#560245 logcheck: violations.ignore.d causes lines to not show up at any level

Package:
logcheck
Source:
logcheck
Submitter:
Dan D Niles
Date:
2010-05-21 09:21:08 UTC
Severity:
important
Tags:
#560245#5
Date:
2009-12-09 22:25:01 UTC
Adding an exclusion to violations.ignore.d causes matching lines to not
show up at all.  The same applies to cracking.ignore.d.  As a result,
important messages may be inadvertently missed.

For example, suppose you have a program that outputs:

        This is a failure test

This would show up as a SECURITY event.  It isn't really a SECURITY
event, so you exclude it in violations.ignore.d.  Now it does not show
up as a SECURITY event, but it also does not show up as a SYSTEM event.
That behavior is not what I would expect.  I could potentially be missing
important events.

It is easy to test:

  logger -p kern.notice This is a failure test
  run logcheck

You will get an email showing a SECURITY event.

Add "This is a failure test" to a file in violations.ignore.d.

  logger -p kern.notice This is a failure test
  run logcheck

You will not get any notification of the event.

I cannot off the top of my head think of an easy fix.  I for one would
MUCH rather have duplicate messages than risk missing something
important.

#560245#10
Date:
2010-05-21 09:15:58 UTC
tags 560245 +wontfix
thanks

Dan D Niles wrote:

The current behavior is due to the design of logcheck and avoids
duplicate rules in {cracking,violations}.ignore.d/ and ignore.d.*/.
Additionally the behavior is documented in README.logcheck-database.gz.
So I'm tagging this bug as wontfix.

To avoid falsely ignored messages, you can ensure that the rules in
violations.ignore.d are as specific as possible.

Greetings

Hannes
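The rule order that produces the behaviour in the report, and the effect of the maintainer's advice to keep violations.ignore.d rules specific, can be reproduced with a small model. The script below is an added example written for this page; it is not logcheck's own code. It models the stage order documented in README.logcheck-database (cracking.d, cracking.ignore.d, violations.d, violations.ignore.d, then ignore.d.*) under the assumption, taken from the report, that every stage is terminal, so a line matched by an ignore file is dropped rather than passed on to the SYSTEM level. The rule patterns, directory name `ignore.d.server`, the four sample log lines and the `audit_dropped` check are all constructed for the example; the only text taken from the page is "This is a failure test".

```shell
#!/bin/sh
# Added example modelling logcheck's filtering order (not logcheck's own code).
# Assumption: each stage is terminal, so a line matched by an ignore file at
# one stage never reaches the next (the behaviour described in #560245).
set -u

WORK=${TMPDIR:-/tmp}/logcheck-model.$$

# Constructed sample log lines (syslog format as written by logger/sshd/cron).
LINE_TEST='May 21 09:21:08 host root: This is a failure test'
LINE_PAM='May 21 09:22:30 host sshd[1234]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.5  user=root'
LINE_CRON='May 21 09:25:01 host CRON[1300]: (root) CMD (/usr/bin/run-parts /etc/cron.hourly)'
LINE_MISC='May 21 09:26:00 host kernel: usb 1-1: new high-speed USB device'

matches() {  # $1 = log line, $2 = directory of extended-regex rule files
    for f in "$2"/*; do
        [ -f "$f" ] || continue
        printf '%s\n' "$1" | grep -E -q -f "$f" && return 0
    done
    return 1
}

# Build a constructed minimal rule database under $1. $2 selects the
# violations.ignore.d rule: "broad" (a bare keyword) or "specific" (a rule
# anchored on the whole line, as the maintainer recommends).
setup_rules() {
    rm -rf "$1"
    mkdir -p "$1/cracking.d" "$1/cracking.ignore.d" "$1/violations.d" \
             "$1/violations.ignore.d" "$1/ignore.d.server"
    printf '%s\n' 'ATTACK'  > "$1/cracking.d/local"
    printf '%s\n' 'failure' > "$1/violations.d/local"
    if [ "$2" = broad ]; then
        printf '%s\n' 'failure' > "$1/violations.ignore.d/local"
    else
        printf '%s\n' '^[[:alpha:]]{3} [ :[:digit:]]{11} [._[:alnum:]-]+ root: This is a failure test$' \
            > "$1/violations.ignore.d/local"
    fi
    printf '%s\n' 'CRON\[[0-9]+\]: \(root\) CMD' > "$1/ignore.d.server/local"
}

# Print the level a line ends up at: ATTACK, SECURITY, SYSTEM, IGNORED
# (routine noise dropped at the system level) or DROPPED (swallowed by an
# ignore file at the cracking or violations stage, never reported anywhere).
classify() {  # $1 = log line, $2 = rule database dir
    if matches "$1" "$2/cracking.d"; then
        matches "$1" "$2/cracking.ignore.d" && echo DROPPED || echo ATTACK
    elif matches "$1" "$2/violations.d"; then
        matches "$1" "$2/violations.ignore.d" && echo DROPPED || echo SECURITY
    elif matches "$1" "$2/ignore.d.server"; then
        echo IGNORED
    else
        echo SYSTEM
    fi
}

# Defender check: list the log lines (read from stdin) that the ignore files
# in $1 would swallow before the SYSTEM level, so an over-broad rule is
# noticed before it hides a real event.
audit_dropped() {  # $1 = rule database dir
    while IFS= read -r line; do
        [ "$(classify "$line" "$1")" = DROPPED ] && printf '%s\n' "$line"
    done
    return 0
}

dropped_count() {  # $1 = rule database dir; log lines on stdin
    audit_dropped "$1" | wc -l | tr -d ' '
}

demo() {
    for mode in broad specific; do
        setup_rules "$WORK/$mode" "$mode"
        echo "== violations.ignore.d rule: $mode =="
        for l in "$LINE_TEST" "$LINE_PAM" "$LINE_CRON" "$LINE_MISC"; do
            printf '%-8s %s\n' "$(classify "$l" "$WORK/$mode")" "$l"
        done
        echo "-- silently dropped (never reaches the SYSTEM level):"
        printf '%s\n' "$LINE_TEST" "$LINE_PAM" "$LINE_CRON" "$LINE_MISC" \
            | audit_dropped "$WORK/$mode"
    done
    rm -rf "$WORK"
}

demo
```

With the broad rule, both the test line and the PAM authentication failure are dropped and neither appears in the report; with the anchored rule, only the test line is dropped and the PAM line is still reported as a SECURITY event. Running `audit_dropped` over a day's log against the local rule set is a cheap way to see exactly which lines the ignore files are swallowing.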