[Logcheck-devel] Bug#317642: How to debug logcheck?

Rainer Zocholl UseNet-Posting-Nospam-74308- at zocki.toppoint.de
Sun Jul 10 11:01:00 UTC 2005


Package: logcheck   
Version: 1.2.39

Hello

I changed the rules, but logcheck seems to ignore them.

One example:

REPORTLEVEL="server"

logcheck sends mails containing:

Security Events
=-=-=-=-=-=-=-=
Jul 10 09:11:53 machine ipop3ds[10304]: AUTHENTICATE CRAM-MD5 failure host=p548D1585.dip0.t-ipconnect.de [84.141.21.133]
Jul  9 14:09:56 machine ipop3ds[4934]: AUTHENTICATE CRAM-MD5 failure host=p548D1585.dip0.t-ipconnect.de [84.141.21.133]


I don't want to see those messages (currently).

So I added a new rule to ipopd-ssl:

[20:22:44]machine:/etc/logcheck/ignore.d.server# grep AUTH * 
ipopd-ssl:ipop3ds\[.*\]: AUTHENTICATE CRAM-MD5 failure host=p.*.dip0.t-ipconnect.de \[84\.141\..*\]
logcheck.dpkg-old:authsrv.*AUTHENTICATE

(BTW: Wouldn't it be better to add an entire new file?)


If I test the rule file with that:

/etc/logcheck/ignore.d.server# egrep -f ipopd-ssl /var/log/syslog

I get exactly the lines I don't want to see in the logcheck output,
so I assume that rule is OK.

As there is the "magical" word "failure", I have to add that rule to
violations.ignore too, don't I?

[20:23:22]machine:/etc/logcheck/violations.ignore.d# grep AUTH *
logcheck-ipop3:ipop3ds\[.*\]: AUTHENTICATE CRAM-MD5 failure host=p.*\.dip0\.t-ipconnect\.de \[84\.141\..*\]


/etc/logcheck/violations.ignore.d# egrep -f logcheck-ipop3 /var/log/syslog

gives

Jul  9 11:31:21 machine ipop3ds[29588]: AUTHENTICATE CRAM-MD5 failure host=p548D1585.dip0.t-ipconnect.de [84.141.21.133]


So I assume the rules are right, or not?

But why are they ignored by logcheck?
I meanwhile have the feeling that logcheck is using entirely
different rule files than the ones I edit (box rootkitted?).
Is there a way to debug logcheck?
"-d" seems to give only hints about program flow, but
seems to be only a "one shot", so I can't debug the rules effectively.

Isn't there somewhere a tool (bayes?) that I can feed the
"unwanted" lines to, which are then ignored by logcheck in future?
(Like "tiger" does, which only reports changes/new lines.)
Currently the "optimization" of the rule set took several weeks(!),
as I have to wait hours to verify the most trivial change.


What's the intended way to debug rule sets?

Why can't the "egrep" trick be used to verify the rules?
(What is logcheck adding to the rules to make them fail?)

How can I verify which rule files logcheck really uses?

Where are the used rules (files and their contents) logged?

How can I run "logcheck" repeatedly to debug?
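The egrep-based check the poster runs by hand, turned into a script that can be re-run against a log file as often as needed. This is an added example for this thread, not logcheck's own code; it assumes a simplified model of logcheck's stages (violations patterns minus violations.ignore give "Security Events", everything else minus ignore.d gives "System Events") and uses constructed log lines and rule files in the style of the ones quoted above.

```shell
#!/bin/sh
# Added example for this thread, not logcheck's own code. A small model of
# logcheck's egrep-based stages, so a rule file can be tried against a log
# file over and over instead of waiting for the next logcheck run.
# Assumed, simplified model: lines matching the violations patterns, minus
# the violations.ignore patterns, are "Security Events"; all other lines,
# minus the ignore.d patterns, are "System Events".

# A blank line in a rule file is a regex that matches every log line, so
# "egrep -v -f" would then drop everything. Report such lines (return 1).
check_rules() {
  grep -n '^[[:space:]]*$' "$1" && return 1
  return 0
}

# Lines that match the violations patterns but not violations.ignore.
security_events() {  # $1 log, $2 violations, $3 violations.ignore
  grep -E -f "$2" "$1" | grep -E -v -f "$3"
}

# Lines that match neither the violations patterns nor the ignore patterns.
system_events() {    # $1 log, $2 violations, $3 ignore
  grep -E -v -f "$2" "$1" | grep -E -v -f "$3"
}

# Constructed sample data: one line like the poster's ipop3ds output, one
# from another host, one unrelated sshd line, and rule files in the same
# style as the rules quoted in the message.
WORK=$(mktemp -d)
printf '%s\n' \
  'Jul 10 09:11:53 machine ipop3ds[10304]: AUTHENTICATE CRAM-MD5 failure host=p548D1585.dip0.t-ipconnect.de [84.141.21.133]' \
  'Jul 10 09:12:01 machine ipop3ds[10310]: AUTHENTICATE CRAM-MD5 failure host=example.net [192.0.2.10]' \
  'Jul 10 09:12:07 machine sshd[1234]: Accepted publickey for admin' \
  > "$WORK/syslog"
printf '%s\n' 'failure' > "$WORK/violations"
printf '%s\n' 'ipop3ds\[.*\]: AUTHENTICATE CRAM-MD5 failure host=p.*\.dip0\.t-ipconnect\.de \[84\.141\..*\]' \
  > "$WORK/violations.ignore"
printf '%s\n' 'sshd\[[0-9]+\]: Accepted publickey' > "$WORK/ignore"

for f in violations violations.ignore ignore; do
  check_rules "$WORK/$f" || echo "blank line in $f"
done
echo "== Security Events =="
security_events "$WORK/syslog" "$WORK/violations" "$WORK/violations.ignore"
echo "== System Events =="
system_events "$WORK/syslog" "$WORK/violations" "$WORK/ignore"
```

With the sample data only the second ipop3ds line (the one from another host) survives as a Security Event; the sshd line is dropped by the ignore rule.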
