[Logcheck-devel] Bug#357841: false positives for some lines longer than 503 characters

Jonas Meurer mejo at debian.org
Sun Mar 19 21:51:09 UTC 2006


Package: logcheck
Version: 1.2.43a
Severity: important

hello,

it seems like logcheck always outputs some log lines longer than 503
characters, even if they perfectly well match a given regex.

i have the following entry in /etc/logcheck/ignore.d.server/syslog-ng:
syslog-ng\[.*\]: Log statistics; processed='.*\(.*\)=.*', .*

and in the file 'testlog' i have the following two lines:
Mar 16 22:31:56 resivo syslog-ng[6932]: Log statistics; processed='source(s_all)=2186', processed='destination(df_auth)=407', processed='destination(df_news_dot_notice)=0', processed='destination(df_news_dot_err)=0', processed='destination(df_uucp)=0', processed='destination(df_mail)=0', processed='destination(df_user)=126', processed='destination(df_facility_dot_notice)=0', processed='destination(df_daemon)=1415', processed='destination(df_facility_dot_crit)=0', processed='destination(df_debu)=28'
Mar 16 22:31:56 resivo syslog-ng[6932]: Log statistics; processed='source(s_all)=2186', processed='destination(df_auth)=407', processed='destination(df_news_dot_notice)=0', processed='destination(df_news_dot_err)=0', processed='destination(df_uucp)=0', processed='destination(df_mail)=0', processed='destination(df_user)=126', processed='destination(df_facility_dot_notice)=0', processed='destination(df_daemon)=1415', processed='destination(df_facility_dot_crit)=0', processed='destination(df_debug)=28'

(both are exactly identical, except that the second one has one more
character (third-last one).)

now see what logcheck gives:
# sudo -u logcheck logcheck -o -s -t -l testlog
This email is sent by logcheck. If you wish to no-longer receive it,
you can either deinstall the logcheck package or modify its
configuration file (/etc/logcheck/logcheck.conf).

Security Events
=-=-=-=-=-=-=-=
Mar 16 22:31:56 resivo syslog-ng[6932]: Log statistics; processed='source(s_all)=2186', processed='destination(df_auth)=407', processed='destination(df_news_dot_notice)=0', processed='destination(df_news_dot_err)=0', processed='destination(df_uucp)=0', processed='destination(df_mail)=0', processed='destination(df_user)=126', processed='destination(df_facility_dot_notice)=0', processed='destination(df_daemon)=1415', processed='destination(df_facility_dot_crit)=0', processed='destination(df_debug)=28'



unfortunately the line length is not the only criterion. lines containing
only numbers and letters which are longer than 503 characters seem to be
ignored if they match a regex.

...
 jonas
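
Added example, not part of the original report and not logcheck's own code: a length sweep that checks whether the rule quoted above stops matching as a line grows past 503 characters when it is applied with plain `grep -E`. It assumes `grep -E -v -f` as a stand-in for logcheck's filtering step; the helper names and the padded log lines are constructed for this test.

```shell
#!/bin/sh
# Sweep line lengths around 503 against the ignore rule from the report.
# Assumption: `grep -E -v -f` stands in for logcheck's filtering step.

RULES=$(mktemp)
LOG=$(mktemp)
trap 'rm -f "$RULES" "$LOG"' EXIT

# The rule from the report, stored the way an ignore.d file holds it.
cat > "$RULES" <<'EOF'
syslog-ng\[.*\]: Log statistics; processed='.*\(.*\)=.*', .*
EOF

# make_line N: print a constructed syslog-ng statistics line of exactly
# N characters (the destination name is padded with 'x').
make_line() {
    head="Mar 16 22:31:56 resivo syslog-ng[6932]: Log statistics; processed='source(s_all)=2186', processed='destination(df_"
    tail=")=28'"
    pad=$(( $1 - ${#head} - ${#tail} ))
    [ "$pad" -ge 1 ] || return 1
    printf '%s%s%s\n' "$head" "$(printf "%${pad}s" '' | tr ' ' 'x')" "$tail"
}

# unfiltered_lengths LO HI: print every length in LO..HI whose line is
# NOT removed by the rule, i.e. would still show up in a report.
unfiltered_lengths() {
    n=$1
    while [ "$n" -le "$2" ]; do
        make_line "$n" > "$LOG"
        # -v selects lines the rule does not match; exit 0 means one survived
        if grep -E -v -f "$RULES" "$LOG" > /dev/null; then
            echo "$n"
        fi
        n=$((n + 1))
    done
}

unfiltered_lengths 495 515
```

No output means grep applies the rule at every tested length, so any length dependence seen in a logcheck run comes from another stage of the processing; a printed length gives the exact threshold to put in the bug report.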
