Hello Jonas,

Thanks for your report.

On Sun, Mar 19, 2006 at 10:51:09PM +0100, Jonas Meurer wrote:
> Package: logcheck
> Version: 1.2.43a
> Severity: important
>
> hello,
>
> it seems like logcheck always outputs some log lines longer than 503
> characters, even if they perfectly well match a given regex.
>
> i have the following entry in /etc/logcheck/ignore.d.server/syslog-ng:
> syslog-ng\[.*\]: Log statistics; processed='.*\(.*\)=.*', .*
>
> and in the file 'testlog' i have the following two lines:
> Mar 16 22:31:56 resivo syslog-ng[6932]: Log statistics;
> processed='source(s_all)=2186', processed='destination(df_auth)=407',
> processed='destination(df_news_dot_notice)=0',
> processed='destination(df_news_dot_err)=0',
> processed='destination(df_uucp)=0', processed='destination(df_mail)=0',
> processed='destination(df_user)=126',
> processed='destination(df_facility_dot_notice)=0',
> processed='destination(df_daemon)=1415',
> processed='destination(df_facility_dot_crit)=0',
> processed='destination(df_debu)=28'
> Mar 16 22:31:56 resivo syslog-ng[6932]: Log statistics;
> processed='source(s_all)=2186', processed='destination(df_auth)=407',
> processed='destination(df_news_dot_notice)=0',
> processed='destination(df_news_dot_err)=0',
> processed='destination(df_uucp)=0', processed='destination(df_mail)=0',
> processed='destination(df_user)=126',
> processed='destination(df_facility_dot_notice)=0',
> processed='destination(df_daemon)=1415',
> processed='destination(df_facility_dot_crit)=0',
> processed='destination(df_debug)=28'
>
> (both are exactly identical, except that the second one has one more
> character (third-last one).
>
> now see what logcheck gives:
> # sudo -u logcheck logcheck -o -s -t -l testlog
> This email is sent by logcheck. If you wish to no-longer receive it,
> you can either deinstall the logcheck package or modify its
> configuration file (/etc/logcheck/logcheck.conf).
>
> Security Events
> =-=-=-=-=-=-=-=
> Mar 16 22:31:56 resivo syslog-ng[6932]: Log statistics;
> processed='source(s_all)=2186', processed='destination(df_auth)=407',
> processed='destination(df_news_dot_notice)=0',
> processed='destination(df_news_dot_err)=0',
> processed='destination(df_uucp)=0', processed='destination(df_mail)=0',
> processed='destination(df_user)=126',
> processed='destination(df_facility_dot_notice)=0',
> processed='destination(df_daemon)=1415',
> processed='destination(df_facility_dot_crit)=0',
> processed='destination(df_debug)=28'
>
>
>
> unfortunately the line length is not the only criteria. lines containing
> only numbers and letters which are longer than 503 characters seem to be
> ignored if they match a regex.

I have tested this with a couple of versions of logcheck and I'm unable to reproduce. It is worth noting that the string caught above contains substrings that would trigger a violation, and therefore needs a line in violations.ignore.d as well. I suspect this is a configuration issue.

Please let me know your findings.

-- 
Todd Troxell
http://rapidpacket.com/~xtat
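
The layering described in the reply above, as an added example that is not part of the original message and is not logcheck's own code: a shell model in which the violations layer is consulted before ignore.d.server. The `debug` violations keyword, the shortened sample lines, the function names, and the fall-through to ignore.d.server after a violations.ignore.d match are assumptions; the thread does not name the substring that triggers the violation.

```shell
#!/bin/sh
# Simplified model of logcheck's layered filtering. Added example, not logcheck's code.

# Constructed stand-in for a violations.d keyword (assumption: the thread
# does not name the substring that triggers the violation).
VIOLATIONS='debug'

# The ignore.d.server/syslog-ng rule quoted in the report.
IGNORE_SERVER="syslog-ng\[.*\]: Log statistics; processed='.*\(.*\)=.*', .*"

# Sample lines shortened from the report; they differ only in debu/debug.
LINE_A="Mar 16 22:31:56 resivo syslog-ng[6932]: Log statistics; processed='source(s_all)=2186', processed='destination(df_debu)=28'"
LINE_B="Mar 16 22:31:56 resivo syslog-ng[6932]: Log statistics; processed='source(s_all)=2186', processed='destination(df_debug)=28'"

# matches LINE REGEX: true if the extended regex matches the line.
matches() {
    printf '%s\n' "$1" | grep -Eq -- "$2"
}

# classify LINE [VIOLATIONS_IGNORE_REGEX]
# Prints "security" (reported under Security Events), "system" (reported
# under System Events) or "ignored" (filtered out of the report).
classify() {
    line=$1
    violations_ignore=${2:-}
    if matches "$line" "$VIOLATIONS"; then
        # Violation layer: ignore.d.server is not consulted here, only
        # violations.ignore.d can clear the line.
        if [ -z "$violations_ignore" ] || ! matches "$line" "$violations_ignore"; then
            echo security
            return 0
        fi
    fi
    # Assumption of this model: a cleared line is then checked against ignore.d.server.
    if matches "$line" "$IGNORE_SERVER"; then
        echo ignored
    else
        echo system
    fi
}

classify "$LINE_A"                    # ignored
classify "$LINE_B"                    # security
classify "$LINE_B" "$IGNORE_SERVER"   # ignored
```

In this model the same regex placed in both layers silences the second line, while the ignore.d.server rule alone does not.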