---- ./systems/linux/logcheck.sh.sp Thu May 15 06:10:37 1997
-+++ ./systems/linux/logcheck.sh Mon Jul 13 12:07:09 1998
+diff -urN logcheck-1.1.1/Makefile logcheck-1.1.1.patched/Makefile
+--- logcheck-1.1.1/Makefile Sun Oct 31 16:07:29 1999
++++ logcheck-1.1.1.patched/Makefile Wed Jan 15 11:10:02 2003
+@@ -4,6 +4,8 @@
+ # Send problems/code hacks to crowland@psionic.com or crowland@vni.net
+ # Thanks to rbulling@obscure.org for cleaning this Makefile up..
+ #
++# Modified for rpm package building.
++#
+
+ # Generic compiler
+ CC = cc
+@@ -19,15 +21,15 @@
+ # the new paths!!
+
+ # This is where keyword files go.
+-INSTALLDIR = /usr/local/etc
++INSTALLDIR = ${RPM_BUILD_ROOT}/etc/logcheck
+
+ # This is where logtail will go
+-INSTALLDIR_BIN = /usr/local/bin
++INSTALLDIR_BIN = ${RPM_BUILD_ROOT}/usr/sbin
+
+ # Some people want the logcheck.sh in /usr/local/bin. Uncomment this
+ # if you want this. /usr/local/etc was kept for compatibility reasons.
+-#INSTALLDIR_SH = /usr/local/bin
+-INSTALLDIR_SH = /usr/local/etc
++INSTALLDIR_SH = ${RPM_BUILD_ROOT}/usr/sbin
++#INSTALLDIR_SH = /usr/local/etc
+
+ # The scratch directory for logcheck files.
+ TMPDIR = /usr/local/etc/tmp
+@@ -63,19 +65,21 @@
+ install:
+ @echo "Making $(SYSTYPE)"
+ $(CC) $(CFLAGS) -o ./src/logtail ./src/logtail.c
+- @echo "Creating temp directory $(TMPDIR)"
+- @if [ ! -d $(TMPDIR) ]; then /bin/mkdir $(TMPDIR); fi
+- @echo "Setting temp directory permissions"
+- chmod 700 $(TMPDIR)
++ # These are no longer necessary because it handled by logcheck
++ # itself.
++ #@echo "Creating temp directory $(TMPDIR)"
++ #@if [ ! -d $(TMPDIR) ]; then /bin/mkdir $(TMPDIR); fi
++ #@echo "Setting temp directory permissions"
++ #chmod 700 $(TMPDIR)
+ @echo "Copying files"
+ cp ./systems/$(SYSTYPE)/logcheck.hacking $(INSTALLDIR)
+ cp ./systems/$(SYSTYPE)/logcheck.violations $(INSTALLDIR)
+ cp ./systems/$(SYSTYPE)/logcheck.violations.ignore $(INSTALLDIR)
+ cp ./systems/$(SYSTYPE)/logcheck.ignore $(INSTALLDIR)
+- cp ./systems/$(SYSTYPE)/logcheck.sh $(INSTALLDIR_SH)
++ cp ./systems/$(SYSTYPE)/logcheck.sh $(INSTALLDIR_SH)/logcheck
+ cp ./src/logtail $(INSTALLDIR_BIN)
+ @echo "Setting permissions"
+- chmod 700 $(INSTALLDIR_SH)/logcheck.sh
++ chmod 700 $(INSTALLDIR_SH)/logcheck
+ chmod 700 $(INSTALLDIR_BIN)/logtail
+ chmod 600 $(INSTALLDIR)/logcheck.violations.ignore
+ chmod 600 $(INSTALLDIR)/logcheck.violations
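Review bot: The install recipe copies into `$(INSTALLDIR)`, `$(INSTALLDIR_SH)` and `$(INSTALLDIR_BIN)` without creating them, and with the paths now under `${RPM_BUILD_ROOT}` they will not exist in a fresh build root unless the spec file creates them first (not visible here). If `$(INSTALLDIR)` is missing but its parent exists, each `cp` writes a plain file named `logcheck` instead of failing, and the error only surfaces at the later `chmod`. Creating the directories and setting modes in one step avoids that, and also closes the window where the files sit with umask-default permissions between `cp` and `chmod`: `install -d $(INSTALLDIR) $(INSTALLDIR_SH) $(INSTALLDIR_BIN)` followed by, for example, `install -m 700 ./systems/$(SYSTYPE)/logcheck.sh $(INSTALLDIR_SH)/logcheck`. The install rule continues past the end of this hunk, so the remaining `chmod` lines would need the same treatment.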
+diff -urN logcheck-1.1.1/systems/linux/logcheck.ignore logcheck-1.1.1.patched/systems/linux/logcheck.ignore
+--- logcheck-1.1.1/systems/linux/logcheck.ignore Sun Oct 31 16:07:29 1999
++++ logcheck-1.1.1.patched/systems/linux/logcheck.ignore Wed Jan 15 11:10:02 2003
+@@ -1,3 +1,5 @@
++PAM_pwdb.*session opened
++PAM_pwdb.*session closed
+ authsrv.*AUTHENTICATE
+ cron.*CMD
+ cron.*RELOAD
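Review bot: The new entry `PAM_pwdb.*session opened` here, and `login.*: LOGIN ON`, `ftpd.*connect from` and `pop3d.* Login` in the two hunks below, drop successful logins and inbound connections from the report, which is the data a reader needs to notice a login from an unexpected account or host. The patterns are also unanchored, so they match anywhere in a line, including inside fields a remote party can influence such as a user name or a reverse-DNS host name; `identd.*from:` and `ftpd.*timed out` are the broadest. Consider tying each pattern to the daemon tag at the start of the message, for example `login\[[0-9]*\]: LOGIN ON`, after checking the exact syslog format on the target system.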
+@@ -8,8 +10,14 @@
+ ftpd.*FTP LOGIN FROM
+ ftpd.*retrieved
+ ftpd.*stored
++ftpd.*FTP session closed
++ftpd.*timed out
++ftpd.*connect from
+ http-gw.*: exit host
+ http-gw.*: permit host
++identd.*Successful lookup
++identd.*from:
++login.*: LOGIN ON
+ mail.local
+ named.*Lame delegation
+ named.*Response from
+@@ -17,11 +25,16 @@
+ named.*points to a CNAME
+ named.*reloading
+ named.*starting
++named.*NSTATS
++named.*XSTATS
+ netacl.*: exit host
+ netacl.*: permit host
+ popper.*Unable
+ popper: -ERR POP server at
+ popper: -ERR Unknown command: "uidl".
++pop3d.*connect from
++pop3d.* Login
++pop3d.* Logout
+ qmail.*new msg
+ qmail.*info msg
+ qmail.*starting delivery
+diff -urN logcheck-1.1.1/systems/linux/logcheck.sh logcheck-1.1.1.patched/systems/linux/logcheck.sh
+--- logcheck-1.1.1/systems/linux/logcheck.sh Sun Oct 31 16:07:29 1999
++++ logcheck-1.1.1.patched/systems/linux/logcheck.sh Wed Jan 15 11:12:22 2003
@@ -27,11 +27,13 @@
# 5/14/97 -- Added Digital OSF/1 logging support. Big thanks
# to Jay Vassos-Libove <libove@compgen.com> for
if [ -f $TMPDIR/check.$$ -o -f $TMPDIR/checkoutput.$$ -o -f $TMPDIR/checkreport.$$ ]; then
echo "Log files exist in $TMPDIR directory that cannot be removed. This
may be an attempt to spoof the log checker." \
-@@ -165,7 +184,7 @@
+@@ -165,8 +184,9 @@
# Generic and Linux Slackware 3.x
#$LOGTAIL /var/log/messages > $TMPDIR/check.$$
-# Linux Red Hat Version 3.x, 4.x
+# Linux PLD
$LOGTAIL /var/log/messages > $TMPDIR/check.$$
++$LOGTAIL /var/log/syslog >> $TMPDIR/check.$$
$LOGTAIL /var/log/secure >> $TMPDIR/check.$$
$LOGTAIL /var/log/maillog >> $TMPDIR/check.$$
-@@ -220,6 +239,7 @@
+
+@@ -220,6 +240,7 @@
if [ ! -s $TMPDIR/check.$$ ]; then
rm -f $TMPDIR/check.$$
exit 0
fi
-@@ -270,3 +290,4 @@
+@@ -255,7 +276,7 @@
+ echo >> $TMPDIR/checkreport.$$
+ echo "Unusual System Events" >> $TMPDIR/checkreport.$$
+ echo "=-=-=-=-=-=-=-=-=-=-=" >> $TMPDIR/checkreport.$$
+- cat $TMPDIR/checkoutput.$$ >> $TMPDIR/checkreport.$$
++ cat $TMPDIR/checkoutput.$$ | sort -u >> $TMPDIR/checkreport.$$
+ FOUND=1
+ fi
+ fi
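Review bot: `sort -u` on the `Unusual System Events` section orders lines lexically, so the report is grouped by month-name and day text rather than log order, and events from different files or across a month boundary end up interleaved in a misleading sequence. It removes only byte-identical lines, which presumably targets the duplicates that appear now that both `/var/log/messages` and `/var/log/syslog` are read. An order-preserving filter gives the same de-duplication without reordering: `awk '!seen[$0]++' $TMPDIR/checkoutput.$$ >> $TMPDIR/checkreport.$$`. The enclosing `if` block starts outside this hunk, and the other report sections are not visible here, so check whether they need the same handling.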
+@@ -270,3 +291,4 @@
# Clean Up
rm -f $TMPDIR/check.$$ $TMPDIR/checkoutput.$$ $TMPDIR/checkreport.$$
+rm -rf $TMPDIR
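Review bot: `rm -rf $TMPDIR` is unquoted and runs unconditionally, so its safety depends entirely on how `TMPDIR` is set earlier in the script, which is outside this hunk. If that value is ever a shared or pre-existing directory, or contains whitespace, this cleanup (normally run as root) deletes more than the three files the script created. Because the preceding `rm -f` already removes the known files, `rmdir "$TMPDIR"` is sufficient, and it fails visibly if something unexpected was placed in the directory. If recursive removal is really wanted, quote and guard it: `[ -n "$TMPDIR" ] && rm -rf -- "$TMPDIR"`.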
---- ./systems/linux/logcheck.ignore.sp Thu May 15 06:19:40 1997
-+++ ./systems/linux/logcheck.ignore Mon Jul 13 12:06:40 1998
-@@ -1,3 +1,5 @@
-+PAM_pwdb.*session opened
-+PAM_pwdb.*session closed
- authsrv.*AUTHENTICATE
- cron.*CMD
- cron.*RELOAD
-@@ -8,8 +10,14 @@
- ftpd.*FTP LOGIN FROM
- ftpd.*retrieved
- ftpd.*stored
-+ftpd.*FTP session closed
-+ftpd.*timed out
-+ftpd.*connect from
- http-gw.*: exit host
- http-gw.*: permit host
-+identd.*Successful lookup
-+identd.*from:
-+login.*: LOGIN ON
- mail.local
- named.*Lame delegation
- named.*Response from
-@@ -17,11 +25,16 @@
- named.*points to a CNAME
- named.*reloading
- named.*starting
-+named.*NSTATS
-+named.*XSTATS
- netacl.*: exit host
- netacl.*: permit host
- popper.*Unable
- popper: -ERR POP server at
- popper: -ERR Unknown command: "uidl".
-+pop3d.*connect from
-+pop3d.* Login
-+pop3d.* Logout
- qmail.*new msg
- qmail.*info msg
- qmail.*starting delivery
---- ./Makefile.sp Thu May 22 03:55:53 1997
-+++ ./Makefile Mon Jul 13 12:07:09 1998
-@@ -4,6 +4,8 @@
- # Send problems/code hacks to crowland@psionic.com or crowland@vni.net
- # Thanks to rbulling@obscure.org for cleaning this Makefile up..
- #
-+# Modified for rpm package building.
-+#
-
- # Generic compiler
- CC = cc
-@@ -19,15 +21,15 @@
- # the new paths!!
-
- # This is where keyword files go.
--INSTALLDIR = /usr/local/etc
-+INSTALLDIR = ${RPM_BUILD_ROOT}/etc/logcheck
-
- # This is where logtail will go
--INSTALLDIR_BIN = /usr/local/bin
-+INSTALLDIR_BIN = ${RPM_BUILD_ROOT}/usr/sbin
-
- # Some people want the logcheck.sh in /usr/local/bin. Uncomment this
- # if you want this. /usr/local/etc was kept for compatibility reasons.
--#INSTALLDIR_SH = /usr/local/bin
--INSTALLDIR_SH = /usr/local/etc
-+INSTALLDIR_SH = ${RPM_BUILD_ROOT}/usr/sbin
-+#INSTALLDIR_SH = /usr/local/etc
-
- # The scratch directory for logcheck files.
- TMPDIR = /usr/local/etc/tmp
-@@ -63,19 +65,21 @@
- install:
- @echo "Making $(SYSTYPE)"
- $(CC) $(CFLAGS) -o ./src/logtail ./src/logtail.c
-- @echo "Creating temp directory $(TMPDIR)"
-- @if [ ! -d $(TMPDIR) ]; then /bin/mkdir $(TMPDIR); fi
-- @echo "Setting temp directory permissions"
-- chmod 700 $(TMPDIR)
-+ # These are no longer necessary because it handled by logcheck
-+ # itself.
-+ #@echo "Creating temp directory $(TMPDIR)"
-+ #@if [ ! -d $(TMPDIR) ]; then /bin/mkdir $(TMPDIR); fi
-+ #@echo "Setting temp directory permissions"
-+ #chmod 700 $(TMPDIR)
- @echo "Copying files"
- cp ./systems/$(SYSTYPE)/logcheck.hacking $(INSTALLDIR)
- cp ./systems/$(SYSTYPE)/logcheck.violations $(INSTALLDIR)
- cp ./systems/$(SYSTYPE)/logcheck.violations.ignore $(INSTALLDIR)
- cp ./systems/$(SYSTYPE)/logcheck.ignore $(INSTALLDIR)
-- cp ./systems/$(SYSTYPE)/logcheck.sh $(INSTALLDIR_SH)
-+ cp ./systems/$(SYSTYPE)/logcheck.sh $(INSTALLDIR_SH)/logcheck
- cp ./src/logtail $(INSTALLDIR_BIN)
- @echo "Setting permissions"
-- chmod 700 $(INSTALLDIR_SH)/logcheck.sh
-+ chmod 700 $(INSTALLDIR_SH)/logcheck
- chmod 700 $(INSTALLDIR_BIN)/logtail
- chmod 600 $(INSTALLDIR)/logcheck.violations.ignore
- chmod 600 $(INSTALLDIR)/logcheck.violations