subject:"Bug#318731\: \[Logcheck\-devel\] Bug#318731\: spamd rule does not work"

Bug#318731: [Logcheck-devel] Bug#318731: spamd rule does not work

2005-07-18 Thread Rainer Zocholl

[EMAIL PROTECTED](Jamie L. Penman-Smithson)  18.07.05 14:38

Once upon a time "Jamie L. Penman-Smithson " shaped the electrons to say...

>On Sun, 2005-07-17 at 20:19 +0200, Rainer Zocholl wrote:
>> [EMAIL PROTECTED](Jamie L. Penman-Smithson)  17.07.05 13:31
>>>since all log messages have trailing
>>>spaces stripped before they are processed, your rule will never
>>>match anything.
>>
>> Sorry, i wasn't aware of that and throught something wiered inside
>> logcheck. That's why i file a bug.
>>
>> Too i was not warned that testing rules with "egrep -f"
>> is not recommandable/is senseless, because logcheck modifies the
>> logfile reads.

>There's a paragraph in README.logcheck-database:

Yes, i found that sentence meanwhile.
Previously i stopped reading because the part above did not
look very interessing and i thought that were all the same theme,
because there "suddenly" where no subtitles.

That's always the problem between the "knowing (deverloper)" and
the "just only user" to fidn teh right way of documenting.
(Logcheck documentation is really good, compared to several other OOS).
The developer knows that it is there, but the user have to read
tons and tons of text and try to weight what'S relevant and what can
be omitted/neglected..

A subtitle like

Testing Your New Rules
==

before that would have eaesd reading a lot!

>| To test new rules, you can grep your log file, and remove trailing
>| space with something like this:
>|
>| sed -e 's/[[:space:]]*$//' /var/log/syslog | egrep \
>| '^\w{3} [ :0-9]{11} oempc wwwoffled\[[0-9]+\]: \
>| WWWOFFLE (On|Off)line\.$'
>|
>| If the log line is displayed, then your regex works.

>> I don't want "littering" logcheck mails with messages i
>> can't change. That's to dangerous as some day no one will
>> take a look into the file.

>Then find out which users config is causing the problem?

Yes. And as long as i am searching, i wanted to suppress the message,
not to oversee important notes.

>If your users config files are in the same directory, something like
>egrep -H " RBL" * might find the culprit. 
>Or "find / -name foobar.cf -exec grep -H " RBL" \{\} \;"

I tried searching "RBL", but, qwww, did not find.
Maybe it was too late in that evening?

>That'll only work if your config files have identical names, if they
>are named after the user, you could try something similar to:

>cat /etc/passwd | egrep -v "^[[:alnum:]]+:x:[0-9]{1,2}:.*$" | cut -f 1
>-d ":" > .users && for i in $(cat .users); do find /foo -name $i.cf
>-exec grep -H " RBL" \{\} \;; done ; rm .users

I would not hesitate to run a grep over the entire disk.
The disk is only 80GB, so let it run 1h or maybe 2h.
It's a computer, it's his job, isn't it?

>> Which words did you use?

>Argument "RBL" "isn't numeric in addition"

I did too. Funny, or not so funny...
Sometimes i have the feeling googles knows who is searching ;-)

>> I tried "Argument isn't numeric in addition" etc. with spamd and
>> without and only see that others asking the same.

>You may or may not already know, but placing quotation marks around
>words causes Google to search for the entire phrase[1], rather than
>occurrences of the individual words.

Yes, i added the """ only here.
I too serach with "RBL" like you did.
Very wiered, tah i did not get any hit into the bugzilla of
spamassasin.

>The first result from that is relevant to your problem, as are most of
>the other results from the first page.

>[1] http://www.google.co.uk/help/basics.html#phrases
   *~*!
My google jumps to "google.de"...regardless which language i choose.
And it's known that google is censoring the result country specific.
Maybe the censorment detect "bad words" in your URL?

But we are going offtopic, and the problem is solved!
Thanks a lot!

-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Bug#318731: [Logcheck-devel] Bug#318731: spamd rule does not work

2005-07-18 Thread Jamie L. Penman-Smithson

On Sun, 2005-07-17 at 20:19 +0200, Rainer Zocholl wrote:
> [EMAIL PROTECTED](Jamie L. Penman-Smithson)  17.07.05 13:31
> >since all log messages have trailing
> >spaces stripped before they are processed, your rule will never match
> >anything. 
> 
> Sorry, i wasn't aware of that and throught something wiered inside logcheck.
> That's why i file a bug.
> 
> Too i was not warned that testing rules with "egrep -f" 
> is not recommandable/is senseless, because logcheck modifies the logfile 
> reads.

There's a paragraph in README.logcheck-database:

| To test new rules, you can grep your log file, and remove trailing
| space with something like this:
|
| sed -e 's/[[:space:]]*$//' /var/log/syslog | egrep \
| '^\w{3} [ :0-9]{11} oempc wwwoffled\[[0-9]+\]: \
| WWWOFFLE (On|Off)line\.$'
|
| If the log line is displayed, then your regex works.

> >Finally, this message indicates a _PROBLEM_ with your spamassassin
> >configuration, ignoring it _will not_ make the problem disappear.
> 
> I assume it's problem in some users config...
> 
> I don't want "littering" logcheck mails with messages i
> can't change. That's to dangerous as some day no one will
> take a look into the file.

Then find out which users config is causing the problem?

If your users config files are in the same directory, something like
egrep -H " RBL" * might find the culprit. Or "find / -name foobar.cf
-exec grep -H " RBL" \{\} \;"

That'll only work if your config files have identical names, if they are
named after the user, you could try something similar to:

cat /etc/passwd | egrep -v "^[[:alnum:]]+:x:[0-9]{1,2}:.*$" | cut -f 1
-d ":" > .users && for i in $(cat .users); do find /foo -name $i.cf
-exec grep -H " RBL" \{\} \;; done ; rm .users

> >Ignoring errors is not a good strategy. See bug #3853 in SA's bugzilla
> >(which I found within 5 seconds using Google) 
> 
> I have several(!) times tried google and did not find any useful hints
> or solution.
> 
> Which words did you use?

Argument "RBL" "isn't numeric in addition"

> I tried "Argument isn't numeric in addition" etc. with spamd and without
> and only see that others asking the same.

You may or may not already know, but placing quotation marks around
words causes Google to search for the entire phrase[1], rather than
occurrences of the individual words.

The first result from that is relevant to your problem, as are most of
the other results from the first page.

[1] http://www.google.co.uk/help/basics.html#phrases

-- 
-Jamie L. Penman-Smithson <[EMAIL PROTECTED]>
 t: +44 1273 424795; f: +44 1273 424795
 PGP: C0A7 955E EED6 A309 23D7 863B C76A 26A3 F0DC FCA8
 never send mail to: [EMAIL PROTECTED]


signature.asc
Description: This is a digitally signed message part

Bug#318731: [Logcheck-devel] Bug#318731: spamd rule does not work

2005-07-18 Thread Rainer Zocholl

[EMAIL PROTECTED](Jamie L. Penman-Smithson)  17.07.05 13:31


>Your rule has a trailing space, 

i know that. Without it did not work either.

>since all log messages have trailing
>spaces stripped before they are processed, your rule will never match
>anything. 

Sorry, i wasn't aware of that and throught something wiered inside logcheck.
That's why i file a bug.

Too i was not warned that testing rules with "egrep -f" 
is not recommandable/is senseless, because logcheck modifies the logfile reads.


>Removing the trailing space should fix the problem:

>^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: Argument \"RBL\"
>isn't numeric in addition \(\+\)
>at /usr/share/perl5/Mail/SpamAssassin/Conf.pm line 244.$

Yes! I wonder why it did not work some days before...


>Finally, this message indicates a _PROBLEM_ with your spamassassin
>configuration, ignoring it _will not_ make the problem disappear.

I assume it's problem in some users config...

I don't want "littering" logcheck mails with messages i
can't change. That's to dangerous as some day no one will
take a look into the file.

>Ignoring errors is not a good strategy. See bug #3853 in SA's bugzilla
>(which I found within 5 seconds using Google) 

I have several(!) times tried google and did not find any useful hints
or solution.

Which words did you use?
I tried "Argument isn't numeric in addition" etc. with spamd and without
and only see that others asking the same.

http://www2.list.logwatch.org:81/pipermail/logwatch/2004-February/000459.html
no access..
http://www.dclug.org.uk/archive/2004/09/msg00214.html
no answer
http://www.mailarchives.org/list/spam-assassin/msg/2004/11717
no answer
etc.


The error is very common.



>which was the result of misconfiguration:

>> --- Additional Comments From [EMAIL PROTECTED]  2004-10-01
>> 10:05 ---
>> This type of issue has always been something like:
>>
>> score FOO_RULE RBL 3
>>
>> somewhere in the configuration files.  Could be in any of
>> the /etc/mail/spamassassin/*.cf files, or in
>> user_prefs, or anywhere your SA installation gets configuration data
>> from.

>Fix the problem in your SA configuration.

"find the user with the wrong config!" ;-)


Rainer



-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Bug#318731: [Logcheck-devel] Bug#318731: spamd rule does not work

2005-07-17 Thread Jamie L. Penman-Smithson

package logcheck
merge 317642 318731
tags 318731 wontfix
thanks

On Sun, 2005-07-17 at 12:33 +0200, Rainer Zocholl wrote:
> Package: logcheck   
> Version: "most recent stable"

Use apt to find the version number, "most recent stable" is pretty
useless.

Don't open multiple bug reports about the same issue. There is already
#317642. This isn't a problem with logcheck, it's a problem with _your
own_ rules, therefore this isn't a bug and the BTS isn't really the best
place, there's the logcheck-users mailing list which would be better.

Read README.logcheck-database, it explains, in detail, how to write
rules and how to test them correctly.

> i can't block the spamd warning.
> 
> Why?

Your rule has a trailing space, since all log messages have trailing
spaces stripped before they are processed, your rule will never match
anything. Removing the trailing space should fix the problem:

^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: Argument \"RBL\"
isn't numeric in addition \(\+\)
at /usr/share/perl5/Mail/SpamAssassin/Conf.pm line 244.$

Finally, this message indicates a _PROBLEM_ with your spamassassin
configuration, ignoring it _will not_ make the problem disappear.
Ignoring errors is not a good strategy. See bug #3853 in SA's bugzilla
(which I found within 5 seconds using Google) which was the result of
misconfiguration:

> --- Additional Comments From [EMAIL PROTECTED]  2004-10-01 10:05
> ---
> This type of issue has always been something like:
> 
> score FOO_RULE RBL 3
> 
> somewhere in the configuration files.  Could be in any of
> the /etc/mail/spamassassin/*.cf files, or in
> user_prefs, or anywhere your SA installation gets configuration data
> from.

Fix the problem in your SA configuration.

-- 
-Jamie L. Penman-Smithson <[EMAIL PROTECTED]>
 t: +44 1273 424795; f: +44 1273 424795
 PGP: C0A7 955E EED6 A309 23D7 863B C76A 26A3 F0DC FCA8
 never send mail to: [EMAIL PROTECTED]

signature.asc
Description: This is a digitally signed message part

Bug#318731: [Logcheck-devel] Bug#318731: spamd rule does not work

Bug#318731: [Logcheck-devel] Bug#318731: spamd rule does not work

Bug#318731: [Logcheck-devel] Bug#318731: spamd rule does not work

Bug#318731: [Logcheck-devel] Bug#318731: spamd rule does not work

4 matches

Site Navigation

Mail list logo

Footer information