Description of problem:
Logcheck has filters for dhclient, but those seem to be outdated. A typical dhclient log looks like this on F15:
Nov 3 11:58:40 sirrah dhclient[718]: DHCPREQUEST on eth0 to 10.102.11.254 port 67
Nov 3 11:58:40 sirrah dhclient[718]: DHCPACK from 10.102.11.254
Nov 3 11:58:40 sirrah dhclient[718]: bound to 10.102.11.127 -- renewal in 1341 seconds.
Logcheck filter from /etc/logcheck/ignore.d.server/logcheck:
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhclient(-2.2.x)?: bound(:| to [.0-9]{7,15} --) renewal in [0-9]+ seconds\.$
If I replace "(-2.2.x)?" with "\[[[:digit:]]+\]", it works as expected meaning no DHCP logs are sent via mail.
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhclient\[[[:digit:]]+\]: bound(:| to [.0-9]{7,15} --) renewal in [0-9]+ seconds\.$
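The mismatch described above can be reproduced offline. This is an added example, not part of the original report or of the logcheck package: it assumes ignore rules behave like `grep -E -v` patterns (GNU grep, for `\w`), and the three log lines are constructed from the message formats quoted in this report.

```shell
#!/bin/sh
# Rules copied from the report: the packaged filter and the reporter's fix.
OLD_RULE='^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhclient(-2.2.x)?: bound(:| to [.0-9]{7,15} --) renewal in [0-9]+ seconds\.$'
NEW_RULE='^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhclient\[[[:digit:]]+\]: bound(:| to [.0-9]{7,15} --) renewal in [0-9]+ seconds\.$'

# Constructed sample lines. Syslog pads a single-digit day with a space
# ("Nov  3"), which the [ :0-9]{11} timestamp class depends on.
#   line 1: tag with PID (the F15 form)
#   line 2: tag without PID (the form the packaged rule expects)
#   line 3: same message logged under the NetworkManager tag (the F16 form)
sample_log() {
    cat <<'EOF'
Nov  3 11:58:40 sirrah dhclient[718]: bound to 10.102.11.127 -- renewal in 1341 seconds.
Nov  3 11:58:40 sirrah dhclient: bound to 10.102.11.127 -- renewal in 1341 seconds.
Nov 16 21:37:37 sirrah NetworkManager[677]: bound to 10.102.11.127 -- renewal in 1503 seconds.
EOF
}

# Print the sample lines a rule does NOT suppress, i.e. what would be mailed.
# Assumption: an ignore rule acts like a `grep -E -v` pattern.
reported() {
    sample_log | grep -E -v -e "$1" || true
}

# Number of sample lines still reported under a rule.
reported_count() {
    reported "$1" | grep -c '' || true
}

# Show the effect of each rule when run stand-alone.
for name in OLD_RULE NEW_RULE; do
    eval "rule=\$$name"
    echo "== $name: $(reported_count "$rule") line(s) still reported"
    reported "$rule"
done
```

Both rules are anchored on the program tag, so each one suppresses only the tag form it was written for; the NetworkManager line passes through both.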
Thanks for the report. Let's see what I can do about this. I'll take a look at this later today.
logcheck-1.3.14-2.fc16 has been submitted as an update for Fedora 16. https://admin.fedoraproject.org/updates/logcheck-1.3.14-2.fc16
Package logcheck-1.3.14-2.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing logcheck-1.3.14-2.fc16'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2011-15929
then log in and leave karma (feedback).
Hi Matthias,
the bug has been reported against Fedora 15. However I updated that very system to Fedora 16 and now logcheck reports the following every hour:
Nov 16 21:37:37 sirrah NetworkManager[677]: DHCPREQUEST on eth0 to 10.102.11.254 port 67
Nov 16 21:37:37 sirrah NetworkManager[677]: DHCPACK from 10.102.11.254
Nov 16 21:37:37 sirrah NetworkManager[677]: bound to 10.102.11.127 -- renewal in 1503 seconds.
Nov 16 22:00:01 sirrah systemd-logind[704]: New user root logged in.
Nov 16 22:00:01 sirrah systemd-logind[704]: New session 356 of user root.
Nov 16 22:00:01 sirrah systemd-logind[704]: Removed session 356.
Nov 16 22:01:01 sirrah systemd-logind[704]: New session 357 of user root.
Nov 16 22:01:01 sirrah systemd-logind[704]: Removed session 357.
Nov 16 22:02:01 sirrah systemd-logind[704]: New session 358 of user logcheck.
Regards
Marcel
logcheck-1.3.14-3.fc16 has been submitted as an update for Fedora 16. https://admin.fedoraproject.org/updates/logcheck-1.3.14-3.fc16
Marcel, I just put some additional rules together; they should prevent those annoying messages. It's included in the update.
Matthias,
looks good, but I think you missed this one:
Nov 16 22:00:01 sirrah systemd-logind[704]: New user root logged in.
And I think the filenames should be different.
/etc/logcheck/ignore.d.server/logchk-systemd-ignore
/etc/logcheck/ignore.d.server/logchk-NetworkManager-ignore
To me it looks like the first term logchk and the last term ignore are redundant within the full path. Other filters don't use these terms either.
Regards
Marcel
Marcel, you're absolutely right, those files should get other names following the name scheme of all the other filters.
Regarding new user logins, I'm undecided whether I'd like to have this ignored or not. This gets reported afaik on each new interactive session, i.e. for each session created via login manager (gdm, kdm, ..). For my systems, I'd like to get informed, because this may mean a break-in. In normal usage, real logins happen every 5-10 days. One mail in 5-10 days is something I really can live with.
Is there anything else missing?
Matthias,
these logins are caused by cronjobs of sysstat, so it's not just user logins.
Nov 21 15:10:01 sirrah systemd-logind[704]: New user root logged in.
Nov 21 15:20:01 sirrah systemd-logind[704]: New user root logged in.
Nov 21 15:30:01 sirrah systemd-logind[704]: New user root logged in.
Nov 21 15:40:01 sirrah systemd-logind[704]: New user root logged in.
Nov 21 16:01:01 sirrah systemd-logind[704]: New user root logged in.
Nov 21 15:10:01 sirrah /USR/SBIN/CROND[30372]: (root) CMD (/usr/lib64/sa/sa1 1 1)
Nov 21 15:20:01 sirrah /USR/SBIN/CROND[30378]: (root) CMD (/usr/lib64/sa/sa1 1 1)
Nov 21 15:30:01 sirrah /USR/SBIN/CROND[30384]: (root) CMD (/usr/lib64/sa/sa1 1 1)
Nov 21 15:40:01 sirrah /USR/SBIN/CROND[30390]: (root) CMD (/usr/lib64/sa/sa1 1 1)
Nov 21 15:50:01 sirrah /USR/SBIN/CROND[30395]: (root) CMD (/usr/lib64/sa/sa1 1 1)
Nov 21 16:00:01 sirrah /USR/SBIN/CROND[30399]: (root) CMD (/usr/lib64/sa/sa1 1 1)
IMHO: Logcheck should only report irregular events and logins aren't such events. Even failed logins are not irregular if the machine is connected to the internet directly. There are different profiles (server, workstation, paranoid) in logcheck. Reporting logins, successful or failed, should be done in paranoid only.
This is not a forum, so I don't want to do a lot of discussion here. If you disagree I'll add filter rules myself and close this bug. It's anyway unrelated to the original subjects.
Regards
Marcel
Ok, there's a new update. https://admin.fedoraproject.org/updates/FEDORA-2011-16076/logcheck-1.3.14-4.fc16 I'd like to close this bug. If you see other issues, please open a new bug. Thanks.
Works perfectly now. Thanks Matthias.
logcheck-1.3.14-4.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.