2008 Mar 17
0
Bug#444470: /etc/logcheck/violations.ignore.d/logcheck-ssh: Updated "authentication failure" rule
In article <20080120021013.GA2871__36835.8155632906$1200797204$gmane$org at nexus.elho.net> you wrote:
> Looking at those two lines, they could just be different versions of
> the same thing, here are the commented differences:
Take my word: you'll live longer if you don't try to make sense of ssh
log messages. (I *swear* I once got different messages by doing the
same thing
Bug#551340: [logcheck-database] Rule in /etc/logcheck/violations.ignore.d/logcheck-su does not match
2009 Oct 17
1
Bug#551340: [logcheck-database] Rule in /etc/logcheck/violations.ignore.d/logcheck-su does not match
Package: logcheck-database
Version: 1.2.69
Severity: normal
Tags: patch
Hi,
I think that this rule:
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su\[[0-9]+\]: (\+|-) (pts/[0-9]{1,2}|tty[0-9]) [_[:alnum:]-]+:[_[:alnum:]-]+$
is supposed to filter out lines like:
Oct 17 14:49:24 myhost su[13469]: + /dev/pts/1 user1:root
It is not working because the pattern does not include the "/dev/" part
and
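To see why the rule misses that line, here is an added shell check (not from the bug report, its patch, or logcheck itself) that runs the rule as quoted against constructed su log lines with grep -E, the matcher logcheck rule files are written for, beside a variant with an optional "/dev/" prefix. That variant is this example's assumption, not the fix that was attached to the bug.

```shell
#!/bin/sh
# Added example, not from the bug report or logcheck: run a logcheck-style
# rule over constructed su(1) log lines with grep -E to see which lines it
# would filter and which it would still report.

# Rule as quoted in the report: the tty field has no room for "/dev/".
RULE_OLD='^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su\[[0-9]+\]: (\+|-) (pts/[0-9]{1,2}|tty[0-9]) [_[:alnum:]-]+:[_[:alnum:]-]+$'

# Assumed fix (this example's, not the patch attached to the bug): an
# optional "/dev/" prefix, so both spellings of the tty are filtered.
RULE_NEW='^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su\[[0-9]+\]: (\+|-) (/dev/)?(pts/[0-9]{1,2}|tty[0-9]) [_[:alnum:]-]+:[_[:alnum:]-]+$'

# Constructed log lines: the one from the report, the older spelling
# without /dev/, and a pts number above 99, which neither rule accepts
# (the rule allows only 1-2 digits), so that line would still be reported.
LINE_DEV='Oct 17 14:49:24 myhost su[13469]: + /dev/pts/1 user1:root'
LINE_NODEV='Oct 17 14:49:24 myhost su[13469]: - tty1 user1:root'
LINE_PTS3='Oct 17 14:49:24 myhost su[13469]: + /dev/pts/123 user1:root'

# check RULE LINE: prints "match" (line would be ignored) or "nomatch"
# (line would be reported).
check() {
    if printf '%s\n' "$2" | grep -E -q -- "$1"; then
        echo match
    else
        echo nomatch
    fi
}

# The table a maintainer would eyeball before committing a rule change.
for line in "$LINE_DEV" "$LINE_NODEV" "$LINE_PTS3"; do
    printf 'old=%-7s new=%-7s %s\n' "$(check "$RULE_OLD" "$line")" \
        "$(check "$RULE_NEW" "$line")" "$line"
done
```

Running it shows the quoted rule matching only the tty1 line, the widened rule matching both the tty1 and /dev/pts/1 lines, and the /dev/pts/123 line escaping both; whether a rule is too narrow or too wide is easiest to judge from such a side-by-side table of lines you want filtered and lines you want kept.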
2006 Aug 11
0
Bug#382440: logcheck-database: Postfix rule missing in violations.ignore.d
Package: logcheck-database
Version: 1.2.47
Severity: normal
Tags: patch
Without the following logcheck line in
/etc/logcheck/violations.ignore.d, lines such as the following are
reported:
postfix/smtp[30054]: 824E9A2C1E: to=<nooneisillegal at someplace.net>, relay=0.0.0.0[0.0.0.0], delay=1, status=sent (250 2.6.0 Ok, id=30274-22, from MTA: 250 Ok: queued as 15140A2D0A)
This is because
2007 Oct 03
2
Bug#445072: /etc/logcheck/violations.ignore.d/logcheck-ssh: Failed password for ...
Package: logcheck-database
Version: 1.2.62
Severity: normal
File: /etc/logcheck/violations.ignore.d/logcheck-ssh
Somewhere between etch and now, ssh stopped reporting failed passwords
as "error: PAM: Authentication failure for foo", and switched to "Failed
password for foo", similar to what it already did for unknown users, but
without the "invalid user" part.
2010 Jan 21
1
Bug#566107: logcheck-database: with violations.d/logcheck empty most rules in violations.ignore.d look useless
Package: logcheck-database
Version: 1.3.5
Severity: normal
Hi,
I was having a look at logcheck and why I received a "verification failed:
Temporary failure in name resolution" as a _system_ message.
Turns out that since violations.d/logcheck is empty now, most of the rules in
violations.ignore.d look quite useless, can you confirm?
I suspect that a big part of those rules should be
2008 Jul 21
1
merging violations.ignore.d/logcheck-* into ignore.d.*/*
Hi guys, now that violations.d/logcheck is empty,
violations.ignore.d/logcheck-* are useless and many messages that
were previously elevated and filtered there now turn up as system
events. Thus, I went ahead and merged violations.ignore.d/logcheck-*
into ignore.d.*/* in the viol-merge branch.
http://git.debian.org/?p=logcheck/logcheck.git;a=shortlog;h=refs/heads/viol-merge
Unless I hear
2006 May 21
2
Bug#368313: logcheck-database: new postfix violations ignore rule
Package: logcheck-database
Version: 1.2.39
Severity: wishlist
Hi,
I'd like to add the following rule to /etc/logcheck/violations.ignore.d/logcheck-postfix :
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd?\[[0-9]+\]: NOQUEUE: reject: RCPT from [._[:alnum:]-]+\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\]: 554 <[._[:alnum:]-]+\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\]>:
2008 Mar 15
1
Bug#471072: logcheck-database: Moving most of violations.ignore.d to ignore.d.*
Package: logcheck-database
Version: 1.2.63
Severity: normal
Given that violations.d/logcheck has been emptied by
2394562ab4a13c4510c671f01ffc8f35e97f1cd3, shouldn't most of
violations.ignore.d be moved to one of ignore.d.*? AIUI, all of these
are currently rendered useless.
(I'll gladly lend a hand; I just want to make sure this is the right
thing to do.)
-- System Information:
Debian
2005 Feb 20
1
Rename violations.ignore.d/logcheck-pureftp
<nitpickyness>
To avoid possible confusion, shouldn't this be named logcheck-pureftpd,
or logcheck-pure-ftpd (instead of logcheck-pureftp)?
Or is there a reason (that I've missed) it's this way?
</nitpickyness>
-j
2005 Jan 12
3
Bug#290195: violations.d/sudo and violations.ignore.d/logcheck-sudo missing sudo log entries
Package: logcheck
Version: 1.2.32
Severity: normal
It seems when someone runs a sudo command on my system, logcheck misses
it.
The second line of /etc/logcheck/violations.d/sudo matches them, but
the /etc/logcheck/violations.ignore.d/logcheck-sudo kills them.
Furthermore, when users run commands like '$ sudo rm *' in a directory
with lots of files, we get reports with lines like:
Jan 13
2004 Sep 04
1
Bug#269959: logcheck-database: courier ignore.d.server contains word from violations.d list
Package: logcheck-database
Version: 1.2.26
Severity: normal
Hi,
the file courier contains the line:
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pop3d-ssl: Unexpected SSL connection shutdown\.$
This triggers the security logcheck section because of the word
"shutdown". Quick fix is to move or duplicate this line to
violations.ignore.d/logcheck-courier.
BTW: It looks like the courier package
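The courier report above, the sudo report (Bug#290195), and the three messages about violations.d/logcheck being empty (Bug#566107, Bug#471072, the viol-merge mail) all turn on the same mechanism: a line that hits a violations.d keyword is only filtered by violations.ignore.d, and when no keyword hits it is only filtered by ignore.d.*. The script below is an added model of that split, not logcheck's own code; it assumes that ordering (the page does not show the order logcheck really applies its files in), and every rule set and log line in it is constructed for the example.

```shell
#!/bin/sh
# Added example, not logcheck's own code: a small model of the tiered
# filtering the bug reports above argue about. Assumption: a line matching
# a violations.d keyword is handled only by violations.ignore.d, every other
# line only by ignore.d.*. All rule sets and log lines are constructed.

# violations.d keywords (constructed list, not a logcheck-database file).
VIOLATIONS='Refused
failed
shutdown'

# violations.ignore.d: the courier rule quoted in Bug#269959.
VIOL_IGNORE='^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pop3d-ssl: Unexpected SSL connection shutdown\.$'

# ignore.d.server: a constructed cron rule for ordinary lines.
IGNORE='^\w{3} [ :0-9]{11} [._[:alnum:]-]+ cron\[[0-9]+\]: \(root\) CMD '

# Constructed log lines.
COURIER='Sep 26 10:00:00 mail pop3d-ssl: Unexpected SSL connection shutdown.'
PROFTPD='Sep  8 12:37:07 goretex proftpd: PAM-listfile: Refused user news for service proftpd'
CRON='Sep 26 10:00:00 mail cron[4242]: (root) CMD (run-parts /etc/cron.hourly)'

# in_set PATTERNS LINE: succeeds when any non-empty pattern matches LINE.
# Blank patterns are skipped on purpose: an empty line in a grep -f file
# matches every line, so an empty rule set must match nothing.
in_set() {
    printf '%s\n' "$1" | (
        while IFS= read -r pat; do
            [ -n "$pat" ] || continue
            printf '%s\n' "$2" | grep -E -q -- "$pat" && exit 0
        done
        exit 1
    )
}

# classify VIOLATIONS LINE: prints where LINE ends up in the report.
classify() {
    if in_set "$1" "$2"; then
        if in_set "$VIOL_IGNORE" "$2"; then
            echo dropped-by-violations.ignore.d
        else
            echo security-event
        fi
    elif in_set "$IGNORE" "$2"; then
        echo dropped-by-ignore.d
    else
        echo system-event
    fi
}

echo '== with violations.d keywords =='
for l in "$COURIER" "$PROFTPD" "$CRON"; do
    printf '%-32s %s\n' "$(classify "$VIOLATIONS" "$l")" "$l"
done

echo '== with violations.d empty (Bug#566107 / Bug#471072) =='
for l in "$COURIER" "$PROFTPD" "$CRON"; do
    printf '%-32s %s\n' "$(classify '' "$l")" "$l"
done
```

With keywords present, the courier line is elevated by "shutdown" and then dropped by the violations.ignore.d rule, while a copy of that rule in ignore.d.server would never see it; with the keyword list empty, the same line is never elevated, the violations.ignore.d rule is dead, and the line falls through to system events unless ignore.d.* also carries it. That is the symptom the viol-merge mail describes and the reason for moving those rules.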
2006 Jul 03
0
Bug#376533: updated violations.ignore.d/postfix file for postfix 2.3
Package: logcheck-database
Version: 1.2.44
Severity: minor
Tags: patch
Please change the following line in
violations.ignore.d/logcheck-postfix:
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]: [[:upper:]0-9]+: to=<[^[:space:]]+>, relay=[._[:alnum:]-]+\[[0-9.]{7,15}\], delay=[0-9]+, status=(deferred|bounced) \(host [._[:alnum:]-]+\[[0-9.]{7,15}\] said: [45][0-9][0-9] .* \(in
2007 Sep 26
1
Bug#444097: /etc/logcheck/ignore.d.server/ddclient: 2 rules to get you started
Package: logcheck
Version: 1.2.62
Severity: wishlist
Here are two rules for ddclient, a client for dynamic IP services such
as DynDNS or DynIP:
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ddclient\[[[:digit:]]+\]: SUCCESS: updating [._[:alnum:]-]+: good: IP address set to [:[:xdigit:].]+$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ddclient\[[[:digit:]]+\]: WARNING: forcing update of [._[:alnum:]-]+ from
2013 Feb 18
0
Bug#700851: logcheck-database: postfix ignore.d.server now logs on the same line sasl_method, sasl_username AND sasl_sender, rule must be updated
Package: logcheck-database
Severity: normal
postfix has changed log formats, now it includes sasl_sender in log lines.
The rule at ./ignore.d.server/postfix:109
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/smtpd\[[[:digit:]]+\]: [[:alnum:]]+: client=[^[:space:]]+, sasl_method=[-[:alnum:]]+, sasl_username=[-_.@[:alnum:]]+$
must be updated with:
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+
2007 Sep 24
1
Bug#443908: /etc/logcheck/ignore.d.server/bind: [bind] unexpected RCODE (NOTIMP)
Package: logcheck-database
Version: 1.2.61
Severity: wishlist
File: /etc/logcheck/ignore.d.server/bind
After #437891, I got yet another new "unexpected RCODE", this time
"NOTIMP". As I was starting to get pissed off, I copied the whole list
out of lib/dns/result.c, in an attempt to put an end to my headache.
If you insist on using an enumeration instead of ".*",
2010 Dec 29
1
Bug#608256: /etc/logcheck/ignore.d.server/dnsmasq: dnsmasq: interface names are allowed to have a dash (-) please add this to the filter
Package: logcheck-database
Version: 1.2.69
Severity: normal
File: /etc/logcheck/ignore.d.server/dnsmasq
A dnsmasq log about DHCP events has the interface name in it. Interface names are allowed to have a dash (-) in them,
but the logcheck filter does not have the dash in it.
Please add the dash.
-- System Information:
Debian Release: 5.0.7
APT prefers stable
APT policy: (500,
2007 Oct 03
1
Bug#445074: /etc/logcheck/ignore.d.server/ssh: Nasty PTR record
Package: logcheck-database
Version: 1.2.62
Severity: wishlist
File: /etc/logcheck/ignore.d.server/ssh
openssh issues a friendly warning when the remote IP maps back to a
hostname that looks just like an IP address. (For example, the address
206.251.174.31 currently maps back to the hostname "206.251.174.31".)
Here's a rule that filters out these unimportant messages:
^\w{3} [
2004 Aug 31
1
Bug#269318: logcheck: /etc/logcheck/ignore.d.server (add spamassassin)
Package: logcheck
Version: 1.2.26
Severity: wishlist
Please add ignore for SpamAssassin's "check" messages like:
Aug 16 19:27:54 ns spamd[23853]: checking message <20040816150710.86ADA708A8 at smtp-out.hotpop.com> for nobody:65534.
-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.4.26.20040601
Locale: LANG=C, LC_CTYPE=C (ignored: LC_ALL
2004 Oct 13
2
Bug#276317: logcheck-database: Namechange for ISC in /etc/logcheck/ignore.d.server/dhcp
Package: logcheck-database
Version: 1.2.28
Severity: normal
Hi,
the Internet Software Consortium changed its name to Internet Systems Consortium.
For a fix for the logcheck rules see the attachment.
-- System Information:
Debian Release: 3.0
APT prefers testing
APT policy: (600, 'testing'), (100, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Kernel:
2007 Sep 24
3
Bug#443886: /etc/logcheck/ignore.d.server/proftpd: [proftpd] Refused user $USER for service $FOO
Package: logcheck-database
Version: 1.2.61
Severity: wishlist
File: /etc/logcheck/ignore.d.server/proftpd
Two weeks ago, I got a rush of these:
Sep 8 12:37:07 goretex proftpd: PAM-listfile: Refused user news for service proftpd
(Apparently, fail2ban managed to miss those.)
This is triggered by pam_listfile, which is used by proftpd (and other
FTP daemons) to block users listed in