similar to: Bug#590679: [logcheck-database] rules for ntpd

Package: logcheck-database Severity: wishlist Tags: patch Hi, ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ kernel: imklog 3\.18\.6, log source = /proc/kmsg started\.$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ rsyslogd: \[origin software="rsyslogd" swVersion="3.18.6" x-pid="[[:digit:]]+" x-info="http://www.rsyslog.com"\] restart$ Hendrik -- Hendrik Jaeger

Package: logcheck-database Severity: wishlist Tags: patch Hi, check_radius output filter: ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ check_radius: rc_avpair_gen: received VSA attribute with unknown Vendor-Id [[:digit:]]+$ Hendrik -- Hendrik Jaeger Linux Systemadministrator Init Seven AG Elias-Canetti-Strasse 7 CH-8050 Z?rich phone: +41 44 315 44 00 fax: +41 44 315 44 01 http://www.init7.net/

Package: logcheck Version: 1.3.3 Severity: normal Tags: patch User: ubuntu-devel at lists.ubuntu.com Usertags: origin-ubuntu karmic ubuntu-patch As reported in https://launchpad.net/bugs/307847: recent dhclient includes the ip address it is releasing and renewing. ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhclient(-2.2.x)?: DHCP(NAK|ACK|OFFER) from [.0-9]{7,15}$ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+

Package: logcheck-database Version: 1.2.69 Severity: wishlist (also in version 1.3.10~bpo50+1) Please update the rules for webmin -^\w{3} [ :0-9]{11} [._[:alnum:]-]+ webmin\[[0-9]+\]: Timeout of [[:alnum:]]+$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ webmin\[[0-9]+\]: Timeout of( session for)? [[:alnum:]]+$ (Webmin is version 1.517 from virtualmin.com, if that matters) - Tim

Package: logcheck Version: 1.2.69 The current ruleset "kernel" provided with this logcheck package don't match entries where the kernel timeline has leading spaces, like: [ 42.302707] For example, the following entry: Feb 4 17:05:24 hostname kernel: [ 144.591487] tun: Universal TUN/TAP device driver, 1.6 didn't matched the re: ^\w{3} [ :0-9]{11} [._[:alnum:]-]+

Package: logcheck Version: 1.2.69 Severity: normal In the file /etc/logcheck/ignore.d.server/wu-ftpd ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ wu-ftpd: PAM-listfile: Refused user [._[:alnum:]-]+ for service wu-ftpd$ should be ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ wu-ftpd\[[0-9]{4}\]: PAM-listfile: Refused user [._[:alnum:]-]+ for service wu-ftpd$ There is a number after "wu-ftpd" -- System

Package: logcheck-database Version: 1.2.69 Severity: wishlist Please add the rule ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/bounce\[[[:digit:]]+\]: [:alnum:]+: sender delay notification: [:alnum:]+$ -- System Information: Debian Release: 5.0.5 APT prefers stable APT policy: (700, 'stable'), (650, 'testing') Architecture: i386 (i686) Kernel: Linux 2.6.26-2-686 (SMP

Subject: logcheck-database: Tweak to ssh rules to ignore AllowGroups denial Package: logcheck-database Version: 1.3.13 Severity: minor *** Please type your report below this line *** Similar to how AllowUsers denials are ignored, also ignore AllowGroups: ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: User [-_.[:alnum:]]+ from [-_.[:alnum:]]+ not allowed because none of

Package: logcheck-database Version: 1.3.8 Severity: normal After double checking that I had the most up to date logcheck-database :-) I am seeing these lines reported. May 17 15:29:33 localhost named[1765]: error (network unreachable) resolving 'software.majix.org/A/IN': 2001:503:ba3e::2:30#53 I believe that this line was intended to match it. ^\w{3} [ :[:digit:]]{11}

Package: logcheck-database Version: 1.2.44 Severity: minor Tags: patch Hi, This patch changes one rule for dhcpd. It adds support for log lines of the following format: May 30 19:36:57 server dhcpd: DHCPACK to 10.10.10.10 (aa:bb:cc:dd:ee:ff) via eth1 Regards, Robbert --- /root/dhcp 2006-05-30 21:50:24.000000000 +0200 +++ dhcp 2006-05-30 23:27:06.000000000 +0200 @@ -18,7 +18,7 @@

Package: logcheck-database Version: 1.2.22a Severity: normal Thanks to the upgrade to Postfix 2.1 and deploying a newer logcheck ruleset on a busier server I've found a bunch more rules for Postfix. I've attached new rules files and patches are inline. The following patch is for violations.ignore.d: --- logcheck-postfix.orig 2004-06-21 20:11:14.000000000 +0100 +++ logcheck-postfix

Package: logcheck Version: 1.2.69 Severity: normal Tags: patch Logcheck's reports contains many messages like: Feb 7 19:03:57 srv dhcpd: DHCPREQUEST for 172.21.0.126 from 00:19:7e:9f:cc:32 (Hostname Unsuitable for Printing) via eth0 Feb 7 19:03:57 srv dhcpd: DHCPACK on 172.21.0.126 to 00:19:7e:9f:cc:32 (Hostname Unsuitable for Printing) via eth0 I create file

I have rules like this on my servers: ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ proftpd\[[[:digit:]]+\]: [._[:alnum:]-]+ \([._[:alnum:]-]+\[[[:digit:].]{7,15}\]\) (- )USER [-_.[:alnum:]]+: no such user found from [._[:alnum:]-]+ \[[[:digit:].]{7,15}\]\ to [[:digit:].]{7,15}:21$ basically, I just don't care about logins as nonexistent users, I get so many of those that I don't even

From: Simon Deziel <simon.deziel at gmail.com> Fixes LP: #806537 Signed-off-by: Simon Deziel <simon.deziel at gmail.com> --- rulefiles/linux/ignore.d.server/openvpn | 7 ++++++- 1 files changed, 6 insertions(+), 1 deletions(-) diff --git a/rulefiles/linux/ignore.d.server/openvpn b/rulefiles/linux/ignore.d.server/openvpn index 2b4bfd6..d80f42f 100644 ---

Hi there, I know this is the classic RTFM list question but... I've really tried hard on this and no result! This is what I'm receving from logcheck: System Events =-=-=-=-=-=-= Apr 3 06:55:13 bsg sshd[32246]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=123.233.245.226 user=root Apr 3 06:55:19 bsg sshd[32248]: pam_unix(sshd:auth):

Signed-off-by: Fr?d?ric Bri?re <fbriere at fbriere.net> --- rulefiles/linux/ignore.d.server/openvpn | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/rulefiles/linux/ignore.d.server/openvpn b/rulefiles/linux/ignore.d.server/openvpn index 68ebf8f..c57e3cb 100644 --- a/rulefiles/linux/ignore.d.server/openvpn +++ b/rulefiles/linux/ignore.d.server/openvpn @@ -13,7 +13,7

I see that this openvpn rule has been modified to no longer attach the ":port" part to "[undef]" -- probably to reflect a recent change in openvpn. Unfortunately, the rule no longer matches in etch, thus breaking the backport. Here's a patch to match both versions. Signed-off-by: Fr?d?ric Bri?re <fbriere at fbriere.net> --- rulefiles/linux/ignore.d.server/openvpn

Package: logcheck-database Version: 1.2.40 Severity: normal Tags: patch There are one line that is not properly ignored. I include in the report a better version. -- System Information: Debian Release: 3.1 APT prefers testing APT policy: (400, 'testing'), (300, 'unstable'), (200, 'experimental') Architecture: i386 (i686) Kernel: Linux 2.6.8-2-k7 Locale:

Package: logcheck-database Version: 1.2.23 Severity: minor Hi, a couple of minor corrections to the dhcp rule sets: First of all, the hostname matching parts need to include the "._-" signs (maybe . is not needed but it might be). Then when using failover, log lines of type DHCPDISCOVER and DHCPREQUEST may be entailed by the string ": load balance to peer <somestring>".

package logcheck-database tags 125794 pending tags 191637 pending thanks I've been running the latest version of qpopper from unstable for a few days and I've added the following rules to CVS: ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ in.qpopper\[[0-9]+\]: connect from [._[:alnum:]-]+$ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ in.qpopper\[[0-9]+\]: \(v[.[:digit:]]+\) POP login by user