[Logcheck-devel] Bug#296110: logcheck: ignore.d.server pure-ftpd pattern for '[NOTICE] ... uploaded' not matching

Jamie L. Penman-Smithson jamie at silverdream.org
Sun Feb 20 20:34:37 UTC 2005


tags 296110 pending
thanks

On Sun, 2005-02-20 at 21:08 +0100, Ingo Theiss wrote:
> the rule you mentioned is in ignore.d.server/pure-ftpd (see next
> line):

Okay, so that's ruled out.

> yes those messages showing up as 'Security Events'. permissions are ok
> as far as i can say:

Something in those messages is listed in violations.d/logcheck..

> i will give you the original line from syslog. maybe i stripped
> something important off:
> 
> Feb 18 23:05:58 web1 pure-ftpd: (www-0004-01 at 80.140.246.12)
> [NOTICE] /docroot/nfs-action.com//htdocs/guradia/plugin/net.php.smarty/libs/plugins/modifier.debug_print_var.php uploaded  (1863 bytes, 9.41KB/sec)

..the 'debug' part of the filename is causing those messages to be
listed as 'Security Events' (since debug is listed in
violations.d/logcheck).

Since the uploading and downloading of files isn't usually a security
risk and filenames can legitimately have 'debug' in them, I've added the
same rule to violations.ignore.d/logcheck-pureftp so they won't show up
in future.

Thanks,

-- 
-jamie <jamie at silverdream.org> | spamtrap: spam at silverdream.org
 w: http://www.silverdream.org | p: sms at silverdream.org
 pgp key @ http://silverdream.org/~jps/pub.key
 21:30:02 up 17 min,  2 users,  load average: 2.65, 2.52, 1.58
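
The layering described in the message above, as an added example that is not part of the original message or of logcheck itself: a line matching violations.d is reported as a Security Event unless violations.ignore.d also matches it, and an ignore.d.server rule alone does not help. The layering is a simplified model, and the upload pattern and file names under $RULES are hypothetical; only the 'debug' keyword and the sample log line come from the message.

```sh
#!/bin/sh
# Simplified model of the logcheck layers discussed above (assumption, not logcheck's code).
RULES=$(mktemp -d)

# violations.d/logcheck: the message says 'debug' is listed there.
printf '%s\n' 'debug' > "$RULES/violations"
# Hypothetical rule for pure-ftpd upload notices (constructed, not the packaged rule).
UPLOAD_RULE='^[[:alpha:]]{3} [ :0-9]{11} [._[:alnum:]-]+ pure-ftpd: \([^)]+\) \[NOTICE\] .+ uploaded +\([0-9]+ bytes, [0-9.]+KB/sec\)$'
printf '%s\n' "$UPLOAD_RULE" > "$RULES/ignore_server"   # stands in for ignore.d.server/pure-ftpd
: > "$RULES/violations_ignore"                          # violations.ignore.d starts empty

matches() {  # $1 = log line, $2 = rule file (one extended regex per line)
    [ -s "$2" ] && printf '%s\n' "$1" | grep -Eq -f "$2"
}

classify() {  # $1 = log line; prints security | system | ignored
    # Violations layer: only violations.ignore.d can cancel a violations.d hit.
    if matches "$1" "$RULES/violations" && ! matches "$1" "$RULES/violations_ignore"; then
        echo security
        return
    fi
    # System events layer: ignore.d.server is consulted only here.
    if matches "$1" "$RULES/ignore_server"; then
        echo ignored
    else
        echo system
    fi
}

# Log line from the message, joined onto one line as syslog wrote it.
LINE='Feb 18 23:05:58 web1 pure-ftpd: (www-0004-01 at 80.140.246.12) [NOTICE] /docroot/nfs-action.com//htdocs/guradia/plugin/net.php.smarty/libs/plugins/modifier.debug_print_var.php uploaded  (1863 bytes, 9.41KB/sec)'

before=$(classify "$LINE")      # ignore.d.server rule alone
# The fix from the message: add the same rule at the violations layer.
printf '%s\n' "$UPLOAD_RULE" > "$RULES/violations_ignore"
after=$(classify "$LINE")

echo "ignore.d.server only:        $before"
echo "plus violations.ignore.d:    $after"
```

Because the added rule is anchored to the pure-ftpd upload format, other messages containing 'debug' are still reported at the violations layer.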
