Debian Bug report logs - #469507
aide-common: No rule for kern.log

Package: aide-common; Maintainer for aide-common is Aide Maintainers <aide@packages.debian.org>; Source for aide-common is src:aide.

Reported by: Francois Gouget <fgouget@free.fr>

Date: Wed, 5 Mar 2008 15:54:02 UTC

Severity: normal

Tags: confirmed

Found in version aide/0.13.1-8

Fixed in version 0.13.1-11

Done: Hannes von Haugwitz <hannes@vonhaugwitz.com>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Aide Maintainers <pkg-aide-maintainers@lists.alioth.debian.org>:
Bug#469507; Package aide-common.


Acknowledgement sent to Francois Gouget <fgouget@free.fr>:
New Bug report received and forwarded. Copy sent to Aide Maintainers <pkg-aide-maintainers@lists.alioth.debian.org>.


Message #5 received at submit@bugs.debian.org:

From: Francois Gouget <fgouget@free.fr>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: aide-common: No rule for kern.log
Date: Wed, 05 Mar 2008 16:52:22 +0100

Package: aide-common
Version: 0.13.1-8
Severity: normal


aide issues warnings about /var/log/kern.log* files being added, changed and removed. This is a standard rotated log. I think this should be taken care of in 31_aide_syslog. I would propose the following rules for that:

---
/var/log/kern\.log\.0$ LowLogs
/var/log/kern\.log\.1\.gz$ RotatedLogs+ANF
/var/log/kern\.log\.[2345]\.gz$ RotatedLogs
/var/log/kern\.log\.9\.gz$ RotatedLogs+ARF
/var/log/kern\.log$ Logs
---

I'm not 100% sure these rules are correct as I never managed to get to
the zero-change point in order for ifnochange to kick in.

I will also note that the rules in 31_aide_syslog are a bit looser.
They use [0-9]+ to handle all the logs all at once (some keep a history
of only the last 4 files, others 6), and don't use +ARF on the last log
either (won't that prevent ifnochange from ever kicking in?). Also these
differences in how rotated logs are handled make it confusing when
trying to add rules for new logs (not that things are not confusing to
start with).

Well, I hope the above rules will be useful anyway.


-- System Information:
Debian Release: lenny/sid
  APT prefers testing
  APT policy: (500, 'testing'), (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.22.9fg2 (PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages aide-common depends on:
ii  aide [aide-binary] 0.13.1-8              Advanced Intrusion Detection Envir
ii  bsd-mailx [mailx]  8.1.2-0.20071201cvs-2 A simple mail user agent
ii  debconf [debconf-2 1.5.19                Debian configuration management sy
ii  liblockfile1       1.06.2                NFS-safe locking library, includes
ii  mailx              1:20071201-2          Transitional package for mailx ren
ii  ucf                3.004                 Update Configuration File: preserv

Versions of packages aide-common recommends:
ii  cron                          3.0pl1-103 management of regular background p

-- debconf information excluded
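
An added example, not part of the original report or of the aide package: a small Python check of which rotated kern.log names the proposed selection lines match, for several history depths. The savelog-style file layout, the `LOOSE` rule set and all function names are assumptions made for illustration.

```python
import re

# Selection lines proposed in the report: (regex, AIDE group expression).
PROPOSED = [
    (r"/var/log/kern\.log\.0$", "LowLogs"),
    (r"/var/log/kern\.log\.1\.gz$", "RotatedLogs+ANF"),
    (r"/var/log/kern\.log\.[2345]\.gz$", "RotatedLogs"),
    (r"/var/log/kern\.log\.9\.gz$", "RotatedLogs+ARF"),
    (r"/var/log/kern\.log$", "Logs"),
]

# Constructed looser variant using [0-9]+ in the style the report describes;
# this is NOT the actual content of 31_aide_syslog.
LOOSE = [
    (r"/var/log/kern\.log$", "Logs"),
    (r"/var/log/kern\.log\.0$", "LowLogs"),
    (r"/var/log/kern\.log\.[0-9]+\.gz$", "RotatedLogs"),
]


def rotated_names(base, generations):
    """Assumed layout: base, base.0, then base.1.gz .. base.<generations-1>.gz."""
    return [base, base + ".0"] + [f"{base}.{i}.gz" for i in range(1, generations)]


def matching_groups(rules, path):
    """Groups of every rule whose regex matches the path.

    AIDE prepends an implicit ^ to each selection regex; re.match anchors
    at the start of the string in the same way.
    """
    return [group for regex, group in rules if re.match(regex, path)]


def uncovered(rules, paths):
    """Paths that no log-specific rule matches; a broader rule would catch them."""
    return [p for p in paths if not matching_groups(rules, p)]


if __name__ == "__main__":
    for depth in (4, 7, 10):
        paths = rotated_names("/var/log/kern.log", depth)
        print(f"history depth {depth}:")
        print("  proposed rules miss:", uncovered(PROPOSED, paths) or "nothing")
        print("  loose rules miss:   ", uncovered(LOOSE, paths) or "nothing")
```

Names reported as missed would fall through to whatever broader rule covers /var/log in the local configuration, so they would keep appearing in the AIDE report on every rotation.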




Information forwarded to debian-bugs-dist@lists.debian.org, Aide Maintainers <pkg-aide-maintainers@lists.alioth.debian.org>:
Bug#469507; Package aide-common.


Acknowledgement sent to Marc Haber <mh+debian-packages@zugschlus.de>:
Extra info received and forwarded to list. Copy sent to Aide Maintainers <pkg-aide-maintainers@lists.alioth.debian.org>.


Message #10 received at 469507@bugs.debian.org:

From: Marc Haber <mh+debian-packages@zugschlus.de>
To: Francois Gouget <fgouget@free.fr>, 469507@bugs.debian.org, 469507-submitter@bugs.debian.org
Cc: Marc Haber <mh+debian-packages@zugschlus.de>
Subject: Re: Bug#469507: aide-common: No rule for kern.log
Date: Thu, 6 Mar 2008 18:43:48 +0100

tags #469507 confirmed
thanks

On Wed, Mar 05, 2008 at 04:52:22PM +0100, Francois Gouget wrote:
> aide issues warnings about /var/log/kern.log* files being added, changed and removed. This is a standard rotated log. I think this should be taken care of in 31_aide_syslog. I would propose the following rules for that:
> 
> ---
> /var/log/kern\.log\.0$ LowLogs
> /var/log/kern\.log\.1\.gz$ RotatedLogs+ANF
> /var/log/kern\.log\.[2345]\.gz$ RotatedLogs
> /var/log/kern\.log\.9\.gz$ RotatedLogs+ARF
> /var/log/kern\.log$ Logs
> ---
> 
> I'm not 100% sure these rules are correct as I never managed to get to
> the zero-change point in order for ifnochange to kick in.

I have modified the regexp to match kern.log as well.

> I will also note that the rules in 31_aide_syslog are a bit looser.
> They use [0-9]+ to handle all the logs all at once (some keep a history
> of only the last 4 files, others 6), and don't use +ARF on the last log
> either (won't that prevent ifnochange from ever kicking in?). Also these
> differences in how rotated logs are handled make it confusing when
> trying to add rules for new logs (not that things are not confusing to
> start with).

The issue here is that I am not using these rules myself since my
systems log everything into /var/log/syslog/syslog, and I use
logrotate to rotate /var/log/syslog/syslog to
/var/log/syslog/syslog-yyyymmdd. I need to rely on users to submit
working rules, and I really appreciate your help.

A few weeks ago, I published a test environment for aide log rotation
rules. This allows one to test with a turn-around time of a few
seconds only. You can download and try it from
https://ivanova.notwork.de/~mh/stuff/aidetest.tar.gz.

I hope it helps, and I am looking forward to any rules you submit.

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 621 72739835




Tags added: confirmed Request was from Marc Haber <mh+debian-packages@zugschlus.de> to control@bugs.debian.org. (Thu, 06 Mar 2008 17:45:07 GMT)


Message sent on to Francois Gouget <fgouget@free.fr>:
Bug#469507.


Tags added: pending Request was from Marc Haber <mh+debian-packages@zugschlus.de> to control@bugs.debian.org. (Fri, 04 Apr 2008 06:42:02 GMT)


Reply sent to Hannes von Haugwitz <hannes@vonhaugwitz.com>:
You have taken responsibility. (Sun, 18 Apr 2010 12:15:03 GMT)


Notification sent to Francois Gouget <fgouget@free.fr>:
Bug acknowledged by developer. (Sun, 18 Apr 2010 12:15:03 GMT)


Message #22 received at 469507-done@bugs.debian.org:

From: Hannes von Haugwitz <hannes@vonhaugwitz.com>
To: Francois Gouget <fgouget@free.fr>, 469507-done@bugs.debian.org
Subject: Re: aide-common: No rule for kern.log
Date: Sun, 18 Apr 2010 14:12:11 +0200

Version: 0.13.1-11

Hi,

this bug has been fixed in 0.13.1-11, so I close this bug.

Greetings

Hannes




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 17 May 2010 07:57:33 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Jul 2 08:53:21 2023; Machine Name: bembo
