Gentoo Forums
[solved] question on logcheck
Networking & Security
Elleni
Veteran
Joined: 23 May 2006
Posts: 1005

Posted: Wed Nov 27, 2019 10:05 pm    Post subject: [solved] question on logcheck

I have a question concerning logwatch. Having set reportlevel to server, I would not expect to get so many useless entries sent. Some examples follow. Aren't they supposed to get filtered by the different ignore.d.server files like postfix, imap, cron?

Is syslog-ng not producing the expected logs for logcheck? I don't know how to create ignore files myself for all these entries in order to create a meaningful output. Should I try a syslog-ng alternative? My syslog-ng is configured as in default, meaning everything gets logged in /var/log/messages.

Code:
System Events
=-=-=-=-=-=-=
Nov 27 21:01:03 hostname dovecot[23078]: lda(admin@domain.com)<23078><pOueNf/V3l0mWgAACTO52g>: msgid=<20191127200103.403751C0217@mail.domain.com>: saved mail to INBOX
Nov 27 21:05:01 hostname CROND[23083]: (apache) CMD (php -f /var/www/path/to/cron.php)
Nov 27 21:07:15 hostname dovecot[2066]: imap-login: Login: user=<admin@domain.com>, method=PLAIN, rip=ip.ad.re.ss, lip=ip.ad.re.ss mpid=23090, TLS, session=<...>
Nov 27 21:07:16 hostname dovecot[2066]: imap(admin@domain.com)<12340><xxxxx>: Connection closed (UID FETCH finished 0.097 secs ago) in=304 out=13427 deleted=0 expunged=0 trashed=0 hdr_count=1 hdr_bytes=256 body_count=1 body_bytes=11637
Nov 27 21:09:31 hostname dovecot[2066]: imap(username2@domain2.com)<1234><fdgsdf>: Logged out in=538 out=2171 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0
Nov 27 21:11:33 hostname dovecot[2066]: imap(username1@domain.com)<344359><DADFdadfaAS>: Connection closed (LIST finished 0.104 secs ago) in=23 out=1009 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0
Nov 27 21:21:03 hostname postfix/smtp[23187]: Untrusted TLS connection established to anotherdomain[ip.ad.re.ss]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Nov 27 22:01:01 hostname CROND[23490]: (root) CMD (run-parts /etc/cron.hourly)


Last edited by Elleni on Thu Nov 28, 2019 9:38 pm; edited 1 time in total
Elleni
Veteran
Joined: 23 May 2006
Posts: 1005

Posted: Thu Nov 28, 2019 7:57 pm

Help please. Not knowing too much about regular expressions, I cannot determine why the preconfigured rules do not match. Playing around, I can filter them out by creating a local-rules file in ignore.d.server and just putting
Code:
saved mail to INBOX
imap-login: Login: user=
php -f /var/www/path/to/folder/cron.php
Disconnected for inactivity
Connection closed
Logged out
Untrusted TLS connection established to
Anonymous TLS connection established from
disconnect from
in it to filter, but that seems not very elegant.

Maybe someone who has an understanding of regexp could give me an example or point me to a tutorial that would help me understand those rules better?


Last edited by Elleni on Thu Nov 28, 2019 9:31 pm; edited 3 times in total
freke
Guru
Joined: 23 Jan 2003
Posts: 529
Location: Somewhere in Denmark

Posted: Thu Nov 28, 2019 9:20 pm

I just tried out logcheck on my mail server (running syslog-ng, too) - it does some filtering, but i.e. looking at /etc/logcheck/ignore.d.server/postfix, this line
Code:
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/smtpd\[[[:digit:]]+\]: (dis)?connect from [^[:space:]]+$
should filter out connects/disconnects I guess, but it only filters out the connects; don't know if it's because on disconnects there's some added text, i.e.
Code:
Nov 28 22:18:44 mail postfix/smtpd[19377]: connect from s4058.pingdom.com[151.106.52.134]
Nov 28 22:18:44 mail postfix/smtpd[19377]: disconnect from s4058.pingdom.com[151.106.52.134] helo=1 quit=1 commands=2
I'm nowhere regexp-qualified ;)
Elleni
Veteran
Joined: 23 May 2006
Posts: 1005

Posted: Thu Nov 28, 2019 9:26 pm

Thanks for checking - well, at least the above "workaround" lets me strip all that stuff I don't want in the daily email. I just hope I do not strip messages that should come through via logcheck.cracking.d or logcheck.violations.d.

I guess I'll mark the thread as solved for now.
freke
Guru
Joined: 23 Jan 2003
Posts: 529
Location: Somewhere in Denmark

Posted: Thu Nov 28, 2019 9:54 pm

No rules/lines in /etc/logcheck/ignore.d.server/dovecot are going to filter anything in their current state; at minimum they'd require the process id to be added, i.e.
Code:
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (imap|pop3)-login:
should be
Code:
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot\[[[:digit:]]+\]: (imap|pop3)-login:
or something similar.

No idea if logcheck is horribly outdated or something else is up :/
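An added example (not from the thread) that reproduces both of freke's observations, the postfix rule that only catches connects and the dovecot rules that match nothing without the pid, by running the rules quoted above through grep -E the way logcheck does; the sample log lines and the adjusted rules are constructed here, hostnames and addresses are placeholders, and GNU grep is assumed.

```shell
#!/bin/sh
# logcheck hands the ignore.d.server rules to egrep (grep -E) and drops every
# line that matches one of them; whatever survives ends up in the daily mail.
# Sample lines constructed from the thread; GNU grep assumed (\w is a GNU extension).

SAMPLE_LOG='Nov 28 22:18:44 mail postfix/smtpd[19377]: connect from s4058.pingdom.com[151.106.52.134]
Nov 28 22:18:44 mail postfix/smtpd[19377]: disconnect from s4058.pingdom.com[151.106.52.134] helo=1 quit=1 commands=2
Nov 27 21:07:15 hostname dovecot[2066]: imap-login: Login: user=<admin@domain.com>, method=PLAIN, rip=192.0.2.10, lip=192.0.2.1 mpid=23090, TLS, session=<abc>'

# Rules as quoted in the thread (shipped) and the adjusted variants.
SHIPPED_POSTFIX='^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/smtpd\[[[:digit:]]+\]: (dis)?connect from [^[:space:]]+$'
SHIPPED_DOVECOT='^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (imap|pop3)-login:'
FIXED_DOVECOT='^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot\[[[:digit:]]+\]: (imap|pop3)-login:'
# Disconnect lines carry trailing "key=value" counters after the host, which the
# shipped $ anchor rejects; allow zero or more of them before the end of line.
FIXED_POSTFIX='^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/smtpd\[[[:digit:]]+\]: (dis)?connect from [^[:space:]]+( [a-z]+=[0-9/]+)*$'

# matched_count RULE  -> number of sample lines a single rule matches
matched_count() {
    printf '%s\n' "$SAMPLE_LOG" | grep -E -c -e "$1"
}

# surviving_lines RULES  -> lines no rule matched (what logcheck would report);
# RULES is newline-separated, like the contents of an ignore.d.server file
surviving_lines() {
    _rules=$1
    set --
    while IFS= read -r _rule; do
        [ -n "$_rule" ] && set -- "$@" -e "$_rule"
    done <<EOF
$_rules
EOF
    printf '%s\n' "$SAMPLE_LOG" | grep -E -v "$@" || true
}

echo "shipped postfix rule matches: $(matched_count "$SHIPPED_POSTFIX") line(s)"   # 1: connect only
echo "shipped dovecot rule matches: $(matched_count "$SHIPPED_DOVECOT") line(s)"   # 0: no [pid] in rule
echo "fixed dovecot rule matches:   $(matched_count "$FIXED_DOVECOT") line(s)"     # 1
echo "fixed postfix rule matches:   $(matched_count "$FIXED_POSTFIX") line(s)"     # 2
echo "--- still reported with the shipped rules:"
surviving_lines "$SHIPPED_POSTFIX
$SHIPPED_DOVECOT"
echo "--- still reported with the fixed rules (nothing expected):"
surviving_lines "$FIXED_POSTFIX
$FIXED_DOVECOT"
```

Point any real rule at a copy of /var/log/messages the same way (grep -E -c -e 'rule' file) before adding it to ignore.d.server, so you can see exactly which lines it will silence.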