[EMAIL PROTECTED] (maximilian attems) 11.07.05 13:55

Once upon a time "maximilian attems" shaped the electrons to say...

>> I change the rules but logcheck seems to ignore them.
>>
>> One example:
>>
>> REPORTLEVEL="server"
>>
>> logcheck sends mails containing:
>>
>> Security Events
>> =-=-=-=-=-=-=-=
>> Jul 10 09:11:53 machine ipop3ds[10304]: AUTHENTICATE CRAM-MD5 failure host=p548D1585.dip0.t-ipconnect.de [84.141.21.133]
>> Jul 9 14:09:56 machine ipop3ds[4934]: AUTHENTICATE CRAM-MD5 failure host=p548D1585.dip0.t-ipconnect.de [84.141.21.133]
>>
>> I don't want to see those messages (currently).
>>
>> So I added a new rule to ipopd-ssl:
>>
>> [20:22:44]machine:# grep AUTH *
>> ipopd-ssl:ipop3ds\[.*\]: AUTHENTICATE CRAM-MD5 failure host=p.*.dip0.t-ipconnect.de \[84\.141\..*\]
>> logcheck.dpkg-old:authsrv.*AUTHENTICATE
>>
>> But why are they ignored by logcheck?
>
> Did you check the permissions of the file you added/changed?
> ls -l /ssh
> -rw-r----- 1 root logcheck 1165 2005-04-03 01:00 /ssh
> Maybe your umask is too restrictive and the above file can't be read by logcheck? Please post the output of
> ls -l /etc/logcheck/violations.ignore.d/logcheck-ipop3

[19:27:29]machine:/etc/logcheck/violations.ignore.d# ll logcheck-ipop3
-rw------- 1 root logcheck 272 Jul 4 23:12 logcheck-ipop3

Argl... but there are some more like this...

find . -perm 600
./kernel
./logcheck-ipop3

Ok, to make a long story short:

/etc/logcheck# find . -type f -exec chmod 640 {} \;
/etc/logcheck# find . -type f -exec chown root:logcheck {} \;

I hope that fixed all ;-)

drwxr-xr-x 122 root root 8192 Jul 11 09:55 ..
-rw-r----- 1 root logcheck 8257 Feb 27 22:13 README.logcheck-database
-rw-r----- 1 root logcheck 2004 Apr 16 23:27 logcheck.conf
-rw-r----- 1 root logcheck 1929 Jan 24 03:37 logcheck.conf.dpkg-dist
-rw-r----- 1 root logcheck 131 Jan 24 03:37 logcheck.logfiles
drwxr-s--- 2 root logcheck 4096 May 1 01:05 cracking.d
drwxr-xr-x 2 root root 4096 Jan 24 03:37 cracking.ignore.d
drwxr-s--- 2 root logcheck 4096 Jul 10 11:48 ignore.d.paranoid
drwxr-s--- 2 root logcheck 4096 Jul 10 23:31 ignore.d.server
drwxr-s--- 2 root logcheck 4096 Jul 10 11:41 ignore.d.workstation
drwxr-s--- 2 root logcheck 4096 May 1 01:05 violations.d
drwxr-s--- 2 root logcheck 4096 Jul 10 11:48 violations.ignore.d

/etc/logcheck# find . -type f -maxdepth 1 -exec chmod 644 {} \;

>> I meanwhile have the feeling that logcheck is using entirely different rule files than the ones I edit (box rootkitted?).
>> Is there a way to debug logcheck?
>> "-d" seems to give only hints about program flow, but it seems to be only a "one shot", so I can't debug the rules effectively.
>
> Would be cool to see if the above rule is mentioned in the debug hints.
> Did you check?

Yes... I get (now, after the "tabula rasa" above):

/etc/logcheck# su -s /bin/bash -c "/usr/sbin/logcheck -t -o " logcheck
grep: Unmatched ) or \)
/etc/logcheck# su -s /bin/bash -c "/usr/sbin/logcheck -t -o -d" logcheck
grep: Unmatched ) or \)
D: [1121190415] cleanchecked - dir - /tmp/logcheck.3iTyte/ignore/x
grep: Unmatched ) or \)

A temporary name is not very exact.

/etc/logcheck# find . -name x
./ignore.d.server/x
/etc/logcheck# chown root:root ./ignore.d.server/x
(as before)

Now a new try:

/etc/logcheck# su -s /bin/bash -c "/usr/sbin/logcheck -t -o " logcheck

System Events
=-=-=-=-=-=-=
Jul 12 19:14:37 machine spamd[31658]: Argument "RBL" isn't numeric in addition (+) at /usr/share/perl5/Mail/SpamAssassin/Conf.pm line 244.
Jul 12 19:37:50 machine spamd[31659]: Argument "RBL" isn't numeric in addition (+) at /usr/share/perl5/Mail/SpamAssassin/Conf.pm line 244.

# grep "numeric in addition" *
spamd:^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: Argument \"RBL\" isn't numeric in addition \(\+\) at /usr/share/perl5/Mail/SpamAssassin/Conf.pm line 244. $

[19:50:32]machine:# egrep -f spamd /var/log/syslog
...
Jul 12 19:14:37 machine spamd[31658]: Argument "RBL" isn't numeric in addition (+) at /usr/share/perl5/Mail/SpamAssassin/Conf.pm line 244.
Jul 12 19:37:50 machine spamd[31659]: Argument "RBL" isn't numeric in addition (+) at /usr/share/perl5/Mail/SpamAssassin/Conf.pm line 244.

# su -s /bin/bash -c "egrep -f spamd /var/log/messages" logcheck

delivers the same lines, so I assume there is no perms problem and the rule is OK.

Why does the rule not work in logcheck?

Escaping "'t" does not help:

# grep "numeric in addition" *
spamd:^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: Argument \"RBL\" isn\'t numeric in addition \(\+\) at /usr/share/perl5/Mail/SpamAssassin/Conf.pm line 244. $
# egrep -f spamd /var/log/messages
-none-

Remove the superfluous "\" in front of "'t".

FTR:

# cat spamd
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: Argument \"RBL\" isn't numeric in addition \(\+\) at /usr/share/perl5/Mail/SpamAssassin/Conf.pm line 244. $
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: connection from [._[:alnum:]-]+ \[[\.[:digit:]]+\] at port [0-9]+$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: info: setuid to [[:alnum:]-]+ succeeded$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: (checking|processing) message .* for [._[:alnum:]-]+:[0-9]+\.$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: clean message \([0-9.-]+/[0-9.]+\) for [._[:alnum:]-]+:[0-9]+ in [0-9.]+ seconds, [0-9]+ bytes\.$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: identified spam \([0-9.-]+/[0-9.]+\) for [._[:alnum:]-]+:[0-9]+ in [0-9.]+ seconds, [0-9]+ bytes\.$

(BTW: Would it be possible to define "^\w{3} [ :0-9]{11} [._[:alnum:]-]+" as a macro? It is the same everywhere and does not ease human reading.)

oogrs... now it works.

The lines are not shown anymore.

# su -s /bin/bash -c "/usr/sbin/logcheck -t -o " logcheck
-none-

# egrep -f spamd /var/log/messages
...
Jul 12 19:54:29 machine spamd[31660]: Argument "RBL" isn't numeric in addition (+) at /usr/share/perl5/Mail/SpamAssassin/Conf.pm line 244.
Jul 12 19:57:00 machine spamd[31657]: Argument "RBL" isn't numeric in addition (+) at /usr/share/perl5/Mail/SpamAssassin/Conf.pm line 244.

The "main" logcheck ran in the meantime and advanced the offsets, I assume...

Rainer
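The three checks the thread works through by hand (is the rule file readable by the logcheck group, does every pattern compile without aborting egrep, and which log lines does it actually drop) as a small lint script; this is an added example, not code from the thread or from the logcheck project, and the temp directory, file names and sample log line are constructed for it.

```shell
#!/bin/sh
# Added example, not from the thread or the logcheck project: Rainer's manual checks
# (file mode, egrep regex errors, egrep -f against syslog) as shell functions over
# constructed files. Paths and the log line below are made up for the demonstration.

# Group or world read bit set: a root:logcheck rule file needs >= 640 or logcheck skips it.
readable_by_group() {
    case "$(ls -ld "$1" | cut -c5,8)" in *r*) return 0 ;; *) return 1 ;; esac
}

# 0 if every pattern compiles as an ERE; grep exits 2 on a bad regex, which is the
# kind of "Unmatched ..." error that aborted the whole logcheck run in the thread.
rule_file_compiles() {
    rc=0
    grep -E -f "$1" /dev/null >/dev/null 2>&1 || rc=$?
    [ "$rc" -ne 2 ]
}

# Number of lines in log $2 that rule file $1 would make logcheck drop.
rule_match_count() { grep -E -c -f "$1" "$2" 2>/dev/null || true; }

# One-line verdict per rule file; returns 1 if any check fails.
lint_rule_file() {
    f=$1 log=$2 status=0
    readable_by_group "$f" || { echo "$f: mode $(ls -ld "$f" | cut -c1-10) not readable by group"; status=1; }
    if rule_file_compiles "$f"; then
        echo "$f: matches $(rule_match_count "$f" "$log") sample line(s)"
    else
        echo "$f: $(grep -E -f "$f" /dev/null 2>&1 | head -n 1)"; status=1
    fi
    return $status
}

WORK=$(mktemp -d)
LOG=$WORK/syslog.sample   # constructed copy of the spamd line from the thread
cat >"$LOG" <<'EOF'
Jul 12 19:14:37 machine spamd[31658]: Argument "RBL" isn't numeric in addition (+) at /usr/share/perl5/Mail/SpamAssassin/Conf.pm line 244.
EOF
GOOD=$WORK/spamd          # the working rule from the thread, mode 640 as after the chmod
cat >"$GOOD" <<'EOF'
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: Argument \"RBL\" isn't numeric in addition \(\+\) at /usr/share/perl5/Mail/SpamAssassin/Conf.pm line 244\.$
EOF
chmod 640 "$GOOD"
ESC=$WORK/spamd.escaped   # the first attempt: GNU grep reads \' as an end-of-buffer anchor
sed "s/isn't/isn\\\\'t/" "$GOOD" >"$ESC"
BAD=$WORK/x               # like the stray "x" file: an unbalanced ( and the mode 600 the thread hit
printf '%s\n' 'spamd\[[0-9]+\]: stray ( paren' >"$BAD"
chmod 600 "$BAD"
for f in "$GOOD" "$ESC" "$BAD"; do lint_rule_file "$f" "$LOG" || true; done
```

Run it against a real /etc/logcheck tree by looping lint_rule_file over the rule files with the host's syslog as the second argument; a file that is unreadable or fails to compile is reported before logcheck silently drops or aborts on it.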