Re: logcheck struggle

From: Richard Hector (richard_at_walnut.gen.nz)
Date: 10/01/04

    Date: Fri, 1 Oct 2004 12:26:04 +1200
    To: debian-user@lists.debian.org
    
    

    On Thu, Sep 30, 2004 at 10:42:38AM +0200, Pim Bliek wrote:
     
    > On Thu, 30 Sep 2004 11:32:04 +1200, Richard Hector
    > <richard@walnut.gen.nz> wrote:
    > > On Wed, Sep 29, 2004 at 11:35:57PM +0200, Pim Bliek wrote:
    > > > Hi All,
    > > >
    > > > I am no regular expression guru, and I am having severe difficulties
    > > > adjusting logcheck to my needs (on a Sid system).
    > > >
    > > > I get the following stuff mailed by logcheck from my syslog which I
    > > > don't want to see:
    > > > Sep 29 23:02:02 srv1 postfix/smtpd[29293]: _sasl_plugin_load failed on
    > > > sasl_auxprop_plug_init for plugin: sql
    > > > Sep 29 23:02:02 srv1 postfix/smtpd[29293]: sql_select option missing
    > > > Sep 29 23:02:02 srv1 postfix/smtpd[29293]: auxpropfunc error no
    > > > mechanism available
    > > >
    > > > I created the following rules at the bottom of the postfix file in
    > > > /etc/ignore.d.server/:
    > > > ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/lmtp\[[0-9]+\]:
    > > > _sasl_plugin_load failed on sasl_auxprop_plug_init for plugin: sql$
    > > > ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/lmtp\[[0-9]+\]: sql_select
    > > > option missing$
    > > > ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/lmtp\[[0-9]+\]: auxpropfunc
    > > > error no mechanism available$
    > > >
    > > > I got the ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/lmtp\[[0-9]+\]:
    > > > part from other lines in the same file.
    > >
    > > You're looking for lmtp instead of smtpd - are there other lines you
    > > could work from instead?
    > >
    > > Also, you may find that the first and last lines will come through
    > > anyway in the "Possible Security Violations" section, because they
    > > contain evil words like "fail" and "error" - you'll need to edit other
    > > files to stop those, but do it carefully - it's easy to just ignore
    > > everything by mistake.
    >
    > It was too late yesterday LOL. Of course it was smtpd ;). Also, I was
    > not aware of the extra rules in /etc/logcheck/violations.d! Stupid,
    > but I did not think of it. I commented out "failed" there and now it
    > doesn't show anymore! Now let's hope there are no other serious things
    > with "failed" :).

    That's what I meant by "it's easy to just ignore everything by mistake".

    Better would be to put the "failed" line back in violations.d, and put
    the whole line you've now fixed in violations.ignore.d so that it only
    ignores "failed" in that particular case.

    You also want to check whether a comment is a valid concept in these
    files - I don't think it is. You're now (probably) asking it to
    warn you about any line containing "# failed", which admittedly is
    unlikely to occur, but it's better to know what you're getting.

    > But I had logcheck running for months now and didn't
    > get any other, so I guess I should be fine.

    But the idea of logcheck is to tell you about the unusual stuff -
    otherwise you might as well get rid of it.

    Richard
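
The layering discussed in this thread, as an added example that is not part of the original messages and is not logcheck's own code: it compares removing the "failed" keyword with keeping it and ignoring one exact line, and shows why the rule written for lmtp never matched. Assumptions: a simplified model of the violations layer built on `grep -E`; the keyword lists, the `exampled` log line and the function names are constructed for illustration.

```shell
#!/bin/sh
# Simplified model (an assumption, not logcheck's code): a line is reported
# when it matches a violations pattern and no violations.ignore pattern.

# First line is from the thread (re-joined); the second is constructed.
sample_log() {
cat <<'EOF'
Sep 29 23:02:02 srv1 postfix/smtpd[29293]: _sasl_plugin_load failed on sasl_auxprop_plug_init for plugin: sql
Sep 29 23:05:10 srv1 exampled[4242]: backup job failed
EOF
}

PREFIX='^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/'
MSG='\[[0-9]+\]: _sasl_plugin_load failed on sasl_auxprop_plug_init for plugin: sql$'
LMTP_RULE="${PREFIX}lmtp${MSG}"     # rule as first posted (wrong daemon name)
SMTPD_RULE="${PREFIX}smtpd${MSG}"   # same rule with the daemon name corrected

# Constructed keyword lists standing in for the violations.d contents.
WITH_FAILED='failed
error'
WITHOUT_FAILED='error'

# report VIOLATION_PATTERNS IGNORE_PATTERNS (each newline-separated)
# Prints the sample log lines that would still be reported.
report() {
    [ -n "$1" ] || return 0          # no violation patterns: nothing reported
    if [ -n "$2" ]; then
        sample_log | grep -E -e "$1" | grep -E -v -e "$2" || true
    else
        sample_log | grep -E -e "$1" || true
    fi
}

# count: number of lines report would print for the same arguments.
count() { report "$1" "$2" | wc -l | tr -d ' '; }

echo "keyword kept, no ignore rule:       $(count "$WITH_FAILED" '') reported"
echo "keyword kept, lmtp ignore rule:     $(count "$WITH_FAILED" "$LMTP_RULE") reported"
echo "keyword removed (over-broad):       $(count "$WITHOUT_FAILED" '') reported"
echo "keyword kept, smtpd ignore rule:    $(count "$WITH_FAILED" "$SMTPD_RULE") reported"
report "$WITH_FAILED" "$SMTPD_RULE"
```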
