SQUAT warnings and logcheck

Sven Mueller debian at incase.de
Fri May 25 16:51:14 UTC 2007


Ross Boylan wrote:
> logcheck is reporting lots of errors like
> Security Events
> =-=-=-=-=-=-=-=
> May 23 07:03:13 corn cyrus/imap[11735]: SQUAT failed
> May 23 07:05:25 corn cyrus/imap[11734]: SQUAT failed
> May 23 07:05:25 corn cyrus/imap[11734]: SQUAT failed
> May 23 07:05:25 corn cyrus/imap[11734]: SQUAT failed

That's a debug level message given by search_prefilter_messages() in
imap/search_engines.c. As I understand it, they should be preceded by
"failed to open index" messages. logcheck/ignore.d/cyrus2_2 should
filter those out. I added a rule to violations.ignore, too, though.

> I notice that /etc/logcheck/violations.ignore.d/cyrus2_2, which is part of the 
> cyrus-common-2.2 binary, has this pattern (one line in original):
> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ cyrus/(imaps?|pop3s?|lmtp|
> lmtpunix)\[[0-9]+\]: SQUAT failed to open index file$
> 
> Is "SQUAT failed" the new text of this error, or does it indicate some other 
> condition?  I have not run squatter, so I have no indices.
> 
> If the wording has changed, it would be good to adjust the logcheck patterns.

As far as I can tell, the wording didn't change (since a matching rule
already was in ignore.d/cyrus2_2).

> Also, if this is a relatively trivial error, it would be nice if that were 
> more apparent.  For example, 
> 1) Change the text:
> May 23 07:03:13 corn cyrus/imap[11735]: INFO: SQUAT failed (no index files?).
> 2) Change the syslog level.

The level already is "DEBUG". Actually I wonder why you even have it in
your logs. Under normal circumstances, you shouldn't even have them
there. Logging debug level messages only makes sense while looking for a
specific problem.

> 3) Change the logcheck patterns to report this as a lower severity event, if 
> it is reported at all.  I'm not sure if the last is possible; the presence 
> of "fail" in the string may imply it will either be reported as a Security 
> Event or not reported at all.

I'm not sure how logcheck works. All I know is that you can add certain
patterns that are completely ignored.

regards,
Sven
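
Added example, not part of the original message or of the Debian package: logcheck rule files are lists of extended regular expressions, so `grep -E` can show which of the log lines discussed above the quoted rule actually covers. `BARE_RULE` and two of the three sample lines are constructed for illustration.

```shell
#!/bin/sh
# Rule quoted in the thread, joined onto one line as in the original file.
SHIPPED_RULE='^\w{3} [ :0-9]{11} [._[:alnum:]-]+ cyrus/(imaps?|pop3s?|lmtp|lmtpunix)\[[0-9]+\]: SQUAT failed to open index file$'

# Constructed rule for the bare message (assumption: not the packaged rule).
BARE_RULE='^\w{3} [ :0-9]{11} [._[:alnum:]-]+ cyrus/(imaps?|pop3s?|lmtp|lmtpunix)\[[0-9]+\]: SQUAT failed$'

# Line 1 is from the thread; lines 2 and 3 are constructed samples.
sample_log() {
cat <<'EOF'
May 23 07:03:13 corn cyrus/imap[11735]: SQUAT failed
May 23 07:03:13 corn cyrus/imap[11735]: SQUAT failed to open index file
May 23 07:03:14 corn cyrus/imap[11735]: constructed unrelated message
EOF
}

# unmatched RULES_FILE: print the stdin lines that no rule in the file matches,
# i.e. the lines an ignore file would NOT suppress.
unmatched() {
    grep -E -v -f "$1" || true   # grep exits 1 when every line is filtered out
}

# count_reported RULE...: number of sample lines left over after the given rules.
count_reported() {
    rules=$(mktemp)
    printf '%s\n' "$@" > "$rules"
    sample_log | unmatched "$rules" | wc -l | tr -d ' '
    rm -f "$rules"
}

# The quoted rule is anchored with "$" after "to open index file", so the
# shorter "SQUAT failed" line falls through it.
echo "quoted rule only:       $(count_reported "$SHIPPED_RULE") line(s) left"
echo "quoted + bare-form rule: $(count_reported "$SHIPPED_RULE" "$BARE_RULE") line(s) left"
```

The same check works against a real rule file: pipe the suspect log lines into `grep -E -v -f` with the file's path to see what it leaves unmatched.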



More information about the Pkg-Cyrus-imapd-Debian-devel mailing list