Jonas Meurer
2006-Mar-19 21:51 UTC
[Logcheck-devel] Bug#357841: false positives for some lines longer than 503 characters
Package: logcheck
Version: 1.2.43a
Severity: important

hello,

it seems like logcheck always outputs some log lines longer than 503 characters, even if they perfectly well match a given regex.

i have the following entry in /etc/logcheck/ignore.d.server/syslog-ng:
syslog-ng\[.*\]: Log statistics; processed='.*\(.*\)=.*', .*

and in the file 'testlog' i have the following two lines:
Mar 16 22:31:56 resivo syslog-ng[6932]: Log statistics; processed='source(s_all)=2186', processed='destination(df_auth)=407', processed='destination(df_news_dot_notice)=0', processed='destination(df_news_dot_err)=0', processed='destination(df_uucp)=0', processed='destination(df_mail)=0', processed='destination(df_user)=126', processed='destination(df_facility_dot_notice)=0', processed='destination(df_daemon)=1415', processed='destination(df_facility_dot_crit)=0', processed='destination(df_debu)=28'
Mar 16 22:31:56 resivo syslog-ng[6932]: Log statistics; processed='source(s_all)=2186', processed='destination(df_auth)=407', processed='destination(df_news_dot_notice)=0', processed='destination(df_news_dot_err)=0', processed='destination(df_uucp)=0', processed='destination(df_mail)=0', processed='destination(df_user)=126', processed='destination(df_facility_dot_notice)=0', processed='destination(df_daemon)=1415', processed='destination(df_facility_dot_crit)=0', processed='destination(df_debug)=28'

(both are exactly identical, except that the second one has one more character (the third-last one).)

now see what logcheck gives:
# sudo -u logcheck logcheck -o -s -t -l testlog
This email is sent by logcheck. If you wish to no-longer receive it,
you can either deinstall the logcheck package or modify its
configuration file (/etc/logcheck/logcheck.conf).

Security Events
=-=-=-=-=-=-=-
Mar 16 22:31:56 resivo syslog-ng[6932]: Log statistics; processed='source(s_all)=2186', processed='destination(df_auth)=407', processed='destination(df_news_dot_notice)=0', processed='destination(df_news_dot_err)=0', processed='destination(df_uucp)=0', processed='destination(df_mail)=0', processed='destination(df_user)=126', processed='destination(df_facility_dot_notice)=0', processed='destination(df_daemon)=1415', processed='destination(df_facility_dot_crit)=0', processed='destination(df_debug)=28'

unfortunately the line length is not the only criterion. lines containing only numbers and letters which are longer than 503 characters seem to be ignored if they match a regex.

...
jonas
Todd Troxell
2006-Apr-11 06:03 UTC
Bug#357841: [Logcheck-devel] Bug#357841: false positives for some lines longer than 503 characters
Hello Jonas,

Thanks for your report.

On Sun, Mar 19, 2006 at 10:51:09PM +0100, Jonas Meurer wrote:
> Package: logcheck
> Version: 1.2.43a
> Severity: important
>
> hello,
>
> it seems like logcheck always outputs some log lines longer than 503
> characters, even if they perfectly well match a given regex.
>
> i have the following entry in /etc/logcheck/ignore.d.server/syslog-ng:
> syslog-ng\[.*\]: Log statistics; processed='.*\(.*\)=.*', .*
>
> and in the file 'testlog' i have the following two lines:
> Mar 16 22:31:56 resivo syslog-ng[6932]: Log statistics; processed='source(s_all)=2186', processed='destination(df_auth)=407', processed='destination(df_news_dot_notice)=0', processed='destination(df_news_dot_err)=0', processed='destination(df_uucp)=0', processed='destination(df_mail)=0', processed='destination(df_user)=126', processed='destination(df_facility_dot_notice)=0', processed='destination(df_daemon)=1415', processed='destination(df_facility_dot_crit)=0', processed='destination(df_debu)=28'
> Mar 16 22:31:56 resivo syslog-ng[6932]: Log statistics; processed='source(s_all)=2186', processed='destination(df_auth)=407', processed='destination(df_news_dot_notice)=0', processed='destination(df_news_dot_err)=0', processed='destination(df_uucp)=0', processed='destination(df_mail)=0', processed='destination(df_user)=126', processed='destination(df_facility_dot_notice)=0', processed='destination(df_daemon)=1415', processed='destination(df_facility_dot_crit)=0', processed='destination(df_debug)=28'
>
> (both are exactly identical, except that the second one has one more
> character (third-last one).
>
> now see what logcheck gives:
> # sudo -u logcheck logcheck -o -s -t -l testlog
> This email is sent by logcheck. If you wish to no-longer receive it,
> you can either deinstall the logcheck package or modify its
> configuration file (/etc/logcheck/logcheck.conf).
>
> Security Events
> =-=-=-=-=-=-=-
> Mar 16 22:31:56 resivo syslog-ng[6932]: Log statistics; processed='source(s_all)=2186', processed='destination(df_auth)=407', processed='destination(df_news_dot_notice)=0', processed='destination(df_news_dot_err)=0', processed='destination(df_uucp)=0', processed='destination(df_mail)=0', processed='destination(df_user)=126', processed='destination(df_facility_dot_notice)=0', processed='destination(df_daemon)=1415', processed='destination(df_facility_dot_crit)=0', processed='destination(df_debug)=28'
>
>
> unfortunately the line length is not the only criteria. lines containing
> only numbers and letters which are longer than 503 characters seem to be
> ignored if they match a regex.

I have tested this with a couple of versions of logcheck and I'm unable to reproduce. It is worth noting that the string caught above contains substrings that would trigger a violation, and therefore needs a line in violations.ignore.d as well. I suspect this is a configuration issue. Please let me know your findings.

--
Todd Troxell
http://rapidpacket.com/~xtat
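An added example, part of neither message and not logcheck's own code: a small shell model of the layered matching Todd refers to, run over the two lines from Jonas's report. The ignore.d.server rule is the one posted; the violations.d keyword list is an assumption made for illustration (a single keyword, "debug") and does not reproduce the list shipped with logcheck. In this model the ignore.d rule suppresses both lines from System Events regardless of their length, while the Security Events section is decided only by the violations.d / violations.ignore.d pair, which is why adding the same pattern to violations.ignore.d is what makes the reported line disappear.

```shell
#!/bin/sh
# Added example, not logcheck's own code: a minimal model of the layered
# grep matching described in the thread, run over the report's two lines.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# The two log lines from the bug report, constructed here. They share this
# prefix and differ only in the last destination name (df_debu vs df_debug).
PREFIX="Mar 16 22:31:56 resivo syslog-ng[6932]: Log statistics; processed='source(s_all)=2186', processed='destination(df_auth)=407', processed='destination(df_news_dot_notice)=0', processed='destination(df_news_dot_err)=0', processed='destination(df_uucp)=0', processed='destination(df_mail)=0', processed='destination(df_user)=126', processed='destination(df_facility_dot_notice)=0', processed='destination(df_daemon)=1415', processed='destination(df_facility_dot_crit)=0', processed='destination("
printf '%s\n' "${PREFIX}df_debu)=28'" "${PREFIX}df_debug)=28'" > "$WORK/testlog"

# The ignore.d.server/syslog-ng rule exactly as posted in the report.
cat > "$WORK/ignore" <<'EOF'
syslog-ng\[.*\]: Log statistics; processed='.*\(.*\)=.*', .*
EOF

# ASSUMPTION: a violations.d keyword list containing "debug". logcheck's real
# list is not reproduced here; one keyword is enough to show the mechanism.
cat > "$WORK/violations" <<'EOF'
debug
EOF

# An empty violations.ignore.d, as in a setup that only added the ignore.d rule.
: > "$WORK/violations_ignore.empty"

# The remedy Todd points at: excuse the same pattern in violations.ignore.d too.
cp "$WORK/ignore" "$WORK/violations_ignore.fixed"

# Portable line counter (avoids the padded output of some wc implementations).
count_lines() { n=0; while IFS= read -r line; do n=$((n + 1)); done; echo "$n"; }

# How many of the lines the ignore.d rule matches: both, whatever their length.
ignore_matches() { grep -E -c -f "$WORK/ignore" "$WORK/testlog"; }

# Lines left over after ignore.d.* filtering: the "System Events" section.
system_events() { grep -E -v -f "$WORK/ignore" "$WORK/testlog" || true; }

# Lines matching a violations.d keyword (case-insensitively, as logcheck greps)
# and not excused by the given violations.ignore.d file: the "Security Events"
# section. ignore.d.* plays no part in this stage.
security_events() {
    if [ -s "$1" ]; then
        grep -E -i -f "$WORK/violations" "$WORK/testlog" | { grep -E -v -f "$1" || true; }
    else
        grep -E -i -f "$WORK/violations" "$WORK/testlog" || true
    fi
}

echo "lines matched by the ignore.d rule:                     $(ignore_matches)"
echo "System Events lines:                                    $(system_events | count_lines)"
echo "Security Events (no violations.ignore.d entry):         $(security_events "$WORK/violations_ignore.empty" | count_lines)"
echo "Security Events (pattern also in violations.ignore.d):  $(security_events "$WORK/violations_ignore.fixed" | count_lines)"
```

With the assumed keyword, only the second line (the one ending in df_debug) reaches Security Events, and it stops doing so once the pattern is also present in violations.ignore.d; line length plays no part in any of the greps. Substituting the keywords of a real violations.d for the assumed one is the way to check whether a given installation's report is explained the same way.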