similar to: Bug#590559: updated rules for webmin

Package: logcheck Version: 1.2.69 The current ruleset "kernel" provided with this logcheck package don't match entries where the kernel timeline has leading spaces, like: [ 42.302707] For example, the following entry: Feb 4 17:05:24 hostname kernel: [ 144.591487] tun: Universal TUN/TAP device driver, 1.6 didn't matched the re: ^\w{3} [ :0-9]{11} [._[:alnum:]-]+

Package: logcheck Version: 1.2.69 Severity: normal In the file /etc/logcheck/ignore.d.server/wu-ftpd ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ wu-ftpd: PAM-listfile: Refused user [._[:alnum:]-]+ for service wu-ftpd$ should be ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ wu-ftpd\[[0-9]{4}\]: PAM-listfile: Refused user [._[:alnum:]-]+ for service wu-ftpd$ There is a number after "wu-ftpd" -- System

Package: logcheck-database Version: 1.2.69 Severity: wishlist Please add the rule ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/bounce\[[[:digit:]]+\]: [:alnum:]+: sender delay notification: [:alnum:]+$ -- System Information: Debian Release: 5.0.5 APT prefers stable APT policy: (700, 'stable'), (650, 'testing') Architecture: i386 (i686) Kernel: Linux 2.6.26-2-686 (SMP

Package: logcheck-database Severity: wishlist Tags: patch Hi, some rules for ntpd as i couldn't find any: ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ntpd\[[0-9]+\]: time reset [+-]*[0-9]{1,2}\.[0-9]{6} s$ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ntpd\[[0-9]+\]: synchronisation lost$ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ntpd\[[0-9]+\]: no servers reachable$ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+

Package: logcheck Version: 1.3.3 Severity: normal Tags: patch User: ubuntu-devel at lists.ubuntu.com Usertags: origin-ubuntu karmic ubuntu-patch As reported in https://launchpad.net/bugs/307847: recent dhclient includes the ip address it is releasing and renewing. ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhclient(-2.2.x)?: DHCP(NAK|ACK|OFFER) from [.0-9]{7,15}$ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+

Subject: logcheck-database: Tweak to ssh rules to ignore AllowGroups denial Package: logcheck-database Version: 1.3.13 Severity: minor *** Please type your report below this line *** Similar to how AllowUsers denials are ignored, also ignore AllowGroups: ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: User [-_.[:alnum:]]+ from [-_.[:alnum:]]+ not allowed because none of

Package: logcheck-database Version: 1.2.69 Severity: normal Tags: patch kernel log lines of the form: ...kernel: [1933150.816604] TCP: Treason uncloaked! Peer 0000:0000:0000:0000:0000:ffff:d04e:3f6b:4038/80 shrinks window 2491430013:2491430014. Repaired. are not caught by the current rules. -- System Information: Debian Release: squeeze/sid APT prefers testing APT policy: (500,

Package: logcheck-database Version: 1.3.8 Severity: normal After double checking that I had the most up to date logcheck-database :-) I am seeing these lines reported. May 17 15:29:33 localhost named[1765]: error (network unreachable) resolving 'software.majix.org/A/IN': 2001:503:ba3e::2:30#53 I believe that this line was intended to match it. ^\w{3} [ :[:digit:]]{11}

Package: logcheck-database Version: 1.2.69 Severity: normal File: /etc/logcheck/ignore.d.server/dnsmasq A dnsmasq log about DHCP events has the interface name in it. Interface names are allowed to have a dash (-) in them, but the logcheck filter does not have the dash in it. Please add the dash. -- System Information: Debian Release: 5.0.7 APT prefers stable APT policy: (500,

Package: logcheck-database Version: 1.2.69 Severity: wishlist Hello, when newgrp (part of the package login) is used, I see messages like this in my syslog: Aug 27 23:36:16 debian64 newgrp[1975]: user `root' (login `root' on tty1) switched to group `backup' Aug 27 19:28:15 srv1 newgrp[10082]: user `root' (login `mazur' on pts/1) switched to group `backup' Aug 27

Package: logcheck Version: 1.2.69 Severity: normal Tags: patch Logcheck's reports contains many messages like: Feb 7 19:03:57 srv dhcpd: DHCPREQUEST for 172.21.0.126 from 00:19:7e:9f:cc:32 (Hostname Unsuitable for Printing) via eth0 Feb 7 19:03:57 srv dhcpd: DHCPACK on 172.21.0.126 to 00:19:7e:9f:cc:32 (Hostname Unsuitable for Printing) via eth0 I create file

Package: logcheck-database Version: 1.2.69 Severity: normal Tags: patch Hi, I think that this rule: ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su\[[0-9]+\]: (\+|-) (pts/[0-9]{1,2}|tty[0-9]) [_[:alnum:]-]+:[_[:alnum:]-]+$ is supposed to filter out lines like: Oct 17 14:49:24 myhost su[13469]: + /dev/pts/1 user1:root It is not working because the pattern dos not include the "/dev/" part and

Package: logcheck Version: 1.2.69 The inetutils-syslogd (2:1.5.dfsg.1-9) package provides a system logging daemon. syslogd periodically logs the following message: Dec 17 00:29:11 host syslogd (GNU inetutils 1.5): restart The following logcheck rulefile works to filter the messages from the "System Events" email: # cat inetutils-syslogd ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ syslogd

Package: logcheck-database Version: 1.2.69 Severity: normal Tags: patch The syslog messages for acpid when a window client connects or disconnect all have a trailing single space at each line. Therefore the existing two patterns in /etc/logcheck/ignore.d.server/acpid fail to filter out the events. Furthermore, the disconnect message includes a PID-numbered client, which is not present in the

Package: logcheck Severity: wishlist I'm attaching rules suggestions for dhcpcd as a git patch, and also a sample from my logs. Please review the patch (I can fix any issues with it) and include in logcheck if you like it. -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: 0001-Added-rules-for-dhcpcd.patch URL:

Package: logcheck-database Version: 1.3.13 Severity: normal Tags: patch mavisd-new uses SPAMMY since 2.4.1: http://www.mail-archive.com/amavis-user at lists.sourceforge.net/msg05055.html patch attached. -- System Information: Debian Release: 6.0.1 APT prefers stable-updates APT policy: (500, 'stable-updates'), (500, 'stable') Architecture: amd64 (x86_64) Kernel: Linux

Package: logcheck Version: 1.3.13 Severity: minor Tags: patch In Lenny it was possible to use wildcards in logcheck.logfiles. For example, I used: /var/log/HOSTS/*/*.log root at durer:~# su -s /bin/bash -c "bash -x /usr/sbin/logcheck" logcheck <cut> + read file + logoutput '/var/log/HOSTS/*/*.log' + file='/var/log/HOSTS/*/*.log' + debug 'logoutput called

Package: logcheck Version: 1.3.5 Severity: minor Hi, reading logcheck source it seems that it requires nail for MAILATTACH to work, however it is not suggested/recommended. (JFTR it is debatable if nail is appropriate or something else should be used) thanks, filippo -- System Information: Debian Release: squeeze/sid APT prefers unstable APT policy: (990, 'unstable'), (500,

Package: logcheck-database Version: 1.3.5 Severity: normal Hi, I was having a look at logcheck and why I received a "verification failed: Temporary failure in name resolution" as a _system_ message. Turns out that since violations.d/logcheck is empty now, most of the rules in violations.ignore.d look quite useless, can you confirm? I suspect that a big part of those rules should be

Package: logcheck-database Version: 1.2.68 Severity: minor openssh-server version 1:5.1p1-2 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: reverse mapping checking getaddrinfo for [._[:alnum:]-]+ failed - POSSIBLE BREAK-?IN ATTEMPT!$ should look like ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: reverse mapping checking getaddrinfo for [._[:alnum:]-]+ \[[.[:alnum:]:]+\] failed -