path: root/security/logcheck/files/patch-docs_README.logcheck-database
blob: 736ed9f5cb86fdda22eccca85993cd6393e051fa (plain) (blame)
--- docs/README.logcheck-database.orig	2017-01-25 21:08:04 UTC
+++ docs/README.logcheck-database
@@ -15,7 +15,7 @@ normal egrep pattern-matches, applied in
 1. the "SECURITY ALERTS" layer, designed to detect the traces of active
 	intrusion attempts.
 
-   Patterns raising the alarm go in "/etc/logcheck/cracking.d"; any
+   Patterns raising the alarm go in "%%ETCDIR%%/cracking.d"; any
 	event that matches one of these patterns turns the report
 	into an urgent "Security Alerts" report, with the relevant
 	event moved to a special section.  The cracking.d standard
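Review bot: the "%%ETCDIR%%" token introduced on the "+" line replaces a literal path in a documentation file that is installed as plain text, so the change is only correct if the token is expanded at build time; unless the port substitutes %%ETCDIR%% with the real configuration directory (for example in a post-patch step, which is an assumption about the Makefile rather than something visible here), the installed README will show the literal string "%%ETCDIR%%/cracking.d". Worth confirming that expansion is in place, since every hunk in this patch depends on it.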
@@ -26,7 +26,7 @@ normal egrep pattern-matches, applied in
 	the default logcheck configuration, but if the local
 	administrator enables this layer of filtering in
 	logcheck.conf, then the rules go in the directory
-	"/etc/logcheck/cracking.ignore.d".  Matches with
+	"%%ETCDIR%%/cracking.ignore.d".  Matches with
 	cracking.ignore rules will then reclassify the alert as a
 	false alarm (compare violations.ignore below).  Note that
 	this means they are totally ignored - log messages handled
@@ -35,12 +35,12 @@ normal egrep pattern-matches, applied in
 2. the "SECURITY EVENTS" layer, designed to detect less critical
 	events still considered worthy of special attention.
 
-   Patterns raising the alarm go in "/etc/logcheck/violations.d";
+   Patterns raising the alarm go in "%%ETCDIR%%/violations.d";
 	matches with these result in a "Security Events" alert,
 	with the relevant event moved to a special section.
 
    Patterns cancelling such alarms go in the standard directory
-	"/etc/logcheck/violations.ignore.d"; apparent "Security
+	"%%ETCDIR%%/violations.ignore.d"; apparent "Security
 	Events" that match with violations.ignore patterns are
 	discarded as false alarms.
 
@@ -51,7 +51,7 @@ normal egrep pattern-matches, applied in
 	from the logfiles are considered for inclusion in the main
 	"System Events" section.
 
-   Patterns in the three "/etc/logcheck/ignore.d.*" directories
+   Patterns in the three "%%ETCDIR%%/ignore.d.*" directories
 	again function to overrule alerts; the log messages that
 	match them are excluded from the report as trivial.  The
 	specific directories consulted depend on the prevailing
@@ -78,13 +78,13 @@ underscore, and hyphen.
 Contains filters relevant to only one Debian package - for example
 if "fooserver" logs suspicious events like this:
 "$DATE $HOSTNAME fooserver[$PID]: $USER is up to no good"
-then a line in "/etc/logcheck/violations.d/fooserver" with an
+then a line in "%%ETCDIR%%/violations.d/fooserver" with an
 appropriate pattern will promote it from a mere "System Event"
 to a full "Security Event" in a subsection of the mailing headed
 "fooserver".  Or then again if that kind of log message is more
 trivial than it looks (maybe "foo" is a networked game of
 spy-and-counterspy) then a line in
-"/etc/logcheck/ignore.d.server/fooserver" will turn it into a
+"%%ETCDIR%%/ignore.d.server/fooserver" will turn it into a
 nonevent for all but the most assiduous of administrators.
 
 Sometimes a package will have not only special alarm calls which
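Review bot: the two path rewrites in this hunk are consistent with the rest of the patch, but the unchanged context keeps the upstream wording "Contains filters relevant to only one Debian package", so the installed README will pair the port's configuration directory with Debian packaging terminology. If the goal is to localize the documentation, consider also adjusting that sentence (for example "relevant to only one package"); otherwise leaving upstream's wording should be a deliberate choice rather than an oversight.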
@@ -107,7 +107,7 @@ that need to be processed.
 
 Standard "generic" rules go in each directory's "./logcheck" file;
 thus for instance any log message at all matching "ATTACK"
-(listed in "/etc/logcheck/cracking.d/logcheck") _always_ triggers
+(listed in "%%ETCDIR%%/cracking.d/logcheck") _always_ triggers
 a "Security Alert", unless you deliberately tamper with
 "cracking.ignore.d" rules.
 
@@ -122,12 +122,12 @@ non-package-specific "flagging" patterns
 "fooserver" outputs syslog messages like this:
     "$DATE $HOSTNAME fooserver[$PID]: 3 attempts 0 rejected"
 then the standard keyword "reject" listed in the generic
-"/etc/logcheck/violations.d/logcheck" file will trigger frequent
+"%%ETCDIR%%/violations.d/logcheck" file will trigger frequent
 "Security Events" reports.  Putting a filtering pattern in
-"/etc/logcheck/violations.ignore.d/fooserver" won't help here!
+"%%ETCDIR%%/violations.ignore.d/fooserver" won't help here!
 The solution is to use a file named in the specially-privileged
 ./logcheck-<packagename> format:
-"/etc/logcheck/violations.ignore.d/logcheck-fooserver".
+"%%ETCDIR%%/violations.ignore.d/logcheck-fooserver".
 This can contain patterns provided by that particular package
 which nonetheless need to take precedence over the generic rules.
 
@@ -137,8 +137,8 @@ Sysadmins can use the "local-*" filename
 additions to the "logcheck-*" pattern lists.  If you have "ippl"
 logging network connections verbosely into syslog then you can put
 custom "Security Events" keywords in
-"/etc/logcheck/violations.d/local-ippl" and exceptions in
-"/etc/logcheck/violations.ignore.d/local-ippl".
+"%%ETCDIR%%/violations.d/local-ippl" and exceptions in
+"%%ETCDIR%%/violations.ignore.d/local-ippl".
 
 
 WRITING RULES
@@ -181,7 +181,7 @@ logcheck-test(1)).
 Alternatively you can manually grep your log file, and remove trailing
 space with something like this:
 
-    sed -e 's/[[:space:]]*$//' /var/log/syslog | egrep \
+    sed -e 's/[[:space:]]*$//' /var/log/messages | egrep \
     '^\w{3} [ :0-9]{11} oempc wwwoffled\[[0-9]+\]: WWWOFFLE (On|Off)line\.$'
 
 If the log line is displayed, then your regex works.
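Review bot: switching the example from /var/log/syslog to /var/log/messages gives readers the log file that syslog actually writes on the target system, but the unchanged regex on the following line still hardcodes the hostname "oempc" and the "wwwoffled" program name, so a reader who copies the command verbatim sees no output even when the setup is correct and the closing sentence ("If the log line is displayed, then your regex works.") is misleading. Since this is the only hunk that changes something other than the configuration-directory token, it would help to add a short remark in the text that the hostname and program name must be replaced with local values, or to generalize the pattern itself.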