[lucid] Misc bind9 entries missing

Bug #748870 reported by Tim White
This bug affects 1 person
Affects: logcheck (Ubuntu); Status: Fix Released; Importance: Undecided; Assigned to: Unassigned
Affects: Lucid; Status: Fix Released; Importance: Undecided; Assigned to: Loïc Minier

Bug Description

IMPACT: up to one logcheck email generated every hour (in practice this depends on DNS traffic), makes logcheck a spam source unless config is fixed locally

PROPOSED FIX: fix regular expression to allow for the missing log entries

TESTCASE: egrep -vf /etc/logcheck/ignore.d.server/bind test-logfile (attached)

REGRESSION POTENTIAL: low overall; conffile prompt while upgrading if any conffiles need to be merged; regular expression might also still be incomplete/incorrect after update, but that wouldn't really be a regression; this comes from tested latest version of logcheck

Loïc Minier (lool) wrote :

I don't think it's an option to do a wholesale backport to lucid-updates, but specific issues like the bind9 one could be suitable for stable updates per https://wiki.ubuntu.com/StableReleaseUpdates

I would however think that this is a good package to backport; to request a backport to lucid-backports, see https://help.ubuntu.com/community/UbuntuBackports

Loïc Minier (lool) wrote :

Sample log message:
Oct 2 21:07:25 hostname named[786]: success resolving 'sec1.apnic.net/AAAA' (in 'apnic.net'?) after reducing the advertised EDNS UDP packet size to 512 octets

Loïc Minier (lool) wrote :

Hmm Launchpad seems to merge the two spaces at the start of the log into one:
Oct 2 21:07:25 hostname named[786]: success resolving 'sec1.apnic.net/AAAA' (in 'apnic.net'?) after reducing the advertised EDNS UDP packet size to 512 octets

This doesn't affect maverick.

Changed in logcheck (Ubuntu):
status: New → Fix Released
Changed in logcheck (Ubuntu Lucid):
status: New → Triaged
Loïc Minier (lool) wrote :

This is another affected log I get:
Oct 1 08:18:30 hostname named[786]: success resolving 'dnsdel.mantraonline.com/AAAA' (in 'mantraonline.com'?) after disabling EDNS

I also get a lot of:
Oct 3 11:53:02 hostname named[786]: error (unexpected RCODE SERVFAIL) resolving '208-30.pppoe.mp.farlep.net/AAAA/IN': 213.130.24.4#53
Oct 3 09:25:30 hostname named[786]: error (unexpected RCODE REFUSED) resolving 'dns2.telkom.net.id/A/IN': 2001:4488:4:600d::5#53

and some:
Oct 2 18:32:49 hostname named[786]: error (connection refused) resolving 'ns.isc.afilias-nst.info/A/IN': 2001:500:7::79#53

and even one:
Oct 1 00:22:14 hostname named[786]: error (host unreachable) resolving '211.244.218.41.in-addr.arpa/PTR/IN': 193.194.185.2#53
but I think that last one is rather uncommon.

All of these except the last one are solved in the maverick version.

summary: - logcheck-database backport to lucid
+ [lucid] Misc bind9 entries missing
Loïc Minier (lool) wrote :

Correction, even the last one is fixed in maverick.

Loïc Minier (lool)
Changed in logcheck (Ubuntu Lucid):
assignee: nobody → Loïc Minier (lool)
status: Triaged → In Progress
Loïc Minier (lool) wrote :
description: updated
Martin Pitt (pitti) wrote : Please test proposed package

Hello Tim, or anyone else affected,

Accepted logcheck into lucid-proposed, the package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Thank you in advance!

Changed in logcheck (Ubuntu Lucid):
status: In Progress → Fix Committed
tags: added: verification-needed
Loïc Minier (lool) wrote :

So the new config definitely worked for me, some problematic logs have appeared in syslog and as expected weren't mailed out:
Oct 5 22:06:10 hostname named[786]: error (unexpected RCODE REFUSED) resolving 'aaadel.mantraonline.com/AAAA/IN': 202.56.240.5#53

I still get emails for other logs.

egrep -vf /etc/logcheck/ignore.d.server/bind logcheck on the attached file doesn't output anything, as expected.

NB: logcheck creates a logcheck -> root alias in /etc/aliases even on upgrades; I had removed it and it was recreated on upgrade to the lucid-proposed package. (Not a regression though, and there was already a lucid SRU.)

Fun: I have a server without the fix which sends an email every hour with the "unreachable host" message, this logcheck email triggers a DNS resolution which causes the "unreachable host" log to happen, so effectively a loop of logcheck triggering logcheck emails every hour :-)

tags: added: verification-done
removed: verification-needed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package logcheck - 1.3.7ubuntu2

---------------
logcheck (1.3.7ubuntu2) lucid-proposed; urgency=low

  * ignore.d.server/bind: Add two new rules from latest logcheck to allow
    various messages; LP: #748870.
    - "success resolving [...] after reducing advertized EDNS UDP packet size"
    - "success resolving [...] after disabling EDNS"
    - "error (connection refused) resolving [...]"
    - "error (unexpected RCODE REFUSED) resolving [...]"
    - "error (unexpected RCODE SERVFAIL) resolving [...]"
 -- Loic Minier <email address hidden> Mon, 03 Oct 2011 14:09:33 +0200

Changed in logcheck (Ubuntu Lucid):
status: Fix Committed → Fix Released
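
An added example, not part of the original report and not the rules shipped in the logcheck package: the TESTCASE's `egrep -vf` check, run against constructed logcheck-style ignore rules for the message shapes listed in the changelog. The rule text, the function names and the `denied` line are assumptions made for illustration; the rules are anchored at both ends so that unrelated named messages are still reported.

```shell
#!/bin/sh
# Constructed ignore rules in logcheck style (POSIX ERE, one per line).
# Assumption: these are NOT the rules shipped in logcheck 1.3.7ubuntu2.
write_rules() {
cat <<'EOF'
^[[:alpha:]]{3} [ :0-9]{11} [._[:alnum:]-]+ named\[[0-9]+\]: success resolving '[^']+' \(in '[^']+'\?\) after (reducing the advertised EDNS UDP packet size to [0-9]+ octets|disabling EDNS)$
^[[:alpha:]]{3} [ :0-9]{11} [._[:alnum:]-]+ named\[[0-9]+\]: error \((connection refused|host unreachable|unexpected RCODE (REFUSED|SERVFAIL))\) resolving '[^']+': [0-9a-fA-F.:]+#[0-9]+$
EOF
}

# Sample input: the six named messages quoted in this report, with the
# two-space syslog day padding restored, plus one constructed "denied"
# line that no ignore rule should swallow.
write_log() {
cat <<'EOF'
Oct  2 21:07:25 hostname named[786]: success resolving 'sec1.apnic.net/AAAA' (in 'apnic.net'?) after reducing the advertised EDNS UDP packet size to 512 octets
Oct  1 08:18:30 hostname named[786]: success resolving 'dnsdel.mantraonline.com/AAAA' (in 'mantraonline.com'?) after disabling EDNS
Oct  3 11:53:02 hostname named[786]: error (unexpected RCODE SERVFAIL) resolving '208-30.pppoe.mp.farlep.net/AAAA/IN': 213.130.24.4#53
Oct  3 09:25:30 hostname named[786]: error (unexpected RCODE REFUSED) resolving 'dns2.telkom.net.id/A/IN': 2001:4488:4:600d::5#53
Oct  2 18:32:49 hostname named[786]: error (connection refused) resolving 'ns.isc.afilias-nst.info/A/IN': 2001:500:7::79#53
Oct  1 00:22:14 hostname named[786]: error (host unreachable) resolving '211.244.218.41.in-addr.arpa/PTR/IN': 193.194.185.2#53
Oct  3 12:00:00 hostname named[786]: client 192.0.2.10#4242: query (cache) 'example.com/A/IN' denied
EOF
}

# Read log lines on stdin and print those that match no ignore rule,
# i.e. the lines logcheck would still mail out.
unmatched() {
    rules=$(mktemp) || return 1
    write_rules > "$rules"
    grep -E -v -f "$rules"
    rc=$?
    rm -f "$rules"
    [ "$rc" -le 1 ]   # grep exits 1 when every line was ignored; not an error
}

write_log | unmatched
```

A line copied from the web page with the day padding collapsed to one space does not match these rules, so test against the raw log file rather than text pasted from the bug page.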