similar to: logcheck vs auditd

Displaying 20 results from an estimated 5000 matches similar to: "logcheck vs auditd"

2009 Jun 02
1
how to disable lots of auditd messages?
Hello all. My system is centos 5.x and there is no module related auditd there is no process(daemon) related auditd and selinux definitely disabled. But I can see lots of auditd messages like below. Oct 20 02:01:01 linux kernel: type=1106 audit(1224435661.064:65210): user pid=25860 uid=0 auid=0 msg='PAM: session close acct="root" : exe="/usr/sbin/crond" (hostname=?,
2011 May 30
0
logcheck rules submission
Hi, please add the following rule to the logcheck database: For package/daemon auditd: ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ auditd\[[[:digit:]]+\]: Audit daemon rotating log files$ Log line as system event: May 31 11:41:11 localhost auditd[2594]: Audit daemon rotating log files Regards Till
2009 Dec 11
1
Auditd fails to start : Connection refused
Greetings: I have an x86_64 Centos5.3 box and I'm trying to run auditd. It fails on startup and this is the O/P at the end: config_manager init complete Error setting audit daemon pid (Connection refused) type=DAEMON_ABORT msg=audit(1260554376.697:5674): auditd error halt, auid=4294967295 pid=32702 res=failed Unable to set audit pid, exiting The audit daemon is exiting. Error setting
2008 Sep 17
2
Bug#499323: logcheck-database: Logcheck fails to ignore certain OpenVPN messages
Package: logcheck-database Version: 1.2.54 Severity: normal Tags: patch Logcheck fails to ignore certain lines generated by OpenVPN; the attached patch fixes several regular expressions: * OpenVPN does not print the full path to ifconfig or route (at least here) * The interface name can also contain dots and does not always start with "tun" * The startup messages now gets suppressed
2004 May 15
1
Re: [Logcheck-commits] CVS logcheck/src
On Sat, 15 May 2004, CVS User ttroxell wrote: > if [ -f /etc/logcheck/header.txt ] ; then > - $CAT /etc/logcheck/header.txt >> $TMPDIR/report > + $CAT /etc/logcheck/header.txt >> $TMPDIR/report \ > + || error "Could not append header to $TMPDIR/report Disk full?" > fi > } > > @@ -152,7 +157,8 @@ > # Add a footer
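Review bot: The added "|| error" branch on the header append reports "Disk full?" for every failure of the redirect, although a missing or unwritable $TMPDIR would fail the same way, so the message can mislead whoever reads the report. Consider a neutral message such as "Could not append header to $TMPDIR/report", and quote the redirect target ("$TMPDIR/report") so a temporary path containing whitespace does not break the append.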
2008 Dec 29
1
cannot run logcheck
Hello, list! I can't run logcheck. This is the first time my system has not let me run something, any way I try. I am a member of the sudo group. I run this sudo -u logcheck logcheck -o -t and get Sorry, user [user] is not allowed to execute '/usr/sbin/logcheck -o -t' as logcheck on [machine]. If I try su -s /bin/bash -c "/usr/sbin/logcheck -o -t" logcheck I get
2008 Aug 31
1
Bug#491694: setting package to logcheck-database logtail logcheck, tagging 491694, tagging 474239, tagging 489172 ...
# Automatically generated email from bts, devscripts version 2.10.35 # via tagpending # # logcheck (1.3) unstable; urgency=low # # * Formalise the dropping of violations.d/logcheck. Please see # /usr/share/doc/logcheck-database/NEWS.Debian.gz for more information # (closes: #471072). # * Add Auto-Submitted header to outgoing mails (closes: #489172). # * ignore.d.server/kernel: # -
2008 Jul 21
1
merging violations.ignore.d/logcheck-* into ignore.d.*/*
Hi guys, now that violations.d/logcheck is empty, violations.ignore.d/logcheck-* are useless and many messages that were previously elevated and filtered there now turn up as system events. Thus, I went ahead and merged violations.ignore.d/logcheck-* into ignore.d.*/* in the viol-merge branch. http://git.debian.org/?p=logcheck/logcheck.git;a=shortlog;h=refs/heads/viol-merge Unless I hear
2006 May 21
2
Bug#368313: logcheck-database: new postfix violations ignore rule
Package: logcheck-database Version: 1.2.39 Severity: wishlist Hi, I'd like to add the following rule to /etc/logcheck/violations.ignore.d/logcheck-postfix : ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd?\[[0-9]+\]: NOQUEUE: reject: RCPT from [._[:alnum:]-]+\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\]: 554 <[._[:alnum:]-]+\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\]>:
2010 Jun 25
1
Installing and running logcheck on CentOS
I've installed logcheck on CentOS from source, as well as liblockfile and lockfile-progs. I've created a logcheck user with /var/lib/logcheck as the home and /sbin/nologin as the shell. logcheck user is in the adm group. I also customised the list of logfiles for CentOS. When I run logcheck, I get the following errors: # sudo -u logcheck logcheck -ot basename: invalid option -- - Try
2006 Feb 06
1
Bug#351669: logcheck: [manual] the sudo(1) is missing from EXAMPLES
Package: logcheck Version: 1.2.35 Severity: minor Current manual reads: EXAMPLES logcheck can be invoked directly thanks to su(8) or sudo(8), which change the user ID: logcheck -o -t Check the logfiles without updating the offset. Print everything to STDOUT I believe this should be formatted as: EXAMPLES logcheck can be invoked directly thanks
2006 Jul 08
2
building the logcheck package from SVN
apt-get install svn-buildpackage cat <<_eof >> ~/.svn-buildpackage.conf svn-lintian svn-linda svn-move _eof mkdir logcheck; cd logcheck svn co svn+ssh://svn.debian.org/svn/logcheck/logcheck/trunk cd trunk svn-buildpackage -k<your key ID> -rfakeroot man svn-buildpackage for more. Nice, huh? -- .''`. martin f. krafft <madduck at debian.org> : :' :
2009 Sep 10
1
Bug#546004: logcheck-database: logcheck kernel "Treason uncloaked" filter doesn't catch ipv6 addresses.
Package: logcheck-database Version: 1.2.69 Severity: normal Tags: patch kernel log lines of the form: ...kernel: [1933150.816604] TCP: Treason uncloaked! Peer 0000:0000:0000:0000:0000:ffff:d04e:3f6b:4038/80 shrinks window 2491430013:2491430014. Repaired. are not caught by the current rules. -- System Information: Debian Release: squeeze/sid APT prefers testing APT policy: (500,
2009 Feb 11
1
where to submit new logcheck rules?
Hi, I've got a few logcheck ignore.d rules that I'd like to submit, one example is sqlgrey. /usr/share/doc/logcheck/README.maintainer talks about shipping the rules inside the package itself, so I could file a request with sqlgrey. However, that doesn't work because of course I don't have all the packages I use on my network installed on my loghost. In fact, I believe that
2012 Mar 02
1
Bug#661912: logcheck: files with period in ignore rule dirs ignored
Package: logcheck Version: 1.3.14 Severity: normal I added a local.rules file to ignore.d.server and then ran logcheck. The file was not used during the run. Renaming it to local-rules got the file used during the next run. Fix: periods should be allowed in filenames, or the fact that they are forbidden expressly documented in the logcheck README. Thanks Nils -- System Information: Debian
2004 Aug 31
1
Bug#269318: logcheck: /etc/logcheck/ignore.d.server (add spamassassin)
Package: logcheck Version: 1.2.26 Severity: wishlist Please add ignore for SpamAssassin's "check" messages like: Aug 16 19:27:54 ns spamd[23853]: checking message <20040816150710.86ADA708A8 at smtp-out.hotpop.com> for nobody:65534. -- System Information: Debian Release: 3.1 Architecture: i386 (i686) Kernel: Linux 2.4.26.20040601 Locale: LANG=C, LC_CTYPE=C (ignored: LC_ALL
2008 Mar 05
1
Bug#445072: setting package to logcheck-database logtail logcheck, tagging 444097, tagging 445069, tagging 444096 ... ... ... ... ... ... ...
# Automatically generated email from bts, devscripts version 2.10.18.1 # # logcheck (1.2.64) unstable; urgency=low # # * ignore.d.server/bind: # - moved "[bind] query $FOO denied" rule to violations.ignore.d # (closes: #443881). # - added bind's "AXFR ended" rule alongside "AXFR started" # (closes: #445046). # - added "adding an
2004 May 26
5
Bug#251046: logcheck: invalid mktemp -p option
Package: logcheck Version: 1.1.1-13.1woody1 Severity: important logcheck line 56 uses "TMPDIR=$(mktemp -d -p ..." but mktemp from woody doesn't accept -p option Cheers, Chris -- System Information Debian Release: 3.0 Kernel Version: Linux ethlife-a 2.4.26-vs1.27 #4 SMP Mit Apr 28 15:20:15 MEST 2004 i686 unknown Versions of the packages logcheck depends on: ii cron
2007 Sep 14
2
Bug#442244: logcheck-database: should include the filters from cyrus-imapd-2.2
Package: logcheck-database Version: 1.2.54 Severity: normal The included filters for cyrus (/etc/logcheck/ignore.d.server/cyrus) are very minimal. The cyrus-imapd-2.2 has a more extensive ruleset (there's a /etc/logcheck/ignore.d.server/cyrus2_2 file in that package). Please copy over the filters from cyrus-imapd-2.2. I'm running logcheck on a loghost, which doesn't run cyrus
2008 Jun 24
1
Bug#446310: setting package to logcheck-database logtail logcheck, tagging 452879, tagging 450660, tagging 450697 ...
# Automatically generated email from bts, devscripts version 2.10.30 # via tagpending # # logcheck (1.2.65) unstable; urgency=low # # * ignore.d.server/courier: # - update rules to include port information; thanks to Antoine Pardignon # (closes: #446310). # - ignore couriertcpd messages; thanks to Andrew Gallagher # (closes: #451118). # * ignore.d.server/smbd_audit: # -