Displaying 20 results from an estimated 20000 matches similar to: "Rule question for port 80 - outgoing"
2008 Mar 19
1
End of search string question
How do I tell LogCheck that I don't care what's in the rest of the search
string?
^\w{3} [ :0-9]{11} m0n0wall ipmon\[[0-9]+\]: [0-9:]{8}\.[0-9]{6} xl0 (@
0:3|@100:3) (b|p) 192\.168\.2\.[0-9]{1,3} -> [0-9.]{7,15} PR igmp len
[0-9]{2} \([0-9]{2}+\) IN$
^\w{3} [ :0-9]{11} m0n0wall ipmon\[[0-9]+\]: [0-9:]{8}\.[0-9]{6} xl0 (@
0:3|@100:3) (b|p) 192\.168\.2\.[0-9]{1,3} -> [0-9.]{7,15} PR
2006 May 21
2
Bug#368313: logcheck-database: new postfix violations ignore rule
Package: logcheck-database
Version: 1.2.39
Severity: wishlist
Hi,
I'd like to add the following rule to /etc/logcheck/violations.ignore.d/logcheck-postfix :
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd?\[[0-9]+\]: NOQUEUE: reject: RCPT from [._[:alnum:]-]+\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\]: 554 <[._[:alnum:]-]+\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\]>:
2008 Jan 24
0
[PATCH] Re-enabled :port portion of "UDPv4 link" openvpn rule
I see that this openvpn rule has been modified to no longer attach the
":port" part to "[undef]" -- probably to reflect a recent change in
openvpn. Unfortunately, the rule no longer matches in etch, thus
breaking the backport.
Here's a patch to match both versions.
Signed-off-by: Frédéric Brière <fbriere at fbriere.net>
---
rulefiles/linux/ignore.d.server/openvpn
2012 Mar 02
1
Bug#661912: logcheck: files with period in ignore rule dirs ignored
Package: logcheck
Version: 1.3.14
Severity: normal
I added a local.rules file to ignore.d.server and then ran logcheck. The file was not used during the run.
Renaming it to local-rules got the file used during the next run.
Fix: periods should be allowed in filenames, or the fact that they are forbidden expressly documented in the logcheck README.
Thanks
Nils
-- System Information:
Debian
2006 Aug 11
0
Bug#382440: logcheck-database: Postfix rule missing in violations.ignore.d
Package: logcheck-database
Version: 1.2.47
Severity: normal
Tags: patch
Without the following logcheck line in
/etc/logcheck/violations.ignore.d, lines such as the following are
reported:
postfix/smtp[30054]: 824E9A2C1E: to=<nooneisillegal at someplace.net>,
relay=0.0.0.0[0.0.0.0], delay=1, status=sent (250 2.6.0 Ok, id=30274-22,
from MTA: 250 Ok: queued as 15140A2D0A)
This is because
2006 May 30
2
Bug#369603: logcheck-database: new rule for dhcpd
Package: logcheck-database
Version: 1.2.44
Severity: minor
Tags: patch
Hi,
This patch changes one rule for dhcpd. It adds support for log lines of the following format:
May 30 19:36:57 server dhcpd: DHCPACK to 10.10.10.10 (aa:bb:cc:dd:ee:ff) via eth1
Regards,
Robbert
--- /root/dhcp 2006-05-30 21:50:24.000000000 +0200
+++ dhcp 2006-05-30 23:27:06.000000000 +0200
@@ -18,7 +18,7 @@
2007 Jun 11
0
Bug#428428: patch for cron ignore rule
Package: logcheck
Version: 1.2.54
Severity: normal
Tags: patch
On my system, this ignore rule needs /usr/bin/ in front of the cron command, or the rule fails to match.
hostname:/etc/logcheck/ignore.d.server# diff cron cron.old
1c1
< ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (/usr/bin/)?crontab\[[0-9]+\]: \([[:alnum:]-]+\) LIST \([[:alnum:]-]+\)$
---
> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+
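Review bot: the diff was produced with `diff cron cron.old`, so the proposed rule sits on the `<` side of `1c1` and the output would apply in reverse as a patch; regenerating it as `diff -u cron.old cron` gives a directly applicable hunk with context. The optional group `(/usr/bin/)?` covers only that one location, so if crontab can log under another directory the rule will miss again; a short comment above the rule noting which systems log the full path would help maintainers decide whether to generalise it.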
2007 Jul 04
1
Bug#425035: hylafax-server: missing logcheck rule
package hylafax-server
reassign 425035 logcheck-database 1.2.56
thanks
I am reassigning this bug report since the hylafax logcheck rule is
distributed in package logcheck-database.
Bye,
Giuseppe
2009 Sep 06
1
Bug#545318: logcheck-database: please add rule for newgrp messages
Package: logcheck-database
Version: 1.2.69
Severity: wishlist
Hello,
when newgrp (part of the package login) is used, I see messages
like this in my syslog:
Aug 27 23:36:16 debian64 newgrp[1975]: user `root' (login `root' on tty1)
switched to group `backup'
Aug 27 19:28:15 srv1 newgrp[10082]: user `root' (login `mazur' on pts/1)
switched to group `backup'
Aug 27
2006 Feb 12
1
Bug#338732: logcheck-database: ignore rule for package cvs
tags 338732 pending
thanks
On 12 Nov 2005, at 11:38, Martin Lohmeier wrote:
> here is a rule for the cvs package. The line that should be ignored
> looks like this:
>
> Nov 12 12:02:22 djinn01 cvs-pserver[15917]: connect from
> 212.202.200.77 (212.202.200.77)
> Nov 12 12:31:00 djinn01 cvs-pserver[18386]: connect from
> 80.190.250.190 (80.190.250.190)
>
> I'll
2011 Dec 18
0
Bug#652537: Please add rule for inetutils-syslogd
Package: logcheck
Version: 1.2.69
The inetutils-syslogd (2:1.5.dfsg.1-9) package provides a system
logging daemon. syslogd periodically logs the following message:
Dec 17 00:29:11 host syslogd (GNU inetutils 1.5): restart
The following logcheck rulefile works to filter the messages from the
"System Events" email:
# cat inetutils-syslogd
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ syslogd
2006 May 17
2
Bug#367781: logcheck-database: postfix/smtp read timeout (port 25) regexp wrong
Package: logcheck-database
Version: 1.2.39
Severity: normal
The rule for postfix/smtp read timeout (port 25) doesn't match the
actual log message:
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]: connect to [^[:space:]]+ \[[.0-9]+\]: read timeout \(port 25\)$
A sample log line is:
May 17 17:38:16 dp postfix/smtp[12256]: connect to smtpv1.ihs.gov[198.45.3.65]: read timeout (port
2004 Aug 23
2
Bug#267587: logcheck-database: Additional rule needed for postfix
Package: logcheck-database
Version: 1.2.25
Severity: normal
postfix/smtpd\[[0-9]+\]: lost connection after (CONNECT|DATA|RCPT|RSET|EHLO|HELO|MAIL) from
Please include the above line in the ignore.d/server/postfix file. That
catches messages that occur very often on busy Postfix servers.
-- System Information:
Debian Release: 3.1
APT prefers unstable
APT policy: (500, 'unstable')
2008 Sep 24
2
Bug#500017: ignore.d.server/ssh: outdated 'reverse mapping checking ... failed' rule
Package: logcheck-database
Version: 1.2.68
Severity: minor
openssh-server version 1:5.1p1-2
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: reverse mapping checking getaddrinfo for [._[:alnum:]-]+ failed - POSSIBLE BREAK-?IN ATTEMPT!$
should look like
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: reverse mapping checking getaddrinfo for [._[:alnum:]-]+ \[[.[:alnum:]:]+\] failed -
2008 Mar 17
0
Processed: Re: Bug#444470: /etc/logcheck/violations.ignore.d/logcheck-ssh: Updated "authentication failure" rule
Processing commands for control at bugs.debian.org:
> # Commit 037fed5fc268088bad1f17c885d9153ee800ec40
> tag 444470 pending
Bug#444470: /etc/logcheck/violations.ignore.d/logcheck-ssh: Updated "authentication failure" rule
There were no tags set.
Tags added: pending
> thanks
Stopping processing here.
Please contact me if you need assistance.
Debian bug tracking system
2005 Dec 24
1
Bug#344620: ignore.server.d/postfix: 'address not listed for hostname' rule
Package: logcheck-database
Version: 1.2.42
Severity: normal
Tags: patch
Index: postfix
===================================================================
--- postfix (revision 1097)
+++ postfix (working copy)
@@ -44,7 +44,7 @@
# Postfix < 2.1
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]: connect to [^[:space:]]+: server dropped connection without sending the initial greeting
2007 Jan 26
2
Bug#408557: logcheck-database: little fix for a cracklib rule
Package: logcheck-database
Severity: wishlist
Tags: patch
Please consider applying the attached patch.
Logcheck doesn't match lines like the following right now:
----
Jan 26 04:26:29 space-based cracklib: updated dictionary (read/written words: ).
----
/Armin
-- System Information:
Debian Release: 4.0
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'testing'),
2008 May 15
3
Bug#481306: logcheck-database: Request for new rule: "syslog-ng : Configuration reload"
Package: logcheck-database
Version: 1.2.63
Severity: wishlist
Hi,
Can you add a rule to filter out the following messages:
System Events
=-=-=-=-=-=-=
May 15 07:44:48 niko syslog-ng[21911]: Configuration reload request
received, reloading configuration;
Best regards
Andrei Emeltchenko
-- System Information:
Debian Release: lenny/sid
APT prefers testing
APT policy: (990, 'testing'),
2008 Jan 24
0
[PATCH] Added "Re-using pre-shared static key" openvpn rule
Signed-off-by: Frédéric Brière <fbriere at fbriere.net>
---
rulefiles/linux/ignore.d.server/openvpn | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/rulefiles/linux/ignore.d.server/openvpn b/rulefiles/linux/ignore.d.server/openvpn
index 68ebf8f..c57e3cb 100644
--- a/rulefiles/linux/ignore.d.server/openvpn
+++ b/rulefiles/linux/ignore.d.server/openvpn
@@ -13,7 +13,7
2007 Jan 16
0
Bug#407087: Logcheck rule update.
Package: logcheck-database
Version: 1.2.52
Severity: Minor
Tags: Patch
I've got a suggested rule update for the kernel file in the
/etc/logcheck/ignore.d.workstation directory.
The file already contains this rule:
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: input: Logitech USB Mouse as /class/input/input[[:digit:]]+$
However my system was reporting the following two similar events: