[Logcheck-devel] templates cleanup part2

Gerfried Fuchs alfie at ist.org
Fri Jun 11 09:35:40 UTC 2004


* maks attems <debian at sternwelten.at> [2004-06-10 14:10]:
> based on Alfie's proposal regarding 
> "Template: logcheck-database/rules-directories-note"
> 
>  - /etc/logcheck/cracking.ignore.d [for local use only]
> 
> this note regarding the cracking.ignore.d is confusing, what is meant is:
> 
>  - /etc/logcheck/cracking.ignore.d [no rules from logcheck-database itself]
> 
> we might even want to drop that message as in normal mode of operation,
> I never found it necessary to add local rules there?

 I wouldn't drop it because it can make sense. E.g. I will add entries
for this message locally:

May 28 10:40:53 tausendmorgenwald dhclient: receive_packet failed on eth0: Network is down
Jun  9 18:57:51 tausendmorgenwald shutdown[8355]: shutting down for system halt

 And some others, because I don't regard them as a security problem, but
don't want to force ignoring them for others.

> + These directories may contain files prefixed "logcheck-" (containing 
> generic alert/override patterns), "(packagename)" (containing patterns
> + specific to that one package) or prefixed "local-" (created by the local
> + administrator to contain patterns tailored for a particular site).
> Logcheck will then use rules collected from all the files found in the
> appropriate directories.
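
Review bot: In the first added line, "(packagename)" is quoted the same way as the literal prefixes "logcheck-" and "local-", so it can be read as a literal file name that includes the parentheses, and it still hangs off the verb "prefixed". Mark it as a placeholder and give it its own verb, for example by saying the file is named after the package it belongs to.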

 object:

These directories may contain files prefixed with "logcheck-" (containing
generic alert/override patterns), named "(packagename)" (containing patterns
specific to that one package) or prefixed with "local-" (created by the local
administrator to contain patterns tailored for a particular site).
Logcheck will then use rules collected from all the files found in the
appropriate directories.

 Changes: "prefixed _with_", "named" added. In our last discussion I got
the opinion that we have also "local" as possible filename? I don't want
that to get dropped, and am using it.

> didn't mention the local file as admins will find local-foo easier
> for their setup.

 Do you think so? Why? I think local itself is easier, I don't see the
need to have multiple local files sitting around....

 So long,
Alfie
-- 
The biggest difference is that now I can hear bass.  I had almost forgotten
that Metallica isn't a teenage girl band.
         -- Lars Wirzenius, <http://liw.iki.fi/liw/log/2004-02.html#20040212c>