Patrice Seyed
2005-Oct-20 04:18 UTC
[Logcheck-users] RE: Logcheck-users Digest, Vol 2, Issue 2
Comments within, denoted with "-->".

Message: 2
Date: Tue, 18 Oct 2005 20:43:55 +0100
From: "Jamie L. Penman-Smithson" <lists@silverdream.org>
Subject: Re: [Logcheck-users] logcheck.ignore issues
To: Patrice Seyed <apseyed@bu.edu>
Cc: logcheck-users@lists.alioth.debian.org
Message-ID: <1129664635.5066.15.camel@hercules.silverdream.lan>
Content-Type: text/plain; charset="us-ascii"

Hey Patrice,

On Tue, 2005-10-18 at 11:57 -0400, Patrice Seyed wrote:
> I have been successful in the past using the logcheck.ignore file to not
> have logcheck email me on certain logs syntax.

If you find messages that should be ignored that are not, you should file a bug report against the logcheck-database package in the BTS.

-->that's good to know, thanks. I originally emailed the maintainer listed in logcheck.sh, John Bambenek, but then realized it may not be current (then found this list).

> For example:
> ntpd.*: exiting

It's best to avoid overly broad regular expressions like the plague and make them as specific and targeted as possible. Overly broad regular expressions in logcheck can lead to security issues.

-->yes, I recall reading that suggestion in the comments in logcheck.sh. I believed I broadened the use of star to find a way to match the log I wanted to match, in case I was missing something. Thanks for the suggestion however.

> My problem is with :
> named*: lame server resolving
> or
> named*: lame server*
> or
> named*:*lame
>
> in logcheck.ignore

Correct me if I'm wrong, but as far as I can see, logcheck.ignore was phased out around version 1.1.9, is there any particular reason why you're still using such an ancient version of logcheck?

-->it does seem to be a 1.1.x rev. I believe I started using it beginning of 2004. If 1.1 was still old at that point in time, then I'm not sure why or how I got the elder rev. If 1.2.41 doesn't have any issue like potentially the one I mention and also improvements, then I would probably be more than happy to test it out at some point in the near future.

> I still get messages in email looking like:
>
> > Oct 17 22:00:01 linga named[16014]: lame server resolving
> > '71.11.2.239.in-addr.arpa' (in '239.in-addr.arpa'?): 192.52.71.4#53

The "lame server resolving" messages from BIND can be disabled by using the appropriate logging statement.

    logging {
        [...]
        category lame-servers { null; };
        [...]
    };

-->thanks!

> If anyone could provide any suggestions or enlighten me in any way as to the
> behaviours of logcheck I would appreciate it.

-->thanks for your response Jamie, I appreciate it.

Re,
Patrice

-j
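
The matching behaviour discussed in this thread, as an added example that is not part of the original messages or of logcheck itself: it applies three ignore patterns to sample log lines to show why the glob-style `named*:` entry never matches `named[16014]:`, and what a broad `named.*` entry hides. It assumes the ignore file is applied as extended regular expressions with `grep -E -v`; the second and third log lines and the `SPECIFIC` pattern are constructed for illustration.

```shell
#!/bin/sh
# Line 1 is the log line quoted in the thread; lines 2 and 3 are constructed.
sample_log() {
cat <<'EOF'
Oct 17 22:00:01 linga named[16014]: lame server resolving '71.11.2.239.in-addr.arpa' (in '239.in-addr.arpa'?): 192.52.71.4#53
Oct 17 22:00:09 linga named[16014]: client 192.0.2.7#4242: update denied
Oct 17 22:00:15 linga ntpd[812]: ntpd exiting on signal 15
EOF
}

# Pattern from the thread. As a regex, "d*" means "zero or more d", not
# "anything after named", so "[16014]" before the colon prevents a match.
GLOB_STYLE='named*: lame server resolving'

# Broad alternative: matches every named line, including ones worth reading.
TOO_BROAD='named.*'

# Constructed specific pattern: anchored at the timestamp, explicit PID field,
# and tied to the one message text that should be suppressed.
SPECIFIC='^[[:alpha:]]{3} [ 0-9]{2} [0-9:]{8} [^ ]+ named\[[0-9]+\]: lame server resolving '

# Lines that would still be reported after applying one ignore pattern
# (assumption: ignore entries are used as grep -E -v expressions).
reported() {
    sample_log | grep -E -v -e "$1"
}

# Number of lines still reported for a pattern.
reported_count() {
    reported "$1" | wc -l | tr -d ' '
}

for p in "$GLOB_STYLE" "$TOO_BROAD" "$SPECIFIC"; do
    printf '%-60s -> %s line(s) still reported\n' "$p" "$(reported_count "$p")"
done
```

With the specific pattern, only the lame-server line is dropped and the constructed "update denied" line from the same daemon is still reported.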