From 18dda0784a99f94067305baf2a5841285bb57cd9 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Thu, 6 Dec 2012 17:13:38 +0100 Subject: Minimal logcheck configuration. --- fripost-docs.org | 45 ++++++++++++++++++--------------------------- 1 file changed, 18 insertions(+), 27 deletions(-) diff --git a/fripost-docs.org b/fripost-docs.org index f79257c..a1037bb 100644 --- a/fripost-docs.org +++ b/fripost-docs.org 
@@ -134,18 +134,7 @@ sudo aptitude install logcheck syslog-summary :: /etc/logcheck/ignore.d.server/local -# XXX: not always necessary? -^\w{3} [ :0-9]{11} [._[:alnum:]-]+ rsyslogd: \[origin software="rsyslogd" swVersion="[0-9.]+" x-pid="[0-9]+" x-info="http://www.rsyslog.com"\] rsyslogd was HUPed, type '(restart|lightweight)'\.$ -# XXX: necessary with squeeze? -^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ntpd\[[0-9]+\]: kernel time sync (disabled|enabled) [0-9]+$ -^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ntpd\[[0-9]+\]: kernel time sync (disabled|enabled|status( change)?) [0-9]+$ -# not necessary with squeeze -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Received disconnect from [:[:xdigit:].]+: [[:digit:]]+: disconnected by user$ -# not necessary with squeeze -^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? imklog [0-9.]+, log source = /proc/kmsg started.$ -^\w{3} [ :0-9]{11} [._[:alnum:]-]+ rsyslogd: \[origin software="rsyslogd" swVersion="[0-9.]+" x-pid="[0-9]+" x-info="http://www.rsyslog.com"\] restart$ -^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: Kernel logging \(proc\) stopped.$ -# ddclient +# If the machine has a dynamic IP ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ddclient\[[0-9]+\]: FAILED: updating [,._[:alnum:]-]+: Could not connect to dns.loopia.se/xdyndnsserver/xdyndns.php.$ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ddclient\[[0-9]+\]: WARNING: TIMEOUT: dns.loopia.se after 120 seconds$ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ddclient\[[0-9]+\]: WARNING: cannot connect to dns.loopia.se:80 socket: IO::Socket::INET: Bad hostname 'dns.loopia.se'$ 
@@ -155,25 +144,27 @@ sudo aptitude install logcheck syslog-summary ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ddclient\[[0-9]+\]: WARNING: cannot connect to dns.loopia.se:443 socket: IO::Socket::SSL: connect: Connection timed out IO::Socket::INET configuration failederror:00000000:lib\(0\):func\(0\):reason\(0\)$ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ddclient\[[0-9]+\]: WARNING: file /var/cache/ddclient/ddclient.cache, line [0-9]+: Invalid Value for keyword 'ip' = ''$ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ddclient\[[0-9]+\]: WARNING: updating [._[:alnum:]-]+: nochg: No update required; unnecessary attempts to change to the current address are considered abusive$ -^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ntpd\[[0-9]+\]: [.0-9]{7,15} interface [.0-9]{7,15} -> [.0-9]{7,15}$ -# | There is no way to get rid of the warning `Fixed query_filter [...] is probably useless'. -# It is harmless in our case, since the search base is precise enough. + +# If the machine does LDAP virtual lookups ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/(smtpd|cleanup|trivial-rewrite|postmap)\[[0-9]+\]: warning: dict_ldap_open: /etc/postfix/ldap/ldap_virtual_alias_catchall_maps.cf: Fixed query_filter \(\&\(ObjectClass=virtualAliases\)\(mailLocalAddress=\)\(isActive=TRUE\)\) is probably useless$ -# | Postfix reload -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/postfix-script\[[[:digit:]]+\]: refreshing the Postfix mail system$ -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/master\[[[:digit:]]+\]: reload -- version -# | slapo-constraint ignores slapd's logging configuration -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ slapd\[[[:digit:]]+\]: constraint_update\(\)$ -# | On the MXs only: Servers that don't speak proper (E)SMTP don't deserve to be listened. + +# If the machine uses amavisd-new as a content filter +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ amavis\[[[:digit:]]+\]: \([-[:digit:]]+\) Passed [-+_[:alnum:]]+ {Relayed[[:alpha:]]+}, \S+(( LOCAL)? 
\[(IPv6:)?[[:xdigit:].:]{3,39}\]:[[:digit:]]+( \[(IPv6:)?[[:xdigit:].:]{3,39}\]){0,2})? <[^>]*> -> <[^>]*>(,<[^>]*>)*,( Message-ID: <[^>]+>( \((added by[^)]+|sfid-[_[:xdigit:]]+)\))?,)?( Resent-Message-ID: <[^>]+>,)? mail_id: [-+_[:alnum:]]+, Hits: (-?[.[:digit:]]*)+, size: [[:xdigit:]]+, queued_as: [[:xdigit:]]+( OK id=[-[:alnum:]]+)?,( dkim_(sd|new)=([._[:alnum:]-]+:[._[:alnum:]-]+,)+)? [[:digit:]]+ ms$ + +# If the machine hosts MX ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/smtpd\[[[:digit:]]+\]: improper command pipelining after (EHLO|DATA) from [._[:alnum:]-]+\[[:[:xdigit:].]+\]$ -# | On the MXs only: Poorly configured server certificates will be ignored and the connection will back as untrusted. -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/smtpd\[[[:digit:]]+\]: certificate verification failed for [._[:alnum:]-]+\[[:[:xdigit:].]+\]: not designated for use as a client certificate$ -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/smtpd\[[[:digit:]]+\]: client certificate verification failed for [._[:alnum:]-]+\[[:[:xdigit:].]+\]: certificate has expired$ -# | On Benjamin -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ kernel:( \[ *[[:digit:]]+\.[[:digit:]]+\])? 
usb [[:digit:]]+-[.[:digit:]]+: (new|reset) (low|full|high) speed USB device using ([_[:alnum:]-]+ and )?address [[:digit:]]+$ -# | On the MSAs + +# If the machine hosts a MSA ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/cleanup\[[0-9]+\]: [[:alnum:]]+: replace: header Received: from +# If the machine has several ethernet interfaces +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ntpd\[[0-9]+\]: [.0-9]{7,15} interface [.0-9]{7,15} -> [.0-9]{7,15}$ + +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/postfix-script\[[[:digit:]]+\]: refreshing the Postfix mail system$ +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/master\[[[:digit:]]+\]: reload -- version + +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ ansible-[a-z]+: Invoked + ** Configuring aptitude and friends # We are going to automatically install many security updates using the package -- cgit v1.2.3
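Review bot: The new `ansible-[a-z]+: Invoked` rule near the end of the hunk silences the syslog trail of configuration-management runs on the host, yet unlike the other groups added in this hunk it has no heading saying why, and `[a-z]+` does not match module names containing an underscore or digit (e.g. `ansible-apt_key`, if that form is what the host logs), so only part of that traffic would be suppressed. Those lines are typically how an unexpected or out-of-band playbook run shows up in the logcheck report, so if they are meant to be ignored the reason belongs in the file, in the style of the neighbouring headings, e.g. `# If the machine is managed by Ansible`, and the character class widened to `[_[:alnum:]]+`; if they are not meant to be ignored, the rule should be dropped. The same missing heading applies to the re-added `postfix/postfix-script` / `postfix/master` reload pair, whose former `# | Postfix reload` explanation was removed with the move.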