Bug#255560: [Logcheck-devel] Bug#255560: logcheck-database: More Postfix rules

Mark Brown broonie at debian.org
Mon Jun 28 09:13:31 UTC 2004


On Mon, Jun 28, 2004 at 04:09:21AM -0400, Todd Troxell wrote:

> Maks applied parts of the patch to cvs version.  The .*$ stuff was a bit too
> general.  If you'd like those changes included, please write tighter rules.

The .*$ stuff generally matches random text supplied by remote systems
that Postfix reports in the logs for diagnostic purposes.  As a result
it is not possible to supply more specific rules.  For example, in this
case:

+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]: host [^[:space:]]+ refused to talk to me: [45][0-9][0-9].*$
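
Review bot: the reply code at the end of this rule, `[45][0-9][0-9]`, has no separator after it, so the open-ended `.*$` starts directly after the third digit. SMTP reply lines put a space or a hyphen after the three-digit code, so ending the rule with `[45][0-9][0-9]([ -].*)?$` would keep the unbounded part confined to the remote-supplied text while still accepting a bare code.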

Postfix is simply reporting a remote error - the [45][0-9][0-9] matches
the beginning of a SMTP response line and the rest of the line will be
whatever randomly formatted text the remote system decided to include.

It's the same with cases like:

+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]: [A-Z0-9]+: host [^[:space:]]+ said: .* \(in reply to (HELO|EHLO|MAIL FROM|RCPT TO|end of DATA) command\)$
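
Review bot: the queue ID is written `[A-Z0-9]+` in this rule but `[[:alnum:]]+` in the qmgr and cleanup rules shown further down; using one form throughout would keep the rules consistent. The `.*` itself is bounded on both sides by text Postfix writes, the `said: ` prefix and the `\(in reply to ... command\)$` suffix, so it needs no change.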

where the .* matches some text supplied by the remote system which can
write pretty much whatever it pleases there.  The space where this text
will go is very clearly delimited, though, so it's possible to reliably
ignore it.

Similarly, here:

-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/n?qmgr\[[0-9]+\]: [[:alnum:]]+: message-id=<.*>( \(.*\))?$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/n?qmgr\[[0-9]+\]: [[:alnum:]]+: message-id=.*$

and here:

+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/cleanup\[[0-9]+\]: [[:alnum:]]+: message-id=.*$
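
Review bot: this cleanup rule differs from the new qmgr rule only in the daemon name, so the two can drift apart when one is edited later. A single rule using `postfix/(cleanup|n?qmgr)\[[0-9]+\]` would cover both with the same `message-id=.*$` tail.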

Postfix is just reporting the message ID it got from the remote system
verbatim.  While it would be nice if systems would reliably generate
valid message IDs delimited by <> it is unfortunately the case that some
systems generate invalid ones with one or both angle brackets missing.

The best you can do with this stuff is say "If Postfix wrote this then
the rest of the line will be a remote error and can therefore be
ignored.".  This is a fairly general problem with logging from services
like Postfix and INN - since they interact with remote systems and it is
useful to report text provided by remote systems for diagnostic purposes
you will find yourself needing very general matches.

BTW, CVS downloads via CVSweb are broken:

| Error: Unexpected output from cvs co: cvs [checkout aborted]:
| /var/lib/gforge/chroot/cvsroot/CVSROOT: No such file or directory

| Check whether the directory /var/lib/gforge/chroot/cvsroot/CVSROOT
| exists and the script has write-access to the CVSROOT/history file if it
| exists.  The script needs to place lock files in the directory the file
| is in as well. 

-- 
"You grabbed my hand and we fell into it, like a daydream - or a fever."
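
The message-id argument in the message above can be checked mechanically. The following is an added example, not part of the original mail or of logcheck itself: it runs the old and new rules quoted above over constructed log lines and shows which lines would still be reported. It assumes GNU grep (for `\w`) and approximates logcheck's filtering with `grep -E -v -f`; the function names and sample lines are made up for illustration.

```shell
#!/bin/sh
# Constructed sample lines (not from a real log): a well-formed message-id,
# three malformed ones, and one unrelated line that must stay reported.
sample_lines() {
cat <<'EOF'
Jun 28 09:13:31 mail postfix/qmgr[1235]: 3F2A1B7C: message-id=<20040628091331.GA1@example.org>
Jun 28 09:13:32 mail postfix/qmgr[1235]: 4A1B2C3D: message-id=20040628091332.GA2@example.org
Jun 28 09:13:33 mail postfix/nqmgr[1236]: 5B2C3D4E: message-id=<broken@example.org
Jun 28 09:13:34 mail postfix/cleanup[1234]: 6C3D4E5F: message-id=broken@example.org>
Jun 28 09:13:35 mail postfix/smtpd[1237]: connect from unknown[192.0.2.10]
EOF
}

# Rules copied from the message above (leading +/- removed).
OLD_QMGR='^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/n?qmgr\[[0-9]+\]: [[:alnum:]]+: message-id=<.*>( \(.*\))?$'
NEW_QMGR='^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/n?qmgr\[[0-9]+\]: [[:alnum:]]+: message-id=.*$'
NEW_CLEANUP='^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/cleanup\[[0-9]+\]: [[:alnum:]]+: message-id=.*$'

# Print the sample lines that none of the given rules match, i.e. the
# lines that would still end up in the report.
reported() {
    rules=$(mktemp) || return 1
    printf '%s\n' "$@" > "$rules"
    sample_lines | grep -E -v -f "$rules"
    rm -f "$rules"
}

# Number of lines left over after filtering with the given rules.
reported_count() {
    reported "$@" | wc -l | tr -d ' '
}

echo "old rule leaves:  $(reported_count "$OLD_QMGR") line(s)"
echo "new rules leave:  $(reported_count "$NEW_QMGR" "$NEW_CLEANUP") line(s)"
reported "$NEW_QMGR" "$NEW_CLEANUP"
```

Keeping an unrelated line in the sample set is the useful part of such a check: it confirms that the loosened rules still stop at the Postfix-written prefix and do not swallow other daemons' messages.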




