
lists.alioth.debian.org>
Changed-By: Todd Troxell <ttroxell at debian.org>
Description: 
 logcheck   - mails anomalies in the system logfiles to the administrator
 logcheck-database - database of system log rules for the use of log checkers
 logtail    - Print log file lines that have not been read
Closes: 311216 312597 312598 312729 313601 313603 314951 315507 316612 317642
317741 317772 318500 318731 320009 321506 322036 322179 322570
Changes: 
 logcheck (1.2.41) unstable; urgency=low
 .
   [ Jamie Penman-Smithson ]
   * Fix postfix rule to match "setting up TLS connection" messages
again.
   * Fix innd rule for "ME time" messages, add rule for innfeed
"ME time"
     messages.
   * Fix rules for gps to match messages with the null sender (<>).
   * Update cyrus/notifyd rule to match destination folders and subfolders too.
   * Update cyrus rules to suppress DBERROR db3: n lockers messages when
it's
     only 1-2 lockers, these messages are harmless as long as the number
     doesn't increase.
   * Update postfix lmtp rule to match messages given by amavis when discarding
     UBE and viruses.
   * Fix bug in the squid rule for "found whitespace" messages which
caused
     grep to choke due to unescaped { and } characters. (Closes: #311216)
   * Update innd nnrpd rule for latest version of INN.
   * Add a versioned dependency on grep to prevent bugs like #311216 happening
     in the first place.
   * Added Vietnamese translation, thanks to Clytie Siddall. (Closes: #312597)
   * Fix minor typo in logcheck-database.templates. (Closes: #312598)
   * Modify rules for successful ssh login messages to match when ssh/ssh2 is
     not specified at the end. (Closes: #312729)
   * Modified ignore.d.workstation/kernel to ignore nfs warnings about mount
     version. (Closes: #313601)
   * Fix postfix anvil rules to match max message/recipient rate and count
     messages.
   * Add the first rules for dkfilter, which implements domainkeys signing and
     verification for postfix.
   * Add rule for openssh-krb5 and add gssapi-with-mic to the list of auth
     alternatives. (Closes: #318500)
   * Add ovpn-tunnel rule to suppress "VERIFY OK: nsCertType=SERVER"
messages.
     Thanks to Martin Lohmeier <martin at mein-horde.de>. (Closes:
#320009)
 .
   [ Maximilian Attems ]
   * Suppress error message if hostname not set. (Closes: #314951)
   * Add another sshd rule for PARANOID /etc/hosts.deny setting.
   * Fix postfix rule concerning Service unavailable. (Closes: #315507)
   * Add some initial support for exim4 log messages. Pretty rudimentary
     stuff still, will need further refinements. (Closes: #316612)
   * First rule for amandad. (Closes: #313603)
   * Remention how to invoke logcheck with sudo.
   * Add an examples section to the manpage with my most usual invocation.
   * Fix rules for gconfd loglines.
   * Add rule for mailman admin loglines in violations.ignore.d/logcheck-postfix
     thanks toby cabot <toby at caboteria.org>. (Closes: #317772)
   * Fix hostname match in rbldnsd rule thanks sistemas at dedaloingenieros.com.
     (Closes: #317741)
   * Unifiy gdm rules, add a rule for X restart.
   * Beautify README.logcheck-database, uses markdown(1) syntax now.
     Added testing rules header to carify sections. (Closes: #317642, #318731)
   * Small manpage fixes.
   * Add 2 courier rules for ACCEPTED usernames and the started client module.
   * Add pdns rule for duplicate packets from recursor.
   * Fix cvs rule for exit code != 0. thanks Martin Lohmeier
     <martin at mein-horde.de> (Closes: #321506)
   * Fix hostname match in cups-lpd rules thanks Gilbert Laycock
     <gtl1 at mcs.le.ac.uk> (Closes: #322179)
   * Add horde3 rules for users login/logout thanks Martin Lohmeier
     <martin at mein-horde.de> (Closes: #322570)
   * Fix logcheck.8 rendering of docbook-to-man. (Closes: #322036)
 .
   [Todd Troxell]
   * Tweak descriptions to satisfy litian.
Files: 
 1885143b4845e7da6dc748ef4f2ec7fb 736 admin optional logcheck_1.2.41.dsc
 1a946e45f82a0dc98838c896510dfca9 101085 admin optional logcheck_1.2.41.tar.gz
 4ec4e8c0a9227a8c06a716675f8a0d3f 47870 admin optional logcheck_1.2.41_all.deb
 3bf53f05bfb119af9e2c1da3c8130f12 67460 admin optional
logcheck-database_1.2.41_all.deb
 078148d37c693d7dd9511355d70e7d40 29826 admin optional logtail_1.2.41_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)

iD8DBQFDCijR4u3oQ3FHP2YRAjnTAJwL7ztRs3iUx4sltg+pROJaxdf/QgCgtall
nSanCABtCnyTfEYFeoyVZQ4=M6Pk
-----END PGP SIGNATURE-----