similar to: logcheck rules submission

Package: logcheck Version: 1.2.54 Severity: normal In the file ignore.d.paranoid/cron there are the rules ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ CRON\[[0-9]+\]: \(pam_[[:alnum:]]+\) session opened for user [[:alnum:]-]+ by \(uid=[0-9]+\)$ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ CRON\[[0-9]+\]: \(pam_[[:alnum:]]+\) session closed for user [[:alnum:]-]+$ to ignore lines like 10:17:01 at 04-03-2007 tooar

Package: logcheck-database Hey, I created a logcheck ignore file for Snort with stuff I don't particularly want to see every day. The one line with the warning in it is questionable, so leave it in or out at your discretion. Also, my regex skills are not as good as they could be, so there are probably mistakes, or things that could be simplified more. Rules are below: ^\w{3} [

Package: logcheck Version: 1.2.69 Severity: normal In the file /etc/logcheck/ignore.d.server/wu-ftpd ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ wu-ftpd: PAM-listfile: Refused user [._[:alnum:]-]+ for service wu-ftpd$ should be ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ wu-ftpd\[[0-9]{4}\]: PAM-listfile: Refused user [._[:alnum:]-]+ for service wu-ftpd$ There is a number after "wu-ftpd" -- System

Package: logcheck-database Severity: wishlist Tags: patch Hi, some rules for ntpd as i couldn't find any: ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ntpd\[[0-9]+\]: time reset [+-]*[0-9]{1,2}\.[0-9]{6} s$ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ntpd\[[0-9]+\]: synchronisation lost$ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ntpd\[[0-9]+\]: no servers reachable$ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+

Package: logcheck-database Version: 1.2.44 Severity: minor Tags: patch Hi, This patch changes one rule for dhcpd. It adds support for log lines of the following format: May 30 19:36:57 server dhcpd: DHCPACK to 10.10.10.10 (aa:bb:cc:dd:ee:ff) via eth1 Regards, Robbert --- /root/dhcp 2006-05-30 21:50:24.000000000 +0200 +++ dhcp 2006-05-30 23:27:06.000000000 +0200 @@ -18,7 +18,7 @@

Package: logcheck Version: 1.2.62 Severity: wishlist Here are two rules for ddclient, a client for dynamic IP services such as DynDNS or DynIP: ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ddclient\[[[:digit:]]+\]: SUCCESS: updating [._[:alnum:]-]+: good: IP address set to [:[:xdigit:].]+$ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ddclient\[[[:digit:]]+\]: WARNING: forcing update of [._[:alnum:]-]+ from

Package: logcheck-database Version: 1.2.39 Severity: wishlist Hi, I'd like to add the following rule to /etc/logcheck/violations.ignore.d/logcheck-postfix : ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd?\[[0-9]+\]: NOQUEUE: reject: RCPT from [._[:alnum:]-]+\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\]: 554 <[._[:alnum:]-]+\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\]>:

Package: logcheck-database Version: 1.2.69 Severity: wishlist Please add the rule ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/bounce\[[[:digit:]]+\]: [:alnum:]+: sender delay notification: [:alnum:]+$ -- System Information: Debian Release: 5.0.5 APT prefers stable APT policy: (700, 'stable'), (650, 'testing') Architecture: i386 (i686) Kernel: Linux 2.6.26-2-686 (SMP

Package: logcheck Version: 1.2.69 The current ruleset "kernel" provided with this logcheck package don't match entries where the kernel timeline has leading spaces, like: [ 42.302707] For example, the following entry: Feb 4 17:05:24 hostname kernel: [ 144.591487] tun: Universal TUN/TAP device driver, 1.6 didn't matched the re: ^\w{3} [ :0-9]{11} [._[:alnum:]-]+

Package: logcheck-database Severity: wishlist Tags: patch Hi, ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ kernel: imklog 3\.18\.6, log source = /proc/kmsg started\.$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ rsyslogd: \[origin software="rsyslogd" swVersion="3.18.6" x-pid="[[:digit:]]+" x-info="http://www.rsyslog.com"\] restart$ Hendrik -- Hendrik Jaeger

Package: logcheck-database Version: 1.2.47 Severity: normal Tags: patch Without the following logcheck line in /etc/logcheck/violations.ignore.d, lines such as the following are reported: postfix/smtp[30054]: 824E9A2C1E: to=<nooneisillegal at someplace.net>, relay=0.0.0.0[0.0.0.0], delay=1, status=sent (250 2.6.0 Ok, id=30274-22, from MTA: 250 Ok: queued as 15140A2D0A) This is because

Package: logcheck-database Version: 1.2.52 Severity: Minor Tags: Patch I've got a suggested rule update for the kernel file in the /etc/logcheck/ignore.d.workstation directory. The file already contains this rule: ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: input: Logitech USB Mouse as /class/input/input[[:digit:]]+$ However my system was reporting the following two similar events:

Package: logcheck-database Version: 1.2.69 Severity: normal Tags: patch Hi, I think that this rule: ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su\[[0-9]+\]: (\+|-) (pts/[0-9]{1,2}|tty[0-9]) [_[:alnum:]-]+:[_[:alnum:]-]+$ is supposed to filter out lines like: Oct 17 14:49:24 myhost su[13469]: + /dev/pts/1 user1:root It is not working because the pattern dos not include the "/dev/" part and

Package: logcheck-database Version: 1.2.54 Severity: minor -- System Information: Debian Release: 4.0 APT prefers stable APT policy: (990, 'stable'), (500, 'unstable') Architecture: i386 (i686) Shell: /bin/sh linked to /bin/bash Kernel: Linux 2.6.18.2-dp0 Locale: LANG=de_DE at euro, LC_CTYPE=de_DE at euro (charmap=ISO-8859-15) Versions of packages logcheck-database depends

Package: logcheck-database Severity: normal postfix has changed log formats, now it includes sasl_sender in log lines. The rule at ./ignore.d.server/postfix:109 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/smtpd\[[[:digit:]]+\]: [[:alnum:]]+: client=[^[:space:]]+, sasl_method=[-[:alnum:]]+, sasl_username=[-_.@[:alnum:]]+$ must be updated with: ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+

Package: logcheck-database Version: 1.2.39 Severity: normal I use dhcp3-server and a dhcp client which is Sony HDD video recorder CoCoon. The client not return client host name. In this case, dhcpd server assumed the client host name is (none). Therefor dhcpd output log described below. > Jan 7 10:49:24 on-o dhcpd: DHCPDISCOVER from 08:00:46:33:55:77 ((none)) via eth0 > Jan 7 10:49:25

Package: logcheck-database Version: 1.2.43a Severity: normal Tags: patch Hi, Given the following popa3d log messages: popa3d[15636]: 0 messages (0 bytes) loaded popa3d[15993]: 1 message (3837 bytes) loaded popa3d[15856]: 3 messages (18116 bytes) loaded The current logcheck ruleset does not take into account that sometimes there might be multiple message_S_ to be loaded. The following patch

Package: logcheck Version: 1.3.3 Severity: normal Tags: patch User: ubuntu-devel at lists.ubuntu.com Usertags: origin-ubuntu karmic ubuntu-patch As reported in https://launchpad.net/bugs/307847: recent dhclient includes the ip address it is releasing and renewing. ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhclient(-2.2.x)?: DHCP(NAK|ACK|OFFER) from [.0-9]{7,15}$ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+

Package: logcheck Version: 1.3.13 Severity: minor Tags: patch Hi, Logcheck reports messages of the form: Mar 15 06:25:26 foohost rsyslogd: [origin software="rsyslogd" swVersion="5.7.6" x-pid="3301" x-info="http://www.rsyslog.com"] rsyslogd was HUPed I suggest the following tweak to /etc/logcheck/ignore.d.server/rsyslog: diff -u

Package: logcheck-database Version: 1.2.63 Severity: normal Tags: patch spamassassin is now reporting Unix domain sockets in the rport field. I'm not exactly sure what changed to cause this to happen; it started after an upgrade whose only remotely relevant package was razor. I think the following pattern in ignore.d.server/spamd will work ^\w{3} [ :0-9]{11} [._[:alnum:]-]+