SQUAT warnings and logcheck
Sven Mueller
debian at incase.de
Fri May 25 16:51:14 UTC 2007
Ross Boylan wrote:
> logcheck is reporting lots of errors like
> Security Events
> =-=-=-=-=-=-=-=
> May 23 07:03:13 corn cyrus/imap[11735]: SQUAT failed
> May 23 07:05:25 corn cyrus/imap[11734]: SQUAT failed
> May 23 07:05:25 corn cyrus/imap[11734]: SQUAT failed
> May 23 07:05:25 corn cyrus/imap[11734]: SQUAT failed
That's a debug level message given by search_prefilter_messages() in
imap/search_engines.c. As I understand it, they should be preceded by
"failed to open index" messages. logcheck/ignore.d/cyrus2_2 should
filter those out. I added a rule to violations.ignore, too, though.
> I notice that /etc/logcheck/violations.ignore.d/cyrus2_2, which is part of the
> cyrus-common-2.2 binary, has this pattern (one line in original):
> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ cyrus/(imaps?|pop3s?|lmtp|
> lmtpunix)\[[0-9]+\]: SQUAT failed to open index file$
>
> Is "SQUAT failed" the new text of this error, or does it indicate some other
> condition? I have not run squatter, so I have no indices.
>
> If the wording has changed, it would be good to adjust the logcheck patterns.
As far as I can tell, the wording didn't change (since a matching rule
already was in ignore.d/cyrus2_2).
> Also, if this is a relatively trivial error, it would be nice if that were
> more apparent. For example,
> 1) Change the text:
> May 23 07:03:13 corn cyrus/imap[11735]: INFO: SQUAT failed (no index files?).
> 2) Change the syslog level.
The level already is "DEBUG". Actually I wonder why you even have it in
your logs. Under normal circumstances, you shouldn't even have them
there. Logging debug level messages only makes sense while looking for a
specific problem.
> 3) Change the logcheck patterns to report this as a lower severity event, if
> it is reported at all. I'm not sure if the last is possible; the presence
> of "fail" in the string may imply it will either be reported as a Security
> Event or not reported at all.
I'm not sure how logcheck works. All I know is that you can add certain
patterns that are completely ignored.
regards,
Sven
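
Added example, not part of the original mail or of the Debian package: the ignore rule quoted in the thread, joined onto one line and run with grep -E over constructed log lines, as a simplified model of logcheck's ignore step. The sample lines and the second rule (BARE_RULE) are assumptions made for illustration.

```shell
#!/bin/sh
# Constructed sample lines modelled on the ones quoted in the thread.
sample_log() {
cat <<'EOF'
May 23 07:03:13 corn cyrus/imap[11735]: SQUAT failed
May 23 07:05:25 corn cyrus/imap[11734]: SQUAT failed
May 23 07:05:26 corn cyrus/imap[11734]: SQUAT failed to open index file
May 23 07:06:01 corn cyrus/imap[11736]: badlogin: constructed sample line
EOF
}

# Rule quoted in the thread, joined back onto one line.
EXISTING_RULE='^\w{3} [ :0-9]{11} [._[:alnum:]-]+ cyrus/(imaps?|pop3s?|lmtp|lmtpunix)\[[0-9]+\]: SQUAT failed to open index file$'
# Hypothetical rule for the bare message (an assumption, not the packaged rule).
BARE_RULE='^\w{3} [ :0-9]{11} [._[:alnum:]-]+ cyrus/(imaps?|pop3s?|lmtp|lmtpunix)\[[0-9]+\]: SQUAT failed$'

# Print the sample lines that survive the given ignore rules (one ERE per
# argument). Simplified model of the ignore step: grep -E -v -f <rule file>.
unfiltered() {
    rules=$(mktemp) || return 1
    printf '%s\n' "$@" > "$rules"
    sample_log | grep -E -v -f "$rules" || true
    rm -f "$rules"
}

# Number of sample lines that would still be reported.
count_unfiltered() {
    unfiltered "$@" | grep -c '' || true
}

echo "existing rule only: $(count_unfiltered "$EXISTING_RULE") line(s) left"
unfiltered "$EXISTING_RULE"
echo "existing + bare rule: $(count_unfiltered "$EXISTING_RULE" "$BARE_RULE") line(s) left"
unfiltered "$EXISTING_RULE" "$BARE_RULE"
```

Because the quoted rule is anchored with `$` after "to open index file", it leaves the bare "SQUAT failed" lines in the report; only a rule that ends at "SQUAT failed$" removes them.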