
Re: logcheck struggle



On Thu, Sep 30, 2004 at 10:42:38AM +0200, Pim Bliek wrote:
 
> On Thu, 30 Sep 2004 11:32:04 +1200, Richard Hector
> <richard@walnut.gen.nz> wrote:
> > On Wed, Sep 29, 2004 at 11:35:57PM +0200, Pim Bliek wrote:
> > > Hi All,
> > >
> > > I am no regular expression guru, and I am having severe difficulties
> > > adjusting logcheck to my needs (on a Sid system).
> > >
> > > I get the following stuff mailed by logcheck from my syslog which I
> > > don't want to see:
> > > Sep 29 23:02:02 srv1 postfix/smtpd[29293]: _sasl_plugin_load failed on
> > > sasl_auxprop_plug_init for plugin: sql
> > > Sep 29 23:02:02 srv1 postfix/smtpd[29293]: sql_select option missing
> > > Sep 29 23:02:02 srv1 postfix/smtpd[29293]: auxpropfunc error no
> > > mechanism available
> > >
> > > I created the following rules at the bottom of the postfix file in
> > > /etc/ignore.d.server/:
> > > ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/lmtp\[[0-9]+\]:
> > > _sasl_plugin_load failed on sasl_auxprop_plug_init for plugin: sql$
> > > ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/lmtp\[[0-9]+\]: sql_select
> > > option missing$
> > > ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/lmtp\[[0-9]+\]: auxpropfunc
> > > error no mechanism available$
> > >
> > > I got the ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/lmtp\[[0-9]+\]:
> > > part from other lines in the same file.
> > 
> > You're looking for lmtp instead of smtpd - are there other lines you
> > could work from instead?
> > 
> > Also, you may find that the first and last lines will come through
> > anyway in the "Possible Security Violations" section, because they
> > contain evil words like "fail" and "error" - you'll need to edit other
> > files to stop those, but do it carefully - it's easy to just ignore
> > everything by mistake.
>
> It was too late yesterday LOL. Of course it was smtpd ;). Also, I was
> not aware of the extra rules in /etc/logcheck/violations.d! Stupid,
> but I did not think of it. I commented out "failed" there and now it
> doesn't show anymore! Now let's hope there are no other serious things
> with "failed" :).

That's what I meant by "it's easy to just ignore everything by mistake".

Better would be to put the "failed" line back in violations.d, and put
the whole line you've now fixed in violations.ignore.d so that it only
ignores "failed" in that particular case.

You also want to check whether a comment is a valid concept in these
files - I don't think it is. What you're now (probably) asking it to do
is warn you about any line containing "# failed", which admittedly is
unlikely to occur, but it's better to know what you're getting.

> But I had logcheck running for months now and didn't
> get any other, so I guess I should be fine.

But the idea of logcheck is to tell you about the unusual stuff -
otherwise you might as well get rid of it.

Richard
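The advice above (keep "failed" in violations.d, mute only the exact postfix line via violations.ignore.d, and beware that a "#" line is a pattern rather than a comment to egrep -f) can be checked with a small simulation. This is an added example, not logcheck's own code or anything from the thread: it assumes GNU grep (logcheck's rule files are fed to egrep -f in roughly this way; the real script does more), uses the three postfix lines from the thread with the corrected smtpd pattern, and adds one constructed sshd-style line that also contains "failed".

```shell
# Simplified stand-in for logcheck's matching: assumption, not the real script.
# Requires GNU grep (for \w in -E patterns, as on a Debian system).
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample log: the three postfix lines from the thread plus one
# unrelated, constructed sshd-style line that also contains "failed".
cat > "$WORK/syslog" <<'EOF'
Sep 29 23:02:02 srv1 postfix/smtpd[29293]: _sasl_plugin_load failed on sasl_auxprop_plug_init for plugin: sql
Sep 29 23:02:02 srv1 postfix/smtpd[29293]: sql_select option missing
Sep 29 23:02:02 srv1 postfix/smtpd[29293]: auxpropfunc error no mechanism available
Sep 29 23:05:10 srv1 sshd[1234]: authentication failed for user bob
EOF

# violations.d: the "failed" keyword stays in place.
echo 'failed' > "$WORK/violations.d"

# violations.ignore.d: the whole postfix line, so only that case is muted.
cat > "$WORK/violations.ignore.d" <<'EOF'
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: _sasl_plugin_load failed on sasl_auxprop_plug_init for plugin: sql$
EOF

# ignore.d.server: the three rules from the thread, with smtpd instead of lmtp.
cat > "$WORK/ignore.d" <<'EOF'
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: _sasl_plugin_load failed on sasl_auxprop_plug_init for plugin: sql$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: sql_select option missing$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: auxpropfunc error no mechanism available$
EOF

# "Possible Security Violations": keyword hits minus violations.ignore.d.
security_violations() {
    grep -E -f "$WORK/violations.d" "$WORK/syslog" \
        | { grep -v -E -f "$WORK/violations.ignore.d" || true; }
}

# "System Events": every line not covered by ignore.d.
system_events() {
    grep -v -E -f "$WORK/ignore.d" "$WORK/syslog" || true
}

# To egrep -f, "# failed" is not a comment but a pattern that only matches
# text containing "# failed"; count how many log lines it flags (none here).
commented_out_hits() {
    echo '# failed' > "$WORK/violations.commented"
    grep -c -E -f "$WORK/violations.commented" "$WORK/syslog" || true
}
```

Only the sshd line is reported in both sections, while the postfix "failed" line is silenced by the exact-match rule alone; the commented-out keyword flags nothing at all, which is the "ignore everything by mistake" failure mode.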


