Package: logcheck
Version: 1.2.54
Severity: normal

hello,

seems that somehow logcheck fails to filter out some lines, eg i get this
warning:

Security Events
=-=-=-=-=-=-=-
daemon.info: Dec 7 21:13:47 smartd[9668]: Device: /dev/hdb, SMART Prefailure Attribute: 1 Raw_Read_Error_Rate changed from 100 to 99
daemon.info: Dec 7 21:43:48 smartd[9668]: Device: /dev/hdb, SMART Prefailure Attribute: 1 Raw_Read_Error_Rate changed from 99 to 100

however:

# grep -h '21:13:4[78]' /var/log/socklog/main/*
Dec 7 21:13:47 smartd[9668]: Device: /dev/hdb, SMART Prefailure Attribute: 1 Raw_Read_Error_Rate changed from 100 to 99
Dec 7 21:13:47 smartd[9668]: Device: /dev/hdb, SMART Usage Attribute: 190 Temperature_Celsius changed from 58 to 59
Dec 7 21:13:47 smartd[9668]: Device: /dev/hdb, SMART Usage Attribute: 194 Temperature_Celsius changed from 42 to 41
Dec 7 21:13:47 smartd[9668]: Device: /dev/hdb, SMART Usage Attribute: 195 Hardware_ECC_Recovered changed from 72 to 73

and:

# grep -h '21:13:4[78]' /var/log/socklog/main/* | egrep -v -f /etc/logcheck/ignore.d.server/smartd

so the patterns in /etc.../smartd do match and logcheck run should end up
with no such lines.

# dpkg -s logcheck logtail lockfile-progs socklog-run|grep ^Vers
Version: 1.2.54
Version: 1.2.54
Version: 0.1.10
Version: 2.1.0-7

thanks
--
paolo

Gerfried Fuchs
2008-Dec-09 09:36 UTC
[Logcheck-devel] Bug#508138: logcheck: loglines leakage

* Paolo <oopla at users.sf.net> [2008-12-08 09:43:01 CET]:
> seems that somehow logcheck fails to filter out some lines, eg i get this
> warning:
>
> Security Events
  ^^^^^^^^^^^^^^^
> =-=-=-=-=-=-=-
> daemon.info: Dec 7 21:13:47 smartd[9668]: Device: /dev/hdb, SMART Prefailure Attribute: 1 Raw_Read_Error_Rate changed from 100 to 99
> daemon.info: Dec 7 21:43:48 smartd[9668]: Device: /dev/hdb, SMART Prefailure Attribute: 1 Raw_Read_Error_Rate changed from 99 to 100
>
> however:
>
> # grep -h '21:13:4[78]' /var/log/socklog/main/* | egrep -v -f /etc/logcheck/ignore.d.server/smartd
                                                                              ^^^^^^^^^^^^^^^

ignore.d.server rules won't filter out security events. I guess it's
matched as such because of the contained /failure/ in the line. I'm not
completely sure if this should be filtered out, but a matching rule for
that has to live below violations.ignore.d - and there is the
logcheck-smartd file in there which as far as I can see should match ...

> so the patterns in /etc.../smartd do match and logcheck run should end up
> with no such lines.

Can you egrep -v -f /etc/logcheck/ignore.d.server/smartd instead and see
if the Prefailure Attribute line does show up for you? From what I can
see it shouldn't ...

Thanks,
Rhonda
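
The layering described in the reply above, as an added example that is not part of the thread and not logcheck's own code: a line matched by a violations.d rule is reported as a security event and only a violations.ignore.d rule can suppress it, while ignore.d.server applies only to what is left. The rule patterns and the demo file names are constructed assumptions (the "failure" pattern follows the guess made in the reply); the two log lines are taken from the report.

```shell
#!/bin/sh
# Simplified model of the two filtering layers discussed in this thread.
# Rule files are constructed for illustration; they are not logcheck's shipped rules.

# security_events LOG RULES: lines matching violations.d, minus violations.ignore.d
security_events() {
    grep -E -f "$2/violations.d/demo" "$1" |
        grep -E -v -f "$2/violations.ignore.d/demo" || true
}

# system_events LOG RULES: lines NOT matching violations.d, minus ignore.d.server
system_events() {
    grep -E -v -f "$2/violations.d/demo" "$1" |
        grep -E -v -f "$2/ignore.d.server/demo" || true
}

# make_demo DIR: write the sample log and a constructed rule set under DIR
make_demo() {
    mkdir -p "$1/violations.d" "$1/violations.ignore.d" "$1/ignore.d.server"
    cat > "$1/log" <<'EOF'
Dec 7 21:13:47 smartd[9668]: Device: /dev/hdb, SMART Prefailure Attribute: 1 Raw_Read_Error_Rate changed from 100 to 99
Dec 7 21:13:47 smartd[9668]: Device: /dev/hdb, SMART Usage Attribute: 194 Temperature_Celsius changed from 42 to 41
EOF
    # Assumed violations rule: "Prefailure" contains "failure"
    printf '%s\n' 'failure' > "$1/violations.d/demo"
    # Placeholder that matches nothing, so no security event is suppressed yet
    printf '%s\n' 'PLACEHOLDER_NO_MATCH' > "$1/violations.ignore.d/demo"
    # Constructed ignore rule that matches BOTH sample lines
    printf '%s\n' 'smartd\[[0-9]+\]: Device: [^ ]+, SMART (Prefailure|Usage) Attribute: ' \
        > "$1/ignore.d.server/demo"
}

# Stand-alone run: the Prefailure line is still reported although the
# ignore.d.server rule matches it, because that rule is never consulted for it.
demo=$(mktemp -d) && make_demo "$demo"
echo "Security Events:"; security_events "$demo/log" "$demo"
echo "System Events:";   system_events "$demo/log" "$demo"
rm -rf "$demo"
```

Testing a pattern with `egrep -v -f` against the raw log, as in the report, only exercises the second layer; the same check against the violations.ignore.d file is what shows whether a security event will be suppressed.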