Bug#317642: [Logcheck-devel] Bug#317642: How to debug logcheck?

Rainer Zocholl UseNet-Posting-Nospam-74308- at zocki.toppoint.de
Tue Jul 12 18:24:00 UTC 2005


debian at sternwelten.at(maximilian attems)  11.07.05 13:55

Once upon a time "maximilian attems " shaped the electrons to say...

>> i change the rules but logcheck seems to ignore them
>>
>> One example:
>>
>> REPORTLEVEL="server"
>>
>> logcheck sends mails containing:
>>
>> Security Events
>> =-=-=-=-=-=-=-=
>> Jul 10 09:11:53 machine ipop3ds[10304]: AUTHENTICATE CRAM-MD5 failure host=p548D1585.dip0.t-ipconnect.de [84.141.21.133]
>> Jul  9 14:09:56 machine ipop3ds[4934]: AUTHENTICATE CRAM-MD5 failure host=p548D1585.dip0.t-ipconnect.de [84.141.21.133]
>>
>>
>> i don't want to see those messages (currently)
>>
>> So i added a new rule to ipopd-ssl
>>
>> [20:22:44]machine:# grep AUTH *
>> ipopd-ssl:ipop3ds\[.*\]: AUTHENTICATE CRAM-MD5 failure host=p.*.dip0.t-ipconnect.de \[84\.141\..*\]
>> logcheck.dpkg-old:authsrv.*AUTHENTICATE
>>
>> But why are they ignored by logcheck?
>did you check the permissions of the file you added/changed.

>ls -l /ssh
>-rw-r-----  1 root logcheck 1165 2005-04-03 01:00 /ssh

>maybe your umask is too restrictive and the above file can't be read
>by logcheck? please post the output of
>ls -l /etc/logcheck/violations.ignore.d/logcheck-ipop3

[19:27:29]machine:/etc/logcheck/violations.ignore.d# ll logcheck-ipop3
-rw-------  1 root logcheck 272 Jul  4 23:12 logcheck-ipop3

Argl...
but there are some more like this...
 find . -perm 600
 ./kernel
 ./logcheck-ipop3
 

Ok, to make a long story short:

/etc/logcheck# find . -type f -exec chmod 640 {} \;
/etc/logcheck# find . -type f -exec chown root:logcheck {} \;

I hope that fixed all ;-)

drwxr-xr-x  122 root root     8192 Jul 11 09:55 ..
-rw-r-----    1 root logcheck 8257 Feb 27 22:13 README.logcheck-database
-rw-r-----    1 root logcheck 2004 Apr 16 23:27 logcheck.conf
-rw-r-----    1 root logcheck 1929 Jan 24 03:37 logcheck.conf.dpkg-dist
-rw-r-----    1 root logcheck  131 Jan 24 03:37 logcheck.logfiles
drwxr-s---    2 root logcheck 4096 May  1 01:05 cracking.d
drwxr-xr-x    2 root root     4096 Jan 24 03:37 cracking.ignore.d
drwxr-s---    2 root logcheck 4096 Jul 10 11:48 ignore.d.paranoid
drwxr-s---    2 root logcheck 4096 Jul 10 23:31 ignore.d.server
drwxr-s---    2 root logcheck 4096 Jul 10 11:41 ignore.d.workstation
drwxr-s---    2 root logcheck 4096 May  1 01:05 violations.d
drwxr-s---    2 root logcheck 4096 Jul 10 11:48 violations.ignore.d

/etc/logcheck# find . -type f -maxdepth 1  -exec chmod 644  {} \;


>> I meanwhile have the feeling that logcheck is using entirely
>> different rule files than the ones I edit (box rootkitted?)
>> Is there a way to debug logcheck?
>> "-d" seems to give only hints about the program flow, and
>> seems to be only a "one shot", so I can't debug the rules effectively.

>would be cool to see if the above rule is mentioned in the debug hints.
>did you check?

Yes...
i get (now, after the "tabula rasa" above):

/etc/logcheck# su -s /bin/bash -c "/usr/sbin/logcheck -t -o " logcheck
grep: Unmatched ) or \)

/etc/logcheck# su -s /bin/bash -c "/usr/sbin/logcheck -t -o -d" logcheck
grep: Unmatched ) or \)

D: [1121190415] cleanchecked - dir - /tmp/logcheck.3iTyte/ignore/x
grep: Unmatched ) or \)

A temporary name is not very exact.


/etc/logcheck# find . -name x
./ignore.d.server/x

/etc/logcheck# chown  root:root ./ignore.d.server/x

(as before)

Now a new try:

/etc/logcheck# su -s /bin/bash -c "/usr/sbin/logcheck -t -o " logcheck
System Events
=-=-=-=-=-=-=
Jul 12 19:14:37 machine spamd[31658]: Argument "RBL" isn't numeric in addition (+) at /usr/share/perl5/Mail/SpamAssassin/Conf.pm line 244.
Jul 12 19:37:50 machine spamd[31659]: Argument "RBL" isn't numeric in addition (+) at /usr/share/perl5/Mail/SpamAssassin/Conf.pm line 244.


# grep "numeric in addition" *
spamd:^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: Argument \"RBL\" isn't numeric in addition \(\+\) at /usr/share/perl5/Mail/SpamAssassin/Conf.pm line 244. $


[19:50:32]machine:# egrep -f spamd /var/log/syslog
...
Jul 12 19:14:37 machine spamd[31658]: Argument "RBL" isn't numeric in addition (+) at /usr/share/perl5/Mail/SpamAssassin/Conf.pm line 244.
Jul 12 19:37:50 machine spamd[31659]: Argument "RBL" isn't numeric in addition (+) at /usr/share/perl5/Mail/SpamAssassin/Conf.pm line 244.

#su -s /bin/bash -c "egrep -f spamd /var/log/messages" logcheck
delivers the same lines, so i assume no perms problem and the rule is OK.

Why does the rule not work in logcheck?


escaping "'t" does not help:
# grep "numeric in addition" *
spamd:^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: Argument \"RBL\" isn\'t numeric in addition \(\+\) at /usr/share/perl5/Mail/SpamAssassin/Conf.pm line 244. $

# egrep -f spamd /var/log/messages
-none-

remove the superfluous "\" in front of "'t"

FTR:
# cat spamd
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: Argument \"RBL\" isn't numeric in addition \(\+\) at /usr/share/perl5/Mail/SpamAssassin/Conf.pm line 244. $
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: connection from [._[:alnum:]-]+ \[[\.[:digit:]]+\] at port [0-9]+$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: info: setuid to [[:alnum:]-]+ succeeded$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: (checking|processing) message .* for [._[:alnum:]-]+:[0-9]+\.$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: clean message \([0-9.-]+/[0-9.]+\) for [._[:alnum:]-]+:[0-9]+ in [0-9.]+ seconds, [0-9]+ bytes\.$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: identified spam \([0-9.-]+/[0-9.]+\) for [._[:alnum:]-]+:[0-9]+ in [0-9.]+ seconds, [0-9]+ bytes\.$

(BTW:
Would it be possible to define "^\w{3} [ :0-9]{11} [._[:alnum:]-]+" as
a macro, as that's the same everywhere but does not ease human reading?)


oogrs...
now it works. The lines are not shown anymore.

#su -s /bin/bash -c "/usr/sbin/logcheck -t -o " logcheck
-none-

#egrep -f spamd /var/log/messages
...
Jul 12 19:54:29 machine spamd[31660]: Argument "RBL" isn't numeric in addition (+) at /usr/share/perl5/Mail/SpamAssassin/Conf.pm line 244.
Jul 12 19:57:00 machine spamd[31657]: Argument "RBL" isn't numeric in addition (+) at /usr/share/perl5/Mail/SpamAssassin/Conf.pm line 244.

The "main" logcheck did run meanwhile and advanced the offsets, i assume...
Rainer