similar to: Bug#566107: logcheck-database: with violations.d/logcheck empty most rules in violations.ignore.d look useless

Package: logcheck Version: 1.3.5 Severity: minor Hi, reading logcheck source it seems that it requires nail for MAILATTACH to work, however it is not suggested/recommended. (JFTR it is debatable if nail is appropriate or something else should be used) thanks, filippo -- System Information: Debian Release: squeeze/sid APT prefers unstable APT policy: (990, 'unstable'), (500,

Package: logcheck-database Severity: wishlist Hi! if autossh debug is enabled it logs to syslog, thus the messages go thru logcheck, messages are in this form May 19 14:02:55 sagara autossh[1909]: port set to 0, monitoring disabled so this is the ignore line ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ autossh\[[0-9]+\]: .*$ thanks, filippo -------------- next part -------------- A non-text attachment

Package: logcheck-database Severity: wishlist Hi, the following two lines should be added either to ignore.d.server/dhcp or ignore.d.server/udhcp to ignore messages from udhcpd (other lines may be necessary) # udhcpd support ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ udhcpd\[[0-9]+\]: sending OFFER of [.0-9]+ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ udhcpd\[[0-9]+\]: sending ACK to [.0-9]+ filippo

Package: logcheck Version: 1.3.3 Severity: normal Tags: patch User: ubuntu-devel at lists.ubuntu.com Usertags: origin-ubuntu karmic ubuntu-patch As reported in https://launchpad.net/bugs/307847: recent dhclient includes the ip address it is releasing and renewing. ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhclient(-2.2.x)?: DHCP(NAK|ACK|OFFER) from [.0-9]{7,15}$ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+

Package: logcheck-database Version: 1.2.69 Severity: wishlist Hello, when newgrp (part of the package login) is used, I see messages like this in my syslog: Aug 27 23:36:16 debian64 newgrp[1975]: user `root' (login `root' on tty1) switched to group `backup' Aug 27 19:28:15 srv1 newgrp[10082]: user `root' (login `mazur' on pts/1) switched to group `backup' Aug 27

Package: logcheck Severity: wishlist I'm attaching rules suggestions for dhcpcd as a git patch, and also a sample from my logs. Please review the patch (I can fix any issues with it) and include in logcheck if you like it. -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: 0001-Added-rules-for-dhcpcd.patch URL:

Package: logcheck-database Version: 1.2.63 Severity: normal Given that violations.d/logcheck has been emptied by 2394562ab4a13c4510c671f01ffc8f35e97f1cd3, shouldn't most of violations.ignore.d be moved to one of ignore.d.*? AIUI, all of these are currently rendered useless. (I'll gladly lend a hand; I just want to make sure this is the right thing to do.) -- System Information: Debian

Package: logcheck-database Version: 1.2.69 Severity: normal Tags: patch Hi, I think that this rule: ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su\[[0-9]+\]: (\+|-) (pts/[0-9]{1,2}|tty[0-9]) [_[:alnum:]-]+:[_[:alnum:]-]+$ is supposed to filter out lines like: Oct 17 14:49:24 myhost su[13469]: + /dev/pts/1 user1:root It is not working because the pattern dos not include the "/dev/" part and

Package: logcheck-database Version: 1.2.62 Severity: normal File: /etc/logcheck/violations.ignore.d/logcheck-ssh Somewhere between etch and now, ssh stopped reporting failed passwords as "error: PAM: Authentication failure for foo", and switched to "Failed password for foo", similar to what it already did for unknown users, but without the "invalid user" part.

Hi guys, now that violations.d/logcheck is empty, violations.ignore.d/logcheck-* are useless and many messages that were previously elevated and filtered there now turn up as system events. Thus, I went ahead and merged violations.ignore.d/logcheck-* into ignore.d.*/* in the viol-merge branch. http://git.debian.org/?p=logcheck/logcheck.git;a=shortlog;h=refs/heads/viol-merge Unless I hear

Package: logcheck-database Version: 1.2.39 Severity: wishlist Hi, I'd like to add the following rule to /etc/logcheck/violations.ignore.d/logcheck-postfix : ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd?\[[0-9]+\]: NOQUEUE: reject: RCPT from [._[:alnum:]-]+\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\]: 554 <[._[:alnum:]-]+\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\]>:

Package: logcheck Version: 1.2.32 Severity: normal It seems when someone runs a sudo command on my system, logcheck misses it. The second line of /etc/logcheck/violations.d/sudo matches them, but the /etc/logcheck/violations.ignore.d/logcheck-sudo kills them. Furthermore, when users run commands like '$ sudo rm *' in a directory with lots of files, we reports with lines like: Jan 13

[please CC me on replies, I'm not subscribed] Hi, I'm trying to get dmraid 1.0.0rc9 [0] to compile with --enable-klibc, however I have some troubles with mkfifo defined in /usr/lib/klibc/include/sys/stat.h. /usr/lib/klibc/include/sys/stat.h: In function 'mkfifo': /usr/lib/klibc/include/sys/stat.h:28: error: 'S_IFMT' undeclared (first use in this function) after

Package: logcheck-database Version: 1.2.26 Severity: normal Hi, the file courier contains the line: ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pop3d-ssl: Unexpected SSL connection shutdown\.$ This triggers the security logcheck section because of the word "shutdown". Quick fix is to move or duplicate this line to violations.ignore.d/logcheck-courier. BTW: It looks like the courier package

<nitpickyness> To avoid possible confusion, shouldn't this be named logcheck-pureftpd, or logcheck-pure-ftpd (instead of logcheck-pureftp)? Or is there a reason (that I've missed) it's this way? </nitpickyness> -j -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: This

Processing commands for control at bugs.debian.org: > # Commit 037fed5fc268088bad1f17c885d9153ee800ec40 > tag 444470 pending Bug#444470: /etc/logcheck/violations.ignore.d/logcheck-ssh: Updated "authentication failure" rule There were no tags set. Tags added: pending > thanks Stopping processing here. Please contact me if you need assistance. Debian bug tracking system

In article <20080120021013.GA2871__36835.8155632906$1200797204$gmane$org at nexus.elho.net> you wrote: > Looking at those two lines, they could just be different versions of > the same thing, here are the commented differences: Take my word: you'll live longer if you don't try to make sense of ssh log messages. (I *swear* I once got different messages by doing the same thing

# Automatically generated email from bts, devscripts version 2.10.35 # via tagpending # # logcheck (1.3) unstable; urgency=low # # * Formalise the dropping of violations.d/logcheck. Please see # /usr/share/doc/logcheck-database/NEWS.Debian.gz for more information # (closes: #471072). # * Add Auto-Submitted header to outgoing mails (closes: #489172). # * ignore.d.server/kernel: # -

# Automatically generated email from bts, devscripts version 2.10.30 # via tagpending # # logcheck (1.2.65) unstable; urgency=low # # * ignore.d.server/courier: # - update rules to include port information; thanks to Antoine Pardignon # (closes: #446310). # - ignore couriertcpd messages; thanks to Andrew Gallagher # (closes: #451118). # * ignore.d.server/smbd_audit: # -

# Automatically generated email from bts, devscripts version 2.10.18.1 # # logcheck (1.2.64) unstable; urgency=low # # * ignore.d.server/bind: # - moved "[bind] query $FOO denied" rule to violations.ignore.d # (closes: #443881). # - added bind's "AXFR ended" rule alongside "AXFR started" # (closes: #445046). # - added "adding an