Package: systemd
Version: 228-2
Severity: wishlist
Tags: patch

Dear Maintainer,

systemd currently logs many informational messages to the system log and
does not exclude any of these messages from logcheck, which results in
an overwhelming number of systemd log messages being reported.

The logcheck maintainers recommend that packages maintain their own
logcheck rules.[1] To that end I'm filing this bug report along with
the rules that I am currently using. They are based on the rules from
the Debian Wiki[2] with additional rules and additional work to organize
and structure the rules based on the log statements in the source code.

Although the rules on the wiki attempt to match target/service/unit
names, I think this is futile, especially given the low-security nature
of such messages, and instead exclude all start/stop/restart messages.
This has 2 known false-negatives noted in the rules, which are difficult
to exclude due to the lack of negative lookahead in the POSIX regex
language (although it could be done if desired).

To use the file, install it as /etc/logcheck/ignore.d.server/systemd

Thanks for considering,
Kevin

1. https://logcheck.alioth.debian.org/docs/README.Maintainer
2. https://wiki.debian.org/systemd/logcheck

-- Package-specific info:
-- System Information:
Debian Release: stretch/sid
APT prefers testing
APT policy: (990, 'testing'), (500, 'unstable'), (101, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.3.0+kevinoid1 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages systemd depends on:
ii adduser 3.113+nmu3
ii libacl1 2.2.52-2
ii libapparmor1 2.10-2+b1
ii libaudit1 1:2.4.4-4
ii libblkid1 2.27.1-1
ii libc6 2.21-4
ii libcap2 1:2.24-12
ii libcap2-bin 1:2.24-12
ii libcryptsetup4 2:1.6.6-5
ii libgcrypt20 1.6.4-3
ii libkmod2 21-1
ii liblzma5 5.1.1alpha+20120614-2.1
ii libmount1 2.27.1-1
ii libpam0g 1.1.8-3.1
ii libseccomp2 2.2.3-2
ii libselinux1 2.4-3
ii libsystemd0 228-2
ii mount 2.27.1-1
ii sysv-rc 2.88dsf-59.2
ii util-linux 2.27.1-1
Versions of packages systemd recommends:
ii dbus 1.10.6-1
ii libpam-systemd 228-2
Versions of packages systemd suggests:
pn systemd-container <none>
pn systemd-ui <none>
Versions of packages systemd is related to:
ii udev 228-2
-- no debconf information
# Logcheck rules for systemd, organized by component.

# Automount
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: (Set up|Unset) automount .+\.$

# Busname & Socket
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: (Closed|Listening on) .+\.$

# Device
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: Expecting device [^[:space:]]+\.device\.\.\.$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: Found device [^[:space:]]+\.$

# IMA
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: Successfully loaded the IMA custom policy [^[:space:]]+\.$

# Job & Service & Unit
# FIXME: Don't want to match "Stopped \(with error\) .+\.$"
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: (Started|Stopped|Reloaded) .+\.$
# FIXME: Don't want to match "Starting of .+ not supported\.$"
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: (Starting|Stopping|Reloading) .+\.$

# Log
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd(-[^[:space:]]+)?\[[[:digit:]]+\]: Received SIG[^[:space:]]+( from PID [[:digit:]]+ \([^[:space:]]+\))?\.$

# Main
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: (Reexecuting|Reloading|Shutting down|Switching root)\.$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: Detected architecture [^[:space:]]+\.$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: Detected virtualization [^[:space:]]+\.$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: RTC configured in localtime, applying delta of -?[[:digit:]]+ minutes to system time\.$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: Running in initial RAM disk\.$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: systemd [[:digit:]]+ running in (test )?system mode\. \((\+[[:alnum:]]+ ?)+\)$

# Manager
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: Startup finished in [[:digit:]]+ms\.$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: Time has been changed$

# Mount
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: (Mounted|Unmounted) .+\.$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: Mounting .+\.\.\.$

# PAM
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd: pam_unix\(systemd-user:session\): session (opened|closed) for user [^[:space:]]+( by \(uid=[[:digit:]]+\))?$

# SELinux
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: Successfully loaded SELinux policy in [^[:space:]]+\.$

# Smack
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: Successfully loaded Smack(/CIPSO)? policies\.$

# Slice
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: (Created|Removed) slice User Slice of .+\.$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: (Created|Removed) slice [^[:space:]]+\.slice\.$

# Swap
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: (Activated|Deactivated) swap .+\.$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: Activating swap .+\.\.\.$

# Target
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: (Reached|Stopped) target .+\.$

# Unit
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: [^[:space:]]+: Unit is bound to inactive unit [^[:space:]]+\. Stopping, too\.$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: [^[:space:]]+: Unit not needed anymore\. Stopping\.$

# systemd-journald
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd-journald\[[[:digit:]]+\]: Received request to (flush|rotate) runtime journal from PID [[:digit:]]+$

# systemd-logind
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd-logind\[[[:digit:]]+\]: New session [^[:space:]]+ of user [^[:space:]]+\.$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd-logind\[[[:digit:]]+\]: Removed session [^[:space:]]+\.$

# systemd-sleep
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd-sleep\[[[:digit:]]+\]: Suspending system\.\.\.$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd-sleep\[[[:digit:]]+\]: System resumed\.$

# systemd-timesyncd
# Note: Only required for systemd 218 and earlier due to
# https://bugs.freedesktop.org/show_bug.cgi?id=88926
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd-timesyncd\[[[:digit:]]+\]: interval/delta/delay/jitter/drift [[:digit:]]+s/(\+|-)[.[:digit:]]+s/-?[.[:digit:]]+s/-?[.[:digit:]]+s/(\+|-)[[:digit:]]+ppm( \(ignored\))?$
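
The two FIXME false negatives in the Job & Service & Unit rules can be reproduced, and closed without negative lookahead, by enumerating the prefixes that are allowed to follow the verb. This is an added example, not part of the submitted rules: the "tightened" patterns, the `reported` helper and the sample log lines are constructed here, and the tightened rules deliberately over-report any unit description that starts with "(" or "of ".

```shell
#!/bin/sh
# Added example (not from the bug report): compare the posted start/stop rules
# with hypothetical tightened variants, using grep -E -v as logcheck does.
tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT

# Rules as posted in the report, one pattern per line.
cat > "$tmp/orig" <<'EOF'
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: (Started|Stopped|Reloaded) .+\.$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: (Starting|Stopping|Reloading) .+\.$
EOF

# Hypothetical tightened rules. POSIX ERE has no (?!...), so the exclusion is
# spelled out as "what may come next":
#   [^(]                  -> description must not begin with "(" ("(with error)")
#   ([^o]|o[^f]|of[^ ])   -> description must not begin with "of "
cat > "$tmp/tight" <<'EOF'
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: (Started|Stopped|Reloaded) [^(].*\.$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: (Stopping|Reloading) .+\.$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: Starting ([^o]|o[^f]|of[^ ]).*\.$
EOF

# Constructed sample syslog lines (host and unit names are made up).
SAMPLE_LOG='Dec 15 10:00:01 host1 systemd[1]: Started Daily apt activities.
Dec 15 10:00:02 host1 systemd[1]: Stopped (with error) Example Daemon.
Dec 15 10:00:03 host1 systemd[1]: Starting Example Daemon...
Dec 15 10:00:04 host1 systemd[1]: Starting of example.mount not supported.
Dec 15 10:00:05 host1 systemd[1]: Stopping Example Daemon...'

# reported RULEFILE: print the sample lines that survive the ignore rules,
# i.e. what would still land in the logcheck report. grep exits 1 when
# nothing survives; only a real grep error (exit 2) is treated as failure.
reported() {
    printf '%s\n' "$SAMPLE_LOG" | grep -Ev -f "$1" || [ $? -eq 1 ]
}

echo "== still reported with the posted rules:"
reported "$tmp/orig"
echo "== still reported with the tightened rules:"
reported "$tmp/tight"
```

With the posted rules nothing is reported, so the two error lines are silently dropped; with the tightened rules only those two lines remain.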