similar to: Bug#369603: logcheck-database: new rule for dhcpd

Package: logcheck Version: 1.2.69 Severity: normal Tags: patch Logcheck's reports contains many messages like: Feb 7 19:03:57 srv dhcpd: DHCPREQUEST for 172.21.0.126 from 00:19:7e:9f:cc:32 (Hostname Unsuitable for Printing) via eth0 Feb 7 19:03:57 srv dhcpd: DHCPACK on 172.21.0.126 to 00:19:7e:9f:cc:32 (Hostname Unsuitable for Printing) via eth0 I create file

Package: logcheck-database Version: 1.2.39 Severity: normal I use dhcp3-server and a dhcp client which is Sony HDD video recorder CoCoon. The client not return client host name. In this case, dhcpd server assumed the client host name is (none). Therefor dhcpd output log described below. > Jan 7 10:49:24 on-o dhcpd: DHCPDISCOVER from 08:00:46:33:55:77 ((none)) via eth0 > Jan 7 10:49:25

Package: logcheck-database Version: 1.2.23 Severity: minor Hi, a couple of minor corrections to the dhcp rule sets: First of all, the hostname matching parts need to include the "._-" signs (maybe . is not needed but it might be). Then when using failover, log lines of type DHCPDISCOVER and DHCPREQUEST may be entailed by the string ": load balance to peer <somestring>".

Package: logcheck-database Version: 1.2.32 Severity: normal Tags: patch The fix for 283331 exposed a bug in the dnsmasq rules. The rule was looking for DHCPINFO, but the actual message is DHCPINFORM. Prior to the 283331 fix, the old rule worked, because the "[()[:alnum:]]+" part of the rule matched the "RM" at the end of DHCPINFORM. -- System Information: Debian Release:

Package: logcheck Version: 1.3.3 Severity: normal Tags: patch User: ubuntu-devel at lists.ubuntu.com Usertags: origin-ubuntu karmic ubuntu-patch As reported in https://launchpad.net/bugs/307847: recent dhclient includes the ip address it is releasing and renewing. ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhclient(-2.2.x)?: DHCP(NAK|ACK|OFFER) from [.0-9]{7,15}$ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+

Package: logcheck-database Severity: wishlist Tags: patch Hi, some rules for ntpd as i couldn't find any: ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ntpd\[[0-9]+\]: time reset [+-]*[0-9]{1,2}\.[0-9]{6} s$ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ntpd\[[0-9]+\]: synchronisation lost$ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ntpd\[[0-9]+\]: no servers reachable$ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+

Package: logcheck-database Version: 1.2.22a Severity: normal Thanks to the upgrade to Postfix 2.1 and deploying a newer logcheck ruleset on a busier server I've found a bunch more rules for Postfix. I've attached new rules files and patches are inline. The following patch is for violations.ignore.d: --- logcheck-postfix.orig 2004-06-21 20:11:14.000000000 +0100 +++ logcheck-postfix

I have rules like this on my servers: ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ proftpd\[[[:digit:]]+\]: [._[:alnum:]-]+ \([._[:alnum:]-]+\[[[:digit:].]{7,15}\]\) (- )USER [-_.[:alnum:]]+: no such user found from [._[:alnum:]-]+ \[[[:digit:].]{7,15}\]\ to [[:digit:].]{7,15}:21$ basically, I just don't care about logins as nonexistent users, I get so many of those that I don't even

Hi there, I know this is the classic RTFM list question but... I've really tried hard on this and no result! This is what I'm receving from logcheck: System Events =-=-=-=-=-=-= Apr 3 06:55:13 bsg sshd[32246]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=123.233.245.226 user=root Apr 3 06:55:19 bsg sshd[32248]: pam_unix(sshd:auth):

Package: logcheck-database Version: 1.2.40 Severity: normal Tags: patch There are one line that is not properly ignored. I include in the report a better version. -- System Information: Debian Release: 3.1 APT prefers testing APT policy: (400, 'testing'), (300, 'unstable'), (200, 'experimental') Architecture: i386 (i686) Kernel: Linux 2.6.8-2-k7 Locale:

Signed-off-by: Fr?d?ric Bri?re <fbriere at fbriere.net> --- rulefiles/linux/ignore.d.server/openvpn | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/rulefiles/linux/ignore.d.server/openvpn b/rulefiles/linux/ignore.d.server/openvpn index 68ebf8f..c57e3cb 100644 --- a/rulefiles/linux/ignore.d.server/openvpn +++ b/rulefiles/linux/ignore.d.server/openvpn @@ -13,7 +13,7

I see that this openvpn rule has been modified to no longer attach the ":port" part to "[undef]" -- probably to reflect a recent change in openvpn. Unfortunately, the rule no longer matches in etch, thus breaking the backport. Here's a patch to match both versions. Signed-off-by: Fr?d?ric Bri?re <fbriere at fbriere.net> --- rulefiles/linux/ignore.d.server/openvpn

package logcheck-database tags 125794 pending tags 191637 pending thanks I've been running the latest version of qpopper from unstable for a few days and I've added the following rules to CVS: ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ in.qpopper\[[0-9]+\]: connect from [._[:alnum:]-]+$ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ in.qpopper\[[0-9]+\]: \(v[.[:digit:]]+\) POP login by user

Package: logcheck Version: 1.2.22a Severity: wishlist There is no support for imapproxy, and it would be a great help if it was added. Following are two sample lines from the syslog: Jun 11 09:36:55 MyHost in.imapproxyd[30845]: LOGOUT: '"MyUser"' from server sd [13] Jun 11 09:37:02 MyHost in.imapproxyd[30846]: LOGIN: '"MyUser"' (xxx.xxx.xxx.xx:yyyyy) on

Package: logcheck-database Version: 1.2.28 Severity: normal Hi, the Internet Software Consortium changed the name to Internet Systems Consortium. For a fix for the logcheck rules see the attachment. -- System Information: Debian Release: 3.0 APT prefers testing APT policy: (600, 'testing'), (100, 'unstable'), (1, 'experimental') Architecture: i386 (i686) Kernel:

From: Simon Deziel <simon.deziel at gmail.com> Fixes LP: #806537 Signed-off-by: Simon Deziel <simon.deziel at gmail.com> --- rulefiles/linux/ignore.d.server/openvpn | 7 ++++++- 1 files changed, 6 insertions(+), 1 deletions(-) diff --git a/rulefiles/linux/ignore.d.server/openvpn b/rulefiles/linux/ignore.d.server/openvpn index 2b4bfd6..d80f42f 100644 ---

Package: logcheck Version: 1.2.23 Severity: normal Hello, I have: # /bin/cat ignore.d.server/cron ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ crontab\[[0-9]+\]: \([[:alnum:]-]+\) LIST \([[:alnum:]-]+\)$ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ crontab\[[0-9]+\]: \([[:alnum:]-]+\) REPLACE \([[:alnum:]-]+\)$ and: # /bin/cat ignore.d.paranoid/cron ^\w{3} [ :0-9]{11} [._[:alnum:]-]+

Package: logcheck-database Version: 1.2.69 Severity: normal Tags: patch Hi, I think that this rule: ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su\[[0-9]+\]: (\+|-) (pts/[0-9]{1,2}|tty[0-9]) [_[:alnum:]-]+:[_[:alnum:]-]+$ is supposed to filter out lines like: Oct 17 14:49:24 myhost su[13469]: + /dev/pts/1 user1:root It is not working because the pattern dos not include the "/dev/" part and

I upgraded to 1.2.28, same results. Here are the rules I added. ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ perdition\[[0-9]+\]: Connect: ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pure-ftpd: [^[:space:]]+ \[NOTICE\] ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pure-ftpd: [^[:space:]]+ \[INFO\] ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ exact\[[0-9]+\]: ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ slapd\[[0-9]+\]: ^\w{3} [ :0-9]{11}

Package: logcheck-database Version: 1.2.32 Severity: wishlist Ignore rules to supress messages generated from pugging in, and then removing, a USB headset (one speaker). ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: drivers\/usb\/class\/audio\.c: v1.0.0:USB Audio Class driver$ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: usbaudio: assuming that a stereo channel connected directly to a mixer is