Matt Corks
2007-Feb-10 19:09 UTC
[Logcheck-devel] Bug#410453: logcheck-database: filter kernel messages for UDP as well as TCP/IP traffic
Package: logcheck-database
Version: 1.2.53
Severity: normal

logcheck is generating messages like this:

Feb 10 13:31:09 waterloo kernel: IN=ppp0 OUT= MAC= SRC=216.58.8.243 DST=239.255.67.250 LEN=176 TOS=0x00 PREC=0x00 TTL=1 ID=0 DF PROTO=UDP SPT=34554 DPT=16680 LEN=156

the closest match to this is the following rule:

^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: BANDWIDTH_IN:IN=[[:alnum:]]+ OUT= MAC=[:[:xdigit:]]+ SRC=[.0-9]{7,15} DST=[.0-9]{7,15} LEN=[0-9]+ TOS=0x[[:xdigit:]]+ PREC=0x[[:xdigit:]]+ TTL=[0-9]+ ID=[0-9]+ (DF )?PROTO=TCP SPT=[0-9]+ DPT=[0-9]+ WINDOW=[0-9]+ RES=0x[[:xdigit:]]+ ACK (PSH )?URGP=[0-9]+$

but it only handles TCP/IP traffic. logcheck should filter normal UDP inbound & outbound traffic.

thanks,
matt

-- System Information:
Debian Release: 4.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-3-k7
Locale: LANG=en_CA, LC_CTYPE=en_CA (charmap=ISO-8859-1)

Versions of packages logcheck-database depends on:
ii  debconf [debconf-2.0]         1.5.11         Debian configuration management sy

logcheck-database recommends no packages.

-- debconf information:
  logcheck-database/rules-directories-note:
  logcheck-database/standard-rename-note:
  logcheck-database/conffile-cleanup: false
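The following is an added example, not part of the bug report or of the logcheck-database package. It translates the TCP rule quoted above into Python regex syntax (POSIX classes such as `[[:xdigit:]]` rewritten as explicit ranges), adds a hypothetical UDP rule modelled on the shape of the reported log line, and runs both over a few constructed kernel log lines to show what logcheck's egrep-style suppression would keep and what it would drop. The UDP rule, the `TS_PREFIX`/`filter_lines` names and all log lines other than the one quoted in the report are assumptions made here; the two differences that matter for the reported line, an empty `MAC=` field and no `BANDWIDTH_IN:` prefix, are handled by making the MAC field optional and dropping the prefix.

```python
import re

# Timestamp / hostname prefix shared by both rules, translated from the
# POSIX egrep form in the bug report: ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:
TS_PREFIX = r"^\w{3} [ :0-9]{11} [._A-Za-z0-9-]+ kernel: "

# The existing TCP rule quoted in the report, in Python regex syntax.
TCP_RULE = re.compile(
    TS_PREFIX
    + r"BANDWIDTH_IN:IN=[A-Za-z0-9]+ OUT= MAC=[:0-9A-Fa-f]+ "
    + r"SRC=[.0-9]{7,15} DST=[.0-9]{7,15} LEN=[0-9]+ TOS=0x[0-9A-Fa-f]+ "
    + r"PREC=0x[0-9A-Fa-f]+ TTL=[0-9]+ ID=[0-9]+ (DF )?PROTO=TCP "
    + r"SPT=[0-9]+ DPT=[0-9]+ WINDOW=[0-9]+ RES=0x[0-9A-Fa-f]+ ACK (PSH )?URGP=[0-9]+$"
)

# Hypothetical UDP rule (an assumption of this example, not a logcheck rule).
# IN/OUT may each be empty (inbound vs outbound), MAC= is optional and may be
# empty, and the UDP header has only SPT/DPT/LEN after PROTO=UDP.
UDP_RULE = re.compile(
    TS_PREFIX
    + r"IN=[A-Za-z0-9]* OUT=[A-Za-z0-9]* (MAC=[:0-9A-Fa-f]* )?"
    + r"SRC=[.0-9]{7,15} DST=[.0-9]{7,15} LEN=[0-9]+ TOS=0x[0-9A-Fa-f]+ "
    + r"PREC=0x[0-9A-Fa-f]+ TTL=[0-9]+ ID=[0-9]+ (DF )?PROTO=UDP "
    + r"SPT=[0-9]+ DPT=[0-9]+ LEN=[0-9]+$"
)

# Constructed sample input. The first line is the one quoted in the bug
# report; the remaining three are made up for this example.
SAMPLE_LINES = [
    "Feb 10 13:31:09 waterloo kernel: IN=ppp0 OUT= MAC= SRC=216.58.8.243 "
    "DST=239.255.67.250 LEN=176 TOS=0x00 PREC=0x00 TTL=1 ID=0 DF PROTO=UDP "
    "SPT=34554 DPT=16680 LEN=156",
    # outbound UDP (locally generated, so no MAC= field at all)
    "Feb 10 13:32:00 waterloo kernel: IN= OUT=ppp0 SRC=10.0.0.2 DST=192.0.2.53 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12345 DF PROTO=UDP SPT=40000 DPT=53 LEN=40",
    # inbound TCP in the exact shape the existing rule expects
    "Feb 10 13:33:00 waterloo kernel: BANDWIDTH_IN:IN=ppp0 OUT= "
    "MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=10.0.0.2 "
    "LEN=52 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=TCP SPT=443 DPT=51000 "
    "WINDOW=65535 RES=0x00 ACK PSH URGP=0",
    # ICMP echo request: matched by neither rule, so it should stay in the report
    "Feb 10 13:34:00 waterloo kernel: IN=ppp0 OUT= MAC= SRC=192.0.2.77 DST=10.0.0.2 "
    "LEN=84 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1",
]


def filter_lines(lines, rules):
    """Return the lines NOT matched by any rule.

    This mirrors logcheck's ignore semantics: a line matching any ignore
    rule is suppressed, everything else is reported to the administrator.
    """
    return [line for line in lines if not any(r.search(line) for r in rules)]


if __name__ == "__main__":
    print("With the TCP rule only:")
    for line in filter_lines(SAMPLE_LINES, [TCP_RULE]):
        print("  REPORTED:", line[:70], "...")
    print("With the TCP rule plus the assumed UDP rule:")
    for line in filter_lines(SAMPLE_LINES, [TCP_RULE, UDP_RULE]):
        print("  REPORTED:", line[:70], "...")
```

Running it shows that the TCP rule alone reports all three non-TCP lines, including the UDP line from the report, while adding the UDP rule leaves only the ICMP line, which is the check to make before shipping any new ignore rule: it must suppress exactly the noise it was written for and nothing else.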