SQUAT warnings and logcheck
Ross Boylan
ross at biostat.ucsf.edu
Wed May 23 15:52:44 UTC 2007
logcheck is reporting lots of errors like
Security Events
=-=-=-=-=-=-=-=
May 23 07:03:13 corn cyrus/imap[11735]: SQUAT failed
May 23 07:05:25 corn cyrus/imap[11734]: SQUAT failed
May 23 07:05:25 corn cyrus/imap[11734]: SQUAT failed
May 23 07:05:25 corn cyrus/imap[11734]: SQUAT failed
I notice that /etc/logcheck/violations.ignore.d/cyrus2_2, which is part of the
cyrus-common-2.2 binary, has this pattern (one line in original):
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ cyrus/(imaps?|pop3s?|lmtp|
lmtpunix)\[[0-9]+\]: SQUAT failed to open index file$
Is "SQUAT failed" the new text of this error, or does it indicate some other
condition? I have not run squatter, so I have no indices.
If the wording has changed, it would be good to adjust the logcheck patterns.
Also, if this is a relatively trivial error, it would be nice if that were
more apparent. For example,
1) Change the text:
May 23 07:03:13 corn cyrus/imap[11735]: INFO: SQUAT failed (no index files?).
2) Change the syslog level.
3) Change the logcheck patterns to report this as a lower severity event, if
it is reported at all. I'm not sure if the last is possible; the presence
of "fail" in the string may imply it will either be reported as a Security
Event or not reported at all.
Ross Boylan
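
Added example, not part of the original message or of the cyrus package: a shell check of which of the reported lines the quoted ignore pattern actually covers, using grep -E because logcheck applies its rules as extended regular expressions. The RELAXED pattern and the third sample line are assumptions constructed for illustration; whether the short message is the same condition as the long one is the open question in the post.

```shell
#!/bin/sh
# Pattern from /etc/logcheck/violations.ignore.d/cyrus2_2 as quoted in the
# post, joined back onto one line.
SHIPPED='^\w{3} [ :0-9]{11} [._[:alnum:]-]+ cyrus/(imaps?|pop3s?|lmtp|lmtpunix)\[[0-9]+\]: SQUAT failed to open index file$'

# Hypothetical variant (an assumption, not shipped by the package): the
# " to open index file" suffix is optional, so the short wording also matches.
RELAXED='^\w{3} [ :0-9]{11} [._[:alnum:]-]+ cyrus/(imaps?|pop3s?|lmtp|lmtpunix)\[[0-9]+\]: SQUAT failed( to open index file)?$'

# Sample input: the first two lines are from the post, the third is
# constructed to show the longer wording the shipped pattern expects.
sample_log() {
cat <<'EOF'
May 23 07:03:13 corn cyrus/imap[11735]: SQUAT failed
May 23 07:05:25 corn cyrus/imap[11734]: SQUAT failed
May 23 07:06:01 corn cyrus/imap[11736]: SQUAT failed to open index file
EOF
}

# Print the lines a pattern does NOT match, i.e. the ones that would still
# reach the report. "|| true" because grep exits 1 when nothing is printed.
unmatched() {
    sample_log | grep -E -v -e "$1" || true
}

# Number of lines left unmatched by a pattern.
count_unmatched() {
    sample_log | grep -E -c -v -e "$1" || true
}

echo "Not covered by shipped pattern: $(count_unmatched "$SHIPPED")"
unmatched "$SHIPPED"
echo "Not covered by relaxed pattern: $(count_unmatched "$RELAXED")"
```

The trailing `$` anchor is what makes the shipped rule miss the short message: the text must end with "to open index file" for the line to be ignored.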