toby cabot
2005-Aug-31 03:28 UTC
[Logcheck-devel] Bug#325800: logcheck: filters miss nfs mount/unmount messages
Package: logcheck
Version: 1.2.41
Severity: wishlist

Hi, thanks for maintaining logcheck, it works very well. At some
point it appears as if the log messages for nfs mounts and unmounts
changed out from under you. There's a rule in
/etc/logcheck/ignore.d.server/nfs to filter out messages like this:

Aug 22 21:00:49 phoenix mountd[29423]: authenticated mount request from warthog.caboteria.org:601 for /home (/home)

but it expects the message to be slightly different: "rpc.mountd:"
instead of "mountd[29423]". I believe that adding the following line
to the file will catch those messages:

^\w{3} [ :0-9]{11} [._[:alnum:]-]+ mountd\[[0-9]+\]: authenticated (un|)mount request from [._[:alnum:]-]+:[0-9]+ for (/[[:alnum:]]*)+ \((/[[:alnum:]]*)+\)$

Thanks,
Toby

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.10-1-686-smp
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages logcheck depends on:
ii  adduser           3.67                     Add and remove users and groups
ii  cron              3.0pl1-91                management of regular background p
ii  debconf [debconf  1.4.58                   Debian configuration management sy
ii  debianutils       2.14.2                   Miscellaneous utilities specific t
ii  grep              2.5.1.ds1-5              GNU grep, egrep and fgrep
ii  lockfile-progs    0.1.10                   Programs for locking and unlocking
ii  logcheck-databas  1.2.41                   database of system log rules for t
ii  logtail           1.2.41                   Print log file lines that have not
ii  mailx             1:8.1.2-0.20050715cvs-1  A simple mail user agent
ii  postfix [mail-tr  2.2.4-1                  A high-performance mail transport
ii  sysklogd [system  1.4.1-17                 System Logging Daemon

logcheck recommends no packages.

-- debconf information:
* logcheck/noroot:
  logcheck/changes:
* logcheck/install-note:
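Added example, not part of the original report or of logcheck itself: a quick way to check which lines the proposed rule would suppress, using grep -E as a stand-in for logcheck's matching. Only the first sample line comes from the report; the other lines and the names classify, RULE and the sample variables are constructed for illustration.

```shell
#!/bin/sh
# Added example: exercise the ignore rule proposed in the report with grep -E.
RULE='^\w{3} [ :0-9]{11} [._[:alnum:]-]+ mountd\[[0-9]+\]: authenticated (un|)mount request from [._[:alnum:]-]+:[0-9]+ for (/[[:alnum:]]*)+ \((/[[:alnum:]]*)+\)$'

# classify LINE: prints "ignored" if the rule matches (the line would be
# filtered out), "reported" otherwise (the line would still be mailed).
classify() {
    if printf '%s\n' "$1" | grep -Eq -- "$RULE"; then
        echo ignored
    else
        echo reported
    fi
}

# Line quoted in the report.
REPORTED='Aug 22 21:00:49 phoenix mountd[29423]: authenticated mount request from warthog.caboteria.org:601 for /home (/home)'

# Constructed variants (not taken from real logs):
# unmount request with a space-padded single-digit day
UNMOUNT='Aug  2 09:05:01 phoenix mountd[812]: authenticated unmount request from warthog.caboteria.org:601 for /home (/home)'
# the older "rpc.mountd:" tag without a PID, as described in the report
OLD_TAG='Aug 22 21:00:49 phoenix rpc.mountd: authenticated mount request from warthog.caboteria.org:601 for /home (/home)'
# export path containing a hyphen, which [[:alnum:]] does not cover
HYPHEN='Aug 22 21:00:49 phoenix mountd[29423]: authenticated mount request from warthog.caboteria.org:601 for /srv/nfs-data (/srv/nfs-data)'
# anything after the closing parenthesis defeats the $ anchor
TRAILING="$REPORTED extra text"

for name in REPORTED UNMOUNT OLD_TAG HYPHEN TRAILING; do
    eval "line=\$$name"
    printf '%-9s %s\n' "$name" "$(classify "$line")"
done
```

The hyphenated export path is still reported because the path component class is [[:alnum:]] only; for an ignore rule that errs on the side of showing the line rather than hiding it.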
maximilian attems
2005-Sep-01 18:31 UTC
Bug#325800: [Logcheck-devel] Bug#325800: logcheck: filters miss nfs mount/unmount messages
tags 325800 pending
thanks

On Tue, 30 Aug 2005, toby cabot wrote:
> Hi, thanks for maintaining logcheck, it works very well. At some
> point it appears as if the log messages for nfs mounts and unmounts
> changed out from under you. There's a rule in
> /etc/logcheck/ignore.d.server/nfs to filter out messages like this:
>
> Aug 22 21:00:49 phoenix mountd[29423]: authenticated mount request from warthog.caboteria.org:601 for /home (/home)
>
> but it expects the message to be slightly different: "rpc.mountd:"
> instead of "mountd[29423]". I believe that adding the following line
> to the file will catch those messages:
>
> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ mountd\[[0-9]+\]: authenticated (un|)mount request from [._[:alnum:]-]+:[0-9]+ for (/[[:alnum:]]*)+ \((/[[:alnum:]]*)+\)$
>
> Thanks,
> Toby

thanks a lot for the catch and posting example message.
added your rule to current cvs.
will be part of next release.

--
maks
Debian Bug Tracking System
2005-Sep-01 18:33 UTC
Processed: Re: [Logcheck-devel] Bug#325800: logcheck: filters miss nfs mount/unmount messages
Processing commands for control at bugs.debian.org:

> tags 325800 pending
Bug#325800: logcheck: filters miss nfs mount/unmount messages
There were no tags set.
Tags added: pending

> thanks
Stopping processing here.

Please contact me if you need assistance.

Debian bug tracking system administrator
(administrator, Debian Bugs database)
Debian Bug Tracking System
2005-Oct-23 04:48 UTC
[Logcheck-devel] Bug#325800: marked as done (logcheck: filters miss nfs mount/unmount messages)
Your message dated Sat, 22 Oct 2005 21:32:06 -0700
with message-id <E1ETXWg-0003mp-00 at spohr.debian.org>
and subject line Bug#325800: fixed in logcheck 1.2.42
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

---------------------------------------
From: Todd Troxell <ttroxell at debian.org>
To: 325800-close at bugs.debian.org
Subject: Bug#325800: fixed in logcheck 1.2.42
Date: Sat, 22 Oct 2005 21:32:06 -0700

Source: logcheck
Source-Version: 1.2.42

We believe that the bug you reported is fixed in the latest version of
logcheck, which is due to be installed in the Debian FTP archive:

logcheck-database_1.2.42_all.deb
  to pool/main/l/logcheck/logcheck-database_1.2.42_all.deb
logcheck_1.2.42.dsc
  to pool/main/l/logcheck/logcheck_1.2.42.dsc
logcheck_1.2.42.tar.gz
  to pool/main/l/logcheck/logcheck_1.2.42.tar.gz
logcheck_1.2.42_all.deb
  to pool/main/l/logcheck/logcheck_1.2.42_all.deb
logtail_1.2.42_all.deb
  to pool/main/l/logcheck/logtail_1.2.42_all.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 325800 at bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Todd Troxell <ttroxell at debian.org> (supplier of updated logcheck package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster at debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sat, 22 Oct 2005 23:14:54 -0400
Source: logcheck
Binary: logcheck logtail logcheck-database
Architecture: source all
Version: 1.2.42
Distribution: unstable
Urgency: low
Maintainer: Debian logcheck Team <logcheck-devel at lists.alioth.debian.org>
Changed-By: Todd Troxell <ttroxell at debian.org>
Description:
 logcheck   - mails anomalies in the system logfiles to the administrator
 logcheck-database - database of system log rules for the use of log checkers
 logtail    - Print log file lines that have not been read
Closes: 312393 324347 324451 324613 324615 324751 325800 325801 325874 327088 327100 327114 328251 328632 330208 331282 332707 332807 333233 333456 333461 334342 334415 335021
Changes:
 logcheck (1.2.42) unstable; urgency=low
 .
   [ maximilian attems ]
   * Add dccproc timeout rule.
   * Only source the conffile if we can read it.
     Should enable logcheck runs directly out of the logcheck source.
   * Default to send mail to local root otherwise messages go to Nirvana.
   * Check if conffile with list of logfiles is readable.
   * Fallback to read syslog if no logfile is provided.
   * Enhance bind rules ignore NSTATS loglines, remove dup. (Closes: #324751)
   * Add rule for recent nfs mountd messages.
     Thanks to toby cabot <toby at caboteria.org>. (Closes: #325800)
   * Move imap file to server level, not appropriate for paranoid.
   * Add imap ignore rule for moved bytes, seems pretty normal imap usage.
     Thanks to toby cabot <toby at caboteria.org>. (Closes: #325801)
   * Add rule for Postponed keyboard-interactive ssh logins.
   * Update some usb rules for usb-storage and phone devices. (Closes: #324347)
   * Update horde3 rules the identifier can be changed by the user to any char.
     Thanks to Martin Lohmeier <martin at mein-horde.de> (Closes: #324613)
   * Add imp4 rule for successful logins.
     Thanks to Martin Lohmeier <martin at mein-horde.de> (Closes: #324615)
   * Bumped standards to 3.6.2.
   * Fix exim4 rule for more modern tls string.
   * logcheck.8 fix add full path to README.logcheck-database.gz.
     (Closes: #328632)
 .
   [ Jamie Penman-Smithson ]
   * Add the first rules for mon.
     Thanks to Robbert Muller <muller at muze.nl>. (Closes: #324451)
   * Modify dovecot rules to match ipv6 addresses too. (Closes: #327088)
   * Add first polypaudio rules in workstation to suppress
     module-alsa-sink.c messages. (Closes: #331282)
   * Add first rules for tftpd, suppress 'connect' and 'get file' messages.
     (Closes: #333456)
   * Fix dovecot rules to match the new format log messages in 1.0.
     (Closes: #332707, #333461)
   * Fix proftpd rules to match ipv6 addresses.
     Thanks to Elmar Hoffmann <elho at elho.net> (Closes: #332807)
   * Update ssh rules to suppress reverse DNS warnings.
     Thanks to Elmar Hoffmann <elho at elho.net> (Closes: #333233)
   * Update nagios rules to match host UNREACHABLE notification messages.
     (Closes: #325874)
   * Add the first rules for popa3d. (Closes: #328251)
   * Fix group permissions for /var/lock/logcheck on install or upgrade so
     logcheck can be executed by the logcheck group. (Closes: #330208)
   * Add Swedish translation, thanks to Daniel Nylander
     <yeager at lidkoping.net>. (Closes: #334415)
   * Fix anvil max rate rule to match statistics messages when postfix is
     bound to a specific IP. (Closes: #334342)
   * Modify spamd rules to match log message format in 3.1. (Closes: #335021)
 .
   [ Todd Troxell ]
   * Add check for lockfile-progs to aid non-debian installations.
   * Set logcheck to remove cleanup trap if an error occurs while getting
     lockfile. This will prevent many confusing error messages.
   * Add error reporting on -o option
   * Add IPv6 support to bind rules.
     Thanks Marco Nenciarin <mnencia at prato.linux.it> (Closes: #327100)
   * Add IPV6 support to postfix rules.
     Thanks Marco Nenciarin <mnencia at prato.linux.it> (Closes: #327114)
   * Add INSTALL documentation for manual/non-Debian installation.
   * Add 5 receive rules for hylafax's FaxGetty.
   * Call adduser without --home flag in postinst. (Closes: #312393)
Files:
 bb7c028e97c78ab67d9c8417de1d1d3b 736 admin optional logcheck_1.2.42.dsc
 a17f485774e5c00cb314b74c30d0929c 104787 admin optional logcheck_1.2.42.tar.gz
 e06b1c7bea38cf6b8a6977df05997481 48606 admin optional logcheck_1.2.42_all.deb
 54f5ed99e3e602561f69e39cf5236800 66628 admin optional logcheck-database_1.2.42_all.deb
 f2875097308d99e0663d9d583b1548b5 30976 admin optional logtail_1.2.42_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFDWw344u3oQ3FHP2YRAm+4AJ4g+FoIjbpI67yD8N9sBXE+Gok5pQCfRF7+
K2Akj9p3eKdJdHqBKRFJjfA=lJbY
-----END PGP SIGNATURE-----