On Sun, 10 Jul 2005, Rainer Zocholl wrote:

> Hello
>
> i changed the rules but logcheck seems to ignore them
>
> One example:
>
> REPORTLEVEL="server"
>
> logcheck sends mails containing:
>
> Security Events
> =-=-=-=-=-=-=-=
> Jul 10 09:11:53 machine ipop3ds[10304]: AUTHENTICATE CRAM-MD5 failure
> host=p548D1585.dip0.t-ipconnect.de [84.141.21.133]
> Jul 9 14:09:56 machine ipop3ds[4934]: AUTHENTICATE CRAM-MD5 failure
> host=p548D1585.dip0.t-ipconnect.de [84.141.21.133]
>
>
> i don't want to see those messages (currently)
>
> So i added a new rule to ipopd-ssl
>
> [20:22:44]machine:/etc/logcheck/ignore.d.server# grep AUTH *
> ipopd-ssl:ipop3ds\[.*\]: AUTHENTICATE CRAM-MD5 failure
> host=p.*.dip0.t-ipconnect.de \[84\.141\..*\]
> logcheck.dpkg-old:authsrv.*AUTHENTICATE
>
> (BTW: Wouldn't it be better to add an entire new file?)

yes, add your local-packagename file.

> If i test the rule file with that:
>
> /etc/logcheck/ignore.d.server# egrep -f ipopd-ssl /var/log/syslog
>
> i get exactly the lines i don't want to see in logcheck output,
> so i assume that rule is OK.
>
> As there is the "magical" word "failure" i have to add that rule to
> violations.ignore too, or?
>
> [20:23:22]machine:/etc/logcheck/violations.ignore.d# grep AUTH *
> logcheck-ipop3:ipop3ds\[.*\]: AUTHENTICATE CRAM-MD5 failure
> host=p.*\.dip0\.t-ipconnect\.de \[84\.141\..*\]
>
>
> /etc/logcheck/violations.ignore.d# egrep -f logcheck-ipop3 /var/log/syslog
> gives
> Jul 9 11:31:21 machine ipop3ds[29588]: AUTHENTICATE CRAM-MD5 failure
> host=p548D1585.dip0.t-ipconnect.de [84.141.21.133]
>
>
> So i assume the rules are right, or?

i wouldn't recommend the above rules for upstream inclusion,
but they look right.

> But why are they ignored by logcheck?

did you check the permissions of the file you added/changed?

ls -l /etc/logcheck/ignore.d.server/ssh
-rw-r----- 1 root logcheck 1165 2005-04-03 01:00 /etc/logcheck/ignore.d.server/ssh

maybe your umask is too restrictive and the above file can't be read by logcheck?
please post the output of

ls -l /etc/logcheck/violations.ignore.d/logcheck-ipop3

> I meanwhile have the feeling that logcheck is using entirely
> other rule files than i edit (box rootkitted?)
> Is there a way to debug logcheck?
> "-d" seems to give only hints to program flow but
> seems to be only a "one shot" so i can't debug the rules effectively.

would be cool to see if the above rule is mentioned in the debug hints.
did you check?

> Isn't there somewhere a tool (bayes?) where i can feed the
> "unwanted" lines to which in future are ignored by logcheck?
> (Like "tiger" does which only reports changes/new lines)
> Currently the "optimization" of the rule set took several weeks(!)
> as i have to wait hours to verify the most trivial change.

why? just invoke it from the commandline.

if you have sudo installed:

sudo -u logcheck logcheck [options]

for example:

sudo -u logcheck logcheck -t -o -d

else, if you don't have sudo installed:

su -s /bin/bash -c "/usr/sbin/logcheck [options]" logcheck

> What's the intended way to debug rule sets?
>
> Why can't the "egrep" trick be used to verify the rules?
> (What is logcheck adding to the rules to make them fail?)
>
> How can i verify which rules files logcheck really uses?

run debug.

> Where are the used rules (files and their contents) logged?

not atm.

> How can i run "logcheck" repeatedly to debug?

see above.
i will add some examples to the current manpage.

--
maks
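As an added example (not part of this thread, and not logcheck's own code), the following POSIX shell script reproduces the two checks discussed above offline: it runs the thread's violations.ignore.d rule, and the ignore.d.server variant whose dots are not escaped, through grep -E -f (the "egrep -f" trick) against constructed sample log lines, and it applies the "can the logcheck user read this file" test from the ls -l output to a mode string. The sample syslog lines, the temporary directory and the made-up hostname pa-dip0-t-ipconnect-de are constructed for the example; only the first two log lines and the two rules are copied from the thread.

```sh
#!/bin/sh
# Added example, not from the thread: offline testing of logcheck ignore rules
# with grep -E -f (egrep -f) and the "can logcheck read the file" permission
# check from the reply. Every file lives in a temporary directory.
set -e

WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT

# Constructed sample syslog lines. The first two copy the thread's report; the
# third and fourth are made up to show what the rules must NOT match.
cat > "$WORKDIR/syslog.sample" <<'EOF'
Jul 10 09:11:53 machine ipop3ds[10304]: AUTHENTICATE CRAM-MD5 failure host=p548D1585.dip0.t-ipconnect.de [84.141.21.133]
Jul  9 14:09:56 machine ipop3ds[4934]: AUTHENTICATE CRAM-MD5 failure host=p548D1585.dip0.t-ipconnect.de [84.141.21.133]
Jul  9 14:10:02 machine ipop3ds[4935]: AUTHENTICATE CRAM-MD5 failure host=pa-dip0-t-ipconnect-de [84.141.0.1]
Jul  9 14:11:00 machine sshd[4000]: Accepted publickey for alice from 192.0.2.10 port 50000 ssh2
EOF

# The rule from violations.ignore.d/logcheck-ipop3 in the thread (dots escaped).
cat > "$WORKDIR/logcheck-ipop3" <<'EOF'
ipop3ds\[.*\]: AUTHENTICATE CRAM-MD5 failure host=p.*\.dip0\.t-ipconnect\.de \[84\.141\..*\]
EOF

# The rule from ignore.d.server/ipopd-ssl in the thread (dots NOT escaped, so
# each "." matches any single character, and the rule is broader than intended).
cat > "$WORKDIR/ipopd-ssl" <<'EOF'
ipop3ds\[.*\]: AUTHENTICATE CRAM-MD5 failure host=p.*.dip0.t-ipconnect.de \[84\.141\..*\]
EOF

# Number of lines in log file $2 that rule file $1 would suppress. This is the
# "egrep -f rulefile /var/log/syslog" test from the thread, as a count.
count_ignored() {
    grep -E -c -f "$1" "$2" || true
}

# Given the mode, owner and group columns of "ls -l", decide whether a process
# running as user logcheck (group logcheck) can read the file. Characters
# 2, 5 and 8 of the mode string are the owner, group and other read bits.
mode_readable_by_logcheck() {
    mode=$1 owner=$2 group=$3
    owner_r=$(printf '%s' "$mode" | cut -c2)
    group_r=$(printf '%s' "$mode" | cut -c5)
    other_r=$(printf '%s' "$mode" | cut -c8)
    [ "$other_r" = r ] && return 0
    [ "$owner" = logcheck ] && [ "$owner_r" = r ] && return 0
    [ "$group" = logcheck ] && [ "$group_r" = r ] && return 0
    return 1
}

# The same check on a real file, parsing the first four columns of "ls -l".
check_rule_file() {
    set -- $(ls -l "$1")
    mode_readable_by_logcheck "$1" "$3" "$4"
}

for rules in logcheck-ipop3 ipopd-ssl; do
    printf '%s suppresses %s of %s sample lines\n' "$rules" \
        "$(count_ignored "$WORKDIR/$rules" "$WORKDIR/syslog.sample")" \
        "$(grep -c '' "$WORKDIR/syslog.sample")"
done

# The mode maks pasted for ignore.d.server/ssh, and the one a umask of 077 gives.
for spec in '-rw-r----- root logcheck' '-rw------- root logcheck'; do
    if mode_readable_by_logcheck $spec; then
        echo "$spec: readable by logcheck"
    else
        echo "$spec: NOT readable by logcheck (chgrp logcheck; chmod 640)"
    fi
done
```

Running it prints that the escaped rule suppresses 2 of 4 sample lines while the unescaped one suppresses 3 of 4: the unescaped dots also swallow the made-up host line, which is why escaping the dots before putting such a rule into an ignore.d file is worth the extra backslashes. A rule that does match with grep -E -f but still shows up in reports is then most likely a file logcheck cannot read, which the mode check makes visible without waiting for the next cron run.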