Adrian Heine
2015-Jan-11 07:40 UTC
[Logcheck-devel] Bug#775090: logcheck-database: Should filter shh preauth disconnect ok messages
Package: logcheck-database
Version: 1.3.17
Severity: normal
Tags: patch

I get tons of messages for sshd like these:

Received disconnect from [IP]: 11: ok [preauth]

`Bye Bye [preauth]` is already filtered out.

-- System Information:
Debian Release: 8.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (101, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-server-ssh-Better-match-for-preauth-disconnect.patch
Type: text/x-diff
Size: 1741 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/logcheck-devel/attachments/20150111/1c40cb4a/attachment.patch>
Enrico Zini
2016-Feb-10 10:58 UTC
[Logcheck-devel] Bug#775090: logcheck-database: Should filter shh preauth disconnect ok messages
On Sun, Jan 11, 2015 at 08:40:59AM +0100, Adrian Heine wrote:
> I get tons of messages for sshd like these:
> Received disconnect from [IP]: 11: ok [preauth]
> `Bye Bye [preauth]` is already filtered out.

I also get them with an empty string instead of ok or "Bye Bye":

? sshd[25563]: Received disconnect from 125.88.177.93: 11: [preauth]
? sshd[25565]: Received disconnect from 125.88.177.93: 11: [preauth]
? sshd[25569]: Received disconnect from 125.88.177.93: 11: [preauth]
? sshd[25594]: Received disconnect from 125.88.177.93: 11: [preauth]
? sshd[25596]: Received disconnect from 125.88.177.93: 11: [preauth]
? sshd[25598]: Received disconnect from 125.88.177.93: 11: [preauth]

So I tweaked your rule this way:

^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Received disconnect from [:.[:xdigit:]]+: 11: (Bye Bye|ok|) \[preauth\]$

Enrico

-- 
GPG key: 4096R/E7AD5568 2009-05-08 Enrico Zini <enrico at enricozini.org>
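
An added example, not part of the thread or of logcheck's own files: it runs the tweaked rule above with `grep -E` over constructed sample lines to show which entries the rule would ignore and which would still be reported. The timestamps, the hostname `host1`, the addresses 192.0.2.10 and 2001:db8::1, and the two-space form of the empty-reason line are assumptions.

```shell
#!/bin/sh
# Added example: exercise the tweaked ignore rule from the thread with grep -E
# (logcheck rule files are extended regular expressions).
RULE='^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Received disconnect from [:.[:xdigit:]]+: 11: (Bye Bye|ok|) \[preauth\]$'

# Constructed sample lines (not taken from a real host).
# Line 3 has two spaces after "11:", which is what the empty alternative in
# "(Bye Bye|ok|)" followed by " \[preauth\]" requires; line 5 has only one.
sample_log() {
cat <<'EOF'
Feb 10 10:58:01 host1 sshd[25563]: Received disconnect from 192.0.2.10: 11: Bye Bye [preauth]
Feb 10 10:58:02 host1 sshd[25565]: Received disconnect from 192.0.2.10: 11: ok [preauth]
Feb 10 10:58:03 host1 sshd[25569]: Received disconnect from 192.0.2.10: 11:  [preauth]
Feb 10 10:58:04 host1 sshd[25594]: Received disconnect from 2001:db8::1: 11: ok [preauth]
Feb 10 10:58:05 host1 sshd[25596]: Received disconnect from 192.0.2.10: 11: [preauth]
Feb 10 10:58:06 host1 sshd[25598]: Received disconnect from 192.0.2.10: 11: ok
Feb 10 10:58:07 host1 sshd[25601]: Failed password for root from 192.0.2.10 port 4242 ssh2
EOF
}

# Lines the rule would suppress from the logcheck report.
ignored() { sample_log | grep -E -- "$RULE"; }

# Lines that would still reach the report: the single-space variant, the
# disconnect without the [preauth] suffix, and the failed password.
reported() { sample_log | grep -E -v -- "$RULE"; }

ignored_count() { ignored | wc -l | tr -d ' '; }
reported_count() { reported | wc -l | tr -d ' '; }

printf 'ignored: %s, still reported: %s\n' "$(ignored_count)" "$(reported_count)"
reported
```

Running the same two `grep -E` calls against a copy of a real auth log before installing a rule shows exactly which entries would stop appearing in the report.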
Debian Bug Tracking System
2017-Jan-25 22:09 UTC
[Logcheck-devel] Bug#775090: marked as done (logcheck-database: Should filter shh preauth disconnect ok messages)
Your message dated Wed, 25 Jan 2017 22:05:36 +0000
with message-id <E1cWVhA-0002vs-RU at fasolo.debian.org>
and subject line Bug#775090: fixed in logcheck 1.3.18
has caused the Debian Bug report #775090,
regarding logcheck-database: Should filter shh preauth disconnect ok messages
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner at bugs.debian.org
immediately.)

-- 
775090: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=775090
Debian Bug Tracking System
Contact owner at bugs.debian.org with problems

-------------- next part --------------
An embedded message was scrubbed...
From: Adrian Heine <debian at adrianlang.de>
Subject: logcheck-database: Should filter shh preauth disconnect ok messages
Date: Sun, 11 Jan 2015 08:40:59 +0100
Size: 4340
URL: <http://lists.alioth.debian.org/pipermail/logcheck-devel/attachments/20170125/bf945b7f/attachment-0002.mht>

-------------- next part --------------
An embedded message was scrubbed...
From: Hannes von Haugwitz <hannes at vonhaugwitz.com>
Subject: Bug#775090: fixed in logcheck 1.3.18
Date: Wed, 25 Jan 2017 22:05:36 +0000
Size: 7741
URL: <http://lists.alioth.debian.org/pipermail/logcheck-devel/attachments/20170125/bf945b7f/attachment-0003.mht>