Home » Tag

Rule

Automatische Logcheck Regelaktualisierung Für Hochpräzise Zeitstempel Ab Debian 12 Bookworm

Nach dem Update auf Debian 12 funktionieren die selbst angelegten logcheck Regeln nicht mehr. Das liegt daran, dass du nun hochpräzise Zeitstempel in den Logs genutzt werden.

Die eigenen Regeln kann man mit einem Befehl für das neue Format einfach konvertieren. Als root muss folgendes Kommando ausgeführt werden:

for rule in /etc/logcheck/*.d*/local-*; do sed --in-place --regexp-extended 's,^\^((\\w|\[\[:alpha:\]\])\{3\} \[ :(0-9|\[:digit:\])\]\{11\}),^(\1|[0-9T:.+-]{32}),' "$rule" ; done

Dabei muss der Ausdruck für die Dateipfade /etc/logcheck/*.d*/local-* an die eigenen Dateinamen der Regeln angepasst werden. Bei mir beginnen sie mit 01-, sodass ich diese Stelle auf /etc/logcheck/*.d*/01-* abgeändert habe.

Die Regel habe ich auch noch auf die postgrey Dateien angewendet, weil diese noch den alten Zeitstempel unterstützt haben und nicht auch den neuen.

September 27, 2023 · 1 Minute

Namespaces in logseq since v0.8.9

Namespaces in logseq are as simple as using a slash in the page’s title. If you have worked with namespaces in a logseq version, which is lower than v0.8.9, you should migrate your existing pages according to the “New file name rules”. These rules are mentioned almost at the end of release note. Otherwise you might notice some weird behaviour with the pages in a namespace.

The migration via GUI can be found in logseq: Settings → Advanced → File name format and there is an Edit button, which should be clicked and the instructions in the popup window need to be followed. In your logseq graph this will rename all pages with a slash, where the slash will be replace by three underscores.

November 22, 2022 · 1 Minute

logcheck Regel Update 3 - Entfernen der Clamav Installation outdated Warnung

Anbei ist das dritte logcheck Regel Update, um folgende drei Zeilen auszufiltern:

Dec 22 06:52:39 server freshclam[358]: WARNING: Your ClamAV installation is OUTDATED!
Dec 22 06:52:39 server freshclam[358]: WARNING: Local version: 0.98.7 Recommended version: 0.99
Dec 22 06:52:39 server freshclam[358]: DON'T PANIC! Read http://www.clamav.net/support/faq

Das Update der Regeln spiegelt folgender Patch wider:

/etc/logcheck/ignore.d.server# git diff
diff --git a/logcheck/ignore.d.server/clamav-freshclam b/logcheck/ignore.d.server/clamav-freshclam
index 2608bd3..47e2cbe 100644
--- a/logcheck/ignore.d.server/clamav-freshclam
+++ b/logcheck/ignore.d.server/clamav-freshclam
@@ -5,3 +5,6 @@
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ freshclam\[[0-9]+\]: --------------------------------------$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ freshclam\[[0-9]+\]: Database updated \([0-9]+ signatures\) from .* \(IP: [0-9.]+\)$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ freshclam\[[0-9]+\]: Downloading daily-[0-9]+.cdiff \[100%\] ?$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ freshclam\[[0-9]+\]: WARNING: Your ClamAV installation is OUTDATED!$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ freshclam\[[0-9]+\]: DON'T PANIC! Read http://www.clamav.net/support/faq$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ freshclam\[[0-9]+\]: WARNING: Local version: [0-9.]+ Recommended version: [0-9.]+$

Vergangene logcheck Regel Updates: #1 #2

Dezember 22, 2015 · 1 Minute

logcheck Regel Update #2

Hier das zweite Update meiner logcheck Regeln. Aktuell nutze ich logcheck 1.3.17 unter Debian GNU/Linux 8.

diff --git a/logcheck/ignore.d.server/amavisd-new b/logcheck/ignore.d.server/amavisd-new
index fb794bd..a6121f3 100644
--- a/logcheck/ignore.d.server/amavisd-new
+++ b/logcheck/ignore.d.server/amavisd-new
@@ -3,5 +3,5 @@
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ amavis\[[[:digit:]]+\]: \([-[:digit:]]+\) NOTICE: Not sending DSN in response to bulk mail from <[^.]*> containing [[:upper:] ]+, mail intentionally dropped$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ amavis\[[[:digit:]]+\]: \([-[:digit:]]+\) INFO: unfolded [[:digit:]]+ illegal all-whitespace continuation lines$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ amavis\[[[:digit:]]+\]: \([-[:digit:]]+\) WARN: address modified \((sender|recipient)\): <[^>]+> -> <[^>]+>$
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ amavis\[[[:digit:]]+\]: \([-[:digit:]]+\) Passed (BAD-HEADER-[[:digit:]]|UNCHECKED|CLEAN|SPAM(MY)?) {(RelayedInbound|RelayedTaggedInbound|RelayedOpenRelay|RelayedInternal)(,Quarantined)?},( LOCAL)? (\[[.[:digit:]]+\]:[[:digit:]]+ )?(\[[.:[:alnum:]]+\] )?<([._-=@[:alnum:]]+)?> -> <([._-=@[:alnum:]]+)?>,( quarantine: [._-=/@[:alnum:]]+,)? (Queue-ID: [[:alnum:]]+, )?(Message-ID: <.*>, )?mail_id: [-_[:alnum:]]+, Hits: -?[.[:xdigit:]]*, size: [[:digit:]]+, queued_as: [_[:alnum:]]+, [[:digit:]]+ ms$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ amavis\[[[:digit:]]+\]: \([-[:digit:]]+\) Passed (BAD-HEADER-[[:digit:]]|UNCHECKED|CLEAN|SPAM(MY)?|UNCHECKED-ENCRYPTED) {(RelayedInbound|RelayedTaggedInbound|RelayedOpenRelay|RelayedInternal)(,Quarantined)?},( LOCAL)? (\[[.[:digit:]]+\]:[[:digit:]]+ )?(\[[.:[:alnum:]]+\] )?<([._-=@[:alnum:]]+)?> -> <([._-=@[:alnum:]]+)?>,( quarantine: [._-=/@[:alnum:]]+,)? (Queue-ID: [[:alnum:]]+, )?(Message-ID: <.*>, )?mail_id: [-_[:alnum:]]+, Hits: -?[.[:xdigit:]]*, size: [[:digit:]]+, queued_as: [_[:alnum:]]+, [[:digit:]]+ ms$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ amavis\[[[:digit:]]+\]: \([-[:digit:]]+\) Blocked BANNED \(.*\) {(No)?BouncedInbound,Quarantined}, (\[[.[:digit:]]+\]:[[:digit:]]+ )?(\[[.:[:alnum:]]+\] )?<([._-=@[:alnum:]]+)?> -> <([._-=@[:alnum:]]+)?>, (quarantine: [[:alnum:]]/.*, )?(Queue-ID: [[:alnum:]]+, )?(Message-ID: <[._-$%@[:alnum:]]+>, )?mail_id: [-_[:alnum:]]+, Hits: -?[.[:xdigit:]]*, size: [[:digit:]]+, (queued_as: [_[:alnum:]]+, )?[[:digit:]]+ ms$

diff --git a/logcheck/ignore.d.server/clamav-freshclam b/logcheck/ignore.d.server/clamav-freshclam
index 73df35f..2608bd3 100644
--- a/logcheck/ignore.d.server/clamav-freshclam
+++ b/logcheck/ignore.d.server/clamav-freshclam
@@ -1,6 +1,6 @@
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ freshclam\[[0-9]+\]: ClamAV update process started at .*$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ freshclam\[[0-9]+\]: Received signal: (wake up|re-opening log file)$
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ freshclam\[[0-9]+\]: (daily|main)\.c(l|v)d (is up to date|updated) \(version: [0-9]+, sigs: [0-9]+, f-level: [0-9]+, builder: \w+\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ freshclam\[[0-9]+\]: (bytecode|daily|main)\.c(l|v)d (is up to date|updated) \(version: [0-9]+, sigs: [0-9]+, f-level: [0-9]+, builder: \w+\)$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ freshclam\[[0-9]+\]: Clamd successfully notified about the update\.$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ freshclam\[[0-9]+\]: --------------------------------------$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ freshclam\[[0-9]+\]: Database updated \([0-9]+ signatures\) from .* \(IP: [0-9.]+\)$

diff --git a/logcheck/ignore.d.server/dovecot b/logcheck/ignore.d.server/dovecot
index 643a4e4..047fb97 100644
--- a/logcheck/ignore.d.server/dovecot
+++ b/logcheck/ignore.d.server/dovecot
@@ -28,4 +28,5 @@
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap)-login: (Disconnected|Aborted login)(: Inactivity)? \(
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap\([-_.@[:alnum:]]+\): Disconnected
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: lda\([-_.@[:alnum:]]+\): sieve: msgid=.*: stored mail into mailbox '[-.[:alnum:]]+'$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: lda\([-_.@[:alnum:]]+\): sieve: msgid=.*: marked message to be discarded if not explicitly delivered \(discard action\)$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: auth-worker\([-_.[:alnum:]]+\): (pg|my)sql\([.:[:xdigit:]]+\): Connected to database [-_.[:alnum:]]+$

diff --git a/logcheck/ignore.d.server/apache b/logcheck/ignore.d.server/apache
index 9faac7e..040caa2 100644
--- a/logcheck/ignore.d.server/apache
+++ b/logcheck/ignore.d.server/apache
@@ -1 +1,2 @@
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ apache: nss_ldap: reconnect(ing|ed) to LDAP server(\.\.\.| after [0-9]+ attempt\(s\))$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ apache2\[[0-9]+\]: Reloading web server: apache2.$

diff --git a/logcheck/ignore.d.server/rsyslog b/logcheck/ignore.d.server/rsyslog
index 171f20e..594b869 100644
--- a/logcheck/ignore.d.server/rsyslog
+++ b/logcheck/ignore.d.server/rsyslog
@@ -3,3 +3,5 @@
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ rsyslogd: \[origin software="rsyslogd" swVersion="[0-9.]+" x-pid="[0-9]+" x-info="http://www.rsyslog.com"\] start$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ rsyslogd: \[origin software="rsyslogd" swVersion="[0-9.]+" x-pid="[0-9]+" x-info="http://www.rsyslog.com"\] exiting on signal [0-9]+.$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ rsyslogd: \[origin software="rsyslogd" swVersion="[0-9.]+" x-pid="[0-9]+" x-info="http://www.rsyslog.com"\] rsyslogd was HUPed$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ rsyslogd(-)?[0-9]+: action 'action 17' resumed \(module 'builtin:ompipe'\) \[try http://www.rsyslog.com/e/[0-9]+ \]$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ rsyslogd(-)?[0-9]+: action 'action 17' suspended, next retry is \w{3} \w{3} [ :0-9]{16} \[try http://www.rsyslog.com/e/[0-9]+ \]$

Neu hinzugekommen ist eine Datei für systemd und systemd-login mit dem folgenden Inhalt:

^\w{3} [ :0-9]{11} [._[:alnum:]-]+ systemd\[[0-9]+\]: Reload(ed|ing) LSB: Apache2 web server.$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ systemd\[[0-9]+\]: Start(ed|ing) Cleanup of Temporary Directories[.]+$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ systemd\[[0-9]+\]: Start(ed|ing) Session [0-9]+ of user [._[:alnum:]-]+\.$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ systemd-logind\[[0-9]+\]: New session [0-9]+ of user [._[:alnum:]-]+\.$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ systemd-logind\[[0-9]+\]: Removed session [0-9]+\.$

Vergangene logcheck Regel Updates: #1

August 9, 2015 · 3 Minuten